Facebook Data Leak: 50-million Profiles Harvested
Cambridge Analytica used stolen Facebook data to map people’s personalities
One of the biggest cybersecurity stories of the moment is the Facebook Data Leak. Cambridge Analytica – a company with a name that is about to drive my spell-check crazy – harvested the profiles of over 50-million people, without consent or permission.
The scale of the Facebook data leak wasn’t fully known until recently. And Facebook had yet to acknowledge it. But it’s all out in the open following a New York Times exposé on the leak.
Who is Cambridge Analytica?
Cambridge Analytica is a London-based organization, founded in 2013 as an offshoot of SCL group, that offers services to businesses and political organizations to change audience behavior.
The company analyzes huge amounts of data and uses behavioral science to help identify people that various organizations can target. At this point, the group is admittedly conservative – not in the traditional sense, but in the way that conservative is used today in American politics to describe individuals and organizations that are right of center.
The company’s founder and CEO Alexander Nix has told the website Contagious that Cambridge Analytica was created to address the “vacuum in the US Republican political market” that Nix perceived when Mitt Romney failed to beat Barack Obama for the US presidency in 2012.
“The Democrats had ostensibly been leading the tech revolution, and data analytics and digital engagement were areas where Republicans had failed to catch up. We saw this as an opportunity.”
Nix eventually met two influential “conservatives.” The first was Steve Bannon, the leader of the right-wing news site Breitbart, then later he crossed paths with Republican megadonor Robert Mercer.
Mercer was looking for a leg up politically, something that would make him a Republican kingmaker. He opted to invest in Cambridge Analytica, though he wanted to see something solid before allotting anymore funding to the upstart company.
Cambridge Analytica gets Financial Backing
Mercer invested 1.5 million Cambridge Analytica at the beginning. It didn’t go well. The company failed to produce a memo that adequately explained the work they do to Toby Neugebauer, another conservative donor that was backing the presidential campaign of Texas Senator Ted Cruz.
Mercer freaked out via email, “IT’S 2 PAGES! 4 hours work max (or an hour each). What have you all been doing??”
Traditionally, analytics companies use what’s publicly available and consumer product histories to try to predict behaviors. Unfortunately, that data isn’t really that useful compared to what can be found on a social media network like Facebook. For instance, sexual orientation, religious affiliation, political beliefs and mental state.
So, the problem was that the data that Cambridge Analytica had collected using traditional methods wasn’t all that useful for what the company was trying to do. The information they needed was prohibitively expensive.
Christopher Wylie helped start the company but left in 2014. He spoke with the New York Times extensively about Cambridge Analytica. It was Wylie who found a solution at nearby Cambridge University’s Psychometrics Centre. Cambridge researchers developed a technique that mapped individuals’ personality traits based on their Facebook use. The researchers paid Facebook users to take a personality quiz and download an app. The app scraped private information from the individuals’ Facebook profile and those of their friends. At the time, this was permitted.
“Rules don’t matter for them”
Unfortunately for Cambridge Analytica, Cambridge University wouldn’t work with them.
“Rules don’t matter for them, for them, this is a war, and it’s all fair,“ Wylie told the New York Times. “They want to fight a culture war in America. Cambridge Analytica was supposed to be the arsenal of weapons to fight that culture war.”
That explains Cambridge Analytica’s next move. It found a workaround in the form of Dr. Aleksandr Kogan, a Russian-American professor at Cambridge University that taught psychology and knew the methods that had been developed by the Psychometrics Centre.
Dr. Kogan developed an app, similar to the one used by the Psychometrics Centre, it cost $800,000 to make and Cambridge Analytica let him keep a copy for himself.
The Facebook Data Leak
After linking up with Kogan, Cambridge Analytica received $15-million from Mercer, the company became a little more official, in the shadiest way possible. They essentially created a shell. Any contracts that Cambridge Analytica were given to its parent company, SCL in London.
Bannon and Mercer’s daughter joined the Cambridge Analytica board. It was also purportedly Bannon who came up with the name Cambridge Analytica in the first place.
It was at this point that the company began its Facebook Data Leak, using Kogan’s app to harvest millions of profiles under false pretenses. The app falsely claimed that it was harvesting user data for academic purposes. It harvested over 50-million profiles.
“This was a scam – and a fraud,” Paul Grewel, Facebook’s general counsel said in a statement to the New York Times. “We will take whatever steps are required to see that all the data in question is deleted once and for all – and take action against all offending parties.”
Facebook has already suspended Cambridge Analytica, Wylie and Kogan from its network. But the damage is done, per the Times, Cambridge Analytica still has the data.
What’s in the Data?
While over 50-million profiles were stolen by Kogan’s app (a figure confirmed by company emails), only about 30-million were viable. The rest didn’t contain enough information to be usable.
