The app developer who surreptitiously gathered and shared 50 million Facebook user profiles says the company was officially notified of his actions but failed to stop it. Aleksandr Kogan, a research associate in the department of psychology at the University of Cambridge, turned over his Facebook-generated personality research to the political consulting firm Cambridge Analytica. In an email to university colleagues he called Facebook’s side of the story a ‘fabrication’.
He said that in 2014 he used an official Facebook Inc platform for developers to change the terms and conditions of his app from ‘research’ to ‘commercial use’, and that at no point then did the social media company object. Kogan’s position contradicts Facebook’s stance that Kogan violated the company’s terms and services and then lied about it. “We clearly stated that the users were granting us the right to use the data in broad scope, including selling and licensing the data,” Kogan wrote in a March 18 email obtained by Bloomberg. “These changes were all made on the Facebook app platform and thus they had full ability to review the nature of the app and raise issues.”
Facebook says that at the time Kogan launched his commercial app there were privacy rules in place that clearly stated it was against company policies to transfer user data externally once obtained, and to use friends’ data for anything other than measuring internal user experiences. “Kogan violated Facebook’s policies whether or not he stated his intention to do so in his own terms of service,” said Andy Stone, a Facebook spokesman. Kogan has agreed to an audit by independent digital forensics investigators hired by Facebook.
Chief Executive Officer Mark Zuckerberg’s global social media network is under intense scrutiny as it tries to respond to one of the biggest data leaks in its 14-year history. In 2015 Facebook discovered that Kogan’s app, a personality quiz, had obtained direct access to 270,000 user profiles and in turn millions more friends who didn’t realize their default privacy settings had allowed the app to harvest their personal information.
Kogan passed the information gleaned from the quizzes to Cambridge Analytica, the data firm that helped Donald Trump win the US presidential election in 2016. When Facebook found out about Kogan’s external transfer of the data, it removed his app from the site and asked Kogan to delete the data. Facebook reportedly understood that the researcher complied. A series of news reports called into question whether Kogan in fact ever removed the data. Kogan says he did.
Kogan’s interpretation of events is potentially critical in better understanding what Facebook knew and when. On Tuesday, a Facebook shareholder filed a class action lawsuit in San Francisco federal court claiming that the company was negligent in failing to disclose the extent of the leak. Regulators in the US and in Europe are probing Facebook’s handling of the data, and US congressional leaders are demanding that Zuckerberg personally testify about the incident. Zuckerberg addressed the situation Wednesday, saying Facebook will investigate all apps that have access to large data and ban developers that misuse identifiable information.
In the email, Kogan says that he hadn’t been interviewed by the Federal Bureau of Investigation or any other law enforcement agencies, but would have no problem doing so. He wrote that his app originally started as an academic project but turned to a commercial venture after being approached by the UK affiliate of Cambridge Analytica, SCL Group, around 2013. He then formed a company called Global Science Research Ltd, and changed the name of his app to GSRApp, while also modifying the privacy terms from academic to commercial.
The app recruited Facebook users through a program called Qualtrics and then asked them to complete a series of surveys. “Through the app, we collected public demographic details about each user (name, location, age, gender), and their page likes (e.g., the Lady Gaga page). We collected the same data about their friends whose security settings allowed for their friends to share their data through apps. Each user who authorized the app was presented with both a list of the exact data we would be collecting, and also a Terms of Service detailing the commercial nature of the project and the rights they gave us as far as the data. Facebook themselves have been on the record saying that the collection was through legitimate means.”
Kogan went on to say that the personality profiles that he gathered ended up not being particularly useful for making predictions needed for micro-targeting. “In fact, from our subsequent research on the topic,” he wrote, “we found out that the predictions we gave SCL were 6 times more likely to get all 5 of a person’s personality traits wrong as it was to get them all correct. In short, even if the data was used by a campaign for micro-targeting, it could realistically only hurt their efforts.”
He also detailed some of the personal intrigue behind his story, including his role in a study at St. Petersburg State University working on a series of personality traits called the ‘dark triad’, including narcissism, psychopath and Machiavellianism. Kogan was born in the former Soviet Union but moved to New York City at age 7. The fact that he recently changed his last name from Kogan to Spectre after getting married should alarm nobody, he said.
“If I am a Russian spy, I am the world’s dumbest spy – I did, after all, change my last name to the James Bond villains,” he wrote.