Facebook and Cambridge Analytica: What You Need to Know as Fallout Widens

Our report that a political firm hired by the Trump campaign acquired access to private data on millions of Facebook users has sparked new questions about how the social media giant protects user information.

Who collected all that data?

Cambridge Analytica, a political data firm hired by President Trump’s 2016 election campaign, gained access to private information on more than 50 million Facebook users. The firm offered tools that could identify the personalities of American voters and influence their behavior.

Cambridge has been largely funded by Robert Mercer, the wealthy Republican donor, and Stephen K. Bannon, a former adviser to the president who became an early board member and gave the firm its name. It has pitched its services to potential clients ranging from Mastercard and the New York Yankees to the Joint Chiefs of Staff.

On Monday, a British TV news report cast it in a harsher light, showing video of Cambridge Analytica executives offering to entrap politicians. A day later, as a furor grew, the company suspended its chief executive, Alexander Nix.

What kind of information was collected, and how was it acquired?

The data, a portion of which was viewed by The New York Times, included details on users’ identities, friend networks and “likes.” The idea was to map personality traits based on what people had liked on Facebook, and then use that information to target audiences with digital ads.

Researchers in 2014 asked users to take a personality survey and download an app, which scraped some private information from their profiles and those of their friends, activity that Facebook permitted at the time and has since banned.

The technique had been developed at Cambridge University’s Psychometrics Center. The center declined to work with Cambridge Analytica, but Aleksandr Kogan, a Russian-American psychology professor at the university, was willing.

Dr. Kogan built his own app and in June 2014 began harvesting data for Cambridge Analytica.

He ultimately provided over 50 million raw profiles to the firm, said Christopher Wylie, a data expert who oversaw Cambridge Analytica’s data harvesting. Only about 270,000 users — those who participated in the survey — had consented to having their data harvested, though they were all told that it was being used for academic use.

Facebook said no passwords or “sensitive pieces of information” had been taken, though information about a user’s location was available to Cambridge.

So was Facebook hacked?

Facebook in recent days has insisted that what Cambridge did was not a data breach, because it routinely allows researchers to have access to user data for academic purposes — and users consent to this access when they create a Facebook account.

But Facebook prohibits this kind of data to be sold or transferred “to any ad network, data broker or other advertising or monetization-related service.” It says that was exactly what Dr. Kogan did, in providing the information to a political consulting firm.

Dr. Kogan declined to provide The Times with details of what had happened, citing nondisclosure agreements with Facebook and Cambridge Analytica.

Cambridge Analytica officials, after denying that they had obtained or used Facebook data, changed their story last week. In a statement to The Times, the company acknowledged that it had acquired the data, though it blamed Dr. Kogan for violating Facebook’s rules and said it had deleted the information as soon as it learned of the problem two years ago.

But the data, or at least copies, may still exist. The Times was recently able to view a set of raw data from the profiles Cambridge Analytica obtained.

What is Facebook doing in response?

The company issued a statement on Friday saying that in 2015, when it learned that Dr. Kogan’s research had been turned over to Cambridge Analytica, violating its terms of service, it removed Dr. Kogan’s app from the site. It said it had demanded and received certification that the data had been destroyed.

Facebook also said: “Several days ago, we received reports that, contrary to the certifications we were given, not all data was deleted. We are moving aggressively to determine the accuracy of these claims. If true, this is another unacceptable violation of trust and the commitments they made. We are suspending SCL/Cambridge Analytica, Wylie and Kogan from Facebook, pending further information.”

In a further step, Facebook said Monday that it had hired a digital forensics firm “to determine the accuracy of the claims that the Facebook data in question still exists.” It said that Cambridge Analytica had agreed to the review and that Dr. Kogan had given a verbal commitment, while Mr. Wylie “thus far has declined.”

What are others saying?

Facebook, already facing deep questions over the use of its platform by those seeking to spread Russian propaganda and fake news, is facing a renewed backlash after the news about Cambridge Analytica. Investors have not been pleased, sending shares of the company down more than 8 percent since Friday.

■The Federal Trade Commission said Tuesday it is investigating whether Facebook violated a 2011 consent agreement to keep users’ data private.

■ In Congress, Senators Amy Klobuchar, a Democrat from Minnesota, and John Kennedy, a Republican from Louisiana, have asked to hold a hearing on Facebook’s links to Cambridge Analytica. Republican leaders of the Senate Commerce Committee, led by John Thune of South Dakota, wrote a letter on Monday to Mark Zuckerberg, Facebook’s chief executive, demanding answers to questions about how the data was collected.

■ A British Parliament committee sent a letter to Mr. Zuckerberg asking him to appear before the panel to answer questions on Facebook’s ties to Cambridge Analytica.

■ The attorney general of Massachusetts, Maura Healey, announced on Saturday that her office was opening an investigation. “Massachusetts residents deserve answers immediately from Facebook and Cambridge Analytica,” she said in a Twitter post. Facebook’s lack of disclosure on the harvesting of data could violate privacy laws in Britain and several states.

This article originally appeared on The New York Times