Jason McELweenie/Flickr (CC-BY)
Here’s an in-depth look at the privacy fiasco that’s bringing Facebook to its knees.
Facebook is reeling from the revelation that political data firm Cambridge Analytica exploited the personal information of 50 million users. The backlash for its failure to protect user data has been unrelenting.
People worried about their privacy are leaving the site in droves as part of the trending #deletefacebook campaign. The reaction is so hostile, CEO Mark Zuckerberg was forced to publicly apologize to the world and promise that it would never happen again. Most recently, federal investigators launched inquiries into whether the company is equipped to protect the privacy of its 2.2 billion users.
The Cambridge Analytica incident may not bring down the social media giant, but it’s having a massive impact on its market value and the trust of its users, especially given its timing. Facebook’s reputation took an enormous hit late last year after we learned it sold ads to a Russian troll farm during the 2016 election.
How did we get to this point? Here’s a timeline of the Cambridge Analytica scandal, which we’ll be updating with new developments.
The Facebook/Cambridge Analytica scandal: A timeline
March 17 – Facebook scandal revealed in multiple reports
Reports from the Guardian and New York Times revealed that Cambridge Analytica, a data analytics firm that worked with President Donald Trump, had harvested the personal information of around 50 million Facebook users without permission. The information came from whistleblower Christopher Wylie, who claims to have helped build the firm and worked there until 2014.
The reports describe how Cambridge Analytica, which was funded by billionaire Robert Mercer and once employed Steve Bannon, retrieved the data from Global Science Research (GSR), a company owned by University of Cambridge professor Aleksandr Kogan. Kogan collected the data in 2013 using a “psychographic” personality test app he built called “thisisyourdigitallife.” Around 300,000 people installed the app and gave it permission to collect their personal information from Facebook, including the city they set on their profile, content they liked, and information about friends. With that level of access, Kogan gathered data on 50 million people.
While the GRS legally obtained the information, it was illegally paid by Cambridge Analytica to pass it their way so they could use it to manipulate voter behavior. Facebook learned about the privacy breach in 2015 and demanded both parties delete the data they had harvested. They agreed, but Cambridge Analytica didn’t stay true to its word. The data company has denied using the information for the 2016 presidential campaign.
March 18 – Facebook responds by suspending key players
Facebook responded to reports and budding backlash by banning Cambridge Analytica, its parent company SCL group, and Kogan. The company published a forthright blog post explaining how Kogan “lied to us” by violating its privacy policies but said the claim that the exploit is a “data breach” is “completely false.”
— Christopher Wylie (@chrisinsilico) March 18, 2018
The social network also suspended Wylie despite his efforts to bring awareness to Cambridge Analytica’s intrusive behavior.
March 19 – Facebook stocks plummet
Facebook stocks crashed in premarket trading less than 24 hours after the reports went live. Opening at $177.01, the company dipped 4 percent, resulting in a loss of $23.8 billion from its previous $538 billion market value.
Sen. Edward Markey (D-Mass.) urged Congress to hold hearings against Facebook and Cambridge Analytica. In a letter to Sen. John Thune (R-S.D.) and Sen. Bill Nelson (D-Fla.), the ranking members of the Senate Committee on Commerce, Science and Transportation, Markey said they should “move quickly” to hold the hearings since Facebook is required to “obtain explicit permission before sharing data about its users.”
Facebook and Cambridge Analytica should be made to testify before the Senate Commerce Committee so that we can get to the bottom of these disturbing reports that may impact tens of millions of Americans.https://t.co/4UE5iw8dRy
— Ed Markey (@SenMarkey) March 18, 2018
“Today, Americans’ personal data online is a valuable commodity for commercial and political interests alike,” Markey wrote in the letter. “As companies seek information about internet users’ behavior in order to gain insights that may inform strategic decision-making, Americans’ online privacy has become increasingly vulnerable.”
March 20 – Facebook holds an emergency meeting
Still determining exactly what transpired, Facebook reportedly held a company-wide meeting to discuss when and how the data was being illegally harvested. Paul Grewel, the company’s deputy general counsel, led the meeting and provided background on the incident. The event reportedly had a polling feature that let attendees ask questions.
Brian Acton, co-founder of the popular messaging app WhatsApp, called on his Twitter followers to #deletefacebook. Facebook purchased WhatsApp in 2014. Acton stayed onboard for several years after before founding his own non-profit organization.
It is time. #deletefacebook
— Brian Acton (@brianacton) March 20, 2018
A number of pundits noted how Acton spoke up despite becoming a billionaire in large part because of Facebook.
