Document reveals how Facebook downplayed early Cambridge Analytica concerns
Internal Facebook correspondence from September 2015, released as part of a US government lawsuit on Friday, reveals new details about Facebook’s early knowledge of potentially improper data collection by Cambridge Analytica.
The existence of the internal discussion was first reported by the Guardian in March 2019. That report marked Facebook’s first acknowledgement that some of its employees were aware of concerns about improper data practices by Cambridge Analytica four months before the Guardian’s 11 December 2015 article exposed them.
Facebook’s lack of candor about this earlier knowledge to both investors and the press was one of the subjects of a Securities and Exchange Commission (SEC) complaint that Facebook settled by paying a $100m fine in July. Facebook did not admit or deny the SEC’s allegations as part of its settlement.
But the correspondence – which the Washington DC attorney general’s office fought for months to unseal as part of its lawsuit – provides new insight into how Facebook staff reacted, or did not react, to concerns about the use of user data by political campaign consultants.
A request to clarify Facebook’s policies for how political campaigns could legitimately use Facebook data appears to have languished with little attention or “resources”, until after the Guardian reported in 2015 on Cambridge Analytica’s use of Facebook data to create “psychographic profiles” of voters for Ted Cruz’s campaign. At that point, the topic was flagged as “hi pri” [high priority].
The Observer’s March 2018 report on Cambridge Analytica’s continued use of the data and links to Donald Trump’s campaign erupted into an international scandal, inspiring global outrage over the company’s failure to protect users’ personal data and wiping $134bn off Facebook’s market value as its stock price plunged.
The correspondence was initiated on 22 September 2015, when a Facebook staff member requested clarification on Facebook’s policies for political consultancies that were scraping data to match Facebook profiles to the lists of voters that campaigns use, known as voter files. (The names of Facebook employees are redacted.)
“We suspect many of these companies are doing similar types of scraping, the largest and most aggressive on the conservative side being Cambridge Analytica … a sketchy (to say the least) data modeling company that has penetrated our market deeply.”
The employee requested clarity on Facebook’s policies and an investigation into “what Cambridge specifically is actually doing”, as well as further information about the activities of another political consultancy, NationBuilder.
No one appears to have responded for a week, and on 29 September another message was sent reiterating that political clients were submitting “pointed questions … around what is in bounds versus what is out of bounds”. “Many companies seem to be in on the edge – possibly over,” the staffer wrote.
This second message prompted a handful of responses with differing opinions on the legitimacy of the data practices. One respondent said the request was being passed to “DevOps for initial review”. Another respondent said that their “hunch” is that the data-scraping was “likely non-compliant” with a number of Facebook’s Platform Policies, but noted that it was difficult to decide without more information about how Cambridge Analytica was tapping into Facebook’s system.
One staffer appeared intent on tamping down on expectations that Facebook would expend “resources” to proactively investigate the apps that were extracting data from its users, however.
“To set expectations, we can’t certify/approve apps for compliance, and it’s very likely these companies are not in violation of any of our terms,” the employee wrote. “If we had more resources, we could discuss a call with the companies to get a better understanding, but we should only explore that path if we do see red flags.”
Facebook had a headcount of 11,996 employees and $15.8bn in cash or cash equivalents as of 30 September 2015, according to financial filings.
Discussion on the thread lagged after that message and focused on other political consultancies until 11 December 2015, when the Guardian published its exposé.
“Can you expedite the review of Cambridge Analytica or let us know what the next steps are?” an employee wrote on the thread that morning. “Unfortunately, this firm is now a PR issue as this story is on the front page of the Guardian website.”
Another staffer added: “Hi everyone – this is hi[gh] pri[ority] at this point. This story just ran in the Guardian and is now prompting other media requests. We need to sort this out ASAP.”
Over the course of the rest of the day, discussion focused on understanding the relationship between GSR, a company formed by Aleksandr Kogan, a former Cambridge University academic, which extracted the data of tens of millions of Facebook users, and Cambridge Analytica, which obtained the data from Kogan and GSR for use in political campaigning.
The discussion also revealed a number of additional links between Facebook employees and the academics responsible for the research underpinning Cambridge Analytica’s psychometric targeting.
One said that they were “good friends” with Michal Kosinski, an erstwhile colleague of Kogan’s at Cambridge. Kosinski had helped pioneer the use of Facebook data to predict personality traits.
“Alex Kogan was my postdoc supervisor at Cambridge, although I left before he founded GSR,” a second employee wrote. “I have a cursory understanding on the basic principles behind GSR’s products and data collection methods, if that helps. Feel free to ask me anything.”
(Another of Kogan’s Cambridge postdoc students, Joseph Chancellor, had been hired by Facebook in November 2015, but he does not appear to be referenced in the thread. Chancellor co-founded GSR with Kogan and, according to Kogan, was an equal partner in the enterprise.)
A third person pointed out a direct relationship between Facebook and Kogan, writing: “It sounds like Facebook has worked with this ‘Aleksandr Kogan’ on research with the Protect & Care team.” The Guardian reported on Kogan’s research collaborations with Facebook in 2018.
Facebook late last week released a string of emails that discuss the social media giant’s internal conversation over the possibility that some Facebook contractors were violating the company’s terms of service when extracting data from profiles.
The documents were released due to agreement between Facebook and the District of Columbia attorney general’s office. Facebook originally refused the attorney general’s request for the documents to be released as they were part of court filings in connection with the attorney general’s lawsuit against Facebook over the Cambridge Analytica breach. However, last week the two sides came to terms and Facebook agreed to release redacted versions. The information contained in these emails had already been included in court documents filed previously.
A spokesperson for DC Attorney General Karl Racine told The Hill the office wanted the docs released “because we believe the American people have a right to know what and when Facebook knew about its data security weaknesses.”
“We believe this document has the potential to confuse two different events surrounding our knowledge of Cambridge Analytica. One involved unconfirmed reports of scraping — accessing or collecting public data from our products using automated means — and the other involved policy violations by Aleksandr Kogan, an app developer who sold user data to Cambridge Analytica. This document proves the issues are separate; conflating them has the potential to mislead people,” Facebook wrote.
Cambridge Analytica is mentioned in the email string, but at first is not the primary focus of the conversation. Facebook said in a blog post that releasing the documents could cause further confusion between what happened when researcher Aleksandr Kogan sold data on millions of Americans to Cambridge Analytica for use in the 2016 presidential election and the data scraping incidents.
The emails were sent between September 22, 2015 and May 9, 2106 center on whether or not companies that were scraping publicly facing data found on Facebook profile pages were doing so in violation of Facebook’s policies. However, Cambridge Analytica enters the conversation in December 2015 when the Guardian broke the story about that firm
Several of those involved in the email chain did believe the data scraping companies had exceeded what was allowed. In one case the email noted a project by the company Nation Builder that looked at a Facebook page run by ForAmerica and create a database using the page’s 7.6 million likes to identify people who like ForAmerica posts. This data would them be layered over additional data points like methods of contact and interests and once a certain critical mass is obtained that data would be compared to a separate database of names, phone numbers, emails of 82 million conservatives, Christians and their friends.
A Facebook employee said, “There are likely a few data policy violations here. They can’t collect information from public posts and share the information with any type of data company.”
In July the U.S. Federal Trade Commission penalized Facebook $5 billion as punishment for what it described as deceptive privacy practices, and imposed new restrictions on the social media giant. Facebook likewise announced that it has agreed to the terms of the deal. At the same time the Department of Justice officially filed a legal complaint against Facebook, accusing the company of misrepresenting to consumers the extent to which they could control the privacy of their data and to which Facebook made their data available to third parties.