Cambridge Analytica, the data analytics firm that worked with Donald Trump during his US Presidential campaign, amassed a massive chunk of Facebook user data for some 50 million people without ever getting their permission, investigative reports by The New York Times and the Observer revealed. In an effort to get ahead of the controversy, Facebook on Saturday announced that it had suspended accounts for Strategic Communication Laboratories (SCL), the parent company of Cambridge Analytica.

Here is a low down of everything you need to know about the Facebook-Cambridge Analytica story.

What did Cambridge Analytica do?

Cambridge Analytica reportedly played a key role in mapping out the behaviour of voters in the run-up to the 2016 US election and helped the Brexit campaign during United Kingdom’s EU referendum. The Observer last year accused the firm of “hijacking” democracy for its involvement in the Brexit campaign.

In June 2016, Donald Trump’s presidential campaign hired Cambridge Analytica to take over its data operations. Trump’s campaign paid millions of dollars to Cambridge Analytica, which was funded by the president’s billionaire donor Robert Mercer.

In December, special counsel Robert Mueller called for company documents as part of his investigation into possible collusion between Trump’s presidential campaign and Russia.

How did they do this?

In the blog post announcing the suspensions, Facebook deputy general counsel Paul Grewal explained out how Strategic Communication Laboratories (SCL) came into possession of the user data. In 2015, Aleksandr Kogan, a psychology professor at Cambridge University, created an app named “thisisyourdigitallife” that promised to predict aspects of users’ personalities. Around 270,000 people downloaded the app and signed in using their Facebook accounts, giving Kogan access to information about their city of residence, Facebook content they had liked, and information about their friends.

Through Kogan’s company Global Science Research (GSR), hundreds of thousands of users were paid to take a personality test and agreed to have their data collected for academic use.

Kogan passed the data to SCL and one Christopher Wylie from data harvesting firm Eunoia Technologies, in violation of Facebook rules that prevent app developers from giving away or selling users’ personal information. Facebook says it learned of the violation that year and removed his app from its platform. It also asked Kogan and his associates to certify that they had destroyed the improperly collected data. Everyone said that they did. They lied.

“Several days ago, we received reports that, contrary to the certifications we were given, not all data was deleted,” Grewal wrote. “We are moving aggressively to determine the accuracy of these claims. If true, this is another unacceptable violation of trust and the commitments they made. We are suspending SCL/Cambridge Analytica, Wylie and Kogan from Facebook, pending further information.”

How did 270,000 become 50 million?

When people use Facebook Login to sign up for an app, they give the app’s developer access to a range of information from their Facebook profile — things like their name, location, email or friends list. This is what happened with Kogan’s app “thisisyourdigitallife”. Some 270,000 people used Facebook Login to create accounts, and thus opted in to share personal profile data with Kogan.

Okay, so that’s 270,000. How did Kogan and his buddies access data from 50 million profiles. Here’s the kicker: back in 2015, Facebook also allowed developers to collect some information from the friend networks of people who used Facebook Login. That means while a single user may have agreed to hand over their data, developers could also access some data about their friends. Facebook says this was part of their terms of service but it has subsequently been changed to limit something like this.

Through those 270,000 people who opted in, Kogan was able to get access to data from some 50 million Facebook users, according to the NYT report. That data could have included information about people’s locations and interests, photos, status updates and check-ins.

An excerpt from NYT’s story,

“[Kogan] ultimately provided over 50 million raw profiles to the firm, Mr. Wylie said, a number confirmed by a company email and a former colleague. Of those, roughly 30 million contained enough information, including places of residence, that the company could match users to other records and build psychographic profiles. Only about 270,000 users — those who participated in the survey — had consented to having their data harvested.”

It must be noted that all of this happened just as Facebook intended it to happen by design. The data collection and extrapolation followed the company’s rules and guidelines. The only violation that Kogan committed was selling the data to a third party.

Facebook’s response

What followed after the story broke, were some incredibly tone-deaf responses from Facebook executives who passed the buck on to users and third-party developers.

