The Guardian and New York Times investigations into Cambridge Analytica: the breach of the personal data of 50 million users through Facebook, and what happened

According to two well-documented investigations by the Guardian and the New York Times, the company Cambridge Analytica breached the Facebook profiles of 50 million users to obtain their personal data, in one of the largest data breaches, that is, breaches of personal data, in history. Cambridge Analytica is linked to former Trump adviser Steve Bannon and worked on Donald Trump’s own election campaign and on the campaign in favour of Brexit.

In 2014 Cambridge Analytica received 15 million dollars in funding from Republican donor Robert Mercer, and Steve Bannon, strategist of Trump’s presidential campaign, sits on the company’s board.

In the Guardian investigation, Christopher Wylie, a data analytics expert who worked with Cambridge Analytica, presented several pieces of evidence of the improper use of the data. Facebook denies that the collection of tens of millions of profiles resulted from a data breach, although according to the Guardian Facebook had discovered the massive breach as early as 2015.

A whistleblower has revealed to the Observer how Cambridge Analytica – a company owned by the hedge fund billionaire Robert Mercer, and headed at the time by Trump’s key adviser Steve Bannon – used personal information taken without authorisation in early 2014 to build a system that could profile individual US voters, in order to target them with personalised political advertisements.

Christopher Wylie, who worked with a Cambridge University academic to obtain the data, told the Observer: “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.”

Documents seen by the Observer, and confirmed by a Facebook statement, show that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals.

According to the New York Times, copies of the data collected for Cambridge Analytica can still be found online; its reporting team had seen some of the raw data.

So the firm harvested private information from the Facebook profiles of more than 50 million users without their permission, according to former Cambridge employees, associates and documents, making it one of the largest data leaks in the social network’s history. The breach allowed the company to exploit the private social media activity of a huge swath of the American electorate, developing techniques that underpinned its work on President Trump’s campaign in 2016.

An examination by The New York Times and The Observer of London reveals how Cambridge Analytica’s drive to bring to market a potentially powerful new weapon put the firm — and wealthy conservative investors seeking to reshape politics — under scrutiny from investigators and lawmakers on both sides of the Atlantic.

Christopher Wylie, who helped found Cambridge and worked there until late 2014, said of its leaders: “Rules don’t matter for them. For them, this is a war, and it’s all fair.”

According to CBS, Facebook had known about what happened for two years but did nothing.

Facebook knew for two years that a data firm harvested data from more than 50 million profiles of U.S. voters without their permission but did nothing to protect its users, Guardian reporter Carole Cadwalladr told CBSN on Saturday. Cadwalladr said Facebook threatened to sue in a bid to prevent The Guardian publishing an exposé on the data harvesting. She believes Facebook didn’t inform users of the misuse of data because it wasn’t in the company’s best interest. The Guardian story, based on interviews with whistleblower Chris Wylie who worked for the firm, published online on Saturday.

“This continual pattern that we’ve seen with Facebook — trying to shut the story down, finally when it has no choice, acknowledge it. They’ve just really got to do better,” she said.

Cambridge Analytica’s claim that the data was deleted is refuted by Wired, which has confirmation that the data was still in use last year and explains how Facebook in fact did not verify how the extracted data was used.

The weekend’s revelations don’t paint Facebook in a positive light, either. After two years in which Facebook has struggled to explain how Russian propaganda and fake news proliferated on the platform, it now must explain one of its fundamental flaws: Facebook offers unprecedented data to its paying clients, but has next to no controls in place to ensure that data will be handled properly.

 And yet, Facebook shares some of the blame. The company’s executives have repeatedly been brought before Congress to testify about how the platform was used and abused during the 2016 election. The fact that the company discovered a major data breach by a vendor to the Trump campaign seems worthy of public disclosure well before three years have passed. “Facebook never comes forward with information until their backs are against the wall,” said Jonathan Albright, research director at Columbia University’s Tow Center for Digital Journalism. “This is a mess.”

On 16 March, a few hours before the Guardian and NYT reports were published, Facebook decided to suspend the accounts of Strategic Communication Laboratories and Cambridge Analytica, explaining the reasons for the decision in a post. On 17 March it then specified that there had been no leak of personal data, since the parties involved gained access to the data through an app, no system was infiltrated, and no passwords or information were stolen from its systems.

Facebook accuses Cambridge Analytica of having violated its policies on the handling of user data and of having improperly retained that data despite promising to destroy it. In announcing the suspension, Facebook does not go into detail on how Cambridge Analytica used the data or whether it gave the data to the Trump campaign.

Protecting people’s information is at the heart of everything we do, and we require the same from people who operate apps on Facebook. In 2015, we learned that a psychology professor at the University of Cambridge named Dr. Aleksandr Kogan lied to us and violated our Platform Policies by passing data from an app that was using Facebook Login to SCL/Cambridge Analytica, a firm that does political, government and military work around the globe. He also passed that data to Christopher Wylie of Eunoia Technologies, Inc.

