Data Loss Prevention (DLP) , Governance & Risk Management , Privacy

Report: Facebook App Exposed 3 Million More Users' Data

Revenge of the Personality Test, Take Two
Report: Facebook App Exposed 3 Million More Users' Data
Researchers reportedly used the myPersonality app on Facebook to gather psychometric data from millions of users.

Researchers at the University of Cambridge gathered personal data from millions of Facebook users via an app called myPersonality and provided it to non-academic users, also using it as part of a commercial venture designed to improve targeted advertising, according to a report from New Scientist.

See Also: OnDemand | The Four Steps to Build a Modern Data Protection Platform

The myPersonality proeject was created by David Stillwell while he was an undergraduate at the University of Nottingham; he's now part of the University of Cambridge's Psychometrics Center. The project was for a time also led by Michal Kosinski, who was previously part of the center but who now runs his own lab at Stanford University.

New Scientist says 6 million Facebook users completed the myPersonality personality test and half agreed to share their data with the project, which promised that their names would be removed before the data was anonymously shared with others.

One analysis of the data set included in the "Emotions and Personality in Personalized Services," a book published in 2016, says that it "contains data regarding Facebook users, their preferences (Facebook likes), various demographic information, as well as psychometric data from different tests that users have participated in."

More than 280 people from Facebook, Google, Microsoft and Yahoo - among nearly 150 other institutions - accessed the data, New Scientist reports.

It also reports that Stillwell and Kosinski formed a spin-off company, Cambridge Personality Research, which used the myPersonality data sets to power a tool they sold for targeting individuals with advertising.

Facebook didn't immediately respond to a request for comment. But a spokesman told New Scientist that it suspended myPersonality on April 7 for potentially violating Facebook's data-sharing policies.

"We are currently investigating the app, and if myPersonality refuses to cooperate or fails our audit, we will ban it," Ime Archibong, Facebook's vice president of product partnerships, told New Scientist.

Officials at the Psychometrics Center say they dispute aspects of the New Scientist report. "Psychometrics Center is one of over 80 academic institutions whose researchers have benefited from access to anonymized datasets, made available by the myPersonality project," a spokesman tells Information Security Media Group. "This project has made a tremendous contribution to scientific research and was administered by ... Stillwell and Kosinski via a password-protected website, with access being subject to strict terms and conditions."

New Scientist reports that access credentials for the dataset have been circulating on the web, which could have allowed an unknown number of unapproved individuals to have accessed the data as well.

The Psychometrics Center spokesman says: "It has recently come to light that a professor of computer science at the University of Michigan breached the registered collaborator terms by publishing their login credentials online. Immediate action was taken to contain the incident - the first of its kind in the project's six-year history."

U.K. Privacy Watchdog Investigates

Britain's Information Commissioner's Office, which enforces the country's data protection laws, says it's investigating.

"We are aware of an incident related to the myPersonality app and are making enquiries," an ICO spokeswoman tells ISMG.

Alexander Kogan, a separate Cambridge University researcher, created This Is Your Digital Life - a personality test that paid users to take it, and then used that data for commercial purposes. Officials at the university's Psychometrics Center say Kogan was never a part of it.

Facebook last month warned that via Kogan's app, up to 87 million people may have had their personal details transferred to Cambridge Analytica, a London-based data analytics firm that worked on Donald Trump's 2016 U.S. presidential campaign as well as the 2016 "Brexit" referendum over the U.K.'s membership in the EU.

Facebook contends that Kogan lied to the social network and violated its policies by passing the data to Cambridge Analytica. Kogan, however, contends that he's been scapegoated by Facebook and that he suspects that thousands of other researchers may have been operating in a similar manner. Kogan also says he didn't know his data would be used to target voters.

Facebook Probes Data Handling

In the wake of the scandal triggered by the public being alerted to Cambridge Analytica and others having obtained Facebook users' personal data and potentially used it to target them with advertising and disinformation campaigns, Facebook CEO Mark Zuckerberg also appeared before Congress last month to answer questions.

Facebook has launched its own investigation into how researchers use - or potentially abuse - its platform, promising to clamp down as well as name names.

Facebook says that until 2014, when it changed its policies, apps could have had access to very large sets of user data.

On Monday, Facebook said in a blog post that it's identified at least 200 more apps via which more Facebook user data may have been exposed.

"To date thousands of apps have been investigated and around 200 have been suspended - pending a thorough investigation into whether they did in fact misuse any data," Facebook's Archibong says in the blog post. "Where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website. It will show people if they or their friends installed an app that misused data before 2015 - just as we did for Cambridge Analytica."

Earlier this month, Cambridge Analytica announced that it was shutting down. The company has continued to deny that it used any Facebook data in support of its work on Donald Trump's campaign.

Regulators, Lawmakers Investigate

Britain's privacy watchdog, the Information Commissioner's Office, says that despite the company declaring bankruptcy, it will continue to investigate and "pursue individuals and directors" as well as any successor companies, where appropriate.

On Thursday, Parliament's Digital, Culture, Media and Sport Committee, which continues an investigation into fake news and disinformation, issued a formal summons for Alexander Nix, the former CEO of Cambridge Analytica, to reappear before the committee. He previously testified on Feb. 27.

"We are summoning Mr. Nix to Parliament to get to the truth about an extremely serious issue affecting over 1 million U.K. Facebook users, and potentially voters in elections worldwide," says Tory MP Damian Collins, who chairs the committee.

Nix previously declined to appear, saying it would be improper to do so while investigations by the ICO and the Electoral Commission remain ongoing. Both of those organizations, however, informed the committee that having Nix testify would not impede their investigations in any way.

Cambridge Analytica is only one of a number of data analytics firms whose actions are being investigated by U.S. and U.K. regulators and lawmakers (see No Surprise: Cambridge Analytica Tries to Exit Data Scandal).

Big Data: 'Perils and Possibilities'

Irrespective of the outcome of those investigations, the University of Cambridge's Psychometrics Center says that it's more important than ever for academic researchers to be able to investigate both the "perils and possibilities" of big data by gleaning how large data sets collected by social media platforms can be used for, or against, individuals.

"It is paramount that more research on social media data be conducted in the academic sphere, and not only by private tech companies who run secret experiments on their users," the Psychometrics Center spokesman says.

This story has been updated with comments from the University of Cambridge's Psychometrics Center.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.