This was unequivocally not a data breach. People chose to share their data with third-party apps and if those third-party apps did not follow the agreements with us/users it is a violation,” longtime Facebook executive Andrew Bosworth said on Twitter.

Facebook’s Chief Security Officer, Alex Stamos also tweeted out in defence of the company’s policies and echoed the ‘this is not a breach’ sentiment. In a series of now-deleted tweets, Stamos said,  “Kogan did not break into any systems, bypass any technical controls, our use a flaw in our software to gather more data than allowed. He did, however, misuse that data after he gathered it, but that does not retroactively make it a ‘breach.’” Stamos continued, “several other prominent platforms, like Android and iOS allow access to friend (contact) data with user permission. Like us, those platforms have policies about the use of data, but misusing contacts gathered knowingly from a phone is also not a ‘breach’

The tone-deaf response caused enough outrage that Stamos, had to backtrack. He deleted his original tweets, saying he wasn’t so good at “talking about these things in the reality of 2018.” Specifically, he said he didn’t know how to balance his personal beliefs with his responsibility to Facebook and his co-workers, amid all the criticism.

“We have collectively been too optimistic about what we build and our impact on the world,” Stamos tweeted on Saturday. “Believe it or not, a lot of the people at these companies, from the interns to the CEOs, agree.”

Facebook’s entire business depends on users sharing their most personal data via its social network so that they can be served targeted advertisements. But the company’s “not a breach” argument isn’t likely to go down well with users or make them feel any safer using the platform. Especially given that it’s already under fire for missing that Russian actors were purchasing US election ads on the site to sway voter opinions, as well as spreading fake news on the platform.

Facebook suspends the whistleblower’s account

The Observer’s report profiled Christopher Wylie, who revealed himself to be the architect of the technology that Cambridge Analytica used. Wylie used more colourful language and described himself as the designer of “Steve Bannon’s psychological warfare mindfuck tool.”

Wylie found himself at the center of one of the biggest stories of the year and he has been vocal about how this technology was weaponised and misused. He explained to Channel 4 News how the whole thing worked. Here are some excerpts from that interview.

“Imagine I go and ask you: I say, ‘Hey, if I give you a dollar, two dollars, could you fill up this survey for me, just do it on this app’, and you say, ‘Fine’.”

“I don’t just capture what your responses are, I capture all of the information about you from Facebook, but also this app then crawls through your social network and captures all that data also.”

“By you filling out my survey, I capture 300 records on average.”

“And so that means that, all of a sudden, I only need to engage 50000, 70000, 100000 people to get a really big data set really quickly, and it’s scaled really quickly.”

“We were able to get upwards of 50 million-plus Facebook records in the span of a couple of months.”

“Almost none of the individuals knew about how their data was used.”

But as Jonathan Shieber on TechCrunch writes, “Tech hath no fury like a multi-billion dollar social media giant scorned.”

And now Christopher Wylie is facing that fury. He tweeted out that he has been suspended by Facebook, “..For blowing the whistle. On something they have known privately for 2 years.”

Carole Cadwalldr who wrote the story for the Observer also tweeted that Wylie has been kicked off other Facebook-owned platforms as well, “Plaintive phone call from Chris: he’s also banned from WhatsApp. And – outraged voice! – Instagram. “But how am I going to curate my online identity?” he says. The Millennials’ first great whistleblower? And Facebook hitting him where it hurts.”

On lifting the suspension, Facebook said, “Mr. Wylie has refused to cooperate with us until we lift the suspension on his account. Given he said he ‘exploited Facebook to harvest millions of people’s profiles,’ we cannot do this at this time.”

Cambridge Analytica’s response

Cambridge Analytica has unsurprisingly dismissed all allegations. The company said it was “quite obvious” Wylie “had a grudge to bear” and dismissed his accusations as “pure fantasy”. The company added it only receives and uses data that has been obtained legally and fairly.

