Another Cambridge app data scandal returns to haunt Facebook

15 May 2018

Just when Facebook thought it was out of the privacy woods, some pesky Cambridge researchers were found to be at it again with their quiz apps.

The spectre of the Cambridge Analytica data scandal has returned to haunt Facebook.

It has emerged that another app called myPersonality had also been collecting data, and the personal information of as many as 3m users who installed it on their Facebook profile may have been exposed.

Data from the psychology app, including answers to intimate questionnaires, was in turn passed on to hundreds of researchers, according to a report from New Scientist.

According to New Scientist, academics at the University of Cambridge distributed the data from the personality quiz app to hundreds of researchers via a website that had insufficient security in place. The data was left exposed for four years and could apparently be reached fairly easily through a quick web search.

The revelation comes just months after Facebook was rocked to the core and had billions wiped from its share value when the story broke that political consultancy Cambridge Analytica enlisted a Cambridge professor called Dr Aleksandr Kogan to collect data through a personality quiz called This Is Your Digital Life.

What began as a few thousand downloads spiralled to the collection of data without the permission of about 87m users. And Facebook is still trying to get to the bottom of how such apps were able to gather hoards of data.

Last night (14 May), Facebook announced that it has suspended 200 apps pending a “thorough investigation” into whether or not they misused Facebook user data.

A quizzical situation

The latest revelation indicates that a different set of researchers at Cambridge University was able to collect user information, with the users' consent, through a personality app called myPersonality.

That was straightforward enough until the group made much of the data available online through a web portal.

More than 6m people completed the tests on the myPersonality app and nearly half (the 3m individuals at the heart of this) agreed to share data from their Facebook profiles with the project.

And, although the data was anonymised with names removed, it is feared that the intimacy of the information made it possible to identify some of the quiz respondents.

To get access to the data, people could register as a collaborator to the project and more than 280 people from 150 institutions did so, including researchers from Facebook, Google, Microsoft and Yahoo.

The information would not be available to users without valid credentials, such as a permanent academic contract. But there was a workaround: a username and password were posted on GitHub and could be found easily by a web search.

The datasets – which were marketed as ‘mind-reads audiences’ as part of a spin-out company called Cambridge Personality Research – are understood to have been controlled by two researchers at the University of Cambridge’s The Psychometrics Centre, David Stillwell and Michal Kosinski.

Kogan – the researcher at the centre of the Cambridge Analytica scandal – had previously been a part of the project.

The UK’s data watchdog, the Information Commissioner’s Office, is investigating the latest revelations.

Facebook is understood to have suspended myPersonality from its platform on 7 April.

Ime Archibong, vice-president of product partnerships at Facebook, said in a blogpost this week that Facebook will investigate all apps that had access to large amounts of information before the company changed its platform policies in 2014.

He said that any app that refused or failed an audit would be banned.

“The investigation process is in full swing, and it has two phases,” Archibong said.

“First, a comprehensive review to identify every app that had access to this amount of Facebook data. And second, where we have concerns, we will conduct interviews, make requests for information (RFI) – which ask a series of detailed questions about the app and the data it has access to – and perform audits that may include on-site inspections.

“We have large teams of internal and external experts working hard to investigate these apps as quickly as possible. To date, thousands of apps have been investigated and around 200 have been suspended, pending a thorough investigation into whether they did in fact misuse any data. Where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website. It will show people if they or their friends installed an app that misused data before 2015 – just as we did for Cambridge Analytica,” Archibong said.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
