Following a barrage of attacks from a chorus of critics rightly concerned about its monopolistic power and flawed transparency efforts, Facebook is facing now two new bombshells. First, the company was charged a £500,000 fine by the British Information Commissioner’s Office for the Cambridge Analytica leak, New York Times reporters Adam Satariano and Sheera Frenkel report.
If that wasn’t enough, a CNNTech report reveals another massive privacy abuse Facebook has been hiding from the American people: a Russian company with links to the Kremlin used a Facebook extension to collect data on unknowing users. These reports highlight, yet again, why the FTC must break up Facebook by spinning off WhatsApp, Instagram, and Messenger; impose strong privacy rules on the platform; and find the corporate monopoly in violation of its 2011 consent decree with the commission.
The must-read pieces are as it follows below.
New York Times
“Facebook was hit with the maximum possible fine in Britain for allowing the political consulting firm Cambridge Analytica to harvest the information of millions of people without their consent, in what amounts to the social network’s first financial penalty since the data leak was revealed.
The fine of 500,000 pounds, or about $660,000, represents a tiny sum for Facebook, which brings in billions of dollars in revenue every year. But it is the largest fine that can be levied by the British Information Commissioner’s Office, an independent government agency that enforces the country’s data-protection laws.
The agency has been investigating the potential misuse of personal data by political campaigns since May 2017. The examination took on new urgency after The New York Times and other organizations reported in March that Cambridge Analytica, which was based in London, had improperly gathered the data of up to 87 million Facebook users. Cambridge Analytica, which had ties to President Trump’s campaign, used the information to build psychographic profiles of American voters.
In an initial report of its investigation on Tuesday, the Information Commissioner’s Office said it had concluded that “Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others. The fine is the first punitive action against Facebook since the reports about Cambridge Analytica surfaced. Since the revelations, Facebook has grappled with regulatory scrutiny on both sides of the Atlantic. Its chief executive, Mark Zuckerberg, has appeared before Congress to answer questions about his company earlier this year and also met with European lawmakers.
In the United States, Facebook faces multiple inquiries by federal agencies. The Justice Department and the F.B.I. each recently broadened their inquiries into Cambridge Analytica by also focusing on Facebook. In addition, the Securities and Exchange Commission has started an investigation into Facebook’s statements on the matter, and the Federal Trade Commission is looking into whether the company violated a privacy agreement with the agency.
Facebook will have a chance to respond to the Information Commissioner Office’s initial report. A full version of the report, thought to be coming on Wednesday, is expected to detail the ways in which data gleaned from social media companies is increasingly being used to target voters by political campaigns.
Facebook did not answer a request for comment, and sent a written statement. In it, Facebook’s chief privacy officer, Erin Egan, said the Silicon Valley company was working with the British agency on its investigation and was reviewing the report.
“As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015,” Ms. Egan said in the statement.
The report from the Information Commissioner’s Office was the result of the closely fought campaign in Britain to leave the European Union. The report faulted both sides of the Brexit campaign for misusing online data to reach highly categorized segments of voters, and called for stricter policies to ensure the internet is not misused in future elections.
With its findings, British authorities also took aim at Cambridge Analytica and its British affiliate, the SCL Group. The Information Commissioner’s Office said it was pursuing a criminal prosecution of SCL Elections Ltd., the company from which Cambridge Analytica was spun out, for not properly dealing with the agency’s enforcement actions. Another company linked to Cambridge Analytica, Aggregate IQ, also faces punishment for its involvement.
The Information Commissioner’s Office said the investigation was continuing, and the agency said it was waiting for responses from Facebook. The agency said it also sent out “warning letters” to 11 political parties, compelling them to agree to audits of their own data practices.
The chairman of a British parliamentary committee that is also investigating Facebook praised the findings of the data commissioner.
“Facebook users will be rightly concerned that the company left their data far too vulnerable to being collected without their consent by developers working on behalf of companies like Cambridge Analytica,” said Damian Collins, the chairman of the panel conducting the investigation in the House of Commons. “The number of Facebook users affected by this kind of data scraping may be far greater than has currently been acknowledged.”
“A Russian internet company with links to the Kremlin was among the firms to which Facebook gave an extension which allowed them to collect data on unknowing users of the social network after a policy change supposedly stopped such collection.
Facebook told CNN on Tuesday that apps developed by the Russian technology conglomerate Mail.Ru Group, were being looked at as part of the company’s wider investigation into the misuse of Facebook user data in light of the Cambridge Analytica scandal.
Facebook told CNN that the Mail.Ru Group developed hundreds of Facebook apps, some of which were test apps that were not made public. Only two apps were granted an extension, lasting two weeks, that would have allowed them to collect friend data beyond the cut-off date, Facebook said.
