SAN FRANCISCO — Can Facebook be trusted with your personal information?
That’s the question many Americans are asking after revelations that a data-mining firm working for the Trump campaign improperly got its hands on the personal information of tens of millions of Facebook users and created detailed profiles that were used to target unsuspecting voters in the presidential election.
For many, the incident raises troubling new questions about how Facebook manages third-party access to the sensitive information of its 2 billion users, including what safeguards the social media giant has in place to prevent apps from sharing information and whether it has any way of knowing when it’s shared more broadly than intended.
Facebook says a researcher, Cambridge University’s Aleksandr Kogan, gained access to the data of 270,000 Facebook users in 2013 through a personality quiz app that required Facebook users to grant access to their personal information including friends and “likes.”
According to Facebook, he then gave that information to Cambridge Analytica, the firm that claimed it helped President Trump win the 2016 election. The Trump campaign says it did not use data from Cambridge Analytica.
Facebook says the transmission of data to Cambridge Analytics was a violation of its rules and, on Friday, it suspended the firm. On Monday Facebook announced that Cambridge Analytica had agreed to an independent audit by a digital forensics firm. But the auditors were turned away by the UK Information Commissioner’s Office, which is pursuing its own investigation.
Before apps gain access to Facebook users, the Silicon Valley company says it conducts “a robust review” to determine if apps have a legitimate need for users’ data. It also noted it has restricted how much personal information outsiders can obtain since the Cambridge Analytica incident.
“We actually reject a significant number of apps through this process. Kogan’s app would not be permitted access to detailed friends’ data today,” Facebook said.
It’s unclear if that statement will assuage worried users. It certainly hasn’t lowered the political heat in the U.S. and Europe, where calls are intensifying for new regulations.
And on Monday the markets reacted. Facebook had one of its worst trading days since 2012. The nearly 7% plunge in Facebook shares led a sell-off in tech stocks.
More: Facebook data of 50M users exploited by Trump data firm, say reports; firm suspended
More: Facebook backlash: Failure to disclose political firm’s profile access draws scrutiny
More: Facebook apps may see more of your personal info than you want. Here’s how to turn them off
Cambridge Analytica “is another indication of systemic problems at Facebook,” Pivotal Research analyst Brian Wieser wrote in a research note Sunday night.
Those systemic problems have dramatically worsened since the presidential election, with Facebook coming under intense fire on multiple fronts: Russian operatives using Facebook to manipulate voter sentiment during the presidential election, Facebook accounts spreading “fake” news, the potential for its advertising system to be used for racist targeting and its slow response to violent or harmful content on the platform.
Wieser says he does not believe the latest public relations nightmare will dent Facebook’s advertising business because advertisers are unlikely to suddenly pull back on spending.
And that’s the problem, says Jeffrey Chester, executive director of the Center for Digital Democracy.
“The Cambridge Analytica scandal gives us a glimpse of how Facebook makes billions of dollars off of our personal information without ever dealing with the consequences,” said Chester, a longtime privacy critic of Facebook.
More: Facebook and Cambridge Analytica: What we know so far
More: Facebook plans audit into data misuse allegations as shares dive 7%, worst in four years
More: Will new Facebook scandal force tech CEOs to testify on Russia’s ‘information warfare’?
Tapping the personal information people freely share on the social network to target advertising is the special sauce that has turned Facebook’s business into one of the world’s most powerful and lucrative. But it’s also Facebook’s greatest weakness, making it vulnerable to criticism from privacy activists, regulators and lawmakers.
Over the weekend, U.S. and British lawmakers and privacy activists slammed Facebook, with some demanding that Facebook chief executive Mark Zuckerberg personally appear at legislative hearings.
Siva Vaidhyanathan, professor of media studies at the University of Virginia and author of the upcoming book on Facebook Antisocial Media, says Facebook’s policies betrayed users.
“This was not a data breach. This was Facebook being Facebook,” said Vaidhyanathan, who is calling on the FTC to open a new investigation into how people’s Facebook information flows to third-party applications.
In 2007, Facebook gave third parties who created an app on the Facebook platform access to the personal information of Facebook users including friend lists, interests and “likes.” The move coaxed more people to join Facebook and spend more time there, fueling the rapid rise of the social network from 58 million users to more than 2 billion.
Hundreds of app developers requested, and in some cases required, access to information in Facebook users’ profiles, tapping into mountains of information about Facebook users and their friends, including hometowns, education, careers, birthdays, photos, relationship statuses and religious and political leanings.
From the Obama reelection campaign in 2012 to the success of Farmville and Words with Friends, Facebook’s lax policy has allowed many outsiders vacuum up data on Facebook users and their friends, Vaidhyanathan said.
In 2015, with criticism growing, Facebook restricted third-party access to information about friends.
Marc Rotenberg, president of the Electronic Privacy Information Center, says the Cambridge Analytica incident is a textbook violation of the settlement Facebook reached with the FTC in 2011 which required that Facebook users give permission before their data was shared beyond the privacy limits they set on Facebook.
“EPIC and many consumer privacy organizations worked hard to get that order in place. It prohibited precisely what happened. But the FTC failed to enforce the order and we now live with the consequences,” Rotenberg said.
The consequences can be chilling. Some third parties have been able — with the help of voter registration files, shopping histories, real estate records and other documents — to identify exactly who users are and pitch them with pinpoint accuracy on everything from a new car to a presidential candidate.
Facebook says it discovered that Cambridge Analytica accessed the data of 270,000 Facebook users in 2015 and received assurances that the firm had deleted the data. On Friday Facebook acknowledged that Cambridge Analytica may have held onto it, prompting Facebook to start an investigation and suspend the firm.
The average Facebook users has nearly 200 friends so if Cambridge Analytica accessed the friends of 270,000 users, the data of more than 50 million people could have been obtained.
That news, which broke over the weekend, didn’t seem to rattle Facebook users, who have shrugged each time the Silicon Valley company has played fast and loose with their privacy.
“That really doesn’t concern me,” McKenzie Guymon, a 29-year-old blogger from Utah, said of the Cambridge Analytica leak. “I didn’t let Facebook make up my mind in the election. In fact, I stayed off of Facebook because of the amount of nastiness that was going on with people who were fighting about the election.”
Even John McGrath, who says he rushed to delete his Facebook account when he heard the news, didn’t end up pulling the trigger. He says a four-year-old photograph of his daughter playing the piano stopped him in his tracks.
“It feels like the Gambinos have hijacked my family album,” McGrath, a 48-year-old software developer and product manager from San Francisco who works for Amazon, wrote in a Facebook post.
So instead he removed all the identifying information he could: where he lives, works, where he went to school, family relationships, contact information and more.