Skip to main content

The data that Facebook collects about its users could reveal a lot about users’ personalities. A company named Cambridge Analytica sure thought so. The FTC alleges Cambridge Analytica used false and deceptive tactics to harvest personal information from tens of millions of Facebook users – data later used to profile and target U.S. voters. The FTC’s lawsuit against the company – and a settlement with its former CEO and an affiliated app developer – includes allegations of how they violated the FTC Act by using trickery to access that data.

In 2013, Cambridge Analytica, its then-CEO Alexander Nix, and others developed an interest in research suggesting that a person’s “likes” of public Facebook pages could be used to predict a host of personality traits – for example, whether someone was an extrovert or introvert. They agreed to work with Aleksandr Kogan, a lecturer at Cambridge University’s Psychology Department, who had experience with Facebook-related research. The goal of the Cambridge Analytica-Nix-Kogan collaboration was to use Facebook information to offer voter profiling, microtargeting, and other services to U.S. campaigns and clients.

Kogan brought an interesting tool to the table: a Facebook application called the GSRApp – sometimes known as the “thisisyourdigitallife” app – that was already registered on Facebook. According to the complaints, the respondents used that app to ask users to take a personality survey. They also used it to take advantage of a Facebook developer tool called Graph API (v.1) that allowed them to collect personal information about app users and personal information about those app users’ Facebook “friends” – people who had no interaction whatsoever with the GSRApp.

Facebook had announced in April 2014 that it would no longer allow developers to collect profile data from app users’ friends. But Facebook grandfathered existing apps to allow them to continue the surreptitious data collection for an additional year. (That decision is discussed in more detail in the FTC’s settlement with Facebook also announced today.) That made Kogan’s GSRApp much more attractive to Cambridge Analytica and CEO Nix. Ultimately, according to the complaints, Kogan, Nix, and Cambridge Analytica used the harvested data to generate personality scores for app users and their friends, match those scores with U.S. voter records, and then use the information for its voter profiling and targeted advertising services.

What did the respondents tell Facebook users about what they were doing? Not the truth, alleges the FTC. Although app users were paid a small fee to answer survey questions, almost half of them initially refused to provide their Facebook profile information. To assuage that concern, the respondents allegedly made a deceptive representation when users were asked for permission to collect their Facebook information. Specifically, the GSRApp told app users:

In this part, we would like to download some of your Facebook data using our Facebook app. We want you to know that we will NOT download your name or any other identifiable information – we are interested in your demographics and likes.

That was false, alleges the FTC, because the app did collect users’ Facebook User ID, which connects individuals to their Facebook profiles, which can include users’ real names. According to the complaint, the respondents ultimately used the app to collect Facebook data from between 250,000 and 270,000 U.S. users, as well as between 50 million and 65 million of those users’ Facebook Friends, including approximately 30 million identifiable U.S. consumers.

The FTC’s administrative complaint against Cambridge Analytica, which has filed for bankruptcy, charges the company with making deceptive claims about the collection of personally identifiable information. In addition, the complaint challenges allegedly misleading claims related to Cambridge Analytica’s participation in Privacy Shield, a framework that allows companies to transfer personal data lawfully from the EU to the United States.

Nix and Kogan have agreed to settle FTC charges that they falsely claimed their app didn’t collect personally identifiable information from consumers. The proposed settlements prohibits them from making false or deceptive statements about the extent to which they collect, use, share, or sell personal information and their purpose for collecting it. The proposed orders also require them to destroy all personal information collected from consumers through the GSRApp and any related work that used that data. Once the settlements are published in the Federal Register, the FTC will accept public comments for 30 days.

The case against Cambridge Analytica remains pending, but even at this early stage, it illustrates the serious consequences when companies allegedly deceive consumers about the use of their personal information.
 

George Yurieff
July 24, 2019
As the saying goes, "The only thing free is cheese in the mouse trap." If you get "free" service for something, you have likely agreed to something which was in the fine print of the five pages which you didn't read, but rather just clicked the "Yes" box. Now the info mining is tied to your ability to use programs in your mobile telephone. Don't give them permission for accessing your family pictures and bingo...something doesn't work. Don't allow the telephone to access your location and bingo....something else doesn't work. It seems that George Orwell was a right on the mark.
Javiere Benson
July 24, 2019

In reply to by George Yurieff

I hate to say your statement is a bogus start. It is ever organization to check information to help protect the people. If the company sees something suspicious that don't give them the right to use others personal information for corruption. If we can't trust the business owner that run or own the online business then it should not be.
Michele Whalin-Hagey
August 02, 2019

In reply to by George Yurieff

I would have to say I would have thought the same, if only my device wasn't being used to spy on me by my neighbor whom has granted himself permission to my Network Name and has named his WiFi router the exact Network name and everytime I use my device, I auto connect straight into his house. There he has full administrator privileges over me and all my household devices through his desk top computer!!! It's crazy insane!! I plan on pressing charges for harrassment, stalking, pain and suffering and all counts of The Disibilities Acts I can find that he has abused!
FTC Staff
August 06, 2019

In reply to by Michele Whalin-Hagey

You can change the name of your Network and add a password to your Network to make it more secure.

You can make your router more secure to protect your home network from attacks that could come over the internet. This FTC article about Securing Your Wireless Network has tips about securing your router.

Steve
July 24, 2019
While suing the company is a great first step, as long as we continue to give them financial slaps on the wrist with no criminal penalties (i.e., jail time), corporations will continue to break the law and defraud consumers. A $5 billion fine for Facebook is laughable considering the company has a market cap of $575 billion. This provides no incentive for the company to act lawfully in the future as it's still far more lucrative for them to continue breaking the law. Think about it this way. If I'm a criminal that makes $10,000 every time I rob someone, I only get caught once every 20 times I do it, and the court gives me a $2000 fine and no jail time, I still come out $198,000 in the black. So what incentive is there for me to stop? That's a rough equivalent to Facebook receiving a $5 billion (1%) fine. I suppose I'm failing to see what the "serious consequences when companies allegedly deceive consumers about the use of their personal information." are. "Nix and Kogan have agreed to settle FTC charges that they falsely claimed their app didn’t collect personally identifiable information from consumers. The proposed settlements prohibits them from making false or deceptive statements about the extent to which they collect, use, share, or sell personal information and their purpose for collecting it. The proposed orders also require them to destroy all personal information collected from consumers through the GSRApp and any related work that used that data. Once the settlements are published in the Federal Register, the FTC will accept public comments for 30 days." How is this a deterrent? When will we see corporations held to the same criminal laws that individual citizens are? The banks involved in the financial crisis, Wells Fargo opening fraudulent accounts, and Equifax are all great examples of companies literally getting away with knowingly breaking the law and just receiving a fine.
Mor
July 26, 2019
I'm trying to understand Facebook's data policy. Does Facebook have the right to share personal data with third parties? Are shared data user data or personal data? Is there a difference between the two. Is membership in Facebook an authorization to share our personal data? Is Facebook personal information or anonymous data that third-party partners share?

More from the Business Blog

Get Business Blog updates