[If you’re looking for any information about the Facebook “access token hack”, visit our Facebook Data Breach Lawsuit page.]
Our privacy attorneys filed a class action lawsuit against Facebook and Cambridge Analytica in the wake of news that the developer of a Facebook app scraped data from the app’s 270,000 users and their 87 million Facebook friends, and gave the data to Cambridge Analytica, a data broker, which played a role in the Trump campaign.
Allegations in Our Lawsuit
The lawsuit alleges that not only did Facebook allow third parties, such as Cambridge Analytica, access to vast troves of user information, it also did not do enough to prevent these third parties from misusing the information.
The complaint further explains that the “exploitation of Facebook data is not limited to elections or one actor,” and that Facebook engages in “surveillance capitalism,” regularly using its platform to “‘figure out [users’] personal psychological susceptibilities and then charge(s) advertisers to exploit them,'” according to Jennifer Cobb, coordinator of the Trustworthy Technologies research initiative. According to the complaint, “[t]he seemingly unrestricted surveillance and analysis of daily interactions and behaviors on the Facebook platform far exceeds user expectations of how personal data is used.”
The complaint proposes a class of:
All persons whose information or behavioral data was accessed, directly or indirectly, from the Facebook platform by Cambridge Analytica or other entities without the person’s consent or knowledge.
How To Know if Your Data Was Shared with Cambridge Analytica
Facebook has a website in their Help section where it states users can check “to see if your information may have been shared with Cambridge Analytica by the app ‘This Is Your Digital Life.'”
If you are affected, the page may also tell you what information was shared.
Cambridge Analytica Reportedly Improperly Obtained Personal Data of 50 Million Facebook Users
The New York Times reports that Cambridge Analytica, a British data-analytics company, “improperly acquired the private data” of “roughly 50 million Facebook users, and used it to target voters on behalf of the Trump campaign during the 2016 presidential election.”
According to NYT, Cambridge Analytica acquired this data by partnering with a psychology professor, Aleksandr Kogan, to develop a Facebook application that administered a “personality test.” The application, “Thisisyourdigitallife,” paid Facebook users to answer a series of questions about themselves. To receive these funds, users had to be registered U.S. voters. All told, about 270,000 people installed the application.
By installing the application, these 270,000 Facebook users granted Thisisyourdigitallife permission to access data from their Facebook accounts, per Sandy Parakilas, a former Facebook employee.
If you were among the 270,000 app users, you may not have realized that “[a]t the time … Facebook also allowed [app] developers to access your friends’ data, even though those friends had never agreed to connect to the app,” says Parakilas. As a result, the Thisisyourdigitallife application could access “friends’ status updates, check-ins, location, interests and more,” according to TechCrunch.
Professor Kogan used Thisisyourdigitallife to harvest the private information of roughly 50 million individuals who were Facebook friends with one of the app’s 270,000 users, the NYT says. Cambridge Analytica paid Kogan $1 million for data harvesting, according to The Guardian.
Facebook: This is Not a Data Breach
In a statement, Facebook said that this situation is not a “data breach” because “Kogan gained access to this information in a legitimate way and through the proper channels that governed all developers on Facebook at that time.”
But, Facebook noted, Kogan passed the data to an unauthorized third party, who was not permitted to receive it. Facebook’s “platform policies” at the time prohibited app developers from sharing data with third parties, such as Cambridge Analytica.
Improperly Obtained Data is Used to Create Psychological Profiles of Registered US Voters
Although Cambridge Analytica received 50 million people’s raw Facebook data, only 30 million had shared enough information with Facebook to serve Cambridge Analytica’s purposes, says the NYT.
Cambridge Analytica used the information on these 30 million people to construct psychological profiles on these individuals, according to the New York Times. By analyzing what people “Liked” on Facebook, The Guardian reports, Cambridge Analytica could deduce “information about sexual orientation, race, gender, even intelligence and childhood trauma.”
Cambridge Analytica used these psychological profiles to determine who was likely to be swayed and by what type of messaging would sway them, according to an interview by The Guardian.
Psychological Profiles Used in Trump Election Campaign
In 2016, Cambridge Analytica used its psychological profiles to perform a “variety of services” for the Trump campaign, including “designing target audiences for digital ads and fundraising appeals, modeling voter turnout, buying $5 million in television ads and determining where Mr. Trump should travel to best drum up support,” according to the NYT.
In private, Cambridge Analytica has bragged that its services were behind Trump winning the election, according to the UK’s Channel 4 News.
Facebook Knew About Data Leak in 2015 and Didn't Act or Notify Users
When Facebook discovered in 2015 that Aleksandr Kogan and Cambridge Analytica had scraped profiles of millions of Americans, Facebook did nothing more than ask Kogan and Cambridge Analytica to check a box saying they had deleted the data, as Facebook itself admits in a March 16, 2018 statement. Cambridge Analytica checked the box, certifying that it had deleted the data, and under inquiry from the UK parliament, Cambridge Analytica’s CEO said that the company had never relied on its trove of Facebook profiles.
But Christopher Wylie, former Cambridge Analytica employee, says that the company checked the box, but never deleted the data. The NYT confirmed based on “[i]nterviews with a half-dozen former employees and contractors, and a review of the [Cambridge Analytica’s] emails and documents,” that Cambridge Analytica “still possesses most or all of the trove” of Facebook data.
A former Facebook privacy officer, writing in the Washington Post, said that Facebook never did more than ask companies to delete data when it discovered a privacy violation. This privacy officer stated, “[D]ata protection issues happened regularly during my tenure” at Facebook, and while Facebook contacted “many developers and demanded compliance,” it never conducted “a single audit of a developer where [Facebook] inspected the developer’s data storage” to confirm the data was deleted.
Facebook Changes Policies After a Developer Improperly Obtains, Sells Data to Cambridge Analytica
According to TechCrunch, “It was always kind of shady that Facebook let you volunteer your friends’ status updates, check-ins, location, interests and more to third-party apps,” without your friends being notified. TNW explains:
“When signing on to a new app, Facebook users are often confronted with a disconcerting choice — let Facebook access information about hundreds of your closest friends without their knowledge or permission — or perhaps just give up that particular product or service.”
Amid “privacy concerns, Facebook “shut down the Friends data API” in 2015, says TechCrunch. Facebook’s APIs, which stand for “application programming interface,” control how application developers can interact with the Facebook platform. The Friends data API was a feature that gave application developers access to data belonging to users’ friends.
Aleksandr Kogan obtained his data trove on 50 million Americans before Facebook removed the Friends data API feature, according to NYT.
Our Leadership in Data Breach & Privacy Litigation
Our firm has represented plaintiffs in complex lawsuits involving some of the nation’s largest data breaches, including litigation against Anthem, Adobe, Home Depot, Excellus Blue Cross and Blue Shield, and Banner Health, among others. In the past, we have successfully represented consumers with data breach and privacy claims involving HealthNet and Certegy Check Services.
Eric Gibbs has established himself as a leader in emerging litigation involving data breach and privacy. He was court-appointed to the four-member leadership team in the Anthem Data Breach Litigation, which recently settled for $115 million, the largest data breach settlement in history (settlement pending final Court approval). Eric secured a landmark ruling in the Adobe Systems, Inc. Privacy Litigation, which makes it easier for plaintiffs to seek relief following a breach. He was recently selected from among a pool of attorneys from across the country to serve as co-lead counsel in the Vizio, Inc., Consumer Privacy Litigation.
Eric co-founded the American Association for Justice’s Data Breach and Privacy Litigation Group, and has served as chair and organizer of several consumer privacy conferences on best practices and developments in consumer privacy litigation.