In response to its Facebook ban, Cambridge Analytica said it fully complied with the platform’s terms of services. “Cambridge Analytica ’s Commercial and Political divisions use social media platforms for outward marketing, delivering data-led and creative content to targeted audiences. They do not use or hold data from Facebook profiles,” the company said.

“No data from GSR (Kogan’s company) was used by Cambridge Analytica as part of the services it provided to the Donald Trump 2016 presidential campaign.

“Cambridge Analytica only receives and uses data that has been obtained legally and fairly. Our robust data protection policies comply with US, international, European Union, and national regulations.”

Anger over the entire episode

The entire episode has once again brought into focus the issue of private data and how it should be handled. Facebook has a problematic track record on privacy. Its business model is built on gathering personal data. It knows your real name, who your friends are, your likes and interests, where you have been, what websites you have visited, what you look like and how you speak. All of this is used to serve Facebook’s primary customers, advertisers.

But people are beginning to see how private data can be weaponised to manipulate democracies and misinform people.

Director of the Web Policy Foundation said:

“Today’s story on Facebook and Cambridge Analytica drives home why we need platforms to be fully transparent and accountable in the age of big data. Once our personal data is in someone else’s hands, it’s extremely difficult to take back control — with potentially disastrous results for public safety, discourse and democracy. Platforms must fully embrace their responsibility to do whatever it takes to keep user data safe from abuse.”

Tech entrepreneur Mark Suster pointed out on Twitter that the vulnerability exploited by Cambridge Analytica and Kogan was something that he had highlighted for years. He even shared slides to a presentation made 8 years ago at CalTech that had highlighted this.

Suster said, “Everybody knew 3rd party apps had access to data on you, your friends & family. I’ve been highlighting this publicly for years. Nobody cared because every app company benefited.”

Strong reactions have also come in from the political establishment. “This is a major breach that must be investigated,” demanded Democratic Senator Amy Klobuchar of Minnesota. “It’s clear these platforms can’t police themselves. I’ve called for more transparency and accountability for online political ads. They say ‘trust us’.” She added: “Mark Zuckerberg needs to testify before Senate Judiciary.”

Damian Collins, a Conservative Member of Parliament in Britain who is leading a parliamentary inquiry into fake news and Russian meddling in the country’s referendum to leave the European Union, said that he, too, would call on Mark Zuckerberg or another top executive to testify.

“It is not acceptable that they have previously sent witnesses who seek to avoid answering difficult questions by claiming not to know the answers,” Mr. Collins said in a statement. “This also creates a false reassurance that Facebook’s stated policies are always robust and effectively policed.”

The UK’s Information Commissioner is to investigate the “circumstances in which Facebook data may have been illegally acquired and used”. The Information Commissioner, Elizabeth Denham, said this will form part of an ongoing inquiry into the “use of data analytics for political purposes”.

“We are continuing to invoke all of our powers and are pursuing a number of live lines of inquiry. Any criminal and civil enforcement actions arising from the investigation will be pursued vigorously,” Denham added.

Cambridge Analytica and India

An interesting angle that has emerged from all of this is Cambridge Analytica’s past involvement in Indian elections and their efforts to reach out to the two major political parties in the country the BJP and the Congress ahead of the 2019 general elections.

The Hindustan Times reported that Cambridge Analytica, and its India partner, Oveleno Business Intelligence (OBI) Private Limited, have spoken to both the Congress and the BJP for a possible collaboration for their 2019 Lok Sabha election campaigns.

The recent allegations will not deter the firm and its India partner from continuing their collaboration till Cambridge Analytica is found to “violate Indian law”, OBI’s CEO Amrish Tyagi told HT.

Tyagi told HT that social media legislation and regulation was complex and diverse in different jurisdictions. “What may be illegal and unethical in one place may not be in India and vice versa. So it is too early to say anything.” On its website, Cambridge Analytica says it was contracted for an in-depth electorate analysis for the Bihar assembly elections in 2010. “Our client achieved a landslide victory, with over 90% of total seats targeted by CA being won,” it adds.