The Washington, D.C., attorney general said on Wednesday that it will sue Facebook over the Cambridge Analytica scandal.
D.C. prosecutors said in the lawsuit that Facebook misled users in violation of the District’s Consumer Protection Procedures Act by allowing them to download an app produced by Cambridge Analytica which then improperly collected private information from the users without making them aware.
“We’re reviewing the complaint and look forward to continuing our discussions with attorneys general in DC and elsewhere,” said a Facebook spokesperson in a statement to CNBC.
The district attorney said the maximum penalty under the act is $5,000 “per violation.” It was not immediately clear what may constitute a single violation according to the law.
Prosecutors said 852 D.C. users downloaded the misleading application provided by Cambridge Analytica but that a much larger portion of D.C. residents, approximately 340,000 people, had their data collected because they were friends of those initial users through Facebook. This could mean Facebook faces a fine of up to $1.7 billion if all 340,000 instances are considered “violations” under the statute.
“We think change clearly needs to take place at that company,” said D.C. Attorney General Karl Racine.
The effort is not part of a multistate effort, said Racine in a Wednesday press briefing about the lawsuit, and he was unsure if a wider effort involving more state lawsuits had been organized.
Here’s the full press release announcing the lawsuit:
Attorney General Karl A. Racine today sued Facebook, Inc. for failing to protect its users’ data, enabling abuses like one that exposed nearly half of all District residents’ data to manipulation for political purposes during the 2016 election.
In its lawsuit, the Office of the Attorney General (OAG) alleges Facebook’s lax oversight and misleading privacy settings allowed, among other things, a third-party application to use the platform to harvest the personal information of millions of users without their permission and then sell it to a political consulting firm.
In the run-up to the 2016 presidential election, some Facebook users downloaded a “personality quiz” app which also collected data from the app users’ Facebook friends without their knowledge or consent. The app’s developer then sold this data to Cambridge Analytica, which used it to help presidential campaigns target voters based on their personal traits. Facebook took more than two years to disclose this to its consumers. OAG is seeking monetary and injunctive relief, including relief for harmed consumers, damages, and penalties to the District.
“Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used,” said AG Racine. “Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission. Today’s lawsuit is about making Facebook live up to its promise to protect its users’ privacy.”
Facebook, Inc., headquartered in Menlo Park, California, is a digital social networking service with more than 2 billion active users around the world. Through a website and a mobile application, Facebook allows users to communicate and share content with personalized networks of “friends.”
As part of its business model, Facebook collects data that touches on every aspect of users’ personal lives. This includes information provided by the user (name, gender, birthdate, email address, hometown, interests, education, political affiliation, photos, messages, etc.) and information about users’ digital behavior (their friends, “likes,” “shares,” clicks on the site, and more).
Facebook offers social networking services for free and uses the personal data it collects to sell targeted advertising to marketers. It also allows third-party developers to build applications that operate on the Facebook platform and offer services including calendar and email integration, games, and quizzes.
In 2013, Facebook allowed Aleksandr Kogan, a researcher affiliated with England’s Cambridge University, and his company, Global Science Research (GSR), to launch an app on the Facebook platform called “thisisyourdigitallife.”
The app claimed to be a personality quiz and offered to generate a personality profile in exchange for users downloading the app and granting it access to their Facebook data. Although only 852 Facebook users in the District installed Kogan’s app, it also collected the personal information of those users’ Facebook friends—amounting to nearly half of all District residents. GSR then sold that information to Cambridge Analytica, a political consulting firm.
An investigation by OAG found that this abuse was among the many examples of Facebook’s failure to protect consumers’ data adequately. The investigation found that Facebook violated the District’s Consumer Protection Procedures Act (CPPA), which prohibits unfair and deceptive trade practices. Among the ways that Facebook harmed consumers, the complaint alleges, are:
Misleading users about the security of their data: Facebook represented to users that it would protect the privacy of their personal information, and that it required applications and third-party developers to respect consumers’ privacy. However, Facebook allowed Kogan to collect and sell the data of users who had not downloaded or used Kogan’s app.
Failing to properly monitor third-party apps’ use of data: Although Facebook was aware as early as 2014 that Kogan wanted to download the personal information not only of his app’s users, but also of his users’ friends, Facebook failed to monitor or audit the app to see if it was abiding by Facebook’s policies for third-party applications and user data.
Making it difficult for users to control data settings for apps: Facebook maintained confusing and ambiguous privacy and applications settings that made it difficult for consumers to control how their data was shared. Instead of allowing users to control access to their information on third-party apps directly from its main privacy settings page, Facebook required users to go to a different part of its platform for third-party app privacy settings. This made it harder for consumers to realize that apps could be harvesting their data.
Failing to disclose the Cambridge Analytica breach to consumers for more than two years: Facebook first became aware in 2015 that Cambridge Analytica had obtained millions of users’ data. The company conducted a cursory investigation and confirmed that the data had been improperly harvested from users and then sold to Cambridge Analytica. However, Facebook did not inform users affected by the breach until 2018.
Failing to ensure users’ improperly obtained data was deleted: Even after it confirmed its users’ data had been improperly harvested, Facebook took Cambridge Analytica at its word that the company had deleted the data. They did this even though Facebook staffers were embedded with the Trump campaign and other campaigns, working alongside Cambridge Analytica staff to use the data to target voters.
Failing to inform consumers that some companies could override data privacy settings: Facebook also failed to inform consumers that it granted certain companies, many of whom were mobile device makers, special permissions that enabled those companies to access consumer data and override consumer privacy settings.
OAG is seeking an injunction to ensure Facebook puts in place protocols and safeguards to monitor users’ data and to make it easier for users to control their privacy settings. In addition, OAG is seeking restitution for consumers, penalties, and costs.
James E Windsor, Overpasses News Desk
December 19th, 2018