The Quick and Dirty Facts About Facebook and Cambridge Analytica

You may have heard about a scandal involving Facebook, a data-mining firm called Cambridge Analytica and President Donald J. Trump's 2016 campaign. Here's a brief explainer.

What's the latest news?

— Mark Zuckerberg's reassurances at the F8 Facebook developer conference in early May that Facebook would clean up its act didn't strike our reporter as genuine.

— Facebook began running a commercial on network television in the U.S. at the end of April, aimed at reassuring users that fake news, misuse of data and abusive behavior were behind it. We ran the ad past our colleagues, most of whom weren't convinced.

— Cambridge Analytica and parent company SCL announced May 2 that they were shutting down operations. However, several other companies listing many of the same company officers as SCL, and using the same mailing address, continue to exist in the U.K.

— Facebook announced a new dating service at the F8 Facebook developer conference on May 1. It also announced a new service that would let you "clear your data" with the social network.

— WhatsApp co-founder Jan Koum announced on May 1 that he was leaving Facebook immediately, the morning after a Washington Post report that said Koum was planning to leave after disagreeing with Facebook executives over how WhatsApp user data should be handled. Facebook bought WhatsApp in 2014, and WhatsApp's other co-founder, Brian Acton, left Facebook in November 2017. Acton publicly endorsed the #DeleteFacebook slogan that arose on social media following the Cambridge Analytica revelations.

— Dr. Aleksandr Kogan, the psychology researcher painted as an unethical rogue scientist by Facebook, Cambridge Analytica and whistleblower Christopher Wylie alike, got his day in front of the U.K. Parliament's Digital, Culture, Media and Sport Committee on Tuesday, April 24. For a man portrayed as a villain, Kogan seemed affable, friendly and open.

Kogan said that Facebook "gave me the data set without any agreement signed" initially, and only later demanded a signed agreement. He portrayed Wylie as an untrustworthy double-dealer who burned bridges and made up facts. Kogan said that SCL/Cambridge Analytica never got its hands on the data collected by the "ThisIsYourDigitalLife" Facebook survery, which only "a few hundred individuals" completed; rather, the data provided to SCL was collected by earlier survey apps.

— Facebook CEO Mark Zuckerberg was questioned by 98 different U.S. senators and representatives over about 10 hours this week. Here's our take on Zuckerberg's Senate questioning, and our recap of his rather harsher grilling by congressmen.

— If you'd like to check whether your account information was provided to the app that later gave data to Cambridge Analytica, here's how.

— Buried in the notifications provided to persons whose data was accessed is a small detail that "messages" were also accessed. We've asked Facebook whether that would mean instant messages, which should be completely private, email messages (Facebook tried to start an email service several years ago) or simply comments on your postings.

— Facebook CEO Mark Zuckerberg says "I'm sorry" in his prepared statement to a U.S. House of Representatives committee.

— Apple co-founder Steve Wozniak tells USA Today that he has deactivated, but not deleted, his Facebook account.

— Facebook suspended two other third-party app makers, AggregateIQ and Cubeyou, over allegations they had misused user data.

— Ever wanted to "un-send" an instant message you'd just sent? It turns out Mark Zuckerberg can do this in Facebook Messenger. Now that the truth's out, Facebook will make this feature available to all users in the coming months.

— Facebook admitted that its computers scan Messenger messages for questionable links or images, and that messages flagged with such content get a review from a human moderator. Messages containing malicious links or objectionable images (i.e., child pornography) get blocked or deleted. This may sound like an invasion of privacy, but arguably it's a good thing.

— Facebook conceded that the data provided to Cambridge Analytica involved up to 87 million users, almost all of them U.S. residents.

— Another PR disaster for Facebook: Late Thursday (March 29), BuzzFeed posted a story revealing an internal memo from 2016 in which a senior Facebook executive justified all the company's actions as "de facto good" even if "someone dies." To be fair, the memo seemed to be taken out of context, and may have been taking a devil's advocate position to spark internal debate.

— Facebook saves video clips you've recorded with the mobile app, but not posted, several users found after downloading their Facebook data.

— Facebook announced that it would make the privacy settings on its Android apps easier to navigate, although we haven't seen any changes yet.

— The chief of the U.K. parliamentary committee that invited Mark Zuckerberg to come testify finds it "absolutely astonishing" that Zuckerberg is sending two top executives instead of coming himself.

— Three Facebook Messenger users sued Facebook in federal court Tuesday (March 27) over reports that Facebook collected logs of users' text messages and phone calls.

— Firefox browser maker Mozilla rolled out a new extension called "Facebook Container" that keeps your Facebook activity in an isolated browser window.

— It seems that Facebook CEO will indeed testify before Congress, but may be sending someone else to get grilled by British lawmakers.

— The FTC confirmed that it was indeed investigating the Facebook/Cambridge Analytica scandal, according to the Associated Press and Bloomberg News. Facebook shares, which had declined about 15 percent since the story broke last weekend, fell further at the news.