Like all app developers, Kogan requested and gained access to information from people after they chose to download his app. His app, “thisisyourdigitallife,” offered a personality prediction, and billed itself on Facebook as “a research app used by psychologists.” Approximately 270,000 people downloaded the app. In so doing, they gave their consent for Kogan to access information such as the city they set on their profile, or content they had liked, as well as more limited information about friends who had their privacy settings set to allow it.

Although Kogan gained access to this information in a legitimate way and through the proper channels that governed all developers on Facebook at that time, he did not subsequently abide by our rules. By passing information on to a third party, including SCL/Cambridge Analytica and Christopher Wylie of Eunoia Technologies, he violated our platform policies. When we learned of this violation in 2015, we removed his app from Facebook and demanded certifications from Kogan and all parties he had given data to that the information had been destroyed. Cambridge Analytica, Kogan and Wylie all certified to us that they destroyed the data.

For its part, Cambridge Analytica denies the allegations in a statement and reiterates that it followed the rules of Facebook, with which it is working to resolve the situation. In the same statement it discusses the role of Global Science Research (GSR), which obtained the data through a Facebook API.

Cambridge Analytica’s Commercial and Political divisions use social media platforms for outward marketing, delivering data-led and creative content to targeted audiences. They do not use or hold data from Facebook profiles. In 2014, we contracted a company led by a seemingly reputable academic at an internationally-renowned institution to undertake a large scale research project in the United States.

This company, Global Science Research (GSR), was contractually committed by us to only obtain data in accordance with the UK Data Protection Act and to seek the informed consent of each respondent. GSR was also contractually the Data Controller (as per Section 1(1) of the Data Protection Act) for any collected data. GSR obtained Facebook data via an API provided by Facebook.

When it subsequently became clear that the data had not been obtained by GSR in line with Facebook’s terms of service, Cambridge Analytica deleted all data received from GSR.

According to the journalistic investigations, the data had in fact been collected through an app called thisisyourdigitallife, built by Aleksandr Kogan of the University of Cambridge. Through Global Science Research, in collaboration with Cambridge Analytica, hundreds of thousands of users were paid to take a personality test and agreed to have their data collected for academic use. The app, however, then also pulled the information of their Facebook friends, thereby carrying off the data of tens of millions of people.

Channel 4 News has produced a useful video report that brings together the players in the story.

What happened has sparked an important debate in the US and the UK about Facebook’s role, its power and the obligations it must be required to meet.

American and British lawmakers demanded on Sunday that Facebook explain how a political data firm with links to President Trump’s 2016 campaign was able to harvest private information from more than 50 million Facebook profiles without the social network’s alerting users. The backlash forced Facebook to once again defend the way it protects user data.

Senator Amy Klobuchar of Minnesota, a Democratic member of the Senate Judiciary Committee, went so far as to press for Mark Zuckerberg, Facebook’s chief executive, to appear before the panel to explain what the social network knew about the misuse of its data “to target political advertising and manipulate voters.”

Damian Collins, a Conservative lawmaker in Britain who is leading a parliamentary inquiry into fake news and Russian meddling in the country’s referendum to leave the European Union, said this weekend that he, too, would call on Mr. Zuckerberg or another top executive to testify. The social network sent executives who handle policy matters to answer questions in February.

In Italy, Riccardo Luna has reconstructed the story and asks which Italian party worked with Cambridge Analytica.

On the website, which cites more than a hundred election campaigns on five continents over 25 years, despite the fact that the company was founded just 5 years ago, Italy is highlighted among the success stories. “In 2012,” it reads, “CA carried out a project for an Italian party that was re-emerging and had last been successful in the 1980s.” “Using,” the note continues, “Target Audience Analysis, CA brought the party’s current and past members together with potential sympathisers to develop a reorganisation of the strategy that met the needs of both groups. The modern, flexible organisational structure that resulted from CA’s work suggested reforms that allowed the party to achieve results far above expectations at a time of great political turbulence in Italy.”

In the United States a petition has been launched asking Facebook to notify the 50 million users that their data was taken, since to date Facebook has not yet done so.

Because of the sensitive nature of these parties, and because it should be liable to its users for such breaches, Facebook has a duty to inform all users affected by this breach.

Notification should include all users whose data was directly or indirectly shared with these parties, and how that information was used to target them with political advertising by Cambridge Analytica, the Cruz or Trump campaigns, or any other entity that CA did business with.

The news and the back-and-forth have moved to Twitter

Facebook tried to persuade the Guardian not to publish the investigation, as described by John Mulholland, editor of the paper, via Twitter

and that Facebook has suspended Christopher Wylie’s account

Caroline Orr, a doctoral fellow at Virginia Commonwealth who has previously reported on the entanglements between the US election campaign and Russia, explains that Joseph Chancellor, founding director of Global Science Research, now works for Facebook