
Facebook: Cambridge Analytica Data Leak Affected 87M People

Previously, it was believed that the leak affected 50 million.

By Angela Moscaritolo
April 4, 2018

Facebook today revealed that the Cambridge Analytica data leak affected up to 87 million people, most of whom reside in the US. Previously, it was believed that the leak impacted 50 million.

On a call with reporters, Facebook CEO Mark Zuckerberg said the company's logs do not indicate an exact number of affected individuals. Facebook came up with the 87 million number "in the last couple days" by calculating and tallying up the maximum possible number of friends each person who downloaded the app in question had at any given time.

Thus, the number of affected individuals may actually be lower, but Zuckerberg said he's "confident it's not more than 87 million."

In a statement, Cambridge Analytica disputed Facebook's assessment. "Cambridge Analytica licensed data for no more than 30 million people," the company said. "We did not receive more data than this."

Cambridge Analytica maintains that it was duped by Dr. Aleksandr Kogan, who scraped the Facebook data and sold it to Cambridge. Its deal with Kogan "stated that all data must be obtained legally, and this contract is now a matter of public record. We took legal action against [Kogan] when we found out they had breached this contract."

All data obtained from Facebook users has been deleted, it said.

Zuckerberg went on to take responsibility for the data leak, and acknowledged the company should have done more to protect users' privacy. "We understand we need to take a broader view of our responsibility," Zuckerberg said. "We aren't just building tools but need to take responsibility for how people use those tools."

Meanwhile, when asked whether anyone at Facebook has been fired over the debacle, Zuckerberg said no. The CEO also said the #DeleteFacebook movement spurred by the scandal has had "no meaningful impact" on Facebook's user numbers.

"Even if we can't measure a change, it still speaks to people's feeling that this is a major breach of trust, and we have a lot of work to do to repair that," Zuckerberg said.

Changes Ahead

On Monday, April 9, Facebook plans to start adding a link to the top of News Feed showing a list of the apps and websites connected to your account, and the data those services have access to. From that link, you'll be able to remove any apps you no longer want connected to your account (something you can already do via App Settings).

"As part of this process we will also tell people if their information may have been improperly shared with Cambridge Analytica," Facebook Chief Technology Officer Mike Schroepfer wrote in a blog post.

Facebook has also ended a feature that allowed people to search for other Facebook users by typing their phone number or email address into the search bar because "malicious actors...abused these features."

Facebook has had rate limiting in place, so automated systems could only search a specific number of numbers or emails at a time, but scammers cycled through "hundreds of thousands of IP addresses" to avoid detection, according to Zuckerberg.

"Given the scale and sophistication of the activity we've seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature," Facebook said today. "We're also making changes to account recovery to reduce the risk of scraping as well."
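
The failure mode described above, as an added example that is not from Facebook or the original article: a limiter keyed on source IP passes lookups that are spread across many addresses, while a count keyed on the searched number range still sees the volume. The log events, thresholds and function names are constructed assumptions; the article does not say how Facebook's limiter was keyed.

```python
from collections import Counter, defaultdict

# All thresholds below are assumptions chosen for the illustration.
PER_IP_LIMIT = 5     # max lookups allowed per source IP per window
PREFIX_LEN = 8       # group searched numbers by their first 8 characters
PREFIX_LIMIT = 50    # max lookups allowed per number block per window

def build_sample_events():
    """Constructed log for one time window: (client_ip, phone_number_searched)."""
    events = []
    # Distributed enumeration: 200 sequential numbers, each IP used only twice.
    for i in range(200):
        events.append((f"198.51.100.{i // 2 + 1}", f"+1555010{i:04d}"))
    # Ordinary users: a few unrelated lookups from separate IPs.
    for i, number in enumerate(["+15553217788", "+15559024411", "+15557770123"]):
        events.append((f"203.0.113.{i + 1}", number))
    return events

def per_ip_blocked(events, limit=PER_IP_LIMIT):
    """Source IPs that a per-IP limiter would throttle in this window."""
    counts = Counter(ip for ip, _ in events)
    return {ip for ip, n in counts.items() if n > limit}

def enumerated_blocks(events, prefix_len=PREFIX_LEN, limit=PREFIX_LIMIT):
    """Number blocks over the limit, mapped to (lookups, distinct source IPs)."""
    hits = Counter()
    sources = defaultdict(set)
    for ip, number in events:
        block = number[:prefix_len]
        hits[block] += 1
        sources[block].add(ip)
    return {b: (n, len(sources[b])) for b, n in hits.items() if n > limit}

if __name__ == "__main__":
    events = build_sample_events()
    print("throttled by per-IP limit:", per_ip_blocked(events))
    print("flagged number blocks:", enumerated_blocks(events))
```

A high lookup count on one number block combined with a high distinct-IP count is the signal here; ordinary users rarely concentrate on a single contiguous range.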

During the call with reporters, Zuckerberg also said Facebook plans "to run the controls for GDPR across the world." The General Data Protection Regulation (GDPR) will be the global law of the land starting on May 25, 2018, and will require any company that does business with European Union-based residents to maintain strict data protection protocols.

Yesterday, Reuters reported that Zuckerberg "stopped short" of extending GDPR protections globally; today, he said he was "surprised" by that story since he'd told the reporter he did indeed back the move. But he did concede that it probably won't be "exactly the same format" in every country; Facebook will "need to see what makes sense."

Facebook also today proposed updates to its terms of service and data policy in an effort to make them easier to understand. Users can review the updated documents and provide their feedback for the next seven days. Once finalized, Facebook will publish the documents and ask users to agree to them.

"These updates are about making things clearer," Facebook Chief Privacy Officer Erin Egan and Deputy General Counsel Ashlie Beringer wrote in a blog post. "We're not asking for new rights to collect, use or share your data on Facebook. We're also not changing any of the privacy choices you've made in the past."

Meanwhile, Facebook CEO Mark Zuckerberg is headed to Capitol Hill next week to testify before the House Energy and Commerce Committee about the data leak.

Editor's Note: This story was updated at 5:45 p.m. ET with details from the Facebook call and with Cambridge Analytica's statement.


About Angela Moscaritolo

Managing Editor, Consumer Electronics

I'm PCMag's managing editor for consumer electronics, overseeing an experienced team of analysts covering smart home, home entertainment, wearables, fitness and health tech, and various other product categories. I have been with PCMag for more than 10 years, and in that time have written more than 6,000 articles and reviews for the site. I previously served as an analyst focused on smart home and wearable devices, and before that I was a reporter covering consumer tech news. I'm also a yoga instructor, and have been actively teaching group and private classes for nearly a decade. 

Prior to joining PCMag, I was a reporter for SC Magazine, focusing on hackers and computer security. I earned a BS in journalism from West Virginia University, and started my career writing for newspapers in New Jersey, Pennsylvania, and West Virginia.
