Listen to this story
When I began reading about the scandal involving Facebook and data analytics firm Cambridge Analytica, I was curious to see if any publications had assembled a timeline of what had happened. That’s because, like many of you, I’m best able to understand a story when it’s explained chronologically. But I couldn’t find any news outlet that offered this sequential approach.
So, I made one myself. At its core, this is a story about how Facebook’s systematic refusal to police its own platform — even at the urging of its own employees — led to third party developers harvesting data from 87 million Americans, most without their consent.
I’m intentionally omitting any of my personal opinions and instead allowing the timeline of events, which includes sources and has been fact-checked, to speak for itself. Cybersecurity is a topic I’ve written about before, which you can check out in my ongoing series.
The Firewall - Medium
Cybercrime is on the rise. With more of our lives and devices connected to the internet, protecting your data is…
Our lives are increasingly digital, and most of us want our data to be convenient and transportable, but security is often overlooked in the name of convenience. As such, it’s worth noting that Facebook is no different than any other social media platform or free web service. It’s our responsibility to understand that when digital platforms and services are offered to us for free, we end up being the actual product.
That means, at the end of the day, each of us is partially responsible for what we willingly share online.
Now, onto the timeline.
The SCL Group (previously known as Strategic Communication Laboratories) is founded by Nigel Oakes. His company, a self-described “global election management agency,” studies how best to shift mass behavior and opinion. Oakes theorizes that tactics rooted in psychology and anthropology would be more successful than traditional advertising methods in influencing public opinion. He’s correct, and SCI quickly makes its “name advising governments and militaries on what it called ‘psy ops.’” In fact, as Slate reported, the company’s own literature “describes SCL’s niche specialties as ‘psychological warfare,’ ‘public diplomacy,’ and ‘influence operations.’” At a recent military technology conference, they ran a simulated full-scale ops-center showcasing simulations on such matters ranging from “natural disasters to political coups.”
Dr. Michal Kosinski, enters Cambridge University to study psychometrics, a field concerned with the theory and technique of psychological measurement. He and partner David Stillwell research how predictive our online behaviors are in relation to other important information about our lives. Stillwell created a Facebook personality quiz app in 2007 and later refined it with Kosinski’s help. Millions of people on Facebook took the quiz — some multiple times — providing the researchers with “the largest dataset combining psychometric scores with Facebook profiles ever to be collected.” They soon discover that Facebook likes are remarkably accurate at predicting additional information about who we are. But just how accurate?
Kosinski proved that, with of an average of 68 Facebook “likes,” he could predict users’ skin color (with 95 percent accuracy), sexual orientation (88 percent accuracy), and their affiliation to the Democratic or Republican party (85 percent). Intelligence, religious affiliation, as well as alcohol, cigarette and drug use, could also be determined. Kosinski could even deduce whether someone’s parents were divorced.
November 29, 2011
Facebook settles charges with the Federal Trade Commission (FTC) that it “deceived” its hundreds of millions of users by not protecting their data in the ways they’d promised. The FTC explains the various deceptions in a damning 8-point memo, stating that, moving forward, Facebook is barred “from making any further deceptive privacy claims” and “requires that the company get consumers’ approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.” The settlement also entails that any future violations “may result in a civil penalty of up to $16,000.”
During this time, Facebook’s developer guidelines allow all third-party developers to harvest data about users and each of those user’s Facebook friends, a feature called “friends permissions.” Developers are required to sign an agreement to keep data safe but, unfortunately, no one is enforcing that agreement. Sandy Parakilas is Facebook’s platform operations manager during this time, a role that made him responsible for policing data breaches by third-party developers. “In the time I was there, I didn’t see them conduct a single audit of a developer’s systems,” he claims. For several years, he informs managers and senior executives of the possible dangers. The company is unwilling to investigate his claims and he leaves the company in 2012.