March 21 – Zuckerberg finally arrives, apologizes
After three days of unsettling silence, Zuckerberg finally addressed the Cambridge Analytica incident in a post to his Facebook account. He said what happened was his responsibility, but changes made to the platform—for example, app owners can no longer gather info about a user’s friends—would prevent this from happening again. The polarizing CEO came up with a three-step plan going forward: investigate third-party apps, restrict developers’ access to user data on the whole, and give users tools to see what data of theirs is being shared.
I want to share an update on the Cambridge Analytica situation — including the steps we've already taken and our next…
In what has become a defining quote, Zuckerberg said: “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.” Later that day, Zuckerberg publically apologized in an interview with CNN.
JUST IN: Facebook CEO Mark Zuckerberg on the Cambridge Analytica scandal: "This was a major breach of trust, and I'm really sorry that this happened." He pledges a “full forensic audit” to ensure no more breaches occur. http://cnn.it/2pvvxgK
Posted by CNN on Wednesday, March 21, 2018
“This was a major breach of trust, and I’m really sorry that this happened,” Zuckerberg said on CNN. “Our responsibility now is to make sure this doesn’t happen again.”
Zuckerberg also said he’d be willing to testify in front of Congress “if it’s the right thing to do.”
March 22 – Donald Trump brags about Cambridge Analytica
In a Twitter post, Trump appeared to boast about his partnership with Cambridge Analytica, saying people are no longer claiming his use of social media was less robust than Clinton’s during the 2016 election.
Remember when they were saying, during the campaign, that Donald Trump is giving great speeches and drawing big crowds, but he is spending much less money and not using social media as well as Crooked Hillary’s large and highly sophisticated staff. Well, not saying that anymore!
— Donald J. Trump (@realDonaldTrump) March 22, 2018
While the president didn’t outright name the data firm, his timing suggests he was referring to Cambridge Analytica, which worked on his 2016 presidential campaign.
March 23 – Elon Musk deletes SpaceX and Tesla accounts
In a bizarre Twitter exchange, business magnate Elon Musk learned about his company’s Facebook pages and then promised to delete them. Both the SpaceX and Tesla accounts vanished within hours of his tweet.
I didn’t realize there was one. Will do.
— Elon Musk (@elonmusk) March 23, 2018
While the prominent executive didn’t reference Cambridge Analytica by name, his actions were clearly a response to Facebook’s privacy troubles. The two companies had a combined Facebook following of more than 5 million people. Musk also threatened to delete his Instagram, since the Facebook-owned company was “borderline” because “FB influence is slowly creeping in.”
March 23 – Zuckerberg gets invited to testify
The House Energy and Commerce Committee formally called on Zuckerberg to testify in front of the House of Representatives.
Bipartisan E&C leaders send formal invitation to Facebook CEO Mark Zuckerberg testify before the committee >> https://t.co/MtFXFPIJjT
— Energy and Commerce (@HouseCommerce) March 23, 2018
The agency, tasked to report on the public’s marketplace interests, said the allegations “raise many concerns about what user information app developers are given access to, how app developers are given access to users’ information on the Facebook Platform, what has happened to Facebook users’ information since the functionality was launched in 2007, and whether there are other entities misusing user information.”
March 23 – British investigators raid Cambridge Analytica offices
Officers from Britain’s Information Commissioner’s Office, a data watchdog group, raided the offices of London-based Cambridge Analytica for nearly seven hours. The organization was granted a search warrant by the British High Court judge to determine whether the data group tampered with the U.K.’s Brexit vote. The ICO says it will analyze and consider the evidence before taking the next step.
Zuckerberg used full-page ads to publish an apology in multiple U.S. and U.K. newspapers. The statement says he wishes they had done more at the time since social networks have “a responsibility to protect your information.”
Echoing his previous statements, he outlined the steps Facebook will take to prevent this sort of leak from happening again.
— CNET (@CNET) March 25, 2018
“We’re also investigating every single app that had access to large amounts of data before we fixed this. We suspect there are others. And when we find them, we will ban them and tell everyone affected.”
March 26 – FTC confirms probe
The Federal Trade Commission revealed a “non-public” investigation into Facebook’s privacy practices.
“The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers,” Tom Pahl, acting director of the Federal Trade Commission’s Bureau of Consumer Protection, said in a statement. “Foremost among these tools is enforcement action against companies that fail to honor their privacy promises, including to comply with Privacy Shield, or that engage in unfair acts that cause substantial injury to consumers in violation of the FTC Act.”
