Facebook has revealed that more than 87 million users, including 311,000 based in Australia, were harvested by an app developer working for Cambridge Analytica in the lead up to the 2016 US election.
It has now investigated much of the two billion user network was exposed to Cambridge Analytica scandal and said it will privately inform those affected on Monday. This will include about 2.1% of the 15 million users in Australia.
The social media network has also removed 70 Facebook and 65 Instagram accounts — as well as 138 Facebook Pages — that were controlled by the Russia-based Internet Research Agency (IRA).
The extent of the Cambridge Analytica scandal is far greater than the 50 million to 60 million users previously thought to be exposed by Cambridge Analytica whistleblower Christopher Wylie.
Cambridge Analytica says it only licensed data for "no more than 30 million people from GSR", which it says is clearly stated in a contract with the research company.
"We did not receive more data than this," the data analytics firm added. "Our contract with GSR stated that all data must be obtained legally, and this contract is now a matter of public record. We took legal action against GSR when we found out they had breached this contract."
Cambridge Analytica says it has "deleted the raw data from our file server, and began the process of searching for and removing any of its derivatives in our system" and provided Facebook with a document that certifies this.
Facebook has faced growing pressure in the wake of the scandal with brands including Tesla, Mozila and German bank Commerzbank pausing activity on the social network.
More than US$100 million has been wiped off the value of Facebook's in recent weeks. A respected media analyst, Pivotal Research Group's Brian Wieser, warned Facebook is “exhibiting signs of systemic mismanagement” that represent a “ different class of problem”, and investors need to consider “whether or not the company will conclude that it has grown in a manner that has proven to be untenable or whether it needs to significantly improve how it is managed”.
In response, Facebook Australia boss William Easton has apologised and the social media platform has taken measures to tighten the data that app developers are able to access on a user's profile and friends list as well as the ability of advertisers to use third party data sources.
Facebook said it will also show all users how they can check what information they have shared with app developers (see image below).
It is unclear what other apps were used by developers to harvest Facebook user data for nefarious purposes or how widespread the problem is.
Facebook has taken further steps to tighten the amount of user data app developers have access to on Facebook Events, Groups and Pages.
It has also restricted the amount of personal information app developers can obtain through Facebook login, barring questions like religious and political preferences, relationship status, friends' list and employment details.
The social network will also remove the ability to search by telephone number or email, warning: “Malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery.
“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.”
Facebook said it will also delete all call and text logs that are older than one year.
'The IRA has no place on Facebook'
Facebook has removed pages and accounts that belong to Russia-based Internet Research Agency. All of the ads that were linked to the IRA have also been removed.
An investigation found that 95% of IRA-linked content was in Russian and targeted at people living in Russia, neighbouring countries and Brazil (see chart).
Facebook said the ban followed an investigation into the IRA's use of its platform, which revealed it had used inauthentic accounts to deceive and manipulate people.
"The IRA has repeatedly used complex networks of inauthentic accounts to deceive and manipulate people who use Facebook, including before, during and after the 2016 US presidential elections," Facebook chief security officer Alex Stamos said in a blog.
"It’s why we don’t want them on Facebook. We removed this latest set of Pages and accounts solely because they were controlled by the IRA — not based on the content. This included commentary on domestic and international political issues, the promotion of Russian culture and tourism as well as debate on more everyday issues.
Stamos said Facebook expects to find more bad actors and "will take them down too".
"But we’ll keep fighting and we’re investing heavily in more people and better technology to constantly improve safety on Facebook," Stamos added.
Examples of the IRA's activity on Facebook are below.
AdNews joined a global press call this morning with Zuckerberg - check it out here.
Have something to say on this? Share your views in the comments section below. Or if you have a news story or tip-off, drop us a line at firstname.lastname@example.org