End-user openness and transparency between friends are what made Facebook so popular in the first place. It is this globally networked popularity that has energized the commercialization of Facebook and transformed it into the global, targeted advertising platform that we know and love today, second only to Google Ads in the ever-expanding world of advertising revenue.

But what led people to share so much with their friends was Facebook’s promise of user-controlled privacy, and it is this apparently broken promise that could damage the platform in ways that are still yet to become apparent. Here is what we know so far of the Cambridge Analytica scandal and its consequences.

A Scandalous Timeline

The scandal begins with a Friday, March 16 Facebook Newsroom post by VP Paul Grewal announcing the suspension from Facebook of Cambridge Analytica (CA), its parent company Strategic Communication Laboratories (SCL), and a then-obscure Cambridge University academic by the name of Dr. Aleksandr Kogan. They were all banned from using Facebook services due to Kogan having shared Facebook user data with SCL/CA in an apparent breach of trust with Facebook’s developer guidelines. This public revelation was in response to queries from the Guardian, the New York Times and Channel 4, who were all obviously very eager to follow up with some rather salacious and explosively exaggerated details, which of course they proceeded to do.

“They want to fight a culture war in America…. Cambridge Analytica was supposed to be the arsenal of weapons to fight that culture war” Christopher Wylie

The New York Times led the following day, Saturday, March 17 with the headline ‘How Trump Consultants Exploited the Facebook Data of Millions’. This report detailed, via CA whistleblower Christopher Wylie, how his company collaborated with billionaire Trump supporter Robert Mercer and campaign manager Steve Bannon to exploit the Facebook data of 50 million users to produce a psychometric tool that “could identify the personalities of American voters and influence their behavior”.

That same day, Channel 4 in the UK helped blow the scandal wide open by interviewing former CA employee Christopher Wylie in its online video documentary titled “Whistleblower reveals to Channel 4 News data grab of 50 million Facebook profiles by Cambridge Analytica – data firm linked to Trump win”.

The Guardian followed up on Sunday, March 18 with an even more lurid story pitched as a massive Facebook data breach by Cambridge Analytica that was used to build “Steve Bannon’s psychological warfare tool” and help throw the 2016 US presidential election in Donald Trump’s favor.

Finally, Channel 4 threw explosive video fuel on the bonfire on Tuesday, March 20 with the now infamous hidden camera footage showing soon-to-be-fired Cambridge Analytica CEO Alexander Nix bragging in reference to the Trump campaign that “We did all the research, all the data, all the analytics, all the targeting, we ran all the digital campaign, the television campaign and our data informed all the strategy”. Throw in a few prostitutes, bribes and the suggestion of what would seem to be outright fraud, blackmail, and extortion … well, it’s a home run for the journalists!

Mainstream media around the world gleefully piled on the explosive story as the revelations kept coming, including the fact that Steve Bannon was on the board of CA; Kogan’s partner in data mining, Joseph Chancellor, now works for Facebook; Chief information security officer, Alex Stamos, will now be leaving Facebook; Mark Zuckerberg refuses to talk with UK Parliament but faces the US Congress; #DeleteFacebook movement gains momentum and celebrity backers, then promptly fades away … and so on.

The Developer and his Friends

This media circus seems to have more or less quietened down now and moved on to the next news cycle, but let’s dial the clock back a few years to get a better idea of what this scandal was all about.

So, in 2013 Cambridge University academic Aleksandr Kogan formed a non-university affiliated startup tech company called Global Science Research (GSR) with his psychologist colleague Joseph Chancellor. They used the now long discontinued Friends API to develop a Facebook app called ‘thisisyourdigitallife’. It was billed as a personality test by GSR and was used by about 300,000 Facebook users, all of whom opted in to allow the app to connect to their Facebook user profiles. However, the Friends API at the time had a rather open data policy that allowed GSR to legally collect not just their app users’ own data, but their friends’ data as well. The number of Facebook users affected was initially reported at 50 million but then updated to 87 million with the latest revelation from former CA employee Brittany Kaiser that the number may be ‘far higher’.

“The claim that this is a data breach is completely false” Facebook

Contrary to what was subsequently reported in the media, however, this was not a data breach; no one’s data was illegally compromised in a network hack, it was all done perfectly legally using the capabilities of the Friends API and in accordance with Facebook’s 2013 developer guidelines.

Reacting to other more or less unrelated privacy concerns at the time, Facebook announced the shutdown of the Friends API in 2014 with a forced migration of all Facebook apps to Graph API v2.0. The software loophole allowing Facebook apps to mine friends’ data without their permission was closed forever.

The 2013-14 user data was in this way legally acquired by Kogan’s company GSR, apparently in collaboration with SCL, but it was then on-sold to the SCL daughter company, Cambridge Analytica. It is this ambiguous relationship between GSR, SCL and CA that is potentially litigious, as the user data was passed on to CA without any user permission and for commercial purposes in a deal that Facebook will later claim breached their developer guidelines.

It was only in 2015 that Facebook was informed by Guardian journalists that Kogan had shared his data with Cambridge Analytica. In response, Facebook demanded the certified deletion of all the user data downloaded by ‘thisisyourdigitallife’. Apparently, both GSR and CA complied, at least in the technical sense.

Finally, it was the March 2018 queries from the NYT, Channel 4 and the Guardian that suggested CA had retained the data for its own commercial purposes that prompted Facebook to ban Kogan, SCL, and CA, and ignited the whole imbroglio.

So What Data Was Deleted and What Was Retained?

Kogan claims to have used proprietary methods on the Facebook data he collected to develop a psychographic or psychometric tool useful for predicting the personality traits and preferences of a broad cross-section of the US populace. He described his approach as a ‘multi-step co-occurrence method’ which, according to Associate Professor Matthew Hindman of George Washington University, would be similar to ‘singular value decomposition’ (SVD) methods widely used in academic and commercial database research. SVD is used for the ‘dimensionality reduction’ of large datasets that was, again according to Hindman, almost certainly at the core of Kogan’s otherwise secret methodology.

Simply put, what these methods do is transform a large database by representing it in a mathematically simpler form. The bottom line here is that once treated in this way, the original raw dataset can be deleted, as Kogan and CA both claimed to have done in 2015, while retaining the derived data to put to rather efficient and commercial use. Kogan claims his method “works about as well as established voter-targeting methods based on demographics like race, age, and gender,” which could mean that Cambridge Analytica acquired a psychometric tool that can target US voters en masse with personalized political advertisements with potentially up to 85-90% accuracy!
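To make the deletion point concrete, here is an added example (not Kogan's or CA's code; his method is unpublished) that uses a plain truncated SVD, computed by power iteration, as a stand-in. The user-by-page "like" matrix, the two taste groups and all function names are constructed for illustration.

```python
import math

def top_singular(M, iters=100):
    """Power iteration on M^T M: largest singular value with its vectors."""
    rows, cols = range(len(M)), range(len(M[0]))
    v = [1.0] * len(M[0])
    for _ in range(iters):
        u = [sum(M[i][j] * v[j] for j in cols) for i in rows]
        w = [sum(M[i][j] * u[i] for i in rows) for j in cols]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    u = [sum(M[i][j] * v[j] for j in cols) for i in rows]
    sigma = math.sqrt(sum(x * x for x in u))
    return sigma, [x / sigma for x in u], v

def truncated_svd(M, k):
    """Rank-k factors by deflation: remove each component, then find the next."""
    R, factors = [row[:] for row in M], []
    for _ in range(k):
        s, u, v = top_singular(R)
        factors.append((s, u, v))
        R = [[R[i][j] - s * u[i] * v[j] for j in range(len(v))]
             for i in range(len(u))]
    return factors

def rebuild(factors):
    """Recover the 0/1 like matrix from the retained factors alone."""
    n_users, n_pages = len(factors[0][1]), len(factors[0][2])
    return [[int(sum(s * u[i] * v[j] for s, u, v in factors) > 0.5)
             for j in range(n_pages)] for i in range(n_users)]

def predict_next_like(factors, likes):
    """Score a person absent from the raw data; return their top unseen page."""
    pages = range(len(likes))
    score = [sum(sum(likes[j] * v[j] for j in pages) * v[p] for _, _, v in factors)
             for p in pages]
    return max((p for p in pages if not likes[p]), key=lambda p: score[p])

def demo():
    # Constructed sample: 40 + 30 users in two taste groups over 8 pages.
    group_a, group_b = [1, 1, 1, 1, 1, 0, 0, 0], [0, 0, 0, 1, 1, 1, 1, 1]
    raw = [group_a[:] for _ in range(40)] + [group_b[:] for _ in range(30)]
    factors = truncated_svd(raw, k=2)
    truth = [row[:] for row in raw]   # kept only to score the demo
    del raw                           # the "certified deletion" of the raw data
    return rebuild(factors) == truth, predict_next_like(factors, [1, 1, 0, 0, 0, 0, 0, 0])

if __name__ == "__main__":
    print(demo())
```

With the raw rows gone, the two retained factors still reproduce every like in this sample and rank page 2 first for a new person who liked only pages 0 and 1, which is why a deletion audit has to cover derived models as well as source tables.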

The Consequences of Monetizing User Data

While there was no data breach, no illegal activity and the offending friends privacy loophole was closed years ago, Facebook has been dragged into a public relations nightmare centered around the red-hot trans-Atlantic media issues of election interference in both the Trump presidency and Brexit. This media frenzy has fed into the ongoing concerns about online privacy that we all share, and hammered the company’s stock market value while also leading to government investigations in the UK, the US and even Australia.

There is now a renewed and vigorous debate about introducing a tougher international regulatory compliance framework across the EU and US regarding online privacy. Where this politicized debate will eventually take us is not as yet clear but it has the potential to impact the global online advertising industry as a whole.

While Facebook will have to wait on the outcome of these governmental regulatory compliance debates just like the rest of us, the company has been quick to respond to the main issue that could very well damage its brand and business model far worse than future privacy regulations. That is the issue of its users’ trust in the platform as a whole.

“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.” Mark Zuckerberg

To give the company credit, it has hit the ground running in response to the scandal with a full review and update on its data policy, and a prolific output of revisions to developer and app access to that data over the last month. Here’s a probably by now incomplete shortlist of those updates so far:

  1. An audit of all apps that accessed large amounts of data before the 2014 API change.
  2. Audit any app with ‘suspicious activity’.
  3. Ban any developer who doesn’t agree to an audit.
  4. Ban developers who, like Kogan, misused users’ data and inform those users.
  5. Revoke an app’s access to your data if unused for three months.
  6. App sign up info to be limited to username, profile photo, and email address.
  7. Developers will need admin approval and a signed contract in order to access any private data.
  8. Simplify user privacy settings and app use with a News Feed tool.
  9. App access to Groups will need approval from both Facebook and a group admin.
  10. Approved apps will no longer be able to access a group’s member list or personal information attached to group posts.
  11. The guest list and wall posts will be excluded from the Events API.
  12. App access to the Pages API will need to be approved by Facebook.
  13. Instagram Platform API is deprecated.
  14. Opt-in call and text history for Messenger or Facebook Lite on Android, while having never collected message content, will still be reduced to only the information needed to deliver the service.
  15. Removal of a search tool that allows searching for a Facebook user by phone number or email address.
  16. Simplified user interface for the bulk removal of apps and any posts they’ve made.
  17. Shutting down Partner Categories, which allows third-party providers such as Experian and Oracle to offer their own database products for targeted advertising on the Facebook platform.
  18. Proposal to add a Clear History feature for more user control over what browsing history is collected and archived by Facebook.

For those readers interested in keeping up to date on these Facebook privacy updates, they can be read in full as they arrive at the Facebook Newsroom.

The company has been at pains to point out that these data policy updates do not change a user’s privacy rights or data access but are designed to make privacy issues more transparent and easier to understand. They also want to underline the fact that the company has never sold user data directly but monetizes the Facebook platform by selling advertising space and other services. And they are fully committed to regaining and maintaining the public trust in that platform going forward.

Regarding the Facebook business model, nothing changes, and Facebook Ads will continue to work the same way they did before. The same way, that is, with the added bonus that Facebook’s rigorous approach to user privacy and education outreach can only boost the public’s confidence in the online advertising industry and its innovators.

For those users that would like a revealing insight into just what data Facebook actually collects on them, they can download a zipped archive from inside their Facebook General Account Settings. It is remarkable the degree to which our lives have been dedicated to and recorded on social media this last decade or so, and a greater transparency and understanding of the Facebook user data structure, along with a more informed user base, can only benefit us all in the long run.