He continued, “Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.”
March 26 – Stock update paints a red picture
Facebook stocks fell further after the FTC confirmed its investigation. Its shares dropped another 5 percent, bringing its valuation to around $439 billion. A drop of more than $100 billion brought it below its value at the start of 2018 and back to its lowest point since July 2017.
March 26 – Tim Cook offers his take on Facebook
Speaking at a China developer forum in Beijing, Apple CEO Tim Cook says “well-crafted” regulation is required to prevent further incidents from occurring.
“It’s clear to me that something, some large profound change is needed,” Cook said, according to Reuters. “I’m personally not a big fan of regulation because sometimes regulation can have unexpected consequences to it; however, I think this certain situation is so dire, and has become so large, that probably some well-crafted regulation is necessary.”
March 27 – Zuckerberg refuses to speak with U.K. lawmakers
While Zuckerberg agreed to testify before Congress, he has refused to explain the data scandal to British lawmakers. Instead, the CEO will either send Chief Technology Officer Mike Schroepfer or Chief Product Officer Chris Cox to speak before the parliament’s Digital, Culture, Media, and Sport committee, Reuters reports.
Conservative politician and chairman of the committee Damien Collins said he would “still like to hear from Mr Zuckerberg as well” but is “very happy to invite Mr Cox to give evidence.” Cox is considered one of the most important executives at the company alongside Sheryl Sandberg, Facebook’s chief operating officer.
“Facebook has got many questions to answer that their executives have failed to answer in previous appearances before our Committee,” Collins said. “As Mark Zuckerberg’s deputy we hope that Chris Cox has the sufficient authority and operational responsibility to concretely answer these questions. Given the seriousness of these issues we still believe that Mark Zuckerberg is the right person to give evidence, and would like him to confirm if he will make himself available to the Committee. He stated in interviews that if he is the right person to appear he will appear. We think he is the right person and look forward to hearing from him.”
Mark Zuckerberg declines request to appear before U.K. parliamentary committee and @DamianCollins. Recommends his Chief Technology Officer and Chief Product Officer instead. Full letter here: pic.twitter.com/Q6EueSHu8a
— Joe Mayes (@Joe_Mayes) March 27, 2018
Rebecca Simon, the head of public policy for Facebook U.K., wrote a letter in response to the lawmaker’s request where she listed all the changes Facebook is making to its platform. You can read the full statement in the above tweet.
“Facebook fully recognizes the level of public and Parliamentary interest in these issues and support your belief that these issues must be addressed at the most senior levels of the company by those in an authoritative position,” Stimson wrote. “As such Mr Zuckerberg has personally asked one of his deputies to make themselves available to give evidence in person to the Committee.”
March 27 – Zuckerberg agrees to testify
Mark Zuckerberg has agreed to testify before Congress, according to CNN, which citing “Facebook sources.” The CEO will reportedly attend the hearing “within a matter of weeks,” and Facebook has already started preparing statements.
Cambridge Analytica whistleblower Christopher Wylie claimed before a committee of British members of Parliment that Facebook uses phone microphones to improve its ad targeting, though he did not provide evidence for the allegations.
“It’s not to say they’re listening to what you’re saying. It’s not natural language processing,” Wylie said. “That would be hard to scale. But to understand the environmental context of where you are to improve the contextual value of the ad itself is possible.”
April 4 – Date set for Zuckerberg’s testimony
Mark Zuckerberg will appear before the House Energy and Commerce Committee on April 11 at 10am ET. The hearing will be livestreamed on YouTube.
Chairman Greg Walden and ranking member of the committee Frank Pallone, Jr. released a joint statement confirming the appearance.
“This hearing will be an important opportunity to shed light on critical consumer data privacy issues and help all Americans better understand what happens to their personal information online. We appreciate Mr. Zuckerberg’s willingness to testify before the committee, and we look forward to him answering our questions on April 11th.”
April 4 – Facebook increases the number of users affected by the Cambridge Analytica scandal to 87 million
Buried in a blog post about changes Facebook is making to clarify its terms of service, the company casually increased the number of people affected by Cambridge Analytica’s efforts to 87 million, up from 50 million.
“In total, we believe the Facebook information of up to 87 million people — mostly in the US — may have been improperly shared with Cambridge Analytica,” Facebook CTO Mike Schroepfer wrote in a blog post.
