How a Russian-American Researcher Got Private Data of 50 Million Facebook Users

It’s easier than you might think — and that is frightening

Last Updated: March 19, 2018 @ 10:04 AM

How does an academic get his hands on information about 50 million Facebook users? Create an app.

That’s what Russian-American psychology professor Dr. Aleksandr Kogan did in 2014. What you’re not supposed to do, however, is turn around and sell that data to an analytics firm — especially one with ties to a presidential campaign, like Cambridge Analytica had to Donald Trump’s 2016 run.

Sharing such information, whether for free or profit, is a violation of the social media website’s policy. It also could potentially influence the political future of an entire country, some people would argue — especially those who wish their info wasn’t leaked to a group tied to then-Trump strategist Steve Bannon.

Kogan’s “thisisyourdigitallife” app, which was downloaded by approximately 270,000 Facebook members, was billed as “a research app used by psychologists,” and offered users a personality prediction.

In downloading the app, a user gave consent for Kogan to access information about their location, content they “like” and what Mark Zuckerberg’s company qualified as some “limited information” about friends without strict privacy settings.

Oh, and don’t call this whole thing a “data breach,” Facebook insists.

“The claim that this is a data breach is completely false,” the company said on Saturday. “Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

If you were able to build an app and get hundreds of thousands of people to download it, like Kogan did, you could mine info to build your own “psychographic profiles.” The information was freely available to app developers via Facebook. Cambridge Analytica ultimately used its data — including a look at what users “liked” on the social network — to build 30 million profiles.

In several since-deleted tweets, Facebook Chief Security Officer Alex Stamos explained over the weekend why this was allowed under Facebook’s old rules for developers.

“At the time of this quiz [app written to collect data], the Facebook API allowed app developers to see a larger portion of the data available to a user than we do now. This included names and likes from friends. There were privacy controls available to both the user of the app and their friends,” said Stamos. “The ability to get friend data via API, with the permission of a user, was documented in our terms of service, platform documentation, the privacy settings and the screen users to login to apps.”

Ironically, Cambridge Analytica used the same strategy — grab information, examine it, and use it to target specific users — that Facebook has used to build an advertising powerhouse.

Still, the usage and sharing of the information in this case is where the deception and thievery come in.

Facebook originally said on Friday that “Kogan lied to us” by passing data collected from his app to Cambridge Analytica and Christopher Wylie of Eunoia Technologies, Inc. The popular platform said that when it learned of the violation in 2015, it removed Kogan’s app, and insisted that all parties destroy the information.

Turns out, that last part may not have happened.

“We are moving aggressively to determine the accuracy of these claims,” Facebook said of the agreed-upon “Move to Trash” that sounds like it didn’t go through.

“We are committed to vigorously enforcing our policies to protect people’s information,” it continued. “We will take whatever steps are required to see that this happens. We will take legal action if necessary to hold them responsible and accountable for any unlawful behavior.”

Sean Burch contributed to this report.