Washington, DC - The Federal Trade Commission (FTC), along with the State Attorneys General from New York and Massachusetts have launched investigations into Cambridge Analytica and Facebook. The FTC is focusing its efforts on Facebook while the State Attorneys general announced a joint investigation into both Cambridge Analytica and Facebook on Tuesday.

As we covered on Monday, Cambridge Analytica scraped over 50-million profiles from Facebook using an app that provided a false pretense for data collection. If you want the full story, read the article, but here’s the abridged version: Cambridge Analytica is a shell for a London-based company called SCL Group. While it may have started with noble intentions, its co-founder, Alexander Nix, turned a couple of chance encounters with Breitbart’s Steve Bannon and GOP Mega-donor Robert Mercer into funding. Unsurprisingly the group began to take a right-wing slant, eventually working for the political campaigns of Texas Senator Ted Cruz and then-candidate Donald Trump.

The company was allegedly named by Bannon. He took the Cambridge part of the name from Cambridge University where former co-founder and current whistle-blower Christopher Wylie met Aleksandr Kogan. The Russian-American professor essentially co-opted part of an app from researchers at the university. Then programmed it to scrape information from Facebook users and their friends under the guise of a personality quiz. The app was purportedly collecting data for academic purposes. That was total malarkey.

“Rules don’t matter for them, for them, this is a war, and it’s all fair,“ Wylie told the New York Times. “They want to fight a culture war in America. Cambridge Analytica was supposed to be the arsenal of weapons to fight that culture war.”

Unfortunately for Cambridge Analytica, and Facebook (more on that in a bit), the rules may start to matter now.

The investigation being carried out by the Attorneys General has already issued a letter to Facebook demanding information about the misuse of personal data. In addition, they have requested any contracts, agreements and communication that occurred between the social media giant and Cambridge Analytica, SCL Group, Nix, Kogan and former Cambridge Analytica employee, Joseph Chancellor.

Additionally, the Attorneys General want to know why Facebook failed to tell its users that their personal information had been handed over to a third party.

In a statement Friday, Facebook admitted it found out about the “violation of its terms of service” back in 2015.

The FTC is investigating Facebook’s misuse of personal data, too.

Kickstarting Investigations into Cambridge Analytica

It was Wylie that brought Cambridge Analytica into the limelight after telling The Guardian that the “company” had harvested user data from Facebook to weaponize it and help sway the US election in Trump’s favor.

There are already four investigations underway. In addition to the joint investigation by the Attorneys General from New York and Massachusetts and the FTC’s, Connecticut and Pennsylvania have also launched inquiries.

Per a statement by New York Attorney General, Eric Schneiderman:

“Consumers have a right to know how their information is used – and companies like Facebook have a fundamental responsibility to protect their users’ personal information… Today’s demand letter is the first step in our joint investigation to get to the bottom of what happened.”

In another statement, Massachusetts Attorney General Maura Healey said that Facebook needs to show that it acted responsibly with regard to the data transfer.

“Companies that control huge amounts of personal data have a legal obligation to guard against theft and misuse of that information. We are investigating to find out how and why this data was shared by Facebook and whether the appropriate steps were taken to protect it against misuse and manipulation.”

Facebook’s General Counsel, Paul Grewal, told Bloomberg that the company is conducting its own investigation.

A Few Thoughts on Facebook and Cambridge Analytica

Cambridge Analytica is what it is. As you peel back the layers of American politics, you find some pretty unscrupulous activity. It wasn’t long ago that Republican Data firm Deep Root Analytics exposed nearly all of the US’ 200-million voter records, totaling 1.1 TB, on a misconfigured database.

In fact, this is just the tip of the iceberg when it comes to political analytics. Most of us have never consented to having our personal data shared with these kinds of firms. But that’s a problem for people who care. These groups don’t. They’re using our data, pulled from a seemingly infinite number of sources, to map us. To figure out how to market to us. How to change the way we think.