Data analytics company Cambridge Analytica (CA) is founded as an offshoot of the now 20-year-old SCL Group with an initial backing of $15 million provided by hedge fund mogul, Robert Mercer, a longtime supporter and donor to conservative candidates and causes. The company is co-founded by a political operative named Christopher Wylie who has ties to people from Barack Obama’s presidential campaigns. CA’s goals were (and still are) to use large sets of data to help their clients score political victories using highly targeted marketing campaigns. Their public list of political clients are all conservatives.
May 29, 2014
Global Science Research Ltd (GSR) is incorporated by psychologists Alexandr Kogan and Joseph Chancellor. The filing reports that they’ve self-classified as a “market research and public opinion polling”company.
CA co-founder Christopher Wylie learns of Stillman and Kosinski’s research. According to the NY Times, Wylie recruits the researchers to join to Cambridge Analytica; according to Vice, he taps Aleksandr Kogan — co-founder of GSR and an assistant professor in the psychology department at the University of Cambridge — to do the recruiting. What’s clear from all reports is that Stillman and Kosinski decline the offer once they learn of SCL’s use of data in politics. As a result, CA contracts with GSR to create the quiz app for them instead, underwriting the $800,000 cost of creating the app and paying people to take it. Kogan is paid no money, but he’s allowed to keep a copy of the data for his own research purposes. He posts on job boards — under “Global Science Research” — that he’ll pay a few bucks for Americans to take his quiz, resulting in about 270,000 people signing up and participating, providing Kogan with an initial data set. However, as a result of Facebook’s “friends permission” guidelines, Kogan not only has access to data about the quiz-takers, he also has access to information about all of their Facebook friends.
“And so that means that, all of a sudden, I only need to engage 50,000, 70,000, 100,000 people to get a really big data set really quickly, and it’s scaled really quickly. We were able to get upwards of 50 million plus Facebook records in the span of a couple of months.”
— Christopher Wylie, Co-founder of and former Director of Research at Cambridge Analytica
Kogan’s app saved this trove of personal data from 50 million users into a private database—something that Facebook expressly prohibits in Section 3, article 10 of their developer policies—and gave it to Cambridge Analytica, which then used that data to make 30 million “psychographic” profiles about voters.
Steve Bannon begins serving as Cambridge Analytica’s vice president. He holds this position for over two years until August 2016 when he’s tapped to run Donald Trump’s presidential campaign.
After issuing a warning a year earlier, Facebook alters its developer policies, ending third parties’ ability to access harvested data from its previous “friends permission” guidelines.
Alex Stamos joins Facebook as their Chief Security Officer (CSO). According to the New York Times, “He and other Facebook executives, such as Ms. Sandberg, disagreed early on over how proactive the social network should be in policing its own platform.”
Joseph Chancellor resigns his directorship of GSR as noted on the company’s filing page.
Chancellor is hired by Facebook as a quantitative social psychologist.
The Guardian reports that Ted Cruz’s presidential campaign has been using data mined from unsuspecting Facebook users. Facebook confirms the leak but keeps it from going public. Facebook requests that Cambridge Analytica delete the data that it’s acquired via Dr. Kogan’s quiz app. In a March 2018 statement, CA later claims it has deleted all of the data in question.
The Trump Presidential Campaign, now led by Steve Banon, hires Cambridge Analytica, paying the firm nearly $6 million for their services in the final months of the 2016 campaign. In this same month, the Democratic National Committee (DNC) announces that it’s been attacked by Russian hackers. Stamos, who is still the CSO at Facebook, assembles a group of engineers to scour the social media platform for Russian activity.
Now two years after the data harvesting took place, Christopher Wylie states that Facebook finally reached out to him to ask for all GSR and CA data to be deleted. According to MSN: “Mr. Wylie said the letter asked the data to be deleted immediately, tick a box saying it had been done, and send the letter back to Facebook.”
