Probes Begin as Facebook Slammed by Data Leak Blowback

CSO Leaves Early, Stock Dives, Outrage Abounds
Sign outside Facebook's headquarters in Menlo Park, California. (Source: Facebook)

Facebook may be facing the fight of its life. The social media company faces mounting pressure and a collective outcry over data from millions of its user profiles having been collected by a voter-profiling firm once retained by the Trump campaign.

In recent days, a flurry of events has resulted in a sharp drop in Facebook's stock price, the early departure of its chief security officer and a showdown at the offices of data analysis firm Cambridge Analytica.

The still-unfolding scandal is bringing renewed focus to Facebook's privacy practices, with many observers questioning whether the social media company has been too liberal in granting access to what is arguably one of the world's most valuable - and potentially dangerous - data sets.

Cambridge Analytica, owned by British military contractor SCL Group, obtained profile data for as many as 60 million Facebook users. The firm specializes in writing algorithms that tease out individuals' political leanings and receptiveness to certain kinds of messages (see Facebook Attempts to Explain Data Leak, Denies 'Breach').

On March 19, Cambridge Analytica denied using Facebook data for its work with Trump's campaign. (Source: Cambridge Analytica)

The European Parliament plans to investigate whether the Facebook data was misused, Politico reports. In the U.K., Prime Minister Theresa May says the situation is "very concerning" and called on Facebook to cooperate with an investigation launched Saturday by the Information Commissioner's Office, according to the Independent.

In the U.S., two senators have called for Facebook CEO Mark Zuckerberg to testify before Congress.

There are concerns over how the Facebook data was used. Trump's campaign, which hired Cambridge Analytica in June 2016, paid the company $6.2 million, according to Reuters, citing Federal Election Commission records.

On Monday, Cambridge Analytica said it has made clear since 2016 that the Facebook data was not used for its work with Trump's campaign, including personality-targeted advertising.

Was The Data Deleted?

Questions about how Cambridge Analytica may have influenced voters in the U.S. and U.K. have been circulating for months. But in recent days, events have moved quickly, including the company facing sharp questions over whether it still retains the Facebook data. The company denies this, but former officials cited in news reports this past weekend published by The New York Times and the Observer say the company may still have it.

Facebook on Monday said it hired digital forensics firm Stroz Friedberg to audit Cambridge Analytica's systems. Investigators were sent to Cambridge Analytica's offices, but then called off.

"At the request of the U.K. Information Commissioner's Office, which has announced it is pursuing a warrant to conduct its own onsite investigation, the Stroz Friedberg auditors stood down," the company writes in a blog post.

Cambridge Analytica acquired the data from Aleksandr Kogan, who is a psychology professor at Cambridge University. With permission from Facebook, Kogan deployed an app called "thisisyourdigitallife," which paid users to participate in a personality survey.

Aleksandr Kogan (Source: University of Cambridge)

Around 270,000 people signed into the app. But due to Facebook's privacy controls, the app could also collect data on people who didn't have a specific privacy setting enabled.

While estimates vary, the app could have collected personal data from between 30 million and 60 million Facebook accounts. Facebook contends that Kogan lied to the company and violated its policies by passing the data to Cambridge Analytica.

CNN reports that Kogan's app was initially presented to Facebook as part of a research program within the University of Cambridge's psychology department. CNN also reports that Kogan says he changed the terms and conditions of the app to inform users that their data could be sold commercially. Facebook, however, says it wasn't informed of the change.

Although Kogan's app was deployed with Facebook's approval, the social media site subsequently changed its rules and says such an app would no longer be approved.

Facebook, after discovering in 2015 that the data collected by Kogan's app had been shared with others, says it received guarantees from Cambridge Analytica, SCL Group, Kogan and a former Cambridge Analytica data scientist, Chris Wylie, that the data had been destroyed.

"If this data still exists, it would be a grave violation of Facebook's policies and an unacceptable violation of trust and the commitments these groups made," Facebook said on Monday. "We are moving aggressively to determine the accuracy of these claims."

Whistleblower Lights a Fire

Kogan's passing of the data to Cambridge Analytica had been known for more than a year. But the situation prompted fresh concern after Wylie gave an in-depth interview to the Observer. He described his tenure at the company and how it used advanced data analysis with the aim of influencing public opinion for its clients.

Wylie told NBC's Today show on Monday that Cambridge Analytica's goal was to explore "mental vulnerabilities" in people to create content that could convince people that false narratives were true.

"This is a company that really took fake news to a next level by pairing it with algorithms," Wylie told the show.

Chris Wylie, a former data scientist with Cambridge Analytica, speaks with the Today show on March 19.

Cambridge Analytica claimed on Monday that Wylie, who at one point met former Trump adviser Steve Bannon, "is misrepresenting himself and the company throughout his comments."

Wylie's allegations have heightened concerns that have lingered since the 2016 U.S. presidential election about how social media platforms were used - particularly by Russia - to influence public opinion and peddle divisive narratives.

Cambridge Analytica is facing further questions about its business following a broadcast by Channel 4 in the U.K. The station secretly filmed CEO Alexander Nix discussing how the company could mount secret influence campaigns, including entrapping politicians with bribes and sex workers.

In a statement, Cambridge Analytica says the Channel 4 report was scripted to "grossly misrepresent the nature of those conversations and how the company conducts its business."

Nonetheless, Nix says: "I deeply regret my role in the meeting and I have already apologized to staff. I should have recognized where the prospective client was taking our conversations and ended the relationship sooner."

Facebook's CSO Departs

The reckoning over platform manipulation has been a source of conflict within Facebook, according to The New York Times, which on Monday reported that CSO Alex Stamos will leave the company after sparring with executives over their response to disinformation campaigns.

Stamos, a well-known figure in the information security community, had been scheduled to leave in August, after his day-to-day duties were reassigned to others in December 2017, reportedly because he didn't think Facebook had done enough to battle disinformation campaigns waged via its platform.

On Sunday, Stamos weighed in on the unfolding Cambridge Analytica situation on Twitter, but then deleted a series of tweets that appeared to defend Facebook's actions.

Stamos left Yahoo in 2015 following a tumultuous time where it was revealed the company was forced by the U.S. government to install a secret email-scanning program.

"It's going to be quite hard for @facebook to say they're 'fighting the good fight' after losing @alexstamos," tweets Ashkan Soltani, an independent privacy and security researcher who formerly served as the chief technologist of the Federal Trade Commission. "This doesn't bode well."

The privacy saga also overflowed into the stock markets on Monday. Facebook had its worst day in five years, with its stock price falling 6.8 percent, wiping upwards of $35 billion from its market value.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
