Information Regulator (South Africa)
316 Thabo Sehume Street
For the attention of: Adv. P Tlakula
18 April 2018
Dear Adv. P Tlakula
RE: Reported misuse of Facebook user data by Cambridge Analytica
I am writing on behalf of Facebook Ireland Limited (“Facebook Ireland”). Representatives of Facebook South Africa passed on your request for information dated 9 April 2018 regarding certain past violations of Facebook’s Platform policies by third parties. Facebook Ireland is the
entity responsible for providing the Facebook service in all countries outside of the US and Canada, including in South Africa. On that basis, Facebook Ireland is the appropriate entity to provide you with information regarding these matters. We are sharing this information on a voluntary basis with you now, though we continue to investigate.
Our priority is to reassure users that the trust that they place in us is deserved and that user data is protected on Facebook's platform. You will no doubt appreciate that we have been working hard to understand exactly what happened and to identify the steps necessary to make sure that it doesn't happen again. Updates will be published to our newsroom as matters progress. The most up to date information available now is set out in Mark Zuckerberg’s post enclosed (see Annex 1), and in our newsroom posts to date (see Annex 2).
We are in the process of conducting an internal investigation into the reported events, and are consulting with the Irish Data Protection Commissioner (“IDPC”) (our lead regulator on data protection and privacy matters outside of the US and Canada) in relation to that process. It will take a little time to complete that work, but once it is completed the IDPC will be fully updated and any enquiries may be referred to their office. In the interest of being open and helpful, we are of course happy to answer any further questions you may have on this incident.
You may also wish to note that the UK’s Information Commissioner (“ICO”) is conducting an investigation into whether “Facebook data may have been illegally acquired and used which has included the execution of a warrant to inspect the premises of Cambridge Analytica’s offices in London. We understand that Cambridge Analytica and the app developer involved in this case (as explained further below) are based in the UK. We are voluntarily assisting the ICO in relation to this investigation, and they may also be able to assist you with any further inquiries you may have in relation to this matter.
We appreciate you keeping the information contained in this response strictly confidential. We also respectfully request that you afford Facebook Ireland the opportunity to make submissions to you either where: a legitimate request is made by competent authorities or third parties for the disclosure of any information provided in this letter; or you determine to publish, in whatever format, information relating to this case to the public.
Subject to those general points, we share the following information with you now and hope it is useful. Please do not hesitate to contact us if you have any further questions or would like clarification on any point.
Reported violations of Facebook Platform policy
The media has reported that a UK company, Cambridge Analytica, has misused certain Facebook user data. While the matter is still being investigated, our current information indicates that Cambridge Analytica was provided with Facebook user data by a third-party app developer, Dr. Aleksandr Kogan, in breach of Facebook’s Platform policy. 3 However, it is important to note at the outset that there has been no data breach. This is not a case of any party infiltrating Facebook's systems or evading data security measures.
Rather in 2013, Dr. Kogan developed an app (“thisisyourdigitallife”). Dr. Kogan was not and is not employed by Facebook. At the time, he was an academic at Cambridge University. Dr. Kogan's app (like many other apps that used the Facebook Platform) used our generally available Facebook Login 4 feature. Facebook Login allows third party app developers to request consent from Facebook users for their apps to access specified categories of user data. At the relevant time it allowed those developers to request consent from users to access specific categories of data shared with those users by their Facebook friends (at all times consistent with, and subject to those friends’ privacy settings).5 The use of Facebook Login is subject to terms set out in Facebook's Platform policy, which strictly prohibit the use and transfer of data collected in this way for other purposes.
In the present case, once obtained by Dr. Kogan, some Facebook user data was transferred by Dr. Kogan to Cambridge Analytica. Facebook did not permit or agree to that transfer and it happened in violation of Facebook's Platform policy. As explained below, on learning this in December 2015, we acted to terminate the app’s access rights to use Facebook Login and demanded that Dr. Kogan – as well as his company at that time, Global Science Research Limited (“GSR”) and the other entities to whom they confirmed that they had disclosed data obtained via the app – account for and irretrievably delete all such data.
The app did not obtain sensitive account information such as passwords or financial information. The third party app developer in this case only had access to data that users who installed the app consented to give to the app and, in the case of such users’ friends, data that those friends published on the Facebook Platform and that was made available to the app in accordance with their privacy settings. Facebook Platform policies in place at the relevant time imposed a number of requirements on app developers. The exact language of these policies changed during the relevant period, but consistently required the following:
Delete all of a person’s data you have received from us (including friend data) if that person asks you to;
Only use friend data (including friends list) in the person’s experience in your app;
Don’t transfer any data that you receive from us (including anonymous, aggregate, or derived data) to any ad network, data broker or other advertising or monetizationrelated service;
Request only the data and publishing permissions your app needs.
We learned that Dr. Kogan may have shared data from his app with Cambridge Analytica in violation of our Platform policy from The Guardian newspaper, which published a story on the matter on 11 December 2015.7 We acted to terminate the app’s access rights to use Facebook Login by 17 December 2015. We also assessed what further action was necessary and appropriate to enforce our Platform policies. These actions included demanding that Dr. Kogan and GSR identify the nature of data collected, how it was used, and to whom they had disclosed the data. We further demanded that Dr. Kogan and GSR - as well as the other entities they identified as having received any data obtained via the app - account for and irretrievably delete all such data. We contacted the third parties identified by Dr. Kogan and GSR directly to secure legal certifications that all Facebook user data they had obtained was accounted for and destroyed. We also sought an explanation of how those third parties had shared the data received while they held it. These parties included Cambridge Analytica’s parent company, SCL Limited. Each of Dr. Kogan, GSR and SCL Limited certified to Facebook that they had irretrievably deleted the data they had received.
