My problem with this 'outing' of CA is that Facebook explicitly commercially exists to harvest user data for Procter & Gamble, Johnson & Johnson, Fidelity etc etc so they can profile us. A million dollars is chump change in the crazy US election game. This all seems overly selective - it's ok for some people to profile but not for others. I'm not in favor of any of it to be clear but there is a definite political bias going on here.
Let's not forget FB itself has a formal political unit that exists to push propaganda in foreign elections, 'stifling opposition and stoking extremism'
>This all seems overly selective - it's ok for some people to profile but not for others
What's the issue here? Selective information distribution is rooted in the society, people are O.K. with some information to be known to some people while kept secret from others due to implication differences.
I.E. I'm fine to be profiled for selling me chocolates but I'm not O.K. to be profiled to be manipulated to select public officials or to make my mind about controversial topics like the god, abortions, guns etc. I expect to be exposed in a proper way to these topics, i.e. proper journalism and discussions.
There is a big difference between sharing data with companies, and allowing companies to specify as targeting rules.
Facebook lets companies bid for ads to show you, based on Facebook’s data about your interests and demographics. If you never engage with the ads there is no information leakage.
It’s the difference between telling a random person “I’ll tell my gay friends about your party” and “Did you know that Bob is dating Steve?”.
>My problem with this 'outing' of CA is that Facebook explicitly commercially exists to harvest user data for Procter & Gamble, Johnson & Johnson, Fidelity etc etc so they can profile us.
Not only conglomerates but anyone with the money and know-how. Example P&G proxy fight:
Neubecker said he has seen several ads on his Facebook feed that link to Trian’s “Revitalize P&G” website and to videos of Peltz and former P&G Chief Financial Officer Clayton Daley, who is advising Trian.
The video of Peltz features him sitting in Trian’s Park Avenue, New York City headquarters, discussing P&G’s future, gripping a Trian-labeled coffee mug that reads “Sales up, expenses down.”
In response, P&G has called upon more than a century of product marketing experience with its own “Vote Blue” campaign.
One YouTube video begins with an image of P&G’s blue logo and a banner proclaiming “Every Single Vote Matters!”. A narrator and series of slick images offer step-by-step instructions, ending by asking viewers to vote for the blue proxy card and to throw Trian’s white card in the recycling bin.
I could see a constitutional amendment barring psycho-graphic profiling from election advertising and intent. Not sure how it could be enforced because this is very technical.
Even so, there is a significant difference between Coke trying to sell me a flavored soft drink and a firm tweaking my emotions to get me to abstain from voting with false information or to vote against my best interests with false information.
There are definitely people who are susceptible to psycho-graphic warfare and we need to protect them in order to protect our democracy.
Agreed. This is marketing. The tone of the article makes it sound like some egregiously illegal scandal. The only wrongdoing is that one private entity breached the terms of service with another private entity. Innuendo.
The guy who was contracted by CA to steal the data is from Russia.
He had previously undisclosed funding from the Russian government.
CA later tried to do business from a Russian oligarch.
Choice quote:
"There are other dramatic documents in Wylie’s stash, including a pitch made by Cambridge Analytica to Lukoil, Russia’s second biggest oil producer. In an email dated 17 July 2014, about the US presidential primaries, Nix wrote to Wylie: “We have been asked to write a memo to Lukoil (the Russian oil and gas company) to explain to them how our services are going to apply to the petroleum business. Nix said that “they understand behavioural microtargeting in the context of elections” but that they were “failing to make the connection between voters and their consumers”. The work, he said, would be “shared with the CEO of the business”, a former Soviet oil minister and associate of Putin, Vagit Alekperov.
“It didn’t make any sense to me,” says Wylie. “I didn’t understand either the email or the pitch presentation we did. Why would a Russian oil company want to target information on American voters?”"
The thing about the relatively low cost of a million is that we know that many of the voters targeted by the Russians for influence on both sides were much cheaper than what your example commercial interests targeted for marketing services/products, so a million dollars on targeted campaign is much more effective than what that million dollars buys in a major media market TV ad equivalent or commercial Facebook targeted ad.
I remember when the Obama campaign hired data scientists and used targeted social networking tools to persuade voters who were on the fence and it was heralded as brilliant and the future of politics.
I worked for a company crawling Facebook data by creating viral apps the year the original API came out. By now I am sure this is done by many companies.
Why is any of this news? My understanding is that companies harvesting social networking data via viral apps and then reselling it to perform targeted voter advertising is literally a 10 year old concept. Were any laws broken here? Were there any techniques used here that were novel or done by one political party and not the other? Why are we talking about this one firm and not the many others that surely exist that are trying to do the same thing for <insert political candidate of choice>?
I am not shocked by the fact that they are collecting data. The fact they are designing a psychological procedure to feed their narrative and agenda to you in an unconscious way, shaping and changing your world view, with that message only tailored to you, is very creepy to me. This doesn't sound like advertising to me, this is manipulation and brainwashing.
I guess the other question is why this hasn't been any news yet. But the answer might be that 10 years ago Tech wasn't much in the news because it was just not interesting for most people.
This has changed a lot in the last few years though, which might explain why the news agencies now have to work through (at least!) 10 years of tech news backlog. I'd definitely like to see coverage of these topics from 'traditional journalists' who then bring this stuff into context and link it with politics for instance. It's a little sad that we needed the political right and their friends to bring these things to public attention.
> Were any laws broken here?
In Germany they would have broken it by that. At least here every website needed already 10 years ago not only Terms of Services but also a data privacy section/page. Such a page would be of no use if you could collect data from people before they even visit your website.
> I remember when the Obama campaign hired data scientists and used targeted social networking tools to persuade voters who were on the fence and it was heralded as brilliant and the future of politics.
If you go back to the 2008 election, the media was praising Obama as the first social media president. Remember how well Obama used YouTube, MySpace, Facebook, Reddit and the burgeoning social space during his election? It's strange how the media is now attacking the social media space they loved so much because Trump won the election.
> Why is any of this news?
I think it's because the media and the Democrats and a large segment of the elites need something to blame for Trump's win. They don't want to blame Hillary or themselves for the loss, so they attack social media.
During the 2016 election, Trump was complaining about foreign interference in the elections. And Obama stated there was no foreign interference and that Trump was whining because he was losing in the polls. Back then, the traditional media was backing Obama and mocking Trump. Now that Trump has won, the traditional media is the one pushing the foreign interference narrative.
But I guess it is all conjecture. But ever since Trump won the election, there has been a relentless propaganda campaign against social media by the establishment. You can't go a day without seeing a propaganda piece on traditional or social media about how bad social media is.
Isn’t harvesting data prohibited by Facebook TOS? (Not to say that people don’t still do it). Also, could you elaborate on what kind of data you get access to by doing this data harvesting versus just using Facebook targeting data that Facebook explicitly gives advertisers access to? I’m curious because fb gives a lot of targeting criteria, so I’m wondering what kinds of things this harvesting unlocks. Sentiment analysis on post language or something?
They harvested personal info of people. Something against FB policy and against the law. That is why it is news.
I understand that Hacker News has been accused of turning into reddit since reddit became a thing, but when the topmost comment is from a guy who didn't even bother to read the article linked, there is very little in the way of distinction between the two sites.
And do you think the so-called "Russian influence" and the special counsel investigation have much substance to them anyways? Everybody can see from a mile how charged everything has become in American politics. They drum up the rhetoric on this one simply because they perceive Trump as their enemy and want him down no matter what, even though their "own" candidate might well have done the same thing or at least very similar things.
If this incident helps protect user privacy further it would be great. However I doubt it would happen at all. Most likely they'd just take this opportunity to aim another round of barrage at Trump instead of talking any substance about the issue itself. The purpose of this reportage is political attack against Trump instead of any concern for privacy in the first place.
Using fb to advertise for Obama, Trump, etc, is ok
However that's not what has been done, but the a) use of shills and fake personas to pump up opinion b) creation of fake "grassroots movements" and "news articles" with a divisive purpose
"Why is any of this news? My understanding is that companies harvesting social networking data via viral apps and then reselling it to perform targeted voter advertising is literally a 10 year old concept."
Other team didn't realize such thing as the internet exists?
(I'm outraged that this thing hit the news, as if it wasn't something already known)
Did you not read the article? Millions of users took a personality test that had nothing to do with politics, and that data was sold to the Trump campaign for targeting.
I used to make fb apps, any app gets full access to fb's user graph as long as they request the relevant permissions.
Users don't comprehend what permissions they are giving to apps they run. A quiz site getting full access is not surprising.
Once an app has any amount of access the only thing stopping them from harvesting their own clone of your data is an agreement in the ToS that you won't store PII for more than x hours.
These rules are like the bare minimum to stop good actors. If you're a bad actor fb does not do a single thing to protect users from you. As evident in this report fb is also not above blaming the users for the hostile environment fb created and placed them in.
There must be countless copies of harvested fb data out there. My employer at the time once realized we were accidentally storing some PII permanently in a derived field. If good actors can't even keep above the law what do you think the ecosystem looks like in the shadows?
IMO we aren't having the right conversation with fb over how they mistreat our PII and we should loosen the definition of that term when companies like the one in the article can infer our political preferences from the innocuous bits of our lives we tag on facebook.
We should be asking why even an authorized API that can't stop you from copying the data doesn't count as a systematized data breach.
> We should be asking why even an authorized API that can't stop you from copying the data doesn't count as a systematized data breach.
Is your argument that no company should offer any developer APIs at all? It's impossible to stop apps from storing data that they have access to, given malicious intent.
This is like saying that the existence of the Google Calendar API is a "systematized data breach" because an app could copy data from it once authorized by a user.
I was curious how the figure leaped from the 270k cited in the Facebook press release to this 50M figure.
It sounds like they never had full access to the Facebook profiles beyond the 270k who installed the app, but just harvested the friend lists of those 270k. This doesn't give the app developer full access to the friends' profile data, but I guess once you have the network of friend connections you can use other public data sources to fill in or infer the gaps. And of course some of those 50M will have FB profiles that are fully public open books ready for anyone to harvest.
I will say as someone who has developed Facebook apps, the whole ecosystem is pretty much on the honor system for protecting user data. There are some seemingly random and capricious (and often erroneous) abuse detection algorithms, but once an app has access to user data who knows what they do with it and whether it was kept secure -- surely Facebook has no idea unless they perform invasive manual physical audits.
You could get access to the full friends‘ user profile data in Graph API earlier than v2.0. If you had 500 friends, and granted friends_* OAuth permissions to an app, the app had access to 501 user profiles.
From the very beginning there has been a rule that you were not allowed to persist data more than a few days in your own DB. But it was obvious there was no way for fb to verify what you did or did not keep.
There has never been substantial control on profile data harvest on fb. It was whatever you could get users to okay, which was a lot given the value your app had to appear to provide.
From the interview, the architect of the system says Facebook detected the download of data (50 million users' data might crush smaller companies.) and asked what was going on and he just told them it was for academic purposes so Facebook let it pass. Also when Facebook told them to delete it later, CA said they did but didn't.
Minor point of confusion -- this article refers multiple times to a "data breach". ("...one of the largest-ever breaches of Facebook data...", "At the time of the data breach...", "...first reported the breach...")
As far as I can tell, there is no data breach, right? It sounds like CA got facebook data through an app they wrote, thisisyourdigitallife, which did some shady things.
Also, "The New York Times is reporting that copies of the data harvested for Cambridge Analytica could still be found online".
Basically FB gave the data away. Apps have access to the data but they're not allowed to give/sell it to third parties. In this case the rules were ignored. Probably many other companies with API access have also ignored the rules. In this case FB didn't make much of an effort at all to prevent it from happening so it's reasonable to assume the practice is rampant. There's likely many copies of large parts of FB data out there (left on laptops on trains or on unprotected FTP/HTTP servers, etc.).
One thing other commenters haven't mentioned is that Facebook asked the other parties to delete the data and promise never to use it again and the other parties even certified that they had done so, but the whistleblower is alleging they lied to Facebook.
OK, this feels like it will bring about the end. Of something. Facebook? Massive use of data for political campaigns? Anything?
If we keep consuming news like this, and do nothing, it's going to escalate massively. Same way as when Snowden told people they were spied on and they collectively shrugged and continued with their lives as if nothing had happened.
We, people in tech, have a massive moral burden to educate 'normals' on the meaning of news like this!
To a certain degree, this is a problem that Facebook has already taken steps against in the last years.
Remember that Facebook gives you zero access to users’ data just for being an advertiser. This scheme relied on users granting access to an app.
Data access by apps was curtailed two or three years ago to no longer include friends’ data. The permissions dialog has also become far more granular. From my observation, apps seem to mostly respect facebook’s rules on data scarcity, i. e. asking only for the data they actually need.
GDPR will enshrine this principle in law at least for European citizens, and it’s somewhat likely that it will have some effect far beyond the borders of Europe.
Regarding elections, first steps will likely align the law with that for TV advertisement. Clear information about an ad’s sponsor should be required, as well as the selectors used to target you. I’ve also heard some chatter about requiring a public repository for all ads. Right now, there might be waves of, for example, racist ads that never get reported in the news because the targeting never hits those people that would consider the ad problematic. The Atlantic is running a pilot program with a Chrome extension that records all advertisement you see on Facebook for such a repository.
In the current political climate, it’s unfortunately unlikely that the US will lead with new regulation. But there are a few decent agencies in the US that can squeeze a lot of mileage out of laws already on the books (the special prosecutor, and even the FEC). Social media companies are also quite scared, both because they fear a hit to their business, and because most of their executives do retain some humanity. You can also expect individual European companies to get out the big guns, seeing Trump and other Russia-backed populists rattling the core of the current consensus on liberal, open, civil societies.
The IETF's BCP#188 document is one of many consequences of Snowden, its title is "Pervasive Monitoring Is an Attack", and the text begins "Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible".
Almost literally right now, IETF 101 is starting in London, and one of the things presented will be a series of proposals by people who claim they (or organisations they work for, the IETF is only for people, corporations can't participate they can just send people to it) have a legitimate reason to snoop on TLS traffic. TLS 1.3 is designed, following BCP#188, to make such snooping impossible without ongoing assistance from one of the endpoints (if the endpoint is co-operating with the snooping there's mathematically nothing anybody can do) and they would dearly like to return to an era when they could snoop with just a little one time assistance. Now, maybe this would have been stiffly resisted anyway, but BCP#188 means anybody who isn't sure has an existing IETF document telling them exactly why this is a terrible idea.
The first Ad Sales pitch deck for TheFacebook.com included a slide showing how advertisers can target students based on their sexual orientation, political bend, dating interests, gender, age, education, and social graph. All of which can be used to discriminate based on protected variables, like gender, sexuality, age, mental disability, and race.
This will not be the end, and has been like this from the very beginning. If foreign companies can get access to this information, then intelligence agencies certainly can too.
The problem is that regular people no longer have a place to communicate. It used to be that the workplace, church, neighborhood or union meetings were the place to socialize and discuss these issues and take collective action. Now we have nowhere to turn to. Modern nomadic culture alongside temporary jobs, low trust and personalized news all make sure that we cannot take collective action on anything.
We need to find a new way to communicate before this cancer becomes so widespread that the last bastions are lost.
It was extremely attractive. It could also be deemed illicit, primarily because Kogan did not have permission to collect or use data for commercial purposes. His permission from Facebook to harvest profiles in large quantities was specifically restricted to academic use. And although the company at the time allowed apps to collect friend data, it was only for use in the context of Facebook itself, to encourage interaction. Selling data on, or putting it to other purposes, – including Cambridge Analytica’s political marketing – was strictly barred.
It also appears likely the project was breaking British data protection laws, which ban sale or use of personal data without consent. That includes cases where consent is given for one purpose but data is used for another.
Technically perhaps correct, but for the victims it seems rather irrelevant to me.
In a data breach, someone would have used a technical vulnerability or some other (e.g. social engineering) vulnerability of Facebook to get illegitimate access to the data.
In this case Facebook simply gave them access to the data and took their word that they won't misuse it.
Now maybe the latter situation might not be a data breach in the classical sense, but I don't see how it makes it any better for the victims. If anything it seems worse -- Facebook didn't even try to protect their data.
Don't you think that it can be a breach in the same sense of a breach by phishing? After all, both of the cases are about people giving their "secrets" for one reason but the info being used for something else.
I mean, in the case of traditional phishing the user is tricked to provide the password by impersonating a banking site, getting their funds stolen and in the case in question, the users are tricked to provide personal information by being promised some kind of personality analysis but their data is used for political propaganda that they didn't ask for resulting in life-changing consequences due to politics.
Right. They basically just made an app on FB then had users accept the permissions. The horribly beautiful thing about FB permissions is that almost every single app will request EVERYTHING, and if you deny even a single permission that the app doesn't even seem to need, then the app will break or won't let you use it. So every user is indoctrinated into just clicking accept regardless of the supposed "granular" permissions. They are granular as in granulated sand, falls right through your fingers.
Every single definition I find classifies this as a data breach.
> A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
You are nitpicking a small part of an article (incorrectly) and it distracts from the main point: A foreign power is working with American billionaires to subvert democracy and install a dictator. This is a serious issue and one of the biggest news stories of our time.
> This wasn't a data breach
Yes it was.
> it was a misuse of data by a third party.
So a bank robber who gets into the vault just misused the locks? Or the security guard misused his eyes? This was a data breach. Your language makes it sound less serious than it is, and you are wrong. This was a data breach.
Edit: Less than 30 seconds in, this post is already downvoted. I won't complain about downvotes of course, but it's insane that no conversation is actually allowed to happen on this site without burying one side. I spoke with a neutral tone, didn't do any name calling, I'm not looking for a fight. But downvotes within seconds! You can't silence me HN. I'll keep commenting my opinions and facts no matter how much you don't like what I'm saying.
Nitpicking breach or misuse is silly and distracts from the actual substance of the article. It was a breach, by the way.
I think I finally understand what the point of Facebook apps is and why they've always felt in some way dodgy. It's been clear for years that Facebook apps can get your user data, and that of your friends, and that Facebook designed them that way and were aware of that. The Guardian article even mentions that one of the apps used by GSR to gather data for Cambridge Analytica triggered Facebook security protocols trying to pull too much data.
What I didn't understand is why Facebook would grant this - maybe at some point they needed viral apps on the platform and giving user data away encouraged people to make them - but why did it still work a few years ago? But this article made it click: all you can really do to monetise or use millions of profiles of Facebook users is target them with ads, and Facebook is the only place you can target those ads effectively given Facebook user data, and the more data you have the more effective those ads are, the more you pay Facebook.
Facebook don't sell user data, they've long said that - and it's true. They sell the ability to target advertising to their users, and you can do that a whole lot better if you have their user data. So they don't sell it, they give an API for their users to freely give it away, knowing that once you've done all your analysis on it you'll conclude that you should spend money paying Facebook to actually deliver your messages to those users.
> Facebook denies that the harvesting of tens of millions of profiles by GSR and Cambridge Analytica was a data breach. It said in a statement that Kogan “gained access to this information in a legitimate way and through the proper channels” but “did not subsequently abide by our rules” because he passed the information on to third parties.
This is exactly how Facebook was designed. You get a stupid quiz or photo frame in exchange for a copy of your friends list. It's always worked that way, and it's why Facebook OAuth was more popular than Google+ and other OAuth since 5+ years ago -- because app devs can make more money from Facebook OAuth since it comes with a copy of your friends list, so they prefer to integrate Facebook.
So... If I were in Cambridge Analytica's position, employed to influence the US election, one of the first things I'd do is match this data with any data I could find on voting patterns. Which reminds me, didn't some of the Russian APTs hack into state voter databases?
You don't need to hack into voter databases - most people register for the party they vote for and that is public information (along with their home address, phone number, and whether they voted in past elections).
I think it is much more important to focus on an investigation to make clear to the public how this data was used. That I think will lead into a much more interesting story. No one seems to want to go there and I don't understand why. Maybe because a lot of its clients are political parties/political individuals around the world and they do not want to be ousted for using "public opinion manipulation technology" on a wide scale.
I once told a sales rep from my ISP to stop trying to sell me on a phone subscription to which he replied that "I probably signed up for a Facebook competition or something" as if that justified it. (I don't have a Facebook account.)
One of the worst things Facebook did was to just destroy any expectation of privacy.
This kind of work combining propaganda and disinformation with AI models and feedback into them to get a progressive change of belief is fascinating. I think of this as the first of many wars democracy will fight against AI and we are currently losing.
This comment is from the “Duped” article that has a different headline and more detail.
For example, "Weev" got 3 years for downloading ATT user data. I wonder whether Bannon&Co would get anything ... So far it doesn't look like FB makes any push for CFAA case here. I wonder what would FB do if instead of Bannon it were a nobody like the above mentioned "weev".
50M doesn't strike much in FB scale, that's until...
At the time, more than 50 million profiles represented around a third of active North American Facebook users, and nearly a quarter of potential US voters.
Sorry for the crappy formatting, can't edit now, so here's pprint version:
At the time, more than 50 million profiles represented around
a third of active North American Facebook users, and nearly
a quarter of potential US voters.
Nothing new about Campaign Data companies. In fact knew of a South San Francisco company called 'Campaign Data' in the '90s that ran a SAS on DECUnix. They collected voter registrar data from counties for targeted voting campaigns. Usually for passing more restrictive laws or raising taxes. Like raise property taxes for schools; send flyers to renters with kids and send nothing to homeowners with no kids. It was always in a way, unfair and evil.
Let's be realistic here. This headline is nothing but partisanship. The only reason this is exaggerated as a "data breach" is because of the connection to the Trump campaign.
The real scandal is that such data is so easily harvested and freely available.
I'd be interested in seeing how much of facebook's data repository was used in targeted political ads by all parties. Including Russian agitators who have been shown playing both sides.
There are at least 25 scandals surrounding the Trump administration currently that are each worse than the two pseudo-scandals surrounding HRC that Conservatives managed to drum up, I. e. E-Mails and “Benghazi”. And it's not like FOX and the entire US Congress have less power than the Guardian.
So, no: “They are all the same” isn’t just cynical and useless. It’s also wrong.
It's essential to hold the President publicly accountable for his actions, especially when illicit actions pervert the foundation of the United States, the democratic process. That's not partisan; that's normal, healthy democracy; that's the primary public good provided by journalism.
I hadn’t thought of it like this before, but from a political POV everyone’s vote, whether they are a dole bludger or a quantum physicist, are worth the same. So really, to win an election .. take that as you will. Identifying these people is a very profitable area.
Interesting side note .. in Australia we assign school funding based on the highest education received or wage class of the parent (classes A, B ... E or such).
1) Facebook collects and builds a profile about you
2) Facebook allows third parties to target advertisements based on the profile
3) Advertisements are tracked
4) Browsing habits and advertisement tracking reconstructs who was targeted
This is hardly news... Facebook ads cannot target specific users, they only target audience segments.
It's actually far easier to create ads targeted at segments with likely political beliefs, and Marketers have access to aggregate numbers of niche segments today.
There's no need to scrape people's profiles or get down to the individual level.
China has more. They have enough that this is a drop in the bucket. While they might be as blatant and ineffective as Russia by interfering with an election, they want a low profile and to maximize capture of revenue, so they are more about making money than trying to put feces on the face of the American political process.
You people should pick your battles. It would help if you knew the battlefield first.
olivermarks|8 years ago
https://www.bloomberg.com/news/features/2017-12-21/inside-th...
mrtksn|8 years ago
What's the issue here? Selective information distribution is rooted in the society, people are O.K. with some information to be known to some people while kept secret from others due to implication differences.
I.E. I'm fine to be profiled for selling me chocolates but I'm not O.K. to be profiled to be manipulated to select public officials or to make my mind about controversial topics like the god, abortions, guns etc. I expect to be exposed in a proper way to these topics, i.e. proper journalism and discussions.
underwater|8 years ago
Facebook lets companies bid for ads to show you, based on Facebook’s data about your interests and demographics. If you never engage with the ads there is no information leakage.
It’s the difference between telling a random person “I’ll tell my gay friends about your party” and “Did you know that Bob is dating Steve?”.
thisisit|8 years ago
Not only conglomerates but anyone with the money and know-how. Example P&G proxy fight:
https://www.reuters.com/article/us-procter-gamble-trian-inve...
Neubecker said he has seen several ads on his Facebook feed that link to Trian’s “Revitalize P&G” website and to videos of Peltz and former P&G Chief Financial Officer Clayton Daley, who is advising Trian.
The video of Peltz features him sitting in Trian’s Park Avenue, New York City headquarters, discussing P&G’s future, gripping a Trian-labeled coffee mug that reads “Sales up, expenses down.”
In response, P&G has called upon more than a century of product marketing experience with its own “Vote Blue” campaign.
One YouTube video begins with an image of P&G’s blue logo and a banner proclaiming “Every Single Vote Matters!”. A narrator and series of slick images offer step-by-step instructions, ending by asking viewers to vote for the blue proxy card and to throw Trian’s white card in the recycling bin.
Trian won this fight.
ChicagoDave|8 years ago
Even so, there is a significant difference between Coke trying to sell me a flavored soft drink and a firm tweaking my emotions to get me to abstain from voting with false information or to vote against my best interests with false information.
There are definitely people who are susceptible to psycho-graphic warfare and we need to protect them in order to protect our democracy.
mbostleman|8 years ago
IAmEveryone|8 years ago
Only apps have limited access to the data that you agree to share in the app install dialog.
The article you linked does not even mention any of the companies.
enraged_camel|8 years ago
You should read this:
https://www.theguardian.com/news/2018/mar/17/data-war-whistl...
Three particularly important points:
The guy who was contracted by CA to steal the data is from Russia.
He had previously undisclosed funding from the Russian government.
CA later tried to do business from a Russian oligarch.
Choice quote:
"There are other dramatic documents in Wylie’s stash, including a pitch made by Cambridge Analytica to Lukoil, Russia’s second biggest oil producer. In an email dated 17 July 2014, about the US presidential primaries, Nix wrote to Wylie: “We have been asked to write a memo to Lukoil (the Russian oil and gas company) to explain to them how our services are going to apply to the petroleum business. Nix said that “they understand behavioural microtargeting in the context of elections” but that they were “failing to make the connection between voters and their consumers”. The work, he said, would be “shared with the CEO of the business”, a former Soviet oil minister and associate of Putin, Vagit Alekperov.
“It didn’t make any sense to me,” says Wylie. “I didn’t understand either the email or the pitch presentation we did. Why would a Russian oil company want to target information on American voters?”"
stevenwoo|8 years ago
eecks|8 years ago
Sources on this?
mattnewton|8 years ago
stef25|8 years ago
rtx|8 years ago
doubt_me|8 years ago
[deleted]
ur_all_autistic|8 years ago
[deleted]
JPGalt|8 years ago
[deleted]
gfodor|8 years ago
I worked for a company crawling Facebook data by creating viral apps the year the original API came out. By now I am sure this is done by many companies.
Why is any of this news? My understanding is that companies harvesting social networking data via viral apps and then reselling it to perform targeted voter advertising is literally a 10 year old concept. Were any laws broken here? Were there any techniques used here that were novel or done by one political party and not the other? Why are we talking about this one firm and not the many others that surely exist that are trying to do the same thing for <insert political candidate of choice>
tanilama|8 years ago
blablabla123|8 years ago
This has changed a lot in the last few years though, which might explain why the news agencies now have to work through (at least!) 10 years of tech news backlog. I'd definitely like to see coverage of these topics from 'traditional journalists' who then bring this stuff into context and link it with politics for instance. It's a little sad that we needed the political right and their friends to bring these things to public attention.
> Were any laws broken here?
In Germany they would have broken it by that. At least here every website needed already 10 years ago not only Terms of Services but also a data privacy section/page. Such a page would be of no use if you could collect data from people before they even visit your website.
zombieprocesses|8 years ago
If you go back to the 2008 election, the media was praising Obama as the first social media president. Remember how well Obama used youtube, myspace, facebook, reddit and the burgeoning social space during his election? It's strange how the media is now attacking the social media space they loved so much because Trump won the election.
> Why is any of this news?
I think it's because the media and the democrats and a large segment of the elites need something to blame for Trump's win. They don't want to blame Hillary or themselves for the loss, so they attack social media.
During the 2016 election, Trump was complaining about foreign interference in the elections. And Obama stated there was no foreign interference and that Trump was whining because he was losing in the polls. Back then, the traditional media was backing Obama and mocking Trump. Now that Trump has won, the traditional media is the one pushing the foreign interference narrative.
But I guess it is all conjecture. But ever since Trump won the election, there has been a relentless propaganda campaign against social media by the establishment. You can't go a day without seeing a propaganda piece on traditional or social media about how bad social media is.
clay_the_ripper|8 years ago
bmsleight_|8 years ago
IMHO, but I am not a lawyer - clearly the law was broken, Data Protection Act.
tim333|8 years ago
I think the clue is in the article:
> ... Russians ... had used the platform to perpetrate “information warfare” against the US
muddi900|8 years ago
I understand that Hacker News has been accused of turning into reddit since reddit became a thing, but when the topmost comment is from a guy who didn't even bother to read the article linked, there is very little in the way of distinction between the two sites.
SZJX|8 years ago
If this incident helps protect user privacy further it would be great. However I doubt it would happen at all. Most likely they'd just take this opportunity to aim another round of barrage at Trump instead of talking any substance about the issue itself. The purpose of this reportage is political attack against Trump instead of any concern for privacy in the first place.
raverbashing|8 years ago
Using fb to advertise for Obama, Trump, etc, is ok
However that's not what has been done, but the a) use of shills and fake personas to pump up opinion b) creation of fake "grassroots movements" and "news articles" with a divisive purpose
https://thinkprogress.org/russia-facebook-pages-sophisticate...
https://www.reddit.com/r/RussiaLago/comments/7y6ola/there_ha...
stefek99|8 years ago
See my post: https://www.facebook.com/mstefanow/posts/10156280067194886
Since when NO NEWS is NEWS?
"Why is any of this news? My understanding is that companies harvesting social networking data via viral apps and then reselling it to perform targeted voter advertising is literally a 10 year old concept."
Other team didn't realize such thing as the internet exists?
(I'm outraged that this thing hit the news, as if it wasn't something already known)
thomzi12|8 years ago
When did Obama’s campaign ever do that?
golemiprague|8 years ago
[deleted]
banned1|8 years ago
[deleted]
heckanoobs|8 years ago
Users don't comprehend what permissions they are giving to apps they run. A quiz site getting full access is not surprising.
Once an app has any amount of access the only thing stopping them from harvesting their own clone of your data is an agreement in the ToS that you won't store PII for more than x hours.
These rules are like the bare minimum to stop good actors. If you're a bad actor fb does not do a single thing to protect users from you. As evident in this report fb is also not above blaming the users for the hostile environment fb created and placed them in.
There must be countless copies of harvested fb data out there. My employer at the time once realized we were accidentally storing some PII permanently in a derived field. If good actors can't even keep above the law what do you think the ecosystem looks like in the shadows?
IMO we aren't having the right conversation with fb over how they mistreat our PII and we should loosen the definition of that term when companies like the one in the article can infer our political preferences from the innocuous bits of our lives we tag on facebook.
We should be asking why even an authorized API that can't stop you from copying the data doesn't count as a systematized data breach.
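The failure mode described in the comment above (PII outliving a retention limit because it survives inside a derived field), as an added example that is not part of the thread and does not use any Facebook API. The field names, the lineage map, the sample rows and the 24-hour window are constructed assumptions standing in for the "x hours" the comment mentions.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical classification for an app's own data store (not Facebook's schema).
PII_SOURCE_FIELDS = {"name", "email", "birthday", "friend_ids"}

# Constructed lineage map: derived field -> fields it was computed from.
LINEAGE = {
    "display_label": ["name", "city"],
    "age_bucket": ["birthday"],
    "greeting": ["display_label"],  # derived from a derived field
    "locale_hint": ["city"],
}


def is_pii(field, lineage=LINEAGE, _seen=None):
    """A field is PII if it is a PII source or transitively derived from one."""
    if _seen is None:
        _seen = set()
    if field in PII_SOURCE_FIELDS:
        return True
    if field in _seen:  # guard against cycles in the lineage map
        return False
    _seen.add(field)
    return any(is_pii(src, lineage, _seen) for src in lineage.get(field, []))


def audit_retention(rows, now, max_age_hours):
    """Return sorted (user_id, field) pairs holding PII past the allowed window."""
    limit = timedelta(hours=max_age_hours)
    violations = []
    for row in rows:
        if now - row["fetched_at"] <= limit:
            continue
        for field, value in row["fields"].items():
            if value is not None and is_pii(field):
                violations.append((row["user_id"], field))
    return sorted(violations)


def purge(rows, violations):
    """Null out flagged fields in place; return how many values were cleared."""
    flagged = set(violations)
    cleared = 0
    for row in rows:
        for field in row["fields"]:
            if (row["user_id"], field) in flagged:
                row["fields"][field] = None
                cleared += 1
    return cleared


NOW = datetime(2018, 3, 18, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows. Row 1001 had its source PII cleared on schedule,
# but the derived label and greeting still embed the name.
SAMPLE_ROWS = [
    {"user_id": 1001, "fetched_at": NOW - timedelta(hours=72),
     "fields": {"name": None, "email": None,
                "display_label": "Alice E. (Springfield)",
                "greeting": "Hi Alice E.", "locale_hint": "Springfield"}},
    {"user_id": 1002, "fetched_at": NOW - timedelta(hours=2),
     "fields": {"name": "Bob", "display_label": "Bob (Shelbyville)"}},
    {"user_id": 1003, "fetched_at": NOW - timedelta(days=30),
     "fields": {"name": None, "age_bucket": "25-34",
                "locale_hint": "Ogdenville"}},
]

if __name__ == "__main__":
    found = audit_retention(SAMPLE_ROWS, NOW, max_age_hours=24)
    for user_id, field in found:
        print(f"retention violation: user={user_id} field={field}")
    print("cleared:", purge(SAMPLE_ROWS, found))
```

A cleanup job that only nulls the source columns passes a naive check on row 1001; the lineage walk is what surfaces the retained copies.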
traek|8 years ago
Is your argument that no company should offer any developer APIs at all? It's impossible to stop apps from storing data that they have access to, given malicious intent.
This is like saying that the existence of the Google Calendar API is a "systematized data breach" because an app could copy data from it once authorized by a user.
nl|8 years ago
But yes, you are right that I’m sure lots of apps kept that data and sold it.
patja|8 years ago
It sounds like they never had full access to the Facebook profiles beyond the 270k who installed the app, but just harvested the friend lists of those 270k. This doesn't give the app developer full access to the friends' profile data, but I guess once you have the network of friend connections you can use other public data sources to fill in or infer the gaps. And of course some of those 50M will have FB profiles that are fully public open books ready for anyone to harvest.
I will say as someone who has developed Facebook apps, the whole ecosystem is pretty much on the honor system for protecting user data. There are some seemingly random and capricious (and often erroneous) abuse detection algorithms, but once an app has access to user data who knows what they do with it and whether it was kept secure -- surely Facebook has no idea unless they perform invasive manual physical audits.
tobilg|8 years ago
bredren|8 years ago
There has never been substantial control on profile data harvest on fb. It was whatever you could get users to okay, which was a lot given the value your app had to appear to provide.
stevenwoo|8 years ago
forapurpose|8 years ago
That's completely speculative, and we don't need more speculative information ... I'd much prefer to wait for evidence.
loxias|8 years ago
As far as I can tell, there is no data breach, right? It sounds like CA got facebook data through an app they wrote, thisisyourdigitallife, which did some shady things.
Also, "The New York Times is reporting that copies of the data harvested for Cambridge Analytica could still be found online".
The link is: https://www.nytimes.com/2018/03/17/us/politics/cambridge-ana...
Anyone know what they're talking about? I haven't heard of any 50-million-profile data dump, and I really like collecting corpora...
frankzinger|8 years ago
Basically FB gave the data away. Apps have access to the data but they're not allowed to give/sell it to third parties. In this case the rules were ignored. Probably many other companies with API access have also ignored the rules. In this case FB didn't make much of an effort at all to prevent it from happening so it's reasonable to assume the practice is rampant. There's likely many copies of large parts of FB data out there (left on laptops on trains or on unprotected FTP/HTTP servers, etc.).
It's a 'breach' from the users' perspective.
gscott|8 years ago
ENOTTY|8 years ago
Maybe that's legally actionable.
urlwolf|8 years ago
If we keep consuming news like this, and do nothing, it's going to escalate massively. Same way as when Snowden told people they were spied on and they collectively shrugged and continued with their lives as if nothing had happened.
We, people in tech, have a massive moral burden to educate 'normals' on the meaning of news like this!
IAmEveryone|8 years ago
Remember that Facebook gives you zero access to users’ data just for being an advertiser. This scheme relied on users granting access to an app.
Data access by apps was curtailed two or three years ago to no longer include friends’ data. The permissions dialog has also become far more granular. From my observation, apps seem to mostly respect facebook’s rules on data scarcity, i.e. asking only for the data they actually need.
GDPR will enshrine this principle in law at least for European citizens, and it’s somewhat likely that it will have some effect far beyond the borders of Europe.
Regarding elections, first steps will likely align the law with that for TV advertisement. Clear information about an ad’s sponsor should be required, as well as the selectors used to target you. I’ve also heard some chatter about requiring a public repository for all ads. Right now, there might be waves of, for example, racist ads that never get reported in the news because the targeting never hits those people that would consider the ad problematic. The Atlantic is running a pilot program with a Chrome extension that records all advertisements you see on Facebook for such a repository.
In the current political climate, it’s unfortunately unlikely that the US will lead with new regulation. But there are a few decent agencies in the US that can squeeze a lot of mileage out of laws already on the books (the special prosecutor, and even the FEC). Social media companies are also quite scared, both because they fear a hit to their business, and because most of their executives do retain some humanity. You can also expect individual European companies to get out the big guns, seeing Trump and other Russia-backed populists rattling the core of the current consensus on liberal, open, civil societies.
tialaramex|8 years ago
Almost literally right now, IETF 101 is starting in London, and one of the things presented will be a series of proposals by people who claim they (or organisations they work for, the IETF is only for people, corporations can't participate they can just send people to it) have a legitimate reason to snoop on TLS traffic. TLS 1.3 is designed, following BCP#188, to make such snooping impossible without ongoing assistance from one of the endpoints (if the endpoint is co-operating with the snooping there's mathematically nothing anybody can do) and they would dearly like to return to an era when they could snoop with just a little one time assistance. Now, maybe this would have been stiffly resisted anyway, but BCP#188 means anybody who isn't sure has an existing IETF document telling them exactly why this is a terrible idea.
Nazare|8 years ago
This will not be the end, and has been like this from the very beginning. If foreign companies can get access to this information, then intelligence agencies certainly can too.
John_KZ|8 years ago
We need to find a new way to communicate before this cancer becomes so widespread that the last bastions are lost.
734786710934|8 years ago
thisisit|8 years ago
https://www.theguardian.com/technology/2018/mar/17/facebook-...
It was extremely attractive. It could also be deemed illicit, primarily because Kogan did not have permission to collect or use data for commercial purposes. His permission from Facebook to harvest profiles in large quantities was specifically restricted to academic use. And although the company at the time allowed apps to collect friend data, it was only for use in the context of Facebook itself, to encourage interaction. Selling data on, or putting it to other purposes, – including Cambridge Analytica’s political marketing – was strictly barred.
It also appears likely the project was breaking British data protection laws, which ban sale or use of personal data without consent. That includes cases where consent is given for one purpose but data is used for another.
anonymouz|8 years ago
In a data breach, someone would have used a technical vulnerability or some other (e.g. social engineering) vulnerability of Facebook to get illegitimate access to the data.
In this case Facebook simply gave them access to the data and took their word that they won't misuse it.
Now maybe the latter situation might not be a data breach in the classical sense, but I don't see how it makes it any better for the victims. If anything it seems worse -- Facebook didn't even try to protect their data.
mrtksn|8 years ago
I mean, in the case of traditional phishing the user is tricked to provide the password by impersonating a banking site, getting their funds stolen and in the case in question, the users are tricked to provide personal information by being promised some kind of personality analysis but their data is used for political propaganda that they didn't ask for resulting in life-changing consequences due to politics.
goldenkey|8 years ago
sambe|8 years ago
johnchristopher|8 years ago
(not sure if you meant /s)
nemothekid|8 years ago
cryptoz|8 years ago
> A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
cryptoz|8 years ago
> This wasn't a data breach
Yes it was.
> it was a misuse of data by a third party.
So a bank robber who gets into the vault just misused the locks? Or the security guard misused his eyes? This was a data breach. Your language makes it sound less serious than it is, and you are wrong. This was a data breach.
Edit: Less than 30 seconds in, this post is already downvoted. I won't complain about downvotes of course, but it's insane that no conversation is actually allowed to happen on this site without burying one side. I spoke with a neutral tone, didn't do any name calling, I'm not looking for a fight. But downvotes within seconds! You can't silence me HN. I'll keep commenting my opinions and facts no matter how much you don't like what I'm saying. Nitpicking breach or misuse is silly and distracts from the actual substance of the article. It was a breach, by the way.
mcintyre1994|8 years ago
What I didn't understand is why Facebook would grant this - maybe at some point they needed viral apps on the platform and giving user data away encouraged people to make them - but why did it still work a few years ago? But this article made it click: all you can really do to monetise or use millions of profiles of Facebook users is target them with ads, and Facebook is the only place you can target those ads effectively given Facebook user data, and the more data you have the more effective those ads are, the more you pay Facebook.
Facebook don't sell user data, they've long said that - and it's true. They sell the ability to target advertising to their users, and you can do that a whole lot better if you have their user data. So they don't sell it, they give an API for their users to freely give it away, knowing that once you've done all your analysis on it you'll conclude that you should spend money paying Facebook to actually deliver your messages to those users.
fjsolwmv|8 years ago
This is exactly how Facebook was designed. You get a stupid quiz or photo frame in exchange for a copy of your friends list. It's always worked that way, and it's why Facebook OAuth was more popular than Google+ and other Oauth since 5+ years ago -- because app devs can make more money from Facebook OAuth since it comes with a copy of your friends list, so they prefer to integrate Facebook.
yeldarb|8 years ago
The /friends endpoint only returns friends of the user who have also already installed your application.
gaius|8 years ago
auntienomen|8 years ago
oh_sigh|8 years ago
shiftfocustime|8 years ago
mistermann|8 years ago
dawhizkid|8 years ago
phonypho|8 years ago
ceejayoz|8 years ago
kmfrk|8 years ago
One of the worst things Facebook did was to just destroy any expectation of privacy.
thisisit|8 years ago
http://www.pnas.org/content/110/15/5802
fjsolwmv|8 years ago
megous|8 years ago
https://twitter.com/chrisinsilico/status/975335430043389952
andy_ppp|8 years ago
This comment is from the “Duped” article that has a different headline and more detail.
trhway|8 years ago
unknown|8 years ago
[deleted]
myth_buster|8 years ago
myth_buster|8 years ago
svbill|8 years ago
allthenews|8 years ago
The real scandal is that such data is so easily harvested and freely available.
I'd be interested in seeing how much of facebook's data repository was used in targeted political ads by all parties. Including Russian agitators who have been shown playing both sides.
IAmEveryone|8 years ago
So, no: “They are all the same” isn’t just cynical and useless. It’s also wrong.
forapurpose|8 years ago
aetherspawn|8 years ago
Interesting side note .. in Australia we assign school funding based on the highest education received or wage class of the parent (classes A, B ... E or such).
inetknght|8 years ago
muddi900|8 years ago
unknown|8 years ago
[deleted]
dreta|8 years ago
unknown|8 years ago
[deleted]
whiddershins|8 years ago
GenYCubeJockey|8 years ago
[deleted]
hux_|8 years ago
matt4077|8 years ago
matchagaucho|8 years ago
It's actually far easier to create ads targeted at segments with likely political beliefs, and Marketers have access to aggregate numbers of niche segments today.
There's no need to scrape people's profiles or get down to the individual level.
matchagaucho|8 years ago
My original comment was more in response to user vs segment level targeting.
MechEStudent|8 years ago
You people should pick your battles. It would help if you knew the battlefield first.
threeseed|8 years ago
I am so glad you know more than the UK, EU, US etc governments who have identified Russia as the primary source of instability for elections.
And since when has this been an either/or scenario. You can focus on both Russia and China.
mistermann|8 years ago