In fact, “changing audience behavior” is a selling point for SCL Group, the company behind Cambridge Analytica. In truth, Cambridge Analytica is a shell company. All of the contracts that it was awarded were passed to SCL. And while Cambridge Analytica says it has suspended Nix, its CEO, until further notice he’s still on the board at SCL. Additionally, an undercover video sting by UK Channel 4 may have caught Nix and a couple of fellow executives speaking freely about their tactics.

The videos show a series of meetings between Nix and [Now-interim CEO Alexander] Tayler, as well as SCL Elections managing director Mark Turnbull and a Channel 4 reporter posing as a fixer for a wealthy client in Sri Lanka looking to influence local elections. In the video, Nix discusses filming political opponents accepting bribes and sending “some girls around to the candidate’s house.” The Channel 4 video also shows Nix expressing an apparent willingness to spread fake news, saying, “It sounds a dreadful thing to say, but these are things that don’t necessarily need to be true, as long as they’re believed.”

Nix and SCL have both argued that the conversation was edited to look more incriminating, but Nix also admits to saying those things. He claimed that he entertained some absurd suggestion to spare the wealthy Sri Lankan embarrassment. As you do.

Regardless, Cambridge Analytica looks dishonest at best, downright malicious at worst. But this is hardly an isolated incident when it comes to American politics.

But what about Facebook?

Why didn’t it notify its users?

Especially given that it became aware of this in 2015.

This looks even worse when you factor in all the problems the platform had with the 2016 election. While there was probably no way for Facebook to know what the data was really being used for (it was told it was for academic purposes), its inaction may have enabled other companies and firms of the same ilk to continue these activities through 2016.

The bigger issue is the fact that Facebook was giving its data away to anyone using the Graph API.

"If you were one of these developers, and you got a user to give you access to their Facebook account (say, to log in or to use your app), you got a data payout that is unlikely ever to be replicated in history. It wasn’t just the user’s data — but all the data of that user’s friends on Facebook."

Today, Mark Zuckerberg made a statement on his Facebook page regarding the Cambridge Analytica situation.

"I started Facebook, and at the end of the day I’m responsible for what happens on our platform. I’m serious about doing what it takes to protect our community. While this specific issue involving Cambridge Analytica should no longer happen with new apps today, that doesn’t change what happened in the past. We will learn from this experience to secure our platform further and make our community safer for everyone going forward."

He also wrote:

"We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you."

Here’s where that goes sideways, outside of the millions of apps that were integrated with Facebook at the time and could have been pulling data, there are also a handful of companies that relied on the Graph API. Those companies went under. But we have no idea what they did with that data, who they sold it to, gave it to, etc.

James Allworth, a fellow at Christensen Institute and Harvard Business Review writer compared it to when nukes go missing after a state fails.

Regardless, right now Facebook seems to be operating in a moral gray area. And it starts with the fact that this wasn’t technically a breach. Cambridge Analytica didn’t exploit holes in Facebook security or hack them or anything. They grabbed data under false pretenses. That’s really more of a leak, though even that descriptor comes up a little bit short. Facebook is calling it a “violation of its terms of service.”

Either way, it seems like Facebook is justifying its lack of response or user notification on the fact that this wasn’t technically a breach and doesn’t require the same reporting. Facebook is hiding behind semantics.

That’s not ethical. But it’s also not illegal.

It’s a moral gray area.

It’s also unacceptable, and while this time there likely won’t be any major financial penalties domestically, the EU doesn’t play around. Once the GDPR goes into effect on May 25, if this kind of thing happens in Europe and Facebook doesn’t notify anyone, it’s going to cost 4% of its global turnover from the previous fiscal year. Global turnover is a very European way of saying gross revenue.

Facebook reported $45,653,000,000 in gross revenue in 2017. That would work out to a fine of $1.826 BILLION (with a B).

The craziest thing is that Facebook can easily weather that. Facebook makes that in a little over two and a half weeks. That in itself may be a criticism of the GDPR’s penalty system. For SMBs, these fines are potentially back-breaking. For a large company like Facebook or Amazon or Google, it’s a little more than a drop in the bucket.

That means they can continue to play fast and loose with our data. The rest of us better watch out.