Facebook denies hiding Cambridge Analytica evidence to UK investigation

13 Aug 2019

Image: Dominic Lipinski/PA

Facebook has denied any prior knowledge of compromised data as part of the Cambridge Analytica scandal, as reported in the US.

Facebook has denied its executives gave contradictory evidence to a parliamentary committee that was investigating the Cambridge Analytica data scandal. Chair of the UK Department for Digital, Culture, Media and Sport (DCMS) select committee, Damian Collins, had written to the social media giant earlier this month asking for clarification on points made by two of its executives before the committee.

He suggested a complaint filed by the US Securities and Exchange Commission (SEC) appeared to show Facebook staff knew about data being compromised earlier than its senior staff acknowledged to MPs.

The complaint claimed that while Facebook staff first raised concerns on the matter in September 2015, Facebook executives said the site first learned of the data misuse through media reports in December 2015.

A lengthy response

However, in a letter responding to Collins, Facebook’s UK head of public policy, Rebecca Stimson, said the company had “truthfully answered questions” on the issue and, rather than contradictions, had provided accounts of two separate events.

“The evidence given to the committees by Mike Schroepfer (chief technology officer), Lord Allan (vice-president for policy solutions), and other Facebook representatives is entirely consistent with the allegations in the SEC Complaint filed 24 July 2019,” she wrote.

“In their evidence, Facebook representatives truthfully answered questions about when the company first learned of Aleksandr Kogan/GSR’s improper transfer of data to Cambridge Analytica, which was in December 2015 through The Guardian’s reporting. We are aware of no evidence to suggest that Facebook learned any earlier of that improper transfer.

“As we have told regulators, and many media stories have since reported, we heard speculation about data scraping by Cambridge Analytica in September 2015. We have also testified publicly that we first learned Kogan sold data to Cambridge Analytica in December 2015. These are two different things and this is not new information. The allegation in the SEC’s complaint that is the focus of your letter does not concern Kogan/GSR’s improper transfer of data to Cambridge Analytica.

“Rather, as previously reported, that allegation relates to rumours in September 2015 that Cambridge Analytica was promoting its ability to scrape user data from public Facebook pages. The scraping of data from public pages (which is unfortunately common for any internet service) is different from, and has no relationship to, the illicit transfer to third parties of data obtained by an app developer (which was the subject of the December 2015 Guardian article and of Facebook representatives’ evidence).

“We also followed up other media reports about Cambridge Analytica’s activity to see if we could find evidence of abuse, but this led us back to their legal certification from January 2016 that they had deleted the data, as we made clear to the committee in our evidence.”

‘Facebook reacted quickly to the allegations’

Stimson also responded to the DCMS committee’s concerns about the social network’s reaction to the data breach. Collins’ letter had asked for clarification on “why no action was taken until 2018” after the SEC complaint suggested Facebook staff were also aware of data misuse “throughout 2016 and beyond”.

“As the committee has already heard, Facebook personnel reacted quickly to the Guardian allegations, contacting Cambridge Analytica and Kogan directly to obtain first oral and later written confirmation from both that the data had been deleted,” she said.

“Cambridge Analytica further certified that it had never used the data for commercial purposes. Facebook employees therefore believed as early as January 2016 that the situation had been resolved. The SEC’s allegations in this regard are therefore consistent with the evidence provided to the committee.”

Last month, the social network was fined $5bn by the US Federal Trade Commission (FTC) over its handling of user data in the Cambridge Analytica scandal. Facebook also agreed to strict new internal oversight rules around data privacy as part of a settlement with the FTC.

It includes mechanisms that mean founder and chief executive Mark Zuckerberg will have to personally certify the company’s compliance with privacy measures and the company must submit quarterly privacy reviews to show its measures are working, with Zuckerberg potentially personally liable for any breaches which then occur.

– PA Media