Security Bits Special — The Cambridge Analytica & Facebook Kerfuffle

The Cliff Notes Version of the Story

This story was broken by two major newspaper organisations cooperating with each other — the Guardian (through its publication the Observer) in the UK, and the New York Times in the US:

The other major source for this story is a collection of undercover films gathered by UK TV Station Channel 4’s news division:

For context, Channel 4 is a commercial TV station in the US. It’s known for not pulling punches, and for pushing the boundaries of what’s acceptable on British TV in terms of topics raised, language used in programs, and more sexually explicit content in their programming aimed at grownups. Their news division is not noticeably politically partisan or left/right aligned IMO. I think of them as a more edgy and somewhat sensation-prone BBC rather than either an MSNBC or a FoxNews with a British accent.

The company at the centre of this whole story is Cambridge Analytica, a US shell company for British technology that grew out of research at Cambridge University owned and run by US political operatives. The technology in question is so-called psychographic profiling. The idea is to take a whole bunch of data about a person and use that to derive their personality type, then to design messages that will resonate with each different personality type, and target them at the appropriate people. Basically, highly tailored and targeted, and hence effective, propaganda!

The original work on psychographic profiles comes from UK political firm SCL, one of whose founders is Christopher Wylie. SCL experimented with their techniques in elections in various countries around the world before coming to the attention of US political operatives Steve Bannon and Robert Mercer. The US firm Cambridge Analytica was set up by Steve Bannon and others with money from Robert Mercer, and it licensed SCL’s technology. Alexander Nix was made chairman, and Steve Bannon joined their board.

SCL promised Bannon & Mercer technology that could allow them to influence people like no other technology could, but they had a problem: they didn’t have the data they needed to input into their algorithms. That’s where academic researcher Aleksandr Kogan comes into the picture.

Kogan was employed by SCL to build a Facebook app to get the needed data. His app used Facebook’s APIs to gather together data on 50 million Americans, which SCL could then combine with data they’d already gathered from other sources to build psychographic profiles which they were able to connect to real US voters.

Armed with the data from Facebook, and the technology from SCL, Cambridge Analytica could tie specific human beings to specific voting districts, specific contact details, and specific personality types. They could then use this information to nudge voters in vital, closely fought districts, to vote the way their clients wanted. In an indirect electoral system like the one the US has, that kind of powerful targeting can be really effective. If you do it right, you can win an election with significantly fewer votes overall than your opponents. In 2016, Donald Trump won the electoral college convincingly (304 to 227), but he lost the popular vote by a bigger margin than any other winning candidate in US history (~63M to ~66M).

BTW, Channel 4’s undercover reporting focuses on SCL, and it paints that company, and its executives in a very poor light indeed. They brag about how they have a mind control weapon, they explain how they use various legally dubious techniques to entrap politicians, and generally come across looking like evil incarnate.

The Facebook data was gathered in 2014, and since then SCL has worked for various people in various elections around the world. However, this story focuses on the role the US shell company Cambridge Analytica played in the 2016 US elections.

This story brings up really big questions in three distinct areas:

  1. Electoral politics — how effective is this kind of highly targeted propaganda? Were any election laws broken? British firms and British people were closely involved in a US election, did they do so within the law? These are very interesting questions, but totally outside of my area of expertise, and, out of scope for a technology geek podcast, with or without an ever-so-slight Apple bias 🙂
  2. Privacy Law — did SCL or Cambridge Analytica break US or UK privacy laws? Again, very interesting questions, but totally outside of my area of expertise. There are certainly a lot of investigations being started by US & UK lawmakers, and the UK information commissioner, so this question may or may not end up in front of one or more judges and/or juries. Time will tell.
  3. Facebook’s Technologies, Policies, and Practices.

Facebook’s Role

First and foremost, it must be stressed that no one hacked Facebook in any way whatsoever. The scarily powerful dataset at the centre of all this was intentionally gathered by Facebook, and is basically the product Facebook’s entire business model revolves around. Facebook intended to have all this data, and they make their money by selling it.

Furthermore, the APIs used by Kogan’s app, the so-called Facebook Platform, worked as intended. Unless you changed your privacy settings from their defaults, you gave your friends permission to share data about you with apps they use. Kogan’s app asked users for permission to use their data, and that included data about their friends, and unless their friends had intentionally blocked the Facebook platform, their data was given to the app. This is how paying 27,000 people to take a personality test (that’s what the app did) could allow an app to gather data on 50 million people.
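The amplification described above, as an added example (not code from the original post, and not Facebook's API): a toy model of delegated friend consent that compares the opt-out default the post describes with an opt-in default. The random graph, the population sizes, the 5% share of users who ever change a default, and all function names are constructed assumptions.

```python
import random

def build_graph(n_users, friends_per_user, seed=1):
    """Constructed random friendship graph: user id -> set of friend ids."""
    rng = random.Random(seed)
    graph = {u: set() for u in range(n_users)}
    for u in range(n_users):
        for v in rng.sample(range(n_users), friends_per_user):
            if v != u:
                graph[u].add(v)
                graph[v].add(u)
    return graph

def profiles_exposed(graph, installers, allows_friend_sharing):
    """Profiles an app can read: every installer (who consented directly),
    plus each friend whose own setting permits sharing via friends' apps."""
    exposed = set(installers)
    for u in installers:
        exposed |= {f for f in graph[u] if allows_friend_sharing(f)}
    return exposed

def compare_defaults(n_users=20000, friends_per_user=50, n_installers=100,
                     changed_setting_rate=0.05, seed=1):
    """Count exposed profiles under each default for the same installers."""
    rng = random.Random(seed)
    graph = build_graph(n_users, friends_per_user, seed)
    installers = set(rng.sample(range(n_users), n_installers))
    # Assumption: only a small fraction of users ever change a default.
    changed = {u for u in range(n_users) if rng.random() < changed_setting_rate}
    # Opt-out default (as the post describes): shared unless the user blocked it.
    opt_out = profiles_exposed(graph, installers, lambda u: u not in changed)
    # Opt-in default: shared only if the user explicitly turned it on.
    opt_in = profiles_exposed(graph, installers, lambda u: u in changed)
    return {"installers": len(installers),
            "exposed_opt_out_default": len(opt_out),
            "exposed_opt_in_default": len(opt_in)}

if __name__ == "__main__":
    print(compare_defaults())
```

The same installers and the same graph are used for both runs, so the difference in exposed profiles comes only from which way the default points.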

What Kogan’s app broke was Facebook’s rules. The app asked users to grant access to their data and their friends’ data for academic purposes, but that data was used commercially.

We now know Facebook knew what had happened to this data many months, even years ago, and did very little about it. We also now know that Facebook knew this when they were busy playing down the effect (ab)use of their platform had on the 2016 US election. Whistleblowers also allege that Facebook intentionally turned a blind eye to abuses of their terms and conditions.

Back in 2014, the existence of the so-called Facebook Platform, and its default settings, were controversial. They got privacy-conscious people like myself very hot and bothered, and it’s around this time that I personally reached my limits, and deleted my Facebook account.

However, it’s important to know that since 2014, Facebook’s privacy policies, default settings, the options given to users, and the presentation of those options have changed a lot. Kogan’s app wouldn’t be able to gather as much data as easily today.

Ultimately, what we have here is nothing more than a very dramatic example of just how valuable and powerful the data Facebook intentionally gathers together can be. There’s no real news here to anyone who’s been following Facebook over the years, this is just the most compelling anecdote to illustrate what we’ve known all along!

Like I said, this anecdote illustrates perfectly why I don’t have a Facebook account. But if you do, you might find these links useful:

Further Reading

Palate cleanser: twitter.com/…