April 9 – Facebook suspends two more firms for exploiting user data
Facebook suspended two more companies linked to the Cambridge Analytica data scandal: Canadian data firm AggregateIQ and data analytics company CubeYou.
The social network told the Guardian that it would remove AggregateIQ from the site after reports linked it to SCL, the parent firm of Cambridge Analytica.
“[AggregateIQ] may, as a result, have improperly received FB user data, we have added them to the list of entities we have suspended from our platform while we investigate,” a spokesperson for the social network said.
Christopher Wylie, the whistleblower who revealed Cambridge Analytica’s data harvesting practices, said in a testimony before a parliamentary committee that AggregateIQ used Cambridge Analytica’s database to influence the U.K.’s Brexit election.
The company denied the allegations in a statement on its website. “AggregateIQ has never managed, nor did we ever have access to, any Facebook data or database allegedly obtained improperly by Cambridge Analytica,” its main page reads.
Facebook also suspended CubeYou after CNBC reported the company for harvesting user data from quiz apps and selling it to marketers. The company falsely labeled its quizzes “for non-profit academic research” before allegedly selling it to third-party ad firms.
It’s unclear how many users were affected. CubeYou’s CEO denied the allegations. Facebook thanked CNBC for bringing it to the company’s attention and suspended CubeYou as it conducts an investigation.
Facebook began posting alerts at the top of News Feeds for users who were affected by the data breach. The notices include a link showing which third-party apps are still using their data.
Users who don’t want certain developers seeing their personal information can use a new bulk-delete feature Facebook added.
A quicker way to determine whether your account was affected is by visiting Facebook’s support page and reading the notice under “Was My Information Shared?”
April 10 – Cambridge Analytica also pulled data from messages and Facebook posts
Buried in the News Feed notices that tell users whether their information was affected by the data breach is a troubling disclosure about the type of information stolen. Cambridge Analytica appears to have harvested the private messages of 1,500 people who granted the “This is Your Digital Life” app permission, Wired reports.
“A small number of people who logged into ‘This Is Your Digital Life’ also shared their own News Feed, timeline, posts and messages which may have included posts and messages from you.”
Cambridge Analytica also gained access to information from the friends of the app’s users, though it remains unclear how many total users were affected.
April 26 – Facebook admits not reading offending app’s terms of service
Facebook admitted it neglected to read the terms and service of the app that improperly harvested and sold user data.
Testifying before U.K. lawmakers, Facebook CTO Mike Schroepfer said the social network did an “automated check” of the document in 2014 but did not read its contents.
Aleksandr Koga, the creators of the offending “This is Your Digital Life” app, had previously criticized Facebook for failing to call out the agreements written in the terms.
“This is the frustrating bit, where Facebook clearly has never cared. I mean, it never enforced this agreement,” Kogan said. “They’ll let you know if you do anything wrong. I had a terms of service that was up there for a year and a half that said I could transfer and sell the data. Never heard a word.”
Kogan also said in an interview with 60 Minutes that “tens of thousands” of apps similarly mishandled data.
May 16 – Zuck agrees to meet the European Parliament, rejects the U.K. again
Mark Zuckerberg has agreed to meet with members of the European Parliament to discuss Facebook’s ongoing privacy crisis.
Mark Zuckerberg, Facebook CEO and founder, has accepted our invitation. He will come to the European Parliament. My full statement ⤵️ pic.twitter.com/FdmuDPl8Wb
— Antonio Tajani (@EP_President) May 16, 2018
Antonio Tajani, the parliament’s president, said in a statement posted to his Twitter page that Zuckerberg would travel to Brussels as soon as next week. He will meet leaders of the parliament’s political groups and the chair and the rapporteur of the Committee for Civil Liberties, Justice, and Home Affairs.
The parliament will separately organize committee hearings with Facebook to focus on the impact of privacy protection on the electoral process in Europe. Zuckerberg will not be in attendance.
“I welcome Mark Zuckerberg’s decision to appear in person before the representatives of 500 million Europeans. It is a step in the right direction towards restoring confidence,” Tajani said.
Facebook confirmed the decision in a statement.
“[We] appreciate the opportunity for dialogue, to listen to their views and show the steps we are taking to better protect people’s privacy,” the company said.
Interestingly, Facebook has once again denied the U.K.’s request for Zuckerberg to answer privacy questions in front of its parliamentary committee. It has threatened to impose an official summons on Zuckerberg to attend a hearing when he next visits the country. It’s not clear why the CEO appears to be playing favorites.
Editor’s note: This article is regularly updated for relevance.