FACT CHECK: Did Cambridge Analytica ‘Hack’ Facebook?

Emily Larsen | Fact Check Reporter

Many people on Twitter claimed that data analytics firm Cambridge Analytica hacked Facebook to access the personal information of 50 million users.

“Hey so the Facebook hack is a HUGE deal. Cambridge Analytica had info on 50 million people and gave that data to the Trump US election campaign,” said one tweet.

“I deactivated Facebook and Instagram due to pathetic response to Cambridge Analytica and Russia hack,” another user tweeted.

“Cambridge Analytica were given a programme by a mysterious Russian geek that enabled them to hack and harvest Facebook’s members details,” another tweet said.

Verdict: False

A professor harvested the data with authorization from Facebook and did not hack any systems. He then gave the data to Cambridge Analytica.

Fact Check:

Cambridge Analytica is under fire for improperly obtaining the data of 50 million Facebook users in order to build “psychographic” profiles to better target and persuade potential voters. The firm consulted for President Donald Trump’s 2016 presidential campaign.

Facebook authorized Aleksandr Kogan, a psychology professor at Cambridge University, to harvest user data through a personality quiz app starting in 2014. At the time, Facebook allowed third-party apps to collect information on not only the users who opted-in, but also the data of those users’ Facebook friends. About 270,000 people explicitly consented to the terms of the app, which then allowed Kogan to save data from 50 million Facebook profiles by accessing friend profiles.

Kogan told Facebook that the data would be used for academic purposes, but he provided it to Cambridge Analytica. Facebook later changed its policies to limit the amount of friends data that third-party apps can access.

The firm said that it deleted the data two years ago, but the New York Times reported that Cambridge Analytica still possessed “most or all of the trove.” Whistleblower Christopher Wylie, a former Cambridge Analytica employee, told The Observer that “everything was built on the back of that data. The models, the algorithm. Everything.”

While major media organizations have not claimed that Cambridge Analytica hacked Facebook, some, including The Guardian and CNBC, called the scandal a “data breach.” Facebook and some tech reporters say that this terminology is misleading and incorrect.

“The claim that this is a data breach is completely false,” Paul Grewal, Facebook VP and Deputy General Counsel, said in a statement. “People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

VICE Motherboard decided to not call the story a “data breach” in order to highlight the “troubling” fact that Facebook allowed the data collection. “We can condemn the misuse of this data, and Facebook’s data collection practices, without calling it a data breach, a term that may confuse readers,” Lorenzo Franceschi-Bicchierai, a staff writer at VICE Motherboard, wrote.

Legally, the way that the information was collected from Facebook may not be considered a “breach.” But it could be considered a “data breach” that Kogan provided the data to Cambridge Analytica when he told Facebook that it would be used for academic research.

Edward McAndrew, a partner at Ballard Spahr LLP and co-practice leader of the law firm’s privacy and data security group, told The Daily Caller News Foundation that “there doesn’t need to be unauthorized access into a protected system” to legally constitute a data breach. “Someone can share protected information with an unauthorized person, and that’s a data breach,” he said.

Delaware, for example, changed its laws to clarify that “breach” can mean “unauthorized acquisition of qualifying personal information,” regardless of “whether the ‘system’ of a ‘person’ who owns, licenses or maintains that data has been compromised.” Puerto Rico’s law specifies that situations in which a person “obtained authorization under false representation with the intention of making illegal use of the information” can count as a violation of the security system.

The data, though, would have to qualify as protected personal information. State statutes vary, but the legal definition of personal information can include date of birth, social security number, state identification number, health information and account passwords.

It is not clear whether Kogan’s app collected information that would qualify as personal information under data breach laws. The app did harvest public Facebook profile information such as “likes.” About 30 million of the profiles contained enough information for Cambridge Analytica to create individual personality profiles, according to The Intercept.

“State data breach notification laws are just one set of laws that Facebook needs to be concerned about here,” said McAndrew. “Of paramount concern is the FTC’s consent order from 2011, which prohibited them from sharing user data without authorization.”

The Federal Trade Commission (FTC) opened an investigation into whether Facebook violated its agreement with the FTC following the consent order. One question the agency may consider is whether the agreement means that Facebook can be held responsible for what third-party apps, like Kogan’s personality app, do with the user data that they obtain.

Though Cambridge Analytica did not hack Facebook and it is unclear whether the scandal legally qualifies as a data breach, Facebook founder and CEO Mark Zuckerberg conceded that there was a breach of trust.

“This was a breach of trust between Kogan, Cambridge Analytica and Facebook. But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it,” Zuckerberg wrote in a statement.

Follow Emily on Twitter

Have a fact check suggestion? Send ideas to [email protected]

All content created by the Daily Caller News Foundation, an independent and nonpartisan newswire service, is available without charge to any legitimate news publisher that can provide a large audience. All republished articles must include our logo, our reporter’s byline and their DCNF affiliation. For any questions about our guidelines or partnering with us, please contact [email protected].

Emily Larsen

Fact Check Reporter