September 19, 2016
Alexander Nix, CEO of Cambridge Analytica, presents at the “Concordia Summit,” an annual global affairs conference, where he explains that CA has changed the world of political campaigning using psychographic data. He explains how the power of psychometrics had allowed CA to boost Senator Ted Cruz’s name recognition during the Republican primaries. He also says the following about the infamous quiz that Aleksandr Kogan created for them: “[W]e have four to five thousand data points on every adult in the United States” and “by having hundreds and hundreds of thousands of Americans undertake this survey, we were able to form a model to predict the personality of every single adult in the United States of America.”
Privately, the team assembled by Facebook CSO Alex Stamos has “uncovered evidence that Russian operatives had aggressively pushed DNC leaks and propaganda on Facebook.” Publically, Mark Zuckerberg—Facebook’s CEO— dismisses the notion that fake news on his platform somehow influenced the 2016 election, calling it a “pretty crazy idea.”
Under pressure from Facebook leadership, Stamos and others release a watered down report on how Facebook might be used as a propaganda tool, but never mentions Russia by name.
May 18, 2017
Time Magazine reports in a highly-detailed article that Russia has been using Facebook to conduct cyberpropaganda, which forces Facebook to also admit so publicly.
October 6, 2017
October 25, 2017
Julian Assange tweets that he had been contacted by Cambridge Analytica prior to the U.S. presidential elections in November 2016 but had declined working with them. The matter of why CA had contacted him is up for debate.
October 31, 2017
Colin Stretch, vice-president and general counsel at Facebook testifies before a Senate panel regarding Russia’s use of social media platforms (Google, Twitter and Facebook) in the run up to the 2016 elections. Then Minnesota Senator Al Franken asks him, “How did Facebook, which prides itself on being able to process billions of data points and instantly transform them into personal connections for its users, somehow not make the connection that electoral ads paid for in rubles were coming from Russia? Those are two data points! American political ads and Russian money: rubles. How could you not connect those two dots??!” The counsel’s answer doesn’t satisfy Senator Franken.
November 2017 — January 2018
An undercover, hidden video investigation by Britain’s Channel 4 captures Cambridge Analytica CEO Alexander Nix admitting to using entrapment to help his clients beat their political opponents. He offers to send “Ukrainian girls” to candidates’ houses, or to blackmail them by capturing video footage of the politicians agreeing to unsavory deals.
November 19, 2017
In the wake of revelations about how Russia used Facebook to influence the 2016 presidential election, Congress asks executives from Facebook to come to Capitol Hill for questioning. Sandy Parakilas — Facebook’s former platform manager for operations back in 2011 and 2012 — pens an op-ed in The New York Times blasting Facebook as “a company that prioritized data collection from its users over protecting them from abuse,” and suggesting that “lawmakers shouldn’t allow Facebook to regulate itself. Because it won’t.”
According to the New York Times, Facebook’s CSO Alex Stamos, who reports to Facebook’s general counsel, proposes that he report directly to higher-ups. Facebook executives reject that proposal and instead reassign his entire team.
March 16, 2018
Exactly one day ahead of global headlines sharing the news, Facebook announces they’ve suspended both Cambridge Analytica and its parent company, SCL Group, for violating Facebook’s platform policies, specifically by passing data that Aleksandr Kogan had amassed from his quiz app to CA and Christopher Wylie. After Facebook kept the story secret for over two years, the misuse of some 50 million American Facebook users was about to go global.
March 17, 2018
Both the New York Times and the Guardian publish stories about the harvesting of Kogan’s data to feed Cambridge Analytica’s business with the Trump campaign, with the aid of Christopher Wylie’s testimony. The same day, Facebook updates its announcement from the previous day insisting that there was no data breach because “everyone involved gave their consent.” At 12:26 a.m., they claim 270,000 user accounts were compromised. By 1:19 p.m., that number has swollen to 50 million.