Here’s what Cambridge Analytica was looking to determine from the data, per an email between Kogan and Wylie that was disclosed to the New York Times.
“We wanted as much as we could get,” Wylie told the Times. “Where it came from, who said we could have it – we weren’t really asking.”
Cambridge Analytica and Donald Trump
In July 2014, over two years before Trump’s victory in the 2016 election, an election lawyer, Laurence Levy, raised a red flag about whether Cambridge Analytica was violating laws that limit involvement in American elections by foreign nationals.
This memo went to Bannon, Rebekah Mercer (Robert’s daughter) and Nix—all board members. It didn’t dissuade them.
A little after this time, in early 2015, Wylie and most of his team left the company over political disagreements with the direction it was headed. Wylie and the other departures are left of center politically and didn’t like working with Mercer-selected hard right candidates.
Near the end of 2015 the Guardian uncovered Ted Cruz’s use of information that was harvested without consent from Facebook.
Cambridge Analytica also worked for Donald Trump’s 2016 political campaign as a result of their mutual connection to Bannon, who was also working for the campaign at the time.
There’s a little bit of uncertainty about what role Cambridge Analytics played for Trump. Nix has stated that the firm’s profiles helped shape Trump’s strategy, but has also said that given the lack of time to comprehensively model Trump voters and that the campaign relied heavily on the psychographics that were created for Cruz.
Trouble for Cambridge Analytica
It all seems to be catching up to the company now, though.
Cambridge Analytica has come under fire of late in Britain, where both Parliament and government regulators are investigating it for illegal work on Brexit.
Meanwhile in the United States, Nix has had to appear in front of congressional investigators and Robert Mueller, the special counsel investigating President Trump for collusion with Russia, has demanded Cambridge Analytica’s emails. In addition, Julian Assange, the leader of WikiLeaks who has been hiding in the Ecuadorian embassy to escape extradition for a rape charge, also claims that Nix reached out to him to try to get incriminating emails from the Hillary Clinton campaign.
Nix denies everything. He blames the Facebook data leak entirely on Kogan for violating the social media giant’s terms of service. Additionally he said during another deposition that Kogan’s contribution was worthless.
For what it’s worth, Nix also said he destroyed the data two years ago, a fact that is disputed by the Times’ reporting.
Either way, it’s clear Nix is in the crosshairs of a number of investigations both in the US and worldwide.
Well, for Facebook, there are a number of questions that now have to be answered. Facebook tried to deny this and downplay it—a move that will warrant a massive GDPR fine from the EU if Facebook ever does this in its jurisdiction.
Beyond the bad optics, Facebook is going to need to further tighten up its security and monitoring. Granted, this doesn’t qualify as a true breach – that’s why we’re referring to it as a leak – but there were clearly some signs that the social media giant missed, or further steps it could have taken to prevent an app from scraping millions of profiles.
As for Cambridge Analytica, the company seems to be personae non gratae in US politics. It remains to be seen whether it will be rehired by the Trump 2020 campaign. But for now, Cambridge Analytica is trying to break into the commercial advertising market.
But, as a former employee told the Times, Cambridge Analytica pitched its services to Mercedes-Benz, MetLife and AB InBev.
None of them signed up.
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018in Hashing Out Cyber Security
How to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chromein Everything Encryption
Re-Hashed: How to Fix SSL Connection Errors on Android Phonesin Everything Encryption
Cloud Security: 5 Serious Emerging Cloud Computing Threats to Avoidin ssl certificates
This is what happens when your SSL certificate expiresin Everything Encryption
Re-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Messagein Hashing Out Cyber Security
Report it Right: AMCA got hacked – Not Quest and LabCorpin Hashing Out Cyber Security
Re-Hashed: How to clear HSTS settings in Chrome and Firefoxin Everything Encryption
Re-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithmsin Everything Encryption
The Difference Between Root Certificates and Intermediate Certificatesin Everything Encryption
The difference between Encryption, Hashing and Saltingin Everything Encryption
Re-Hashed: How To Disable Firefox Insecure Password Warningsin Hashing Out Cyber Security
Cipher Suites: Ciphers, Algorithms and Negotiating Security Settingsin Everything Encryption
The Ultimate Hacker Movies List for December 2020in Hashing Out Cyber Security Monthly Digest
Anatomy of a Scam: Work from home for Amazonin Hashing Out Cyber Security
The Top 9 Cyber Security Threats That Will Ruin Your Dayin Hashing Out Cyber Security
How strong is 256-bit Encryption?in Everything Encryption
Re-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3in Everything Encryption
How to View SSL Certificate Details in Chrome 56in Industry Lowdown
PayPal Phishing Certificates Far More Prevalent Than Previously Thoughtin Industry Lowdown