Facebook reveals Cambridge Analytica breach may be much bigger than estimated

In a shocking admission on a blog post published yesterday, April 4, Facebook admitted that Cambridge Analytica might have had access to the personal information and data of 87 million people, 37 million more than originally estimated. In the post, which focused largely on the changes the platform has made over the last couple of weeks to its data privacy policies and app permissions, Mike Schroepfer, the company’s Chief Technology Officer, wrote that the platform believed that “the Facebook information of up to 87 million people – mostly in the US – may have been improperly shared with Cambridge Analytica”.

Mark is due to appear before the US Congress’s energy and commerce committee on April 11, in what might be only the first of multiple such appearances.

However, Facebook has also tried valiantly to rescue the situation. Since a post by Mark two weeks ago where he highlighted a three-point action plan to improve Facebook’s data policies, the platform has made a raft of changes. Mike’s blog post mentions nine key ones:

• Changes to Events API, that prevent apps from accessing guest posts and information on Facebook Events, and stricter requirements to meet before third-party apps can use the Events API.
• Changes to Groups API, that will require all third-party apps accessing a group to get permission from Facebook and a group admin. The apps will also no longer be able to access the names and information of group members.
• All future access to the Pages API to read posts and comments for information will have to be approved by Facebook.
• Changes to Facebook Login, that will restrict the amount of information third-party applications can ask for when asking users to use Facebook Login; also, if users don’t use an application for 3 months or more, developers will lose access to their information.
• A raft of changes to the Instagram Platform API, including restricting content to public information like follows and mentions, the ability to “read public media on a user’s behalf”, the ability to “read a user’s own profile info and media”, etc.
• Users will no longer be able to search for other users on Facebook by typing in just their phone number or email address.
• Facebook has assured users that applications like Messenger or Facebook Lite on Android do not store the content of messages sent via them, and all data logs older than a year will be automatically deleted.
• The company recently announced the shutdown of Partner Categories, a feature that let third-party businesses upload and access their own information on users in the form of hashed lists.
• Starting April 9, Facebook will show all users an option at the top of their News Feed that highlights what apps have been granted permission to user data, and what data is shared with them. Users can cancel app permissions they’re concerned about; as part of this process, they will also be told if their information has been shared with Cambridge Analytica in the recent leak.

Facebook has insisted on denying that the Cambridge Analytica episode was a “data breach”. However, the revelation that a lot more users may have had their personal information compromised than was originally believed is unlikely to help Facebook restore confidence. For its part, Cambridge Analytica responded to this news in a press release, saying, “Today Facebook reported that information for up to 87 million people may have been improperly obtained by research company GSR [Global Science Research]. Cambridge Analytica licensed data for no more than 30 million people from GSR, as is clearly stated in our contract with the research company. We did not receive more data than this...We are now undertaking an independent third-party audit to demonstrate that no GSR data remains in our systems.”