U.S. Senators and U.K. legislators immediately called for government action following Saturday’s high-profile reports of the mishandling of Facebook user data by the right-wing electioneering firm Cambridge Analytica.
Senator Amy Klobuchar (D-Minn.) called for Facebook CEO Mark Zuckerberg to testify before the Senate Judiciary Committee, and said that the “major breach . . . must be investigated.”
Facebook breach: This is a major breach that must be investigated. It’s clear these platforms can’t police themselves. I've called for more transparency & accountability for online political ads. They say “trust us.” Mark Zuckerberg needs to testify before Senate Judiciary.
— Amy Klobuchar (@amyklobuchar) March 17, 2018
Senator Mark Warner (D-Va.) said on Twitter that “the online political advertising market is essentially the Wild West,” and reiterated the need for a proposed bill called the Honest Ads Act that he cosponsors. The act would impose disclosure requirements for online political advertising similar to those already in place for television and other ads.
Whether it's allowing Russians to purchase political ads, or extensive micro-targeting based on ill-gotten user data, it's clear that, left unregulated, this market will continue to be prone to deception and lacking in transparency.
— Mark Warner (@MarkWarner) March 17, 2018
Representative Adam Schiff (D-Calif.) has also called for Alexander Nix, CEO of Cambridge Analytica, to speak to the House Intelligence committee.
Meanwhile, in the British homeland of Cambridge Analytica’s parent company SCL Group, member of Parliament Damian Collins has said he will ask Facebook CEO Mark Zuckerberg to testify before the parliamentary committee he chairs on digital issues, or send another senior executive to do so. U.K. information commissioner Elizabeth Denham has also said the new reports would become part of an ongoing investigation into the political use of data analytics.
Get Data Sheet, Fortune’s technology newsletter.
Klobuchar’s description of the event as a “breach” raises one of the key questions of any official investigation: whether the transfer of millions of users’ Facebook data from Cambridge researcher Aleksandr Kogan to Cambridge Analytica qualifies as a “data breach” for which Facebook bears responsibility. That could, among other implications, make it subject to laws in most U.S. states, Europe, and Britain that require notification when personal data is hacked, stolen, or otherwise compromised.
Kogan initially told Facebook that he was collecting data, ultimately amounting to roughly 50 million user profiles, for academic research purposes. But Facebook, according to reports, was aware by 2015 that Kogan had shared the data with Cambridge Analytica and SCL Group for commercial use, violating Facebook’s terms. Nonetheless, Facebook did not notify users whose data was compromised.
Following the discovery of the wrongful data sharing, Facebook required Cambridge Analytica to delete the data, but the New York Times reported Saturday that Cambridge still possesses “most or all” of it, in unencrypted form. Cambridge Analytica has said that it did destroy the data, and has further claimed to Fortune that it destroyed “all derivatives,” including any algorithms that might have been created using the data. That claim is contradicted by Christopher Wylie, a key Cambridge player turned whistleblower, who told the Times that the data was the “saving grace” that allowed Cambridge Analytica to construct the models that right-wing hedge fund backer Robert Mercer wanted to use to influence elections.
Facebook leadership, despite clearly losing control of massive amounts of user data, have strongly disputed descriptions of the event as a “breach” that would require public notification. They argue that all the data was gathered according to Facebook rules, and without compromising security systems, before being wrongly shared.
https://twitter.com/boztank/status/975018461997887494
U.S. data-breach notification laws are currently a state-by-state patchwork, and there has been little progress on a unified national version of the rules. That could leave Facebook, like Equifax before it, subject to a welter of state-level legal actions over failure to properly notify users. Though Kogan’s data gathering reportedly focused on U.S. citizens, there may also be legal exposure in Europe and Britain, both of which have strict privacy laws.
