Social network failed to make firm delete valuable models derived from data until campaign was over
Facebook’s failure to compel Cambridge Analytica to delete all traces of data from its servers – including any “derivatives” – enabled the company to retain predictive models derived from millions of social media profiles throughout the US presidential election, the Guardian can reveal.
Leaked emails reveal that when Cambridge Analytica told Facebook almost a year before the election that it had deleted data harvested from tens of millions of Facebook users, it stopped short of agreeing to also erase derivatives of the data.
The correspondence, obtained by the Guardian, also raises questions about the accuracy of the testimony that Facebook’s chief executive, Mark Zuckerberg, gave to the US Congress last month.
Derivatives of data, which can include predictive models, or clusters of populations in psychological groupings, can be highly valuable to companies involved in micro-targeting advertisements to voters. Data scientists say such models and analysis are often more valuable than underlying raw data.
It was derived formulas that Cambridge Analytica is understood to have kept, despite a request from Facebook for them to be deleted in December 2015.
Donald Trump hired Cambridge Analytica after he became the Republican nominee months later and, according to two former employees, the company retained models and aggregated versions of Facebook data throughout the presidential campaign and beyond. Facebook did not secure confirmation that the models had also been deleted until April 2017.
Cambridge Analytica, which announced this week that it was closing down, has repeatedly denied Facebook data or psychographic targeting techniques were used in the Trump campaign. Questions about how Cambridge Analytica was able to hold on to models are likely to intensify, however, after the disclosure of the emails, which reveal how Facebook first responded to news that the company had obtained data pertaining to millions of users without their express permission.
Zuckerberg told the Senate last month that Facebook had “commanded” Cambridge Analytica to “delete any of the data that they had, and their chief data officer told us that they had” when the social media company first heard about the scandal, in December 2015.
The following day, Zuckerberg was asked by House representative Jan Schakowsky whether Facebook had asked the company to also delete derivatives of the Facebook data. “Yes, congresswoman,” Zuckerberg replied. “In 2015, when we first learned about it, we immediately demanded that the app developer and the firms that he sold it to delete the data. And they all represented to us that they had.”
When the Facebook founder was pressed further over whether derivatives had been deleted, he said he was unable to state categorically whether the companies had fulfilled their promise, but added: “What they represented to us is that they have.”
Zuckerberg’s account conflicts with a months-long correspondence between Facebook and Cambridge Analytica that began in December 2015.
It was prompted by a story in the Guardian that revealed how Cambridge Analytica, which was at the time working with the Ted Cruz campaign, had acquired the data of tens of millions of Facebook users from the Cambridge University psychologist Aleksandr Kogan, who had culled the data using an online personality test.
Facebook and Cambridge Analytica initially appeared to treat the huge data breach as a public relations issue, and the latter’s chief data officer, Alex Tayler, even went so far as to ask if the two companies could issue a joint press release to absolve the firm of wrongdoing.
Days later a senior Facebook official tasked with responding to data breaches on the platform informed Tayler that Facebook’s policies had been violated. “We need you to take any and all steps necessary to completely and thoroughly delete that information as well as any data derived from such data,” they said. The official asked additional questions about how the Cruz campaign was using the Facebook data and asked him to respond “at your earliest opportunity confirming when you can complete the above request to delete all data [and any derivative data]”.
Several weeks of back-and-forth followed in which Tayler sought to elicit assurances from Facebook that his firm would maintain its working relationship with the Silicon Valley giant. In a 19 December email, Tayler told Facebook the company’s user data had not been particularly effective in building predictive personality models.
“For this reason, and in the spirit of the good-faith relationship we would like to maintain with Facebook, we will comply with your request to delete all data we received from Dr Kogan,” he wrote. Tayler, however, made no reference in that email or any subsequent exchanges in that period to Facebook’s request that the company also delete data derived from Kogan’s survey.
The next month, in January 2016, the Facebook official followed up, thanking Cambridge Analytica for “for agreeing to delete any and all data that was derived from the Facebook platform”. Facebook wrote: “Can you let me know how you were storing the data and what you did to delete it?”
Tayler replied that the company had still not deleted the data. “Will be happy to do so once Facebook confirms that this will resolve the matter.,” he wrote.
Another week passed before the Facebook followed up with a reminder that the data had been inappropriately received and Cambridge Analytica was obliged to delete it. “You’ve indicated that you would like to maintain a positive relationship with us. Having one will require deletion of the data,” the official wrote.
A week later, Tayler emailed Facebook to confirm Cambridge Analytica had “now deleted from our file-server the data we received from Dr Kogan … I also confirm that I have checked that the server contains no backups of that data.” Again, in what appears to have been a legalistic sleight of hand, he made no mention of Facebook’s request to also delete derivatives.
The Facebook official replied: “Thank you, Alex. I will let you know if we have any follow-up questions, and please don’t hesitate to reach out if you or your team have any questions on your end. Thanks again.”
A former Cambridge Analytica executive conceded that Facebook could easily have insisted the company delete models it had built from Kogan’s data, and speculated that Facebook was aware of the enormous profits it was making from political advertising from clients such as Cambridge Analytica.
“They could have just banned us from the platform there and then,” the source said. “But let’s be frank. Given where we were in the primary cycle, we were responsible for spending millions of dollars on their platform.”
It was not until April 2017, 16 months after Facebook initially asked for derived data to be erased, that the social media giant received official certification from the firm that it no longer held “data derived” from Facebook.
“We received an email confirmation from Cambridge Analytica in January 2016 stating that they had deleted the data and that their server contained no back-ups,” a Facebook spokesperson said. Nine months later, in September 2016, the firm “reiterated to us through their lawyers that all Facebook data including derivative data had been deleted, the spokesperson added. “We later obtained a deletion certification from Cambridge Analytica formally confirming that they had deleted all improperly acquired data.”
Two former Cambridge Analytica employees, both of whom have knowledge of the firm’s data storage, said that models and other personal information derived from Facebook data were retained throughout 2016 and into 2017.
One of the former employees described seeing aggregated data listing the interests of Facebook users on company servers toward the end of 2016.
“The data was not on the central database,” the source said. “It was in a hidden corner of the server that could only be accessed if you knew where it was … I was surprised. We had been previously told this data was not there and we could not use it on client products.”
It is also understood that data derived from the Facebook dataset was discovered in an audit of the company’s services in spring 2017.
Cambridge Analytica does, however, appear to have been aware that retaining such data may have been controversial.
Around March 2017, following a series of revelations by the Observer journalist Carole Cadwalladr which prompted inquiries from the Information Commissioner’s Office, there was an internal audit at Cambridge Analytica to find any traces of the Facebook data.
One of the former employees said staff were instructed that all traces of Facebook data had to be completely wiped from the company’s servers, including laptops. “They were taking this very seriously,” the former employee said. “They looked through all our files. They didn’t want any trace of that Facebook data left.”
Cambridge Analytica denied there was ever a “secret cache” of Facebook data from Kogan’s company Global Science Research (GSR). A Cambridge Analytica spokesperson said it “confirmed to Facebook” that it had deleted “all the data from our file-server that we had received from GSR” in January 2016, and at that time began the process of searching for and deleting derivatives of that data.
“This was a lengthy process,” the spokesperson added, saying it was not completed for another 16 months. “In April 2017, we signed a certification to Facebook that we had permanently deleted all GSR data and derivatives.”
Read more: www.theguardian.com