WIRED sat down with Facebook CEO Mark Zuckerberg for a Q&A about the recent Cambridge Analytica scandal and other problems related to both the company and the huge amount of personal data it collects on people:

Nicholas Thompson: You learned about the Cambridge Analytica breach in late 2015, and you got them to sign a legal document saying the Facebook data they had misappropriated had been deleted. But in the two years since, there were all kinds of stories in the press that could have made one doubt and mistrust them. Why didn’t you dig deeper to see if they had misused Facebook data?

Mark Zuckerberg: So in 2015, when we heard from journalists at The Guardian that Aleksandr Kogan seemed to have shared data with Cambridge Analytica and a few other parties, the immediate actions that we took were to ban Kogan’s app and to demand a legal certification from Kogan and all the other folks who he shared it with. We got those certifications, and Cambridge Analytica had actually told us that they actually hadn’t received raw Facebook data at all. It was some kind of derivative data, but they had deleted it and weren’t [making] any use of it.

In retrospect, though, I think that what you’re pointing out here is one of the biggest mistakes that we made. And that’s why the first action that we now need to go take is to not just rely on certifications that we’ve gotten from developers, but [we] actually need to go and do a full investigation of every single app that was operating before we had the more restrictive platform policies—that had access to a lot of data—and for any app that has any suspicious activity, we’re going to go in and do a full forensic audit. And any developer who won’t sign up for that we’re going to kick off the platform. So, yes, I think the short answer to this is that’s the step that I think we should have done for Cambridge Analytica, and we’re now going to go do it for every developer who is on the platform who had access to a large amount of data before we locked things down in 2014.

Based on my experience running web sites, I suspect Zuckerberg and Facebook had no idea data was being siphoned. They likely implemented some rate control mechanisms, but had – have – zero situational awareness of how that data is being downloaded and by what companies. They merely provide access and that is where things end.

Even if there were some rate controls put into place, just like with traditional network breaches, if the actor's data exfiltration technique was to slowly trickle the data out, that would be difficult to detect unless the analysts were really paying close attention. I am not saying this is what happened with Cambridge Analytica, but it is a plausible scenario for some form of Facebook corporate deniability.

If that is the case, then it is just terrible platform design. It boils down to too much of a release-fast mentality, without properly thinking through the implications of deploying features and capabilities. Unintended consequences are hard to fully understand in advance, but still, Facebook has an extremely talented workforce, and I find it hard to believe that, had they slowed down and thoroughly considered their approach, they could not have envisioned this type of scenario.

No matter how the data left Facebook, the company is complicit. It is their platform and they need to be more cognizant about how third-party access is being used, and to eradicate actors using it maliciously.
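To make the rate-control point above concrete, here is an added example (not code from this post or from Facebook) that runs a per-hour rate check and a cumulative distinct-profile check over the same constructed access log. The app names, log format and both thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

RATE_LIMIT_PER_HOUR = 100       # assumed per-app hourly request cap
DISTINCT_PROFILE_BUDGET = 1000  # assumed long-horizon cap on distinct profiles per app


def make_constructed_log():
    """Constructed sample records: (hour, app_id, profile_id)."""
    log = []
    # "quiz_app" (hypothetical) reads 50 new profiles an hour for 48 hours.
    for hour in range(48):
        for i in range(50):
            log.append((hour, "quiz_app", f"u{hour * 50 + i}"))
    # "photo_app" (hypothetical) is busier but re-reads the same 200 profiles.
    for hour in range(48):
        for i in range(90):
            log.append((hour, "photo_app", f"p{(hour * 90 + i) % 200}"))
    return log


def rate_limit_violations(log, limit=RATE_LIMIT_PER_HOUR):
    """Apps that exceeded the hourly request cap in any single hour."""
    counts = defaultdict(int)
    for hour, app, _profile in log:
        counts[(app, hour)] += 1
    return sorted({app for (app, _hour), n in counts.items() if n > limit})


def cumulative_reach_alerts(log, budget=DISTINCT_PROFILE_BUDGET):
    """Map each app to the first hour its distinct-profile count passed budget."""
    seen = defaultdict(set)
    first_alert = {}
    for hour, app, profile in sorted(log):
        seen[app].add(profile)
        if app not in first_alert and len(seen[app]) > budget:
            first_alert[app] = hour
    return first_alert


if __name__ == "__main__":
    log = make_constructed_log()
    print("rate-limit violations:", rate_limit_violations(log))
    print("cumulative reach alerts:", cumulative_reach_alerts(log))
```

The slower app never trips the hourly cap, yet it is the only one the cumulative check flags, because its total reach keeps growing while the busier app stays within a fixed set of profiles.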