US trade commission sues Cambridge Analytica for duping FB users

Washington, July 25

The US trade commission has filed a lawsuit against Cambridge Analytica, accusing the UK-based data company of adopting “deceptive tactics” to obtain personal information of Facebook users, a day after it imposed a whopping USD 5 billion fine on the social media giant for privacy violations.

Cambridge Analytica (CA) is accused of acquiring data from up to 87 million Facebook profiles for use in political campaigns around the world.

The USD 5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy. In addition to paying the penalty, it has also agreed to submit itself to new restrictions and a modified corporate structure that will hold the company accountable for the decisions it makes about its users’ privacy.

The Federal Trade Commission (FTC) on Wednesday alleged that Cambridge Analytica, its former CEO Alexander Nix and app developer Aleksandr Kogan deceived consumers by falsely claiming they did not collect any personally identifiable information from Facebook users who were asked to answer survey questions and share some of their profile data.

“They employed deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting,” it said in a press release issued on Wednesday.

The FTC also announced a settlement with Nix and Kogan, saying the duo has agreed to administrative orders restricting how they conduct any business in the future and requiring them to delete or destroy any personal information they collected.

Cambridge Analytica, however, has filed for bankruptcy and has not settled the FTC’s allegations.

Kogan is the developer of a Facebook application called the GSRApp, also referred to as the “thisisyourdigitallife” app.

The GSRApp asked its users to answer personality and other questions, and collected information such as the “likes” of public Facebook pages by the app’s users and by the “friends” in their social network.

During 2014, the FTC alleges, Kogan, together with Cambridge Analytica and Nix, developed, used, and analysed data obtained from the GSRApp to generate personality scores for the app users and their Facebook friends.

The company then matched these personality scores with US voter records and used them for its voter profiling and targeted advertising services, the FTC said.

For this project, Kogan was able to re-purpose an existing app he had on the Facebook platform, which allowed the app to harvest Facebook data from app users and their Facebook friends.

In April 2014, Facebook announced it would no longer allow app developers to access data from an app user’s Facebook friends.

Facebook, however, allowed developers with existing apps on the Facebook platform to access this data for another year.

The FTC alleges that the GSRApp took advantage of this access to collect Facebook profile data from its 2,50,000 to 2,70,000 users located in the United States, as well as 50 million to 65 million of those users’ Facebook friends, including at least 30 million identifiable US consumers.

The app users were paid a nominal fee to take the GSRApp survey. Almost half of the app users, however, originally refused to provide their Facebook profile information.

To address this issue, the GSRApp began telling app users that it would not “download your name or any other identifiable information — we are interested in your demographics and likes.”

The FTC, however, alleges that this was false and that the GSRApp in fact collected users’ Facebook User ID, which connects individuals to their Facebook profiles, as well as other personal information such as their gender, birth date, location and their friend lists.

In addition, the FTC alleged that Cambridge Analytica falsely claimed until at least November 2018 that it was a participant in the EU-US Privacy Shield framework, even though the company allowed its certification to lapse in May 2018.

The Privacy Shield establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law. PTI