Facebook says more than 600,000 Canadians may have had data shared with Cambridge Analytica

Facebook said Wednesday that an estimated 622,161 Canadians may have had their personal data shared with the British data analysis company Cambridge Analytica.

Company spokesperson Meg Sinclair told CBC News the number was a fraction — 0.7 per cent — of the 87 million people it now believes may have been affected globally. The majority of those users, nearly 82 per cent, were in the U.S.

At the same time, Facebook described a much larger discovery: that the majority of its 2 billion users likely had their publicly available profile information scraped and collected by unknown actors in recent years. 

Such information would have been visible to friends and strangers alike, but could have included potentially revealing data such as photos and contact information if a user had not chosen — or known — to change their settings to private.

The disclosures come in the wake of one of the biggest data privacy scandals in the company's history.

It was revealed last month that an academic researcher named Aleksandr Kogan had collected information from more than 50 million Facebook users in 2014 using a personality quiz app, and then shared that information with Cambridge Analytica.

The user profile data, which included biographical information, as well as additional personal information, such as the pages each user had liked, was used to build psychological profiles that could help Cambridge Analytica's clients — mostly political campaigns, including Donald Trump's presidential bid — better target their ads.

It may come as a surprise that a personality quiz created by a British researcher — to gather data for use by U.S. political campaigns — could come to ensnare so many Canadians. But the incident further underscores how the permissive nature of Facebook's design allowed Kogan to cast a net as wide as he did, collecting data on millions from just 270,000 people who did the quiz. 

We didn't take a broad enough view of what our responsibility was, and that was a huge mistake. That was my mistake,- Mark Zuckerberg, Facebook CEO

"We didn't take a broad enough view of what our responsibility was," said Facebook chief executive Mark Zuckerberg in a conference call with reporters. "And that was a huge mistake. That was my mistake."

Addressing election interference from organizations in Russia and elsewhere, Zuckerberg said the company didn't initially take the problem — and data security — seriously enough.

"I think in retrospect we were behind, and we didn't invest enough in it enough up front. We had thousands of people working on security but nowhere near the 20,000 we're going to have by the end of this year."

Zuckerberg said Facebook had made big strides in removing pages by Russia's International Research Agency (IRA) and protecting the integrity of elections, but that he expects the company will never be done rooting out security threats.

"As long as there are people employed in Russia who have the job of trying to find ways to exploit these systems, it's going to be a never-ending battle. You never fully solve security. It's an arms race," he said.

Scraping public profiles

Facebook announced its latest findings alongside new details on its plans to restrict how third party app developers can access user data, which were first announced last week.

Among the changes, "we will also tell people if their information may have been improperly shared with Cambridge Analytica," chief technology officer Mike Schroepfer wrote in a blog post announcing Facebook's latest efforts. The feature will be made available to users next week.

But perhaps more importantly, Facebook also said it was removing the ability for users to search for other users within Facebook using a phone number or email address, because the feature had been abused by "malicious actors" seeking to scrape public profile information.

"Given the scale and sophistication of the activity we've seen, we believe most people on Facebook could have had their public profile scraped in this way," Schroepfer said.

Although the feature could be turned off, it was enabled by default. Zuckerberg told reporters during the conference call that — as a result of this feature — a small group of users was making a high volume of requests for public data from as many as hundreds of thousands of different IP addresses in order to evade detection, the company had recently discovered. 

"I would assume that if you had that setting turned on [...] someone has access to your public information," he said.

Restricting access

Among the other changes introduced on Wednesday:

• Apps can no longer access a list of people attending an event or who have joined a group. Facebook will also have to approve apps that access information posted to pages or groups, and will remove personal information such as profile photos and names attached to posts in the latter.
• All apps that request access to location information (check-ins), likes, photos, posts, videos, events and groups will have to be approved by Facebook. And developers will have to agree to "strict requirements" — though what those requirements entail is not yet clear.
• Developers can no longer access a user's religious or political views, relationship status and details, custom friends lists, education and work history, fitness activity, book reading activity, music listening activity, news reading, video watch activity and games activity.
• If a user hasn't used an app 3 months, the developer can no longer access that user's information.
• Facebook said it would delete call and message logs older than a year, and would further limit the types of data it uploads, excluding "broader data" such as the time of calls.
• Starting Monday, April 9, users will see a link at the top of their News Feed to a tool where they can see what information they've shared with third party apps. 

Schroepfer said the company expects to make more changes in the coming months, but did not elaborate further.