How Facebook uses what it has learned about its users.
Browse through a setting called “your ad preferences” on Facebook, and you’ll see what the social media giant thinks it can predict about you for advertisers.
It may go a little like this: Based on that San Francisco Marathon ad you once clicked on, combined with the fact that you used to live in Boston, Facebook thinks that perhaps you’ll be interested in a boot camp in Newton, Mass. And then there’s that page related to Angelina Jolie you apparently clicked on once (though you can’t remember when), which leads Facebook to think you would be interested in a nonprofit for underprivileged kids — or maybe even a local acting agent.
While these assumptions may not be entirely accurate, it’s a window into the trove of data Facebook is constantly collecting. But according to revelations in the New York Times this weekend that helped send the company’s stock down 6.8 percent Monday — the most in four years — Facebook’s data has been used for more than just serving well-targeted ads. When an outside app collected it, it turned into a way for another company to create a psychological profile of potential voters before the 2016 presidential election.
“This is a wake-up call,” said Sally Greenberg, the executive director of the National Consumers League.
Several years ago, Facebook said, it gave permission to a University of Cambridge psychology professor, Aleksandr Kogan, to collect data on his app that offered a personality test. Along with the results of the personality test, Kogan also had access to the users’ locations and content they liked — as well as information from their friends’ profiles.
Facebook says Kogan then breached its rules by providing the information he was given to a data analysis firm connected to Donald Trump’s presidential
campaign, Cambridge Analytica. With the data, the company was able to connect millions of profiles to other records and thus create intricate voter profiles on millions of voters in the U.S. (Kogan told the New York Times that it was “a very standard vanilla Facebook app”).
Facebook said it asked Cambridge Analytica to delete the data in 2015, but it has since learned that the company didn’t fully comply. Cambridge Analytica told the New York Times it had deleted the data.
These revelations have thrust Facebook’s data protection rules under intense scrutiny, leaving consumers wondering who else has their personal information and what else it can be used for.
These questions come as Bay Area tech companies still grapple with revelations that the Russian government used their sites to interfere in the last presidential election. Experts say this latest bombshell report will likely lead to more regulations on tech companies and how thirdparty companies are allowed to use their data.
Facebook has promised to conduct a “comprehensive internal and external review.” It said it has hired a digital forensics firm, Stroz Friedberg, to conduct a review to see if the data in question still exists.
“Those people will never get back what we’ve taken from them,” said Pam Dixon, executive director of the World Privacy Forum. “And think of all of the other apps that still have our data that we don’t know about. We just happen to know about this one.”
Apparently there has already been fallout within the company as well. Alex Stamos, the chief information security officer, will leave Facebook after internal disagreements over how it should deal with its role in spreading disinformation, according to current and former employees briefed on the matter.
Stamos had been a strong advocate inside the company for investigating and disclosing Russian activity on Facebook, often to the consternation of other top executives, including Chief Operating Officer Sheryl Sandberg, according to the current and former employees, who asked not to be identified discussing internal matters.
After his day-to-day responsibilities were reassigned to others in December, Stamos said he would leave the company. He was persuaded to stay through August to oversee the transition of his duties because executives thought his departure would look bad, the current and former employees said.
Facebook says it has since tightened up what data it allows outside researchers to access. In 2015, the company updated its privacy policy in an attempt to help users control the flow of information. Among the changes: an interactive guide to show users how to untag pictures or block friends, and ways to opt out of certain ads across various devices. But there are still data available to developers who want to integrate certain aspects of the social network into its own service. A common way to integrate Facebook, for example, is with its log-in button. This allows users signing up for a new service to log in via Facebook, instead of having to input their personal information into the new service.
But with this simple click, the new service suddenly has access to a trove of information on the user. Not only does it have their email, birthday — and maybe even their home address — but it can also use some of that information to target them with ads.
It is features like this that propelled Facebook’s ad revenue to $40 billion last year.
One of Facebook’s partners, a video app called Musical.ly, said on Facebook’s website that the integration led to millions of sign-ups and improved its product experience.
“Through Facebook, we were able to scale Musical.ly globally, increasing user exposure through Facebook App Ads resulting in more than 8 million new users signups,” wrote company co-founder Alex Zhu.
According to Facebook, more than 10 million people log into the social network every day. But given how many companies use this integration, it is easy for users to lose track of whose hands their data have ended up in, Dixon said.
Users can see which third-party apps have their data by clicking on “Settings” in the top right corner of their Facebook home page, and then clicking on “Apps.” When a reporter pulled up her third-party apps, she found that she had opted in such that 119 apps — the majority of which she has only ever used once, or doesn’t remember ever using at all — have her Facebook information.
According to the company: “Your name, profile picture, cover photo, gender, networks, user name, and user id are always publicly available to both people and apps. Apps also have access to your friends list and any information you choose to make public.”
While the revelations of how Cambridge Analytica used Facebook information are jarring, consumers still want seamless and personalized log-in experiences — and in today’s world, avoiding social media is not an option, Dixon said. But there are ways consumers can be smarter, and more aware, of where their data are going.
“The number of apps who want to use your Facebook log-in is endless,” Greenberg said. “We all run into it. And we all use Facebook at our peril.”
The New York Times contributed to this report.