Cambridge Analytica: 87 Million Facebook Profiles and a Quiz App

A personality quiz app harvested Facebook profile data from 87 million users without their knowledge, with the data later used by Cambridge Analytica for political micro-targeting during the 2016 US election.

Facebook / Cambridge Analytica · 2018

Background

In 2013, academic researcher Aleksandr Kogan built "thisisyourdigitallife," a Facebook personality quiz app. Facebook's API at the time allowed apps to harvest data not just from the user who installed them but from all of that user's friends — without the friends' consent.

The Attack

Approximately 270,000 users installed Kogan's app and consented to data collection. Facebook's permissive API silently extended that consent to all of their friends' profiles, yielding 87 million records. Kogan sold this data to Cambridge Analytica in violation of Facebook's terms of service. Cambridge Analytica used the profiles to build psychographic models and to micro-target political advertising for Donald Trump's 2016 presidential campaign and the Brexit Leave campaign.

Response

Facebook revoked Cambridge Analytica's access when the Guardian broke the story in March 2018. The FTC launched an investigation that resulted in a $5 billion fine, the largest ever against a technology company. Facebook changed its API policies to eliminate apps' access to the data of users' friends. Cambridge Analytica filed for bankruptcy.

Outcome

The Cambridge Analytica scandal focused attention on GDPR enforcement, brought the concept of "data harvesting" into mainstream consciousness, and forced a global reckoning about the business model of social media platforms and their responsibilities around data sharing.

Key Takeaways

  1. API permissions that allow third-party access to users' friends' data without explicit consent are a privacy violation by design
  2. App developers who sell user data in violation of platform terms create legal and reputational risk for the platform
  3. Data minimisation — collecting only what is necessary — limits the blast radius of any future misuse
  4. GDPR's right to erasure is meaningless if data has already been exported to third parties
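
The consent model described under Background and in takeaway 1, as an added example that is not from the original article and does not reproduce Facebook's actual API: a toy platform compares a read path where the installer's grant also covers friends with one that requires each data subject's own grant. The `Platform` class, the `quiz` app id and the sample graph are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample graph and profiles (not real data).
FRIENDS = {"alice": {"bob", "carol", "dave"}, "bob": {"alice", "carol"},
           "carol": {"alice", "bob"}, "dave": {"alice"}}
PROFILES = {u: {"name": u, "likes": [f"page-{u}"], "email": f"{u}@example.test"}
            for u in FRIENDS}

@dataclass
class Platform:
    # consents[app_id][user] = fields that this user personally granted
    consents: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def grant(self, app_id, user, fields):
        self.consents.setdefault(app_id, {})[user] = set(fields)

    def read_legacy(self, app_id, installer, subject):
        """Flawed model: the installer's grant also covers the installer's friends."""
        if subject != installer and subject not in FRIENDS[installer]:
            return {}
        granted = self.consents.get(app_id, {}).get(installer, set())
        return {k: v for k, v in PROFILES[subject].items() if k in granted}

    def read_scoped(self, app_id, installer, subject):
        """Corrected model: only the data subject's own grant authorises a read."""
        granted = self.consents.get(app_id, {}).get(subject, set())
        allowed = {k: v for k, v in PROFILES[subject].items() if k in granted}
        # Log every request, including denials, so bulk friend enumeration is visible.
        self.audit.append((app_id, installer, subject, sorted(allowed)))
        return allowed

def reachable(read, app_id, installers):
    """Subjects whose data the app obtains when these users install it."""
    seen = set()
    for inst in installers:
        for subject in {inst} | FRIENDS[inst]:
            if read(app_id, inst, subject):
                seen.add(subject)
    return seen

def blast_radius():
    p = Platform()
    p.grant("quiz", "alice", ["name", "likes"])  # one installer consents
    return (reachable(p.read_legacy, "quiz", ["alice"]),
            reachable(p.read_scoped, "quiz", ["alice"]))

if __name__ == "__main__":
    legacy, scoped = blast_radius()
    print(f"legacy exposes {sorted(legacy)}; scoped exposes {sorted(scoped)}")
```

With one installer, the legacy path returns data for four subjects and the scoped path for one; the never-granted `email` field is withheld in both, which is the data-minimisation point of takeaway 3.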