March 19, 2018
Facebook announces that they’ve hired independent forensic auditors to conduct an audit of Cambridge Analytica. They state that while Aleksandr Kogan was willing to submit to an audit, Christopher Wylie was not. On the same day, it is revealed that Facebook’s Chief Security Officer (CSO) Alex Stamos will be leaving the company, citing “internal disagreements over how the social network should deal with its role in spreading disinformation.”
Also on this day the NY Times publishes a story about CSO Stamos having specific tension with Facebook COO Sheryl Sandberg. Two days later, they alter the story, to scrub Sandberg’s name from the reporting. One of the three reporters who wrote the original article confirmed the change.
March 20, 2018
Cambridge Analytica CEO Alexander Nix is suspended, following revelations from the Channel 4 undercover video report that he suggested entrapment and extortion to help CA clients win elections.
March 21, 2018
Aleksandr Kogan, appears on BBC Radio 4. He explains how his quiz app works and calls the claim, made by Alexander Nix, that he was the one who approached CA with the data from millions of Facebook users “a fabrication.” Rather, Kogan explains, it was CA that approached him and even drew up the terms of service for their joint Facebook app. He also confirms that he received no money from the endeavor, but was promised access to the data for his own research purposes.
On the same day, Facebook CEO Mark Zuckerberg posts his version of the timeline of events. Referencing comments made at the 2014 F8 conference — Facebook’s annual developer conference — he writes, “In 2014, to prevent abusive apps, we announced that we were changing the entire platform to dramatically limit the data apps could access.” While that announcement was made and took effect for all new Facebook apps, he doesn’t mention that its implementation for any previous Facebook app didn’t come until one year later.
March 22, 2018
Appearing on CNN, Zuckerberg apologizes for the “breach of trust,” calling developers like Kogan “scammy.” He misstates that changes to Facebook’s developer platform were made to correct this in 2014 but only for any new app to arrive on the platform. Changes announced in 2014 for all older Facebook apps weren’t implemented until April 2015.
March 23, 2018
Brittany Kaiser, a former director at Cambridge Analytica, steps forward as a second whistle-blower. She details the ways in which CA used social media to help the Trump campaign place 10,000 ads that were most favorable to the candidate and most hostile to Hillary Clinton in the months leading up to the election. The ads were viewed billions of times, according to documents obtained by the Guardian provided by Kaiser, demonstrating the power of CA’s precision methodology.
March 26, 2018
In an attempt to win back trust from the public, Facebook announces new Developer Guidelines that fail to comment on any user data harvested prior to 2014. On the same day, the FTC announces that they are opening a new investigation into Facebook, specifically regarding the FTC mission of “enforcement action against companies that fail to honor their privacy promises.” Around the same time, a former FTC director who oversaw the November, 29 2011 settlement weighs in to the Washington Post:
“This is a company that is, in my view, likely grossly out of compliance with the FTC consent decree. I don’t think that after these revelations they have any defense at all.”
— David Vladeck, former FTC director of consumer protection who oversaw the 2011 consent decree
March 28, 2018
Facebook announces that — over the next six months — they will phase out “Partner Categories”, an industry standard, allowing 3rd parties to help target advertising on Facebook. On the same day, Channel 4 news reveals — despite claims made by Kogan, Nix, and Cambridge Analytica that all data harvested from Kogan’s Facebook app had been deleted — that data from 136,000 Facebook users in Colorado are still circulating. And there may be more, as the New York Times reports:
April 4, 2018
Facebook admits that the number of users whose data has been harvested by Kogan’s quiz app is now closer to 87 million. This is tens of millions more than all previous estimates. Facebook buries this detail in the second to last paragraph of a press release from Chief Technology Officer Mike Schroepfer. Later this same day, Mark Zuckerberg announces that up to two billion Facebook users may have been affected by the actions of “malicious actors.”
