What is clear is that the services Cambridge Analytica offered are increasingly coveted by modern political campaigns. Yet Facebook users had few indications of how their personal data was collected, refashioned and deployed on behalf of candidates.
A Cambridge University professor working for Cambridge Analytica in 2014 created an app, called Thisisyourdigitallife, that offered personality predictions and billed itself on Facebook as “a research app used by psychologists.”
The professor, a Russian American named Aleksandr Kogan, used the app to gain access to demographic information — including the names of users, their “likes,” friend lists, and other data. Once obtained by Cambridge Analytica, political campaigns could use those profiles to target users with highly tailored messages, ads or fundraising requests.
Facebook said 270,000 people downloaded the app. But people familiar with how such systems work — including a former Cambridge Analytica employee — said the app would have given Cambridge access to information on the friends of each of those people, a number that almost certainly reached into the tens of millions.
The Observer of London and the New York Times reported Saturday that Cambridge Analytica had gained access to information on 50 million Facebook users, citing internal documents and interviews with former employees and associates.
Facebook declined to confirm or deny this number. It issued a statement noting its past actions to limit access to this kind of personal information, which, until changes were made in 2014 and 2015, was routinely available about any users who did not explicitly act to prevent the release of what “like” buttons they had hit.
“In 2014, after hearing feedback from the Facebook community, we made an update to ensure that each person decides what information they want to share about themselves, including their friend list,” the statement said.
Facebook on Friday banned Kogan, the parent company of Cambridge Analytica and a former Cambridge employee for improperly sharing the data and failing to destroy it after concerns arose about it in 2015. Facebook had asked the parties back then to certify they would not abuse data, but it did not take further action beyond that warning.
Despite Facebook’s concerns in 2015, the social network continued to work with Cambridge Analytica. During the presidential election, Facebook employees assisting Donald Trump’s digital operation worked in the same office as Cambridge Analytica workers, according to a video by the BBC. One former Cambridge employee, Joseph Chancellor, continues to work at Facebook as a user- experience researcher, according to Facebook’s public website.
Some critics said Facebook’s actions on Friday were an insufficient response to a far-reaching data grab that had informed the decision-making of multiple political operations. Trump’s campaign paid Cambridge Analytica at least $6 million for data analysis in the final five months of a close election.
“This is more evidence that the online political advertising market is essentially the Wild West,” said Sen. Mark R. Warner (Va.), the top Democrat on the Senate Intelligence Committee, in a statement. “Whether it’s allowing Russians to purchase political ads, or extensive microtargeting based on ill-gotten user data, it’s clear that, left unregulated, this market will continue to be prone to deception and lacking in transparency.”
Cambridge Analytica — which was funded by Trump supporter and hedge fund executive Robert Mercer, and once had on its board the president’s former senior adviser Stephen K. Bannon — has denied wrongdoing. The company has said its “psychometric profiles” could predict the personality and political leanings of most U.S. voters.
“We worked with Facebook over this period to ensure that they were satisfied that we had not knowingly breached any of Facebook’s terms of service and also provided a signed statement to confirm that all Facebook data and their derivatives had been deleted,” Cambridge Analytica said in a statement Saturday.
The company’s actions in the United States and abroad have generated scrutiny from government investigators in Britain and the United States, who have been looking at Russian interference in elections.
In December, the Wall Street Journal reported that special counsel Robert S. Mueller III had requested documents from Cambridge Analytica, including copies of emails of any company employees who worked on the Trump campaign. On Saturday, a day after Facebook banned Cambridge Analytica, Massachusetts Attorney General Maura Healey (D) said she was opening up a probe into Facebook in response to news reports about Cambridge Analytica.
Elizabeth Denham, Britain’s information commissioner, also said Saturday that she was investigating whether Facebook data “may have been illegally acquired and used.”
The investigation is part of a broader probe, launched last year, into how political parties are using data analytics to target voters. “It is important that the public are fully aware of how information is used and shared in modern political campaigns and the potential impact on their privacy,” Denham said in a statement.
Cambridge Analytica has faced ongoing allegations in Britain that it was involved in the 2016 E.U. referendum, or Brexit vote. The head of Cambridge Analytica, Alexander Nix, recently appeared before a British parliamentary committee that is investigating fake news and denied claims that his company worked for Leave.E.U., a pro-Brexit group.
While Nix was giving evidence, the co-founder of Leave.E.U., Arron Banks, tweeted “Nix & Cambridge Analytica are compulsive liars.”