Senator Mark Warner, the top Democrat on the Senate Intelligence Committee, said in a statement to CNN that Facebook’s relationship with Mail.Ru deserved further scrutiny.
“In the last 6 months we’ve learned that Facebook had few controls in place to control the collection and use of user data by third parties. Now we learn that the largest technology company in Russia, whose executives boast close ties to Vladimir Putin, had potentially hundreds of apps integrated with Facebook, collecting user data. If this is accurate, we need to determine what user information was shared with mail.ru and what may have been done with the captured data,” Warner said.
Prior to 2015, in some cases, when Facebook users interacted with the apps built by third-party developers on Facebook, the developer not only received data about that user, but also about the users’ friends — including name, gender, birthdate, location, photos, and what they “liked” on Facebook.
In 2014 Facebook announced it was changing the policy, and would restrict developers’ access to data on app users’ friends by May 2015.
But two weeks ago, Facebook told Congress that it gave 61 companies, including Mail.Ru, an extension on access to the data beyond May 2015. The admission came in a list of written answers Facebook provided to the House Energy and Commerce Committee.
Ime Archibong, Facebook’s vice president of partnerships, told CNN on Tuesday that Facebook had not found any evidence that the Mail.Ru Group had misused Facebook user data, but acknowledged that the investigation is continuing and would not answer if Facebook even has the ability to determine how the Russian company used data derived from Facebook.
Facebook would not say how much user data the Mail.Ru Group obtained or if any data was obtained about American citizens. The company declined to elaborate on its methods for determining how Mail.Ru may have used personal data, citing confidentiality between Facebook and developers.
Archibong said that Facebook was devoting significant resources to investigating app developers, but he wouldn’t say if Russian-built apps were being prioritized for investigation over others.
In a written statement provided to CNN after his interview on Tuesday, Facebook VP Archibong said, “Facebook is a global company with users all over the world so we work with developers globally to bring our services to people everywhere — as long as those developers adhere to our platform policies. Mail.ru, one of the top five largest internet companies in the world, has built apps for the Facebook platform and for other major platforms, including iOS and Android for years. We’ve found no indication of misuse with Mail.ru. If we find misuse, we ban the developers.”
Mail.Ru told CNN that it had not been contacted by Facebook about its investigation into the misuse of user data. Facebook told CNN it had contacted Mail.Ru about the investigation, but didn’t say when it first reached out.
Mail.Ru Group is controlled by USM Holdings, a company founded by Alisher Usmanov, who was included on a list the U.S. Treasury Department published in January of Russian billionaires with ties to the Kremlin.
Russian investor Yuri Milner was the chairman of Mail.Ru Group until he stepped down in 2012. Milner told Forbes he served as a member of then-Russian President Dmitry Medvedev’s innovation commission from 2009 to 2011.
The New York Times reported last year that Milner invested in Facebook and Twitter with hundreds of millions of dollars from Russian state institutions funneled through offshore shell companies, though Milner’s companies have since sold those holdings. In interviews for that report, Milner said the Russian government money was no different from other international investments, and he said he focuses on business and philanthropy, not politics.
Mail.Ru’s large portfolio of companies includes an online gaming division. Mail.RU told CNN in a statement that it had launched approximately 20 Facebook games.
The company said it acted in accordance with Facebook’s terms and conditions and that it had not collected data on Facebook users, including Americans, to promote its “social games with social mechanics within Facebook.”
The company said American users account for no more than 5% of its Facebook app audience.
Facebook CEO Mark Zuckerberg ordered an investigation into potential misuse of Facebook user data gathered through third-party apps a few days after the Cambridge Analytica story broke in March.
“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you. I’ve been working to understand exactly what happened and how to make sure this doesn’t happen again,” Zuckerberg said in a Facebook post at the time.
An app developer working for Cambridge Analytica in 2014 built an online survey that gathered data on tens of millions of Americans, most of whom had never downloaded or taken the survey. Cambridge Analytica went on to work for Donald Trump’s 2016 presidential campaign.
The revelations came a few months after it emerged that the Internet Research Agency (IRA), a Russian government-linked troll group, posed as American activists on social media, including Facebook, in the run-up to the 2016 election and after.
In April of this year, Facebook removed pages it said the IRA ran targeting Russian-speakers. Similar pages are still active on Vkontakte, a Russian social media network owned by the Mail.Ru Group.
Despite Zuckerberg’s pledge, Facebook’s ability to determine how data on its users may have been stored is limited.
Sandy Parakilas, a former Facebook employee who now works at the Center for Humane Technology told CNN, “Unfortunately there is no way for Facebook to know what happened to the data once it left its servers, so there’s no way for them to know if there was any misuse of not.”