— At least some of the Facebook apps for Android log the user's call and texts, a New Zealand developer discovered. We confirmed it ourselves.

— The psychologist at the center of the Cambridge Analytica/Facebook storm had previously worked with Facebook on a large-scale social study, the Washington Post found.

— Facebook CEO Mark Zuckerberg finally spoke out about the still-growing scandal, five days in. He pledged to limit the amount of data collected by third-party apps, but did not offer any changes regarding Facebook's fundamental business model.

— Meanwhile, British Member of Parliament Damian Collins sent a letter to Zuckerberg imploring that the CEO come testify before U.K. lawmakers.

Collins noted that previous answers by Facebook executives to lawmakers' questions "have been misleading."

"It is now time to hear from a senior Facebook executive with the sufficient authority to give an accurate account of this catastrophic failure of process," Collins wrote. "I hope that this representative will be you."

— Aleksandr Kogan, the Russian academic who legitimately collected the Facebook data, but then passed it along to Cambridge Analytica, complained that he's being scapegoated.

"We thought we were doing something that was really normal," Kogan told the BBC. "Thousands and maybe tens of thousands of apps were doing the exact same thing."

— Cambridge Analytica CEO Alexander Nix has been suspended from the company. But that's less momentous than it may seem, as Cambridge Analytica is in some ways a front for Strategic Communication Laboratories, or SCL, which Nix is still involved with.

Even as Nix stepped away from Cambridge Analytica, online sleuths dug up that he'd recently become a director of Emerdata Ltd., yet another company that involves several people associated with SCL. On Friday, March 16, just before the Facebook/Cambridge Analytica scandal broke, Emerdata added Rebekah Mercer, daughter of Cambridge Analytica bankroller Robert Mercer, and a woman named Jennifer Mercer to its board.

Credit: Pixinoo/Shutterstock

(Image credit: Pixinoo/Shutterstock)

As of this writing, Nix is on the board of 10 British companies, including Cambridge Analytica's British arm. Those 10 companies share a total of two street addresses.

The Mercers, however, are on the boards of only Emerdata, which may indicate that it's being set up as the successor to Cambridge Analytica.

— The state of New York has joined the existing investigation by the state of Massachusetts into the Facebook data misuse.

Canada has launched its own investigation.

— One of the founders of WhatsApp, which Facebook now owns, seemed to support quitting Facebook.

— The first lawsuits over the Facebook scandal have appeared.

— The U.S. Federal Trade Commission (FTC) is launching an investigation to decide if Facebook's handling of user data, in regards to Cambridge Analytica, is in violation of a 2011 consent decree, Bloomberg reports. The 2011 settlement saw Facebook agree that it would get user consent if changes were made to privacy settings.

If the FTC finds Facebook as having violated the terms, it can fine the company "more than $40,000 a day per violation." In a previous statement, Facebook rejected the notion that it had violated the consent decree.

Theoretically, if each of the 50 million people whose data was affected was a U.S. resident, and each account is taken to constitute a violation of the agreement, Facebook could face a fine of $2 trillion.

The actual fine, if there is any, will probably be far less.

What happened with Facebook and Cambridge Analytica?

The New York Times and the Observer newspaper in Britain revealed Saturday that Cambridge Analytica, a political data-mining and consulting firm, got hold of the personal information of 50 million Facebook users and may have later used it to craft ads and messages for President Trump's 2016 campaign. (That figure was later updated by Facebook itself to 87 million.)

50 million! That's a huge data breach!

Yes and no. It's not quite a breach, because Facebook willingly allowed the data to be collected. But Facebook was misled about the ultimate goal of the data collection.

Facebook had thought the data was being collected for an academic study conducted by a firm called Global Science Research (GSR). But Aleksandr Kogan, the Cambridge professor who ran GSR and obtained the data, sold it and the methods of analyzing it to Cambridge Analytica and its British parent company, Strategic Communication Laboratories (SCL). That was a violation of Facebook's rules.

For its part, Cambridge Analytica says that GSR and Kogan misled Cambridge Analytica by telling them the data was safe to use.

How can I find out if my personal data was involved?

Right now, you probably can't. Cambridge Analytica and SCL say they no longer have the data, although that's in dispute. Facebook has not disclosed which of its users had their data collected. U.K. residents can file a Subject Access Request with the Information Commissioner's Office to get a copy of data that any U.K. company has about them, but again, the Cambridge Analytica and SCL say the Facebook data is long gone.

MORE: Facebook Privacy Tips: How to Protect Yourself Now

What does Cambridge Analytica do?

It analyzes opinion polls and other indicators of social and political trends, as well as data about different types of individuals, to identify issues and messages that might sway voters toward certain candidates or issues. It also has a marketing arm that does the same for commercial products.

How did Cambridge Analytica use the Facebook data?

It analyzed Facebook users' posts, likes and friends lists to determine trends and issues concerning potential voters, grouped voters into many different categories, and came up with ways to influence those potential voters' opinions.

What's the political fallout so far?