April 10 & 11, 2018
Zuckerberg testifies before Congress. He apologizes for the breach of users’ data saying: “It was my mistake, and I’m sorry. I started Facebook, I run it, and I’m responsible for what happens here.” When asked on April 10th before two Senate Committees if Facebook had notified the FTC in 2015 when it first learned about the Cambridge Analytica data misuse, the answer is no:
The European Union’s General Data Protection Regulation (GDPR) is regarded as the strongest consumer data rights and protection policies in the world. When asked by Senator Maria Cantwell if those kinds of consumer-first data regulations should be enacted in the US, Facebook’s CEO responds that Facebook already has plans to implement those kinds of policies, regardless of “the regulatory outcome”.
The next day, when testifying before a House Committee, he’s even more clear on the matter with Congressman Gene Green:
April 18, 2018: It is revealed that Facebook — facing a May 25th, 2018 deadline for the implementation of GDPR — will shift the servers managing data users in Africa, Asia, Australia and Latin America to servers in the United States. Once those data are moved to the US and controlled from there, they will no longer be subject to GDPR, but instead to the more lax privacy laws in the US. Approximately 1.5 Billion Facebook users will now receive less privacy and data protection than their EU user counterparts.
May 2, 2018
In a statement, parent company SCL announces that Cambridge Analytica has filed for insolvency in the U.K. and for bankruptcy in the U.S. All CA operations will now cease and, notably, the company blames “damage caused to the business by the unfairly negative media coverage” as the reason for the closure. CNN’s story on the shutdown features a quote from former CA cofounder and whistleblower, Christopher Wylie:
“Cambridge Analytica has been exposed as a company undermining democratic institutions around the world. There are still many unanswered questions, and we must be sure that its decision to close is not merely a rebranding exercise or a way to circumvent ongoing investigations.”
May 14, 2018
In a statement from their VP of Product Partnerships, Facebook announces the results from auditing thousands of apps on their platform. They state that “around 200 have been suspended — pending a thorough investigation into whether they did in fact misuse any data.” The names of the applications are not released, so consumers are left wondering if any of the connected FB apps they currently use are among those suspended. Instead, they point everyone to a generic Facebook help page that simply tells you IF your data has been compromised.
May 15th, 2018
The New York Times reports that the FBI is investigating the now defunct Cambridge Analytica organization. “The investigation by the Justice Department and FBI appears to focus on the company’s financial dealings and how it acquired and used personal data pulled from Facebook and other sources, the Times said.”
July 25th, 2018
Facebook’s shares plunge as much as 24% on concerns of slowing growth and rising costs due to, unsurprisingly, the need to better police its platform.
July 31st, 2018
Facebook announces that they have detected “coordinated inauthentic behavior before the United States midterm elections that could be linked to the Internet Research Agency (IRA), a Russian-based group with ties to the Kremlin.” As a result, 32 pages and accounts are removed from both the Facebook and Instagram platforms. Zuckerberg, in a public post, states that “Security isn’t a problem you ever completely solve. We face sophisticated and well-funded adversaries, including nation states, that are always evolving and trying new attacks. But we’re learning and improving quickly too, and we’re investing heavily to keep people safe.”
August 1st, 2018
Alex Stamos, the Chief Security Officer (CSO) at Facebook announces that his final day at the company will be later this month. The company has decided to replace him with… NO ONE. “We are not naming a new CSO, since earlier this year we embedded our security engineers, analysts, investigators, and other specialists in our product and engineering teams to better address the emerging security threats we face,” a Facebook spokesman said in an email. Stamos was one of the few people at the company who was willing to aggressively fight and publicize Russia’s misuse of the Facebook platform. However, he often met with with pushback from Facebook’s top management. One of those top managers who pushed back, responded to Stamos’ announcement publicly, on his timeline:
As the story continues to unravel—and believe me, it will— I will continue to update my timeline, so check back. Additionally, if you are an employee at any of the companies involved with this story and wish to anonymously contact me with further relevant details, please ask how to contact me via secure, encrypted channels.
In my next installment, I outline the ways you can lock down, back-up, deactivate or even delete your Facebook account. I also discuss a few of my top choices for newer social networks that honor and protect your privacy.