As soon as we learned recently, as a result of pre-publication inquiries received from The Guardian, The New York Times and Channel 4 in March 2018, that possible questions existed as to whether some relevant parties had actually deleted data as they had legally certified to us that they had, we have been seeking to investigate. As yet, we have obtained no proof which contradicts the deletion certifications but we are continuing to look into the issue, whilst ceding to the investigation of the UK Information Commissioner. The ICO has asked that we hold off on certain auditing and fact finding steps pending completion of their own investigation.
As stated in Mark Zuckerberg’s post (see Annex 1), we introduced changes to our Platform from 30 April 2014 (with then existing apps being allowed up to a year thereafter to move to the updated Platform) to significantly restrict the data that apps such as Dr. Kogan’s are able to access via Facebook Login. These actions would prevent any app like Dr. Kogan's from being able to access data to this extent today. We also announced some further important steps for the future of our Platform on 21 March 2018 (see Annex 2) with a view to taking action on potential past abuse and putting stronger protections in place to prevent future abuse.
Both Dr. Kogan and Cambridge Analytica acted as independent third party data controllers with regard to the data they obtained (i.e. they had control of and made the processing decisions in respect of the data). While we are doing what we can to investigate such matters ourselves, they are the parties that can answer further questions about how they used relevant data.
Access to the personal data of Facebook users located in South Africa by third parties
The current information that we have with respect to South African user data is as follows:
We understand that 13 people in South Africa installed the app throughout its lifetime on the Facebook Platform (i.e., from November 2013 when the app went live to no later than 17 December 2015), which is 0.004% of the app’s total worldwide installs.
We further understand that 96,121 additional people in South Africa were potentially affected, as friends of people who installed the app that did not install the app themselves.
This yields a total of 96,134 potentially affected people in South Africa, which is 0.11% of the global number of potentially affected people.
I should also make the following points on the approach that we have taken to identify people affected:
Location has been used to identify those affected. Location is not an indication of nationality or citizenship and may not, in some cases, indicate actual place of residence.
These figures do not include people who may have installed the app but then subsequently deleted their Facebook account, as we no longer hold that data.
These figures also may be over inclusive. We have not retained data regarding when individual users installed the app. As a result, we have had to include in these figuresbl anyone who installed the app during its lifetime, and anyone who may have been friends on Facebook with any of those people at the time between when the app first became active on the Facebook Platform in November 2013 and when the app’s access to friends’ data was limited in May 2015. They also include users who may have changed their settings to disallow sharing of their data with apps authorized by their friends, due to limited historical information about when or how those settings were updated. We believe this figure may over-count the total number of users whose data was in fact accessed by the app; however, we wanted to be as comprehensive as possible in our analysis.
These figures may be significantly larger than the actual count of people whose data was shared with Cambridge Analytica by Dr. Kogan. This understanding is consistent with the contract between GSR and SCL Limited that has recently been made public and indicates that Dr. Kogan agreed to transfer data relevant to people in only 11 US states.
Informing users and next steps
From 9 April 2018, we have been showing people a link at the top of their News Feed so they can see what apps they use — and the information they have shared with those apps. People are also able to remove apps that they no longer want. As part of this process we have been telling people if their information may have been improperly shared with Cambridge Analytica.
As explained above, the actions that we have taken since 30 April 2014 prevent any app like Dr. Kogan’s from being able to access data to this extent today. As also explained above, we are taking further important steps with a view to taking action on potential past abuse and putting stronger protections in place to prevent future abuse. We’re going to set a higher standard for how developers build on Facebook, what people should expect from them, and, most importantly, from us. We will:
Review our Platform. As explained above, we will investigate all apps that had access to large amounts of information before we changed our Platform in 2014 to reduce data access, and we will conduct a full audit of any app with suspicious activity. If we find developers that misused personally identifiable information, we will ban them from our Platform.
Tell people about data misuse. We will, to the extent possible, tell people affected by apps that have misused their data. To that end, we have built a way for people to know if their data might have been accessed via “thisisyourdigitallife”. Moving forward, if we remove an app for misusing data, we will tell everyone who used it.
Turn off access for unused apps. If someone has not used an app within the last three months, we will turn off the app’s access to their information.
Restrict Facebook Login data. We are changing Facebook Login, so that in the next version, we will reduce the data that an app can request without app review to include only name, profile photo and email address. Requesting any other data will require our approval.
Encourage people to manage the apps they use. We already show people what apps their accounts are connected to and how to control what data they’ve permitted those apps to use. Going forward, we are going to make these choices more prominent and easier to manage.
Reward people who find vulnerabilities. We have also expanded Facebook’s bug bounty program so that people can also report to us if they find misuse of data by app developers.
We are continuing to investigate this matter and are happy to provide you with further information if that would be helpful. For the avoidance of doubt, we are providing this information on a voluntary basis and in the hope that it assists you.
Head of Data Protection, Facebook Ireland Limited