A U.S. senator, Amy Klobuchar (D.-Minnesota), wants Facebook head Mark Zuckerberg to appear before the Senate Judiciary Committee. Two other Democratic congressmen, Sen. Mark Warner of Virginia and Rep. Adam Schiff of California, want a Congressional investigation. British lawmakers are making similar demands.

The state of Massachusetts has launched an investigation into the collection of Facebook data, as has Britain's data-protection agency. Special counsel Robert Mueller has already been examining Cambridge Analytica as part of his investigation into alleged Russian meddling in the 2016 presidential election.

How and when was this data collected?

Aleksandr Kogan, the Cambridge professor behind GSR, wrote a Facebook survey app in 2014 that asked Facebook users about their opinions and habits in exchange for a small reward. Only about 270,000 Facebook users actually took the survey. But because of Facebook's permissions at the time, the survey software was able to "scrape" data from the accounts of the Facebook friends of Facebook users who took the survey, finally collecting data on about 50 million Facebook users.

Yes. Facebook thought it would be OK as long as the data was used only for academic purposes.

Can I really expose my Facebook friends by answering a survey?

Not any more, or at least not to the same extent. Facebook shut down that functionality in 2015.

When did Facebook learn that the data had been handed over to Cambridge Analytica, and what did it do?

Facebook says that it learned in 2015 that the data had been misused. It sent a sternly worded letter to Cambridge Analytica, GSR and former Cambridge Analytica/SCL contractor Christopher Wylie, telling all three parties that they must delete the data. Facebook did not ask for proof that the data had been deleted.

MORE: How to Delete Your Facebook Account

Why didn't Facebook inform affected users in 2015 that their data had been collected by this survey and given to a private company?

You'll have to ask Facebook that. It may have broken the law by not disclosing the misuse of personal data. (Its stock dipped seven percent Monday.)

Was the data deleted?

Alexander Nix, the head of Cambridge Analytica and SCL, testified before Britain's House of Commons in February 2018 that the companies no longer held any Facebook data. But reporters from the Times and the Observer said that this month, they were shown what appeared to be personal data pertaining to Facebook users. A source told them that "gigabytes" of such data collected by Cambridge Analytica's app still existed.

Why is this all coming to light now?

Christopher Wylie, the Canadian data-mining expert who worked for SCL and Cambridge Analytica in 2013 and 2014, told his side of the story to the Times and the Observer. Wylie says he chose to do so after he saw that Nix had told Parliament that Cambridge Analytica and SCL that it had never used Facebook data for political purposes. Wylie says Nix was lying.

What has Facebook's reaction been to the story?

The editor of the Observer says Facebook threatened to sue the Observer before the stories were published Saturday. Over the weekend, Facebook executives took to Twitter to insist that this does not constitute a data breach. In a statement posted Friday, Facebook said it has suspended the Facebook accounts of Cambridge Analytica, the Cambridge professor who wrote the data-scraping app, and Christopher Wylie, the data miner who is now blowing the whistle.

UPDATE: Facebook on Monday (March 19) said it had hired Stroz Friedberg, a well-known digital forensics firm, to audit the use of Facebook data by Cambridge Analytica, SCL, GSR and the company that Wylie founded after he left SCL in 2014. Facebook said all but Wylie had agreed to cooperate with the audit.

How is the Trump campaign involved?

In order to take part in the 2014 congressional midterm campaigns, SCL, a British firm, needed an American front company. (Foreigners are not allowed to work on American political campaigns, but it appears many Britons and Canadians did so in this case, possibly violating U.S. law.) So it created an American subsidiary called Cambridge Analytica that was bankrolled by Robert Mercer, a hedge-fund billionaire. Mercer, his daughter Rebekah Mercer, and Breitbart editor Steve Bannon (later a Trump campaign advisor and White House advisor) were named directors of Cambridge Analytica.

Was Cambridge Analytica created to elect Trump?

No. The company was created to help conservative Republican candidates in the 2014 congressional elections. During the 2016 presidential campaign, the Mercers initially backed Sen. Ted Cruz, but then switched to Trump when he became the front-runner for the Republican nomination.

Why is Britain involved in this?

SCL is a British company. It also worked for the pro-Brexit side during the months leading up to the 2016 referendum that decided Britain should leave the European Union.

How is Russia involved in this?

Alexandr Kogan, the Cambridge professor who collected the Facebook data, is a Russian national. In addition to his Cambridge post, he holds a position at a university in Saint Petersburg, Russia. SCL has apparently discussed working with Lukoil, a Russian oil company whose boss is close to Russian president Vladimir Putin.

Are more revelations about this yet to come?

Probably. Channel 4, a British television channel, plans to broadcast an expose of Cambridge Analytica this week, and portions of the broadcast have already aired on American networks. Cambridge Analytica is reportedly trying to stop the Channel 4 broadcast. (UPDATE: Two parts of the expose has aired, and include footage of company head Alexander Nix boasting that the company specializes intrapping opposing candidates with bribes and prostitutes.)

Should I trust Facebook any more?

You should never trust Facebook, or any company that provides a free online service, to handle your data properly.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.