Despite years of reports of developers abusing data, Facebook’s processes for dealing with developers who broke the company’s rules were lax, said two former Facebook employees whose job it was to review data use by third parties. The company does not audit developers who siphon data, the people said. If a developer was found to have broken the rules — usually because of a story in the news — the company would give them a warning or kick them off the platform, but it did not take steps to ensure that data taken inappropriately had been deleted, they said.
Sandy Parakilas, a former privacy manager at Facebook, said that during his tenure at Facebook, the company did not conduct a single audit of developers.
Facebook “relied on the word of Kogan and Cambridge Analytica to delete the data, rather than conducting an audit, which they had a right to do in the case of Kogan. They did not investigate further even after it became clear that CA had bragged about having 5,000 data points on every American, data which likely came from Facebook. They only banned Kogan and CA yesterday to get in front of the press cycle,” Parakilas said. “During my 16 months at the company, I don’t recall Facebook ever using its audit rights on a developer.”
Technology researchers also criticized Facebook and Cambridge over the weekend.
“Cambridge Analytica overstates their capabilities because they play in the shadows. They willingly cheat and ignore privacy rules and data ethics in order to win,” said social media analyst Jonathan Albright, research director of the Tow Center for Digital Journalism at Columbia University.
Analysts raised legal questions about Facebook’s actions on Saturday, including if it ran afoul of its 2011 consent decree with the Federal Trade Commission. That decree specified that Facebook must give consumers clear and prominent notice and obtain their express consent before their information is shared beyond the privacy settings they have established.
The question of whether Cambridge used the data from the 270,000 people to mine information about their friends could constitute a breach of its agreement, said Siva Vaidhyanathan, a professor of media studies at the University of Virginia.
In a statement, Facebook said, “We reject any suggestion of violation of the consent decree. We respected the privacy settings that people had in place. Privacy and data protections are fundamental to every decision we make.”
After launching its services for congressional candidates in the 2014 cycle, Cambridge Analytica made a dramatic public entry into U.S. presidential politics in 2015, working on what was touted at the time as a groundbreaking voter outreach effort on behalf of Sen. Ted Cruz (R-Tex.). At first, Cruz campaign officials credited Cambridge’s “psychographic targeting” techniques — including its use of Facebook data — with elevating Cruz to the top tier of presidential hopefuls. But later, some officials expressed disappointment in some of Cambridge’s work.
The company initially surveyed more than 150,000 households across the country and scored respondents using five basic traits: openness, conscientiousness, extroversion, agreeableness and neuroticism. Cruz campaign officials said the company developed its correlations in part by using data from Facebook that included subscribers’ likes. That data helped make the Cambridge data particularly powerful, campaign officials said at the time.
Cambridge’s work for the Cruz campaign ultimately proved uneven, according to campaign officials, who said that while the firm’s data scientists were impressive, the psychographic analysis did not bear fruit as hoped.
Cambridge Analytica then moved on to serve as the Trump campaign’s data-science provider. While company officials said they did not have sufficient time to employ psychographics in that campaign, they did data modeling and polling that showed Trump’s strength in the industrial Midwest, shaping a homestretch strategy that led to his upset wins in Michigan, Wisconsin and Pennsylvania.
SCL, Cambridge’s parent company, has said it has worked in 100 countries, including serving military clients with techniques in “soft power,” or persuasion. Nix described it as a modern-day upgrade of early efforts to win over a foreign population by dropping propaganda leaflets from the air.
Among its clients: NATO’s Strategic Communications Center of Excellence, which hired SCL to conduct a two-month training session in 2015 at its Riga, Latvia, facility for NATO personnel, followed by additional sessions in Ukraine, Moldova and Georgia, officials said. The nearly $1 million contract was financed by Canada, as part of its support to help NATO allies counter Russia’s influence in the region.
SCL’s main offering, first developed by its affiliated London think tank in 1989, involves gathering vast quantities of data about an audience’s values, attitudes and beliefs, identifying groups of “persuadables,” and then targeting them with tailored messages. SCL began testing the technique on health and development campaigns in Britain in the early 1990s, then branched out into international political consulting and later defense contracting.
In a 2015 article for a NATO publication, Steve Tatham, a British military psychological operations expert who leads SCL’s defense business outside of the United States, explained that one of the benefits of using the company’s techniques is that it “can be undertaken covertly.”
“Audience groups are not necessarily aware that they are the research subjects and government’s role and/or third parties can be invisible,” he wrote.
Tony Romm, Matea Gold and Karla Adam contributed to this report. Adam reported from London.