Cambridge Analytica email chain with Facebook sheds new light on data misuse scandal

Mike Butcher

Cambridge Analytica whistleblower Brittany Kaiser has released new documents today that illuminate the initial jockeying between the company and Facebook as they discussed the need for Cambridge Analytica to delete data associated with 87 million Facebook users' profiles.

The data was improperly obtained in 2014 by researchers with access to Facebook's developer platform who were being paid by Cambridge Analytica to obtain and process social media users' information for the purpose of targeting political ads.

In December 2015 a Guardian article about Cambridge academic Dr Aleksandr Spectre (Kogan) outlined how he had acquired the Facebook profiles for research, and that Cambridge Analytica had improperly acquired that data.

In subsequent Washington Senate hearings into the scandal, Mark Zuckerberg apologized for having failed to check that Cambridge Analytica had deleted the information.

At the time he said: “When we heard back from Cambridge Analytica that they had told us that they weren’t using the data and deleted it, we considered it a closed case. In retrospect, that was clearly a mistake. We shouldn’t have taken their word for it. We’ve updated our policy to make sure we don’t make that mistake again.”

Instead, Facebook let the political consultancy self-certify via email and then in a signed document [found below] that it had destroyed the records, which the social network said had been acquired in violation of its rules.

Cambridge Analytica data deletion certification from CEO Alexander Nix, delivered to Facebook in January 2016

Furthermore, for example, in a submission to the UK Parliament, Facebook CTO Mike Schroepfer said: "In late 2015, when we learned Kogan had shared the data, we immediately banned TIYDL [the personality quiz app used to harvest data] from our platform and demanded that he delete all data he obtained from that app. We also demanded deletion from everyone that Kogan identified as having been passed some data, including Cambridge Analytica, and certification from all parties that the deletion had been completed."

The information Kaiser releases today reveals the initial exchange where Facebook only requested by email that CA delete the data -- and only asked the company to “provide us with confirmation” [i.e. of deletion], with no mention of a specific process of 'certification', as Schroepfer later told the UK parliament. It wasn't until January 2016 that Facebook received the signed certification from Cambridge Analytica CEO Alexander Nix vowing the company had deleted the data.

Today Kaiser revealed exclusively to TechCrunch on stage at the WorldWebForum conference in Zurich the initial email exchange with Cambridge Analytica executives.

This 'email exchange' - which TechCrunch has not been able to independently verify at this point - has never previously been published. Kaiser released to TechCrunch what she claims is a copy of the exchange. We have reached out to Facebook for comment.

According to the document passed to us, writing on Dec 17, 2015, Alex Tayler, Chief Data Officer for Cambridge Analytica, allegedly wrote to Facebook executive Allison Hendrix saying:

“I wanted to confirm that following your inquiry, that Facebook is satisfied that CA has not breached it's terms of service or stolen data on non-consenting individuals. If you are satisfied this matter is resolved, would it please be possible for us to have a statement from Facebook to disseminate through our PR agency? We are still finding some articles repeating the initial false allegations made by the Guardian, and would like to be able to firmly refute them in order to prevent any further reputational damage to our company. Alternatively, if Facebook would like to issue a joint press release, we would welcome the opportunity to do so.”

A day later on 18 December 2015, Hendrix replied:

“Thank you again for taking the time to speak with me last week and providing additional information into Dr. Kogan’s development of the GSR app which was funded by Cambridge Analytica (via SCL Elections). As discussed, we don’t allow any information obtained from Facebook to be purchased or sold, and we have strict friend data policies that prohibit using friend data for any purpose other than improving a person’s experience in your app. From our conversations, it is clear that these policies have been violated.

“You have told us that you received personality score data from Dr. Kogan that was derived from Facebook data, and that those scores were assigned to individuals included in lists that you maintained. Because that data was improperly derived from data obtained from the Facebook Platform, and then transferred to Cambridge Analytica in violation of our terms, we need you to take any and all steps necessary to completely and thoroughly delete that information as well as any data derived from such data, and to provide us with confirmation of the same.

“We need additional information to complete our review. As an initial matter, did you transfer any data you received from Dr. Kogan to any person