On March 26, 2017, the Federal Trade Commission (FTC) confirmed that it is investigating Facebook relating to the recent controversy surrounding the collection and sale of user data.1 Cambridge Analytica suspiciously obtained the data of 87 million Facebook users, which has been used for targeted political advertising.2 There is conflicting information about what, if any, effect Cambridge Analytica had on any election, or if it was employed in the 2016 presidential election.3 Although the story has been making major headlines recently, the data in question has been acknowledged in the news since Ted Cruz’s presidential campaign in 2015, when he hired Cambridge Analytica.4

The saga began in 2014, when Aleksandr Kogan, an academic at Cambridge University, developed a Facebook app that was designed to gather information about Facebook users.5 This app was a personality quiz that generated results based in part on information gathered from the user’s Facebook profile. The app collected and stored all the information it was using to generate results—but it didn’t stop there. To use the app, users were required to grant the app access to their “friends.” Once granted access, the app then collected and stored information from friends’ profiles. Any information that was visible to friends was available to the app, even if a user’s profile was not set to “public.”

To maximize data collection, Kogan used Amazon’s Mechanical Turk platform to hire people to download the app.6 These postings were specifically for American “Turkers,” and Turkers were paid one or two dollars to download the app, granting access to their friends’ data and spread the use of the app.7 Amazon claims that this was a violation of the platform’s terms of service and that it suspended the requester when it learned of the misuse in 2015.8 However, there are reports that Amazon had received multiple complaints of the misuse very shortly after Kogan’s original postings but allowed Kogan to continue using the platform for a year.9

Over 270,000 people used Kogan’s app, but, because of the covert access to users’ entire network of friends, the app allegedly obtained information on over 50 million Facebook users.10 Sometime in 2015, Kogan sold the data to Cambridge Analytica.11 According to Facebook, this was a violation of the Facebook policy that Kogan accepted as a condition of his ability to use the app for research.12 Facebook became aware of the connection between the app and controversy over the data used in Ted Cruz’s campaign and requested that Cambridge Analytica delete the data.13 While not exactly a “breach,” which suggests that Facebook’s security systems failed, there is a major question whether users received notice that their data was accessible to applications used by their friends.

According to a former Cambridge Analytica employee, whistleblower Christopher Wylie, the data was not deleted, and it was used by the company to make targeted advertising more effective in the 2016 election.14 Other sources “close to Cambridge” have reported that the data was accessible as recently as a year ago.15 Cambridge Analytica claims to have deleted all of the data, as requested by Facebook.16 The company also claims that the data was not used in the Trump presidential campaign.17

Adding injury to insult, this is not the first time Facebook has been in hot water with the FTC for allowing third-party access to user data. The FTC filed a complaint in 2011 accusing Facebook of misleading users into believing that only their ‘friends’ could view their profiles, when in fact third-parties could still access the information, and effectively hiding the controls to prevent third-party access.18 Facebook entered a consent agreement, without admitting guilt, which required that Facebook obtain explicit consent from users before changing the way data is shared with third-parties.19 Additionally, the agreement required that Facebook implement clear policies and procedures to inform users about what data is being shared with third-parties and how users can control what is shared.20 If the FTC finds that Facebook did violate the consent agreement, Facebook could be on the hook for civil penalties of up to $40,000 per day.21