The data that Facebook collects about its users could reveal a lot about users’ personalities. A company named Cambridge Analytica sure thought so. The FTC alleges Cambridge Analytica used false and deceptive tactics to harvest personal information from tens of millions of Facebook users – data later used to profile and target U.S. voters. The FTC’s lawsuit against the company – and a settlement with its former CEO and an affiliated app developer – includes allegations of how they violated the FTC Act by using trickery to access that data.
In 2013, Cambridge Analytica, its then-CEO Alexander Nix, and others developed an interest in research suggesting that a person’s “likes” of public Facebook pages could be used to predict a host of personality traits – for example, whether someone was an extrovert or introvert. They agreed to work with Aleksandr Kogan, a lecturer at Cambridge University’s Psychology Department, who had experience with Facebook-related research. The goal of the Cambridge Analytica-Nix-Kogan collaboration was to use Facebook information to offer voter profiling, microtargeting, and other services to U.S. campaigns and clients.
Kogan brought an interesting tool to the table: a Facebook application called the GSRApp – sometimes known as the “thisisyourdigitallife” app – that was already registered on Facebook. According to the complaints, the respondents used that app to ask users to take a personality survey. They also used it to take advantage of a Facebook developer tool called Graph API (v.1) that allowed them to collect personal information about app users and personal information about those app users’ Facebook “friends” – people who had no interaction whatsoever with the GSRApp.
Facebook had announced in April 2014 that it would no longer allow developers to collect profile data from app users’ friends. But Facebook grandfathered existing apps to allow them to continue the surreptitious data collection for an additional year. (That decision is discussed in more detail in the FTC’s settlement with Facebook also announced today.) That made Kogan’s GSRApp much more attractive to Cambridge Analytica and CEO Nix. Ultimately, according to the complaints, Kogan, Nix, and Cambridge Analytica used the harvested data to generate personality scores for app users and their friends, match those scores with U.S. voter records, and then use the information for its voter profiling and targeted advertising services.
What did the respondents tell Facebook users about what they were doing? Not the truth, alleges the FTC. Although app users were paid a small fee to answer survey questions, almost half of them initially refused to provide their Facebook profile information. To assuage that concern, the respondents allegedly made a deceptive representation when users were asked for permission to collect their Facebook information. Specifically, the GSRApp told app users:
In this part, we would like to download some of your Facebook data using our Facebook app. We want you to know that we will NOT download your name or any other identifiable information – we are interested in your demographics and likes.
That was false, alleges the FTC, because the app did collect users’ Facebook User ID, which connects individuals to their Facebook profiles, which can include users’ real names. According to the complaint, the respondents ultimately used the app to collect Facebook data from between 250,000 and 270,000 U.S. users, as well as between 50 million and 65 million of those users’ Facebook Friends, including approximately 30 million identifiable U.S. consumers.
The FTC’s administrative complaint against Cambridge Analytica, which has filed for bankruptcy, charges the company with making deceptive claims about the collection of personally identifiable information. In addition, the complaint challenges allegedly misleading claims related to Cambridge Analytica’s participation in Privacy Shield, a framework that allows companies to transfer personal data lawfully from the EU to the United States.
Nix and Kogan have agreed to settle FTC charges that they falsely claimed their app didn’t collect personally identifiable information from consumers. The proposed settlements prohibits them from making false or deceptive statements about the extent to which they collect, use, share, or sell personal information and their purpose for collecting it. The proposed orders also require them to destroy all personal information collected from consumers through the GSRApp and any related work that used that data. Once the settlements are published in the Federal Register, the FTC will accept public comments for 30 days.
The case against Cambridge Analytica remains pending, but even at this early stage, it illustrates the serious consequences when companies allegedly deceive consumers about the use of their personal information.