Facebook was informed privacy breach app might sell user data

Aliya Ram and Hannah Kuchler
Chesnot | Getty Images

Facebook was informed that the app at the center of a massive data leak could sell user data to third parties, according to documents seen by the Financial Times, raising fresh questions about how the company protects its users' data.

The social network was sent terms and conditions for the second version of the survey app, which pulled user data that was then leaked to Cambridge Analytica, the data analytics firm. These contradicted Facebook's own platform policies, according to Chris Wylie, the former Cambridge Analytica employee turned whistleblower.

But the social network relied on an automated process to accept updates, so no employee at Facebook may have seen the app's new policy, which disclosed that it could sell and transfer the data.

The first version of the app, which was reviewed by Facebook, said the opposite: it claimed to be a "research program" and said "users will be informed that the data will be carefully protected and never used for commercial purposes", the social network said.

But the Financial Times has seen a copy of a document submitted to the company by Aleksandr Kogan, the academic who built the survey app that ran on the social network. The data collected via the app was passed on to Cambridge Analytica and used to gather the information of up to 50 million users.

Read more from Financial Times:
A moment of weakness for Tech's oligopolists
Apple seeks to take advantage of Facebook's woes
If Facebook is so smart, why does it keep selling me slippers?

In the document, Global Science Research, Mr Kogan's company, outlined terms and conditions that asked users for permission to collect information, including their likes and status updates as well as those of their Facebook friends. The terms stated that the company would have the right to "edit, copy, disseminate, publish, transfer, append or merge with other databases, sell, license . . . and archive your contribution and data".

Mr Wylie told the Financial Times in an interview that Facebook "didn't really do anything to safeguard the data", adding that the terms and conditions raised questions about why Facebook agreed to an app that explicitly broke its rules.

"There were a lot of apps at the time that were pulling lots of data — including from friend networks — and Facebook wasn't exactly proactive in asking questions or finding out where that data went," he said. "It is sort of an existential question for Facebook: do they want to be a data-harvesting company or do they want to be a community of users?"

Facebook said its policies in 2014, when Mr Kogan collected the data, prohibited app developers from selling, licensing or purchasing any data obtained from Facebook or its services. The terms and conditions also prohibited apps from transferring data "to any ad network, data broker or other advertising or monetisation-related service".

Mr Kogan told the Financial Times he was "surprised" at being accused of breaking Facebook's policies. "I don't know any app whose terms of service and privacy policy comply with what Facebook says is its privacy policy," he said. "If they really care, then why do they do nothing to enforce it?"

In separate documents published by the UK parliament's digital, culture, media and sport committee on Thursday, Mr Kogan's company was explicit that it was operating under Facebook's old terms of service, and he would not be able to collect the data under the new policy which came into force for all apps in 2015. The documents that Mr Wylie handed to the committee included an agreement between GSR and SCL, Cambridge Analytica's parent company, dated June 2014. This was after Facebook had announced a change for news apps but the social network allowed a year for existing apps to adjust.

Mark Zuckerberg, Facebook's chief executive, said last week that his company had "made mistakes". "There's more to do, and we need to step up and do it," he said. Facebook had already tightened the rules around app developers, including putting in place a more comprehensive app review process, before the revelations.

Mr Zuckerberg said when Facebook was told by The Guardian in 2015 that Mr Kogan had shared data with Cambridge Analytica, it banned the app and asked both parties to "formally certify that they had deleted all improperly acquired data".