The Cambridge Analytica-Facebook Debacle: A Legal Primer

Andrew Keane Woods
Tuesday, March 20, 2018, 4:16 PM

Photo: Flickr/rulenumberone2

Published by The Lawfare Institute
in Cooperation With

What Happened?

On March 17, the New York Times revealed that Cambridge Analytica, the British data analysis firm that has ties to Robert Mercer and Stephen K. Bannon and was hired by the Trump campaign, “harvested private information from the Facebook profiles of more than 50 million users without their permission.” This set off a firestorm in the U.S. and the U.K. as regulators announced they would get to the bottom of what went wrong. Sen. Ron Wyden asked Facebook a series of hard-hitting questions. Massachusetts Attorney General Maura Healey announced an investigation into the matter, followed by the New York attorney general. And the U.K.’s information commissioner, Elizabeth Denham, said she would seek a warrant to search Cambridge Analytica’s computers. This in turn sent Facebook stock plunging—down nearly 7 percent by the market’s close on Monday, March 19 and down nearly another two points on Tuesday, March 20. On Monday night, the New York Times revealed that Facebook’s chief security officer, Alex Stamos, is stepping down after much internal disagreement with the way the firm handled concerns about misinformation in the 2016 elections.

A Breach Of Trust, If Not A Computer

The data that Cambridge Analytica obtained seems to have come from Aleksandr Kogan, a researcher at Cambridge University who convinced hundreds of thousands of Facebook users to take a Facebook-linked personality quiz—thereby granting Kogan access, through Facebook’s developer platform, to a treasure trove of user data. Kogan then shared this information with Cambridge Analytica. This was reported as a “breach” in the Times, which prompted security experts to explain that this was categorically distinct from the kind of breach that Equifax suffered, where an intruder used technical trickery to gain unauthorized access to the firm’s networks, unbeknownst to the firm.

Kogan’s access to the data (if not his later use) was known to Facebook and seemingly consistent with Facebook’s developer application programming interface (API) at the time. This is how Kogan was able to access 50 million user profiles through only a few hundred thousand quiz-takers. You take Kogan’s quiz, and a thousand of your closest friends are also scooped up.

Facebook’s chief security officer, Stamos, pointed this out in a now-gone tweet:

Andrew Keane Woods is a Professor of Law at the University of Arizona College of Law. Before that, he was a postdoctoral cybersecurity fellow at Stanford University. He holds a J.D. from Harvard Law School and a Ph.D. in Politics from the University of Cambridge, where he was a Gates Scholar.