Now we know why Facebook gave Cambridge Analytica the boot on Friday. What's less clear is why it took so long.
The social media company was aware as far back as late 2015 that, starting in early 2014, the Trump-linked U.K data firm had secretly harvested profile data belonging to 50 million users, according to a follow-up report from The Observer. The paper calls it Facebook's biggest data breach to date.
The details come from a whistleblower, Christopher Wylie, who said he worked with Aleksandr Kogan, a student at Cambridge University, to obtain the data. Kogan created an app called 'thisisyourdigitallife' that paid users to take a personality test. Participants had to sign in through their Facebook login and agree to let their data be used for academic purposes.
The app went beyond its seemingly stated scope, however, pulling in data from the friends lists of any test-takers. Facebook's platform policy only allows developers the use of friend data to enhance a user's personal experience. The app put that data, from more than 50 million profiles in all, to work instead.
All the data mined from the app became a vital piece of the software Cambridge Analytica used to profile United States voters and serve them with personalized ads ahead of the 2016 election. The U.K. firm has been credited in the past for playing a key role in Donald Trump's ascent to the White House.
'We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis that the entire company was built on,' Wylie said.
According to The Observer, Facebook 'took only limited steps to recover and secure the private information of more than 50 million individuals' after learning of the 'unprecedented' data harvesting in late 2015. It's not clear why more drastic steps weren't taken back then, though yesterday's action is easier to decode.
Facebook's Friday suspension of Cambridge Analytica from the platform came four days after The Observer asked the social media company for comment on the whistleblower's story. Wylie, a Canadian data analytics expert, was also suspended while the investigation plays out.
Wylie provided The Observer with a dossier of evidence illustrating Cambridge Analytica's misuse of the data, including emails, invoices, contracts, and bank transfers that point to the scope of the breach. Also in the dossier is an August 2016 letter from Facebook lawyers instructing Wylie to destroy any data collected by Global Science Research, Kogan's front company.
The letter arrived just a few days before Stephen K. Bannon, a part owner of Cambridge Analytica and former vice president of the company's board, signed on as Trump's campaign manager.
Facebook takes the position that data harvested by GSR and Cambridge Analytica doesn't qualify as a breach. In a statement given to The Observer, the social media company claims Kogan's app 'gained access to this information in a legitimate way and through the proper channels' but 'did not subsequently abide by our rules' as the info was passed along to third parties.
The company also said Kogan's app was removed in 2015, and anyone with access to the data had to certify that it had been destroyed. That timing doesn't line up with Wylie's August 2016 letter, however.
'We are committed to vigorously enforcing our policies to protect people’s information. We will take whatever steps are required to see that this happens,' Facebook vice president Paul Grewal said in a statement.