Cambridge Analytica whistleblower reveals new documents showing how Facebook handled the data misuse scandal

Cambridge Analytica whistleblower reveals new documents showing how Facebook handled the data misuse scandal

Cambridge Analytica whistleblower Brittany Kaiser has released new documents today that suggest Facebook accepted only a simple acknowledgment on email from the firm that it had deleted data associated with 87 million Facebook users’ profiles.

The data was improperly obtained in 2014 by researchers with access to Facebook’s developer platform who were being paid by Cambridge Analytica to obtain and process social media users’ information for the purpose of targeting political ads.

In December 2015 a Guardian article about Cambridge academic Dr Aleksandr Spectre (Kogan) outlined how he had acquired the Facebook profiles for research, and that Cambridge Analytica had improperly acquired that data.

In subsequent Washington Senate hearings into the scandal, Mark Zuckerburg apologized for having failed to check that Cambridge Analytica had deleted the information.

At the time he said: “When we heard back from Cambridge Analytica that they had told us that they weren’t using the data and deleted it, we considered it a closed case. In retrospect, that was clearly a mistake. We shouldn’t have taken their word for it. We’ve updated our policy to make sure we don’t make that mistake again.”

Instead, Facebook let the political consultancy self-certify that it had destroyed the records, which it said had been acquired in violation of the social network’s rules.

Furthermore, for example, in a submission to the UK Parliament, Facebook CTO Mike Schroepfer said: “In late 2015, when we learned Kogan had shared the data, we immediately banned TIYDL [the personality quiz app used to harvest data] from our platform and demanded that he delete all data he obtained from that app. We also demanded deletion from everyone that Kogan identified as having been passed some data, including Cambridge Analytica, and certification from all parties that the deletion had been completed.”

The information Kaiser releases today appears to show a difference between Schroepfer’s account and what the emails actually say – with Facebook only asking the company to “provide us with confirmation” [of the deletion], and no mention of a specific process of certification, as Schroepfer later told the UK parliament.

Today Kaiser revealed exclusively to TechCrunch on stage at the WorldWebForum conference in Zurich that the only acknowledgment from Facebook had come in a simple email exchange with Cambridge Analytica executives.

This ’email exchange’ – which TechCrunch has not been able to independently verify at this point – as never previously been published. Kaiser released to TechCrunch what she claims is a copy of the exchange. We have reached out to Facebook for comment.

According to the document passed to us, writing on Dec 17, 2015, Alex Tayler, Chief Data Officer for Cambridge Analytica, allegedly wrote to Facebook executive Allison Hendrix saying:

“I wanted to confirm that following your inquiry, that Facebook is satisfied that CA has not breached it’s terms of service or stolen data on non-consenting individuals. If you are satisfied this matter is resolved, would it please be possible for us to have a statement from Facebook to disseminate through our PR agency? We are still finding some articles repeating the initial false allegations made by the Guardian, and would like to be able to firmly refute them in order to prevent any further reputational damage to our company. Alternatively, if Facebook would like to issue a joint press release, we would welcome the opportunity to do so.”

A day later on 18 December 2015, Hendrix replied:

“Thank you again for taking the time to speak with me last week and providing additional information into Dr. Kogan’s development of the GSR app which was funded by Cambridge Analytica (via SCL Elections). As discussed, we don’t allow any information obtained from Facebook to be purchased or sold, and we have strict friend data policies that prohibit using friend data for any purpose other than improving a person’s experience in your app. From our conversations, it is clear that these policies have been violated.

“You have told us that you received personality score data from Dr. Kogan that was derived from Facebook data, and that those scores were assigned to individuals included in lists that you maintained. Because that data was improperly derived from data obtained from the Facebook Platform, and then transferred to Cambridge Analytica in violation of our terms, we need you to take any and all steps necessary to completely and thoroughly delete that information as well as any data derived from such data, and to provide us with confirmation of the same.

“We need additional information to complete our review. As an initial matter, did you transfer any data you received from Dr. Kogan to any person or entity other than Ted Cruz’s team? Have you made any other use of the data from Dr. Kogan? If there is any additional information of which you think we should be aware, we thank you in advance for providing us with that information and for your help resolving these issues.

“Please respond at your earliest opportunity confirming when you can complete the above request to delete all data (and any derivative data), and providing the additional information I’ve requested above. As mentioned above, our review is not complete; accordingly, we may have additional questions, requests, or requirements going forward, and this email should not be construed as a waiver of any of Facebook’s rights.”

On December 19, 2015, Tayler replied:

“Dear Allison, There are several incorrect statements in your email. First and foremost, Cambridge Analytica has not transferred the data we received from Dr Kogan to Cruz for President, nor to any other party. The only data we share with our clients are lists of contact information, perhaps with a few tags attached, for target audiences we identify for them (e.g. likely donors, persuadable voters), and models that we have produced under their direction. Secondly, Cambridge Analytica did not fund the development of Dr. Kogan’s app. We did not pay GSR for their time or technology, but rather paid the third party (e.g. survey vendor) costs for the surveys they ran. Please note that GSR was
contractually obliged to us to carry out this research with the consent of the survey respondents and in line with the terms of service of their vendors.

“Having made that clear, the model we received from Dr Kogan wasn’t very accurate (in validation experiments we ran, we found his predictions only slightly better than random). For our goal of extrapolating personality scores across our whole database, his model was simply not accurate enough to use as a training set, or to apply it commercially in any other way.

“Nevertheless, we still considered the project a success in that it provided us with a proof of concept for the personality research we have since undertaken internally (which is in no way connected with Facebook). It is these data that we have collected independently of GSR about which we have built our current business offering. For this reason, and in the spirit of the good-faith relationship we would like to maintain with Facebook, we will comply with your request to delete all data we received from Dr Kogan.

“Please let me know what else you require from us as soon as possible. It is a matter of urgency that we make it clear that Cambridge Analytica has not done anything wrong.”

There was then a time-lag probably due to the break for the holidays. On 5 January 2016, Hendrix replied:

“Thank you for your timely and detailed response, and for agreeing to delete any and all data that was derived from the Facebook Platform. Can you let me know how you were storing the data and what you did to delete it?”

On January 6, 2016, Tayler replied, copying in CA CEO Alexander Nix, saying: “To be clear, we have not yet deleted the data we received from Dr Kogan, but will be happy to do so once Facebook confirms that this will resolve the matter. We are currently storing the data as csv files in an encrypted directory on our file server. When we delete the data we will simply rm -rf the directory.”

Six days later on 12 January, Hendrix: “As a reminder, you received the data inappropriately and are obligated to delete it. You’ve indicated that you would like to maintain a positive relationship with us. Having one will require deletion of the data. In addition to deleting the data from the directory, can you check to see whether your server has any backups which also contain the data? While we don’t anticipate further issues at this time, we reserve our rights and can make no guarantees.”

On Jan 18, 2016 Tayler replied:

“I can confirm that we have now deleted from our file-server the data we received from Dr Kogan in good faith that this resolves our obligation to Facebook. I also confirm that I have checked that the server contains no backups of that data. Our having deleted the data and cooperated in this matter should not be construed as an admission of any kind of wrongdoing on our part.”

On January 18, 2016, Hendrix replied: “Thank you, Alex. I will let you know if we have any follow up questions, and please don’t hesitate to reach out if you or your team have any questions on your end. Thanks again. – Ali”

This entire exchange was then forwarded by executives form the N6A PR agency to Cambridge Analytica executives and was, in turn, was obtained by Kaiser on 23 January 2016.