Over the weekend, reports claimed that Cambridge Analytica had bought data on tens of millions of Facebook users that had been extracted from the social network by an academic named Aleksander Kogan. Kogan did so using a personality quiz app, and claimed at the time that the data would just be used for academic purposes, not for targeting voters with tailored messaging.
Facebook apparently knew about the data abuse in 2015, and said it had gained assurances from Cambridge Analytica that the data had been deleted. The weekend reports stated that this was not the case, so Facebook on Monday said it was sending its auditors to Cambridge Analytica’s offices.
“If this data still exists, it would be a grave violation of Facebook’s policies and an unacceptable violation of trust and the commitments these groups made,” the company said in a Monday statement.
However, the British data protection authority—the Information Commissioner’s Office (ICO)—had different ideas.
The ICO launched an investigation over the weekend, after the reports came out. Like the rest of Europe, the U.K. has strict (compared to the U.S.) data protection laws that govern what can and can’t happen to people’s personal data. If the reports are shown to be true, a lot of players in this story—Facebook included—could be in significant trouble.
And on Monday, after the U.K.’s Channel 4 broadcast covert footage of Cambridge Analytica CEO Alexander Nix boasting about how the company could sway elections, the ICO stepped up its probe by applying for a warrant to search the firm’s offices. (The firm said in a statement Monday that the Channel 4 report had been “edited and scripted to grossly misrepresent the nature of those conversations and how the company conducts its business.”)
So after Facebook’s auditors, from the cybersecurity firm Stroz Friedberg, went into Cambridge Analytica’s offices on Monday evening, the ICO told them to get out.
“At the request of the U.K. Information Commissioner’s Office, which has announced it is pursuing a warrant to conduct its own on-site investigation, the Stroz Friedberg auditors stood down,” Facebook said in an update to its earlier statement.
“These investigations need to be undertaken by the proper authorities,” tweeted Damian Collins, the chair of the British Parliament’s digital, culture, media and sport select committee.
“This is a complex and far reaching investigation for my office and any criminal or civil enforcement actions arising from it will be pursued vigorously,” said Elizabeth Denham, the U.K. information commissioner.
This is all extremely unusual, if not unprecedented. The U.K.’s data protection authorities are not known for swooping into companies’ offices like this, nor for booting out experts hired by a company of Facebook’s scale—and the level of apparent coordination between the regulator and outraged lawmakers is also noteworthy.
It’s also deeply embarrassing for Facebook. Even if the firm wasn’t trying to cover anything up by sending in its own contractors, this episode may create that impression in some people’s minds. At the very least, it shows how Facebook—which, remember, told Cambridge Analytica and Kogan to delete the abused data a few years ago—only decided to check their assurances about the data’s deletion after the whole thing became an international scandal.
When Mark Zuckerberg (now billions poorer after Facebook’s share price tanked) or chief operating officer Sheryl Sandberg finally decide to come out and address the situation, they have a lot to explain.