SAN FRANCISCO — Facebook last week suspended the Trump campaign’s data consultant, Cambridge Analytica, for scraping the data of potentially millions of users without their consent. But thousands of other developers, including the makers of games such as FarmVille and the dating app Tinder, as well as political consultants from President Barack Obama’s 2012 presidential campaign, also siphoned huge amounts of data about users and their friends, developing deep understandings of people’s relationships and preferences.
Cambridge Analytica — unlike other firms that access Facebook’s user data — broke Facebook’s rules by obtaining the data under the pretense of academic use. But experts familiar with Facebook’s systems and policies say that the greater problem was that the rules for accessing the social network’s information trove were so loose in the first place.
Facebook chief executive Mark Zuckerberg in 2007 invited outside developers to build their businesses off Facebook’s data, giving them ready access to the friend lists, “likes” and affinities that connect millions of Facebook users. Practically any engineer who could persuade a Facebook user to download an app or to sign into a website using Facebook’s popular “log-in through Facebook” feature would have been able to access not only the profile, behavior and location of that Facebook user but also that of all the user’s Facebook friends, developers said.
Such information can be extremely valuable to marketers and political campaigns for tailoring messages, ads and fundraising pitches. As long as the developers didn’t misrepresent themselves, Facebook allowed the data to be stored on developers’ databases in perpetuity.
Facebook changed its policy in 2015 after concerns about misuse of data by third parties and a shift in strategy tied to its relationships with developers.
The question of what Facebook permitted — and how everyday users understood those permissions — is under a new spotlight in the wake of the Cambridge revelations. In that case, the 270,000 people who downloaded an app authorized an academic working with Cambridge Analytica to collect their data. But Cambridge Analytica was able to vacuum up data from millions more people, analysts estimate, without their permission through the friends lists of the initial group.
On Monday, Facebook said it will audit Cambridge Analytica to determine whether the company had deleted the data it took inappropriately.
Cambridge Analytica did not respond to requests for comment Monday. Over the weekend, the firm said it “fully complies with Facebook’s terms of service.”
Congressional calls for Facebook officials to testify on Capitol Hill grew louder and more bipartisan Monday as lawmakers demanded that the tech giant explain how Cambridge Analytica obtained its data. The increasingly sharp and personal tenor of the requests, many of which sought an appearance by Zuckerberg, raised the odds of a fresh round of potentially contentious hearings — after Facebook defended itself in fall hearings about Russian manipulation of its site connected to the 2016 election.
“While Facebook has pledged to enforce its policies to protect people’s information, questions remain as to whether those policies are sufficient and whether Congress should take action to protect people’s private information,” Sens. Amy Klobuchar (D-Minn.) and John Neely Kennedy (R-La.) wrote in a joint letter to Sen. Charles E. Grassley (R-Iowa), chairman of the Senate Judiciary Committee.
A spokesman for Grassley said the senator had not decided whether to hold a hearing.
Facebook’s shares closed down 6.8 percent on Monday, at their lowest price in several weeks.
Cambridge Analytica obtained the data through a psychological testing app, called Thisisyourdigitallife, that offered personality predictions and billed itself on Facebook as “a research app used by psychologists.” Facebook said 270,000 people downloaded the app. That allowed the collection of data on 50 million “friends,” the New York Times and the Observer of London have reported.
“Facebook made it easy for app developers to collect users’ friends’ data,” said Nick Soman, an entrepreneur who collected the locations of Facebook users’ friends to enhance his social app LikeBright, which no longer exists.
Facebook did not conduct an audit of Cambridge Analytica in 2015 when the violations were first discovered, according to Facebook. Instead, it asked Cambridge, the psychologists and an affiliate company to promise it would delete the ill-gotten information.
“The model was to build and grow and figure out monetization,” said Sandy Parakilas, a former Facebook operations manager who oversaw developers’ privacy practices until 2012. “Protecting users did not fit into that.” Parakilas, as well as a contractor who worked on these issues at Facebook until 2016, said that Facebook did not conduct a single audit of developers during their tenures.
The Federal Trade Commission and European regulators had reviewed and were familiar with the company’s data policies at the time, Facebook said Monday. The company says that any user who downloaded an app or used the sign-on feature had to agree to a permissions screen that said, “This app will receive the following info: your public profile, friend list, birthday, groups, current city, photos, and personal description and your friends’s birthdays, photos, and likes.”
But two former FTC officials said that Facebook’s allowing the psychologist to take so much data about a person’s friends could constitute a violation of a 2011 consent decree with the agency.
Under that agreement, Facebook is required to notify and get explicit permissions from users before data about them is shared beyond the privacy settings that they have established. The fines for breaking the consent decree are $40,000 per violation, which could add up to billions of dollars if the estimated 50 million users whose data was taken by Cambridge were taken into account. The FTC declined to comment.
Facebook has denied violating the consent decree. “We reject any suggestion of violation of the consent decree,” Facebook said in a statement to The Washington Post late Saturday. “We respected the privacy settings that people had in place. Privacy and data protections are fundamental to every decision we make.”
David Vladeck, a former director of the FTC’s Bureau of Consumer Protection, said that because the practice of collecting friend data went well beyond Cambridge, “that in itself may be a serious problem, especially given the language of the consent decrees, which differentiates between users and others.”
Sen. Richard Blumenthal (D-Conn.) urged the FTC on Monday to investigate Facebook. “FTC should immediately investigate and sanction apparent breach by Facebook of its 2011 agreement guaranteeing protection of consumer info — now a hollow promise,” Blumenthal wrote on Twitter.
Facebook once appeared to acknowledge that some data collection by developers ran counter to the expectations of Facebook users. In a 2014 news release announcing new restrictions to its developer policies, a Facebook executive wrote, “We’ve heard from people that they are often surprised when a friend shares their information with an app.” That admission may indicate that people had not been given adequate understanding of how their data and their friends’ data were used by third parties.
Facebook “goes into this endless hairsplitting that people should have known,” said Marc Rotenberg, president and executive director of the Electronic Privacy Information Center, a nonprofit advocacy group that has brought privacy cases before the FTC. “No one could have known that their friends were disclosing their personal data on their behalf. It’s entirely illogical, and it breaks the consent law.”
Facebook has the ability to ban, sue, warn or audit developers of apps who break their policies. The social network has occasionally cracked down: In 2014, Facebook blocked two advertising partners, HasOffers and Kontagent, for violating policies on retaining customer data and failing to notify partner companies about their data collection practices.
In 2011, Carol Davidsen, director of data integration and media analytics for Obama for America, built a database of every American voter using the same Facebook developer tool used by Cambridge, known as the social graph API. Any time people used Facebook’s log-in button to sign on to the campaign’s website, the Obama data scientists were able to access their profile as well as their friends’ information. That allowed them to chart the closeness of people’s relationships and make estimates about which people would be most likely to influence other people in their network to vote.
“We ingested the entire U.S. social graph,” Davidsen said in an interview. “We would ask permission to basically scrape your profile, and also scrape your friends, basically anything that was available to scrape. We scraped it all.”
FarmVille’s developer, Zynga, and Tinder did not immediately respond to requests for comment.