Cambridge Analytica's harvesting of data on 50 million Americans and its support for the Brexit campaign have prompted internal and external probes of both Facebook and the data analytics firm – with the Federal Trade Commission (FTC) throwing its hat into the ring and the social media giant hiring independent forensic auditors.
Facebook said Monday evening that auditor Stroz Friedberg was on-site at the Cambridge Analytica offices in London “to conduct a comprehensive audit.” Cambridge University professor Alexsandr Kogan, whose app was used to persuade 270,000 Facebook users to submit to a psychological test then used to harvest data on 50 million users, has agreed to a similar audit. Whistleblower Christopher Wylie who “thus far has declined,” Facebook said in a post.
“This is part of a comprehensive internal and external review that we are conducting to determine the accuracy of the claims that the Facebook data in question still exists,” the post said, noting that the company, Wylie and Kogan had previously certified the data's destruction. “If this data still exists, it would be a grave violation of Facebook's policies and an unacceptable violation of trust and the commitments these groups made.”
When the auditors arrived at Cambridge Analytica's London offices, they were asked to stand down by the office of the U.K. Information Commissioner, “which has announced it is pursuing a warrant to conduct its own on-site investigation.”
The Federal Trade Commission (FTC) is also looking into the matter, Bloomberg reported, to see if Facebook ran afoul a 2011 consent decree, which required it to obtain user consent when privacy settings were changed or risk paying $40,000 per day for each violation.
The report cited the social media company as denying "any suggestion of violation of the consent decree" in the Cambridge Analytica case.
"We respected the privacy settings that people had in place," the company said in the statement. "Privacy and data protections are fundamental to every decision we make."
But Andy Patel, cybersecurity researcher at F-Secure, noted, “Cambridge Analytica had/has access to the same information as anyone else using Facebook for business purposes” and that “other firms are most certainly harvesting data in a similar manner in order to more accurately target their own marketing campaigns.”
Facebook reportedly “changed the way their APIs worked, in order to stop apps from accessing friends' profiles back in 2015,” said Patel. “Businesses won't change the way they collect, store, or use Facebook data unless Facebook decides to introduce further limits on what information can be obtained via their API.”
Pointing to the General Data Protection Regulation (GDPR) set to go in effect in May, Dana Simberkoff, chief risk, privacy and information security officer at AvePoint, said that “government regulations can thwart some of these practices and serve as the protection for consumer rights” since “companies found non-compliant will suffer financially” and “the regulations reinforce” how important data protection and privacy are.
“The reality is companies are in business to make money — and it's the job of compliance professionals to help them do so. They must therefore balance the need to help their company realize the potential of its data, while making sure they also protect that information” said Simberkoff. “It's the Chief Privacy Officer's responsibility to help their organizations navigate a world where individuals face a paradox with personal privacy — knowing information placed on the internet and available publicly can be used in unintended ways, regardless of the company's original intent.”
Cambridge Analytica suspended CEO Alexander Nix while the company conducts a full investigation after Nix was heard in videos filmed by London's Channel 4 News boasting to an undercover reporter that the company orchestrated bribery and entrapment schemes.
He also claimed that the firm ran Trump's digital campaign. “We did all the research, all the data, all the analytics, all the targeting, we ran all the digital campaign, the television campaign and our data informed all the strategy,” Nix said.
He claimed that the group used a secret private email system, setting “emails with a self-destruct time” so that “after they've been read, two hours later, they disappear. There's no evidence, there's no paper trail, there's nothing.”
Cambridge Analytica's board said, “In the view of the board Mr. Nix's recent comments secretly recorded by Channel 4 News do not represent the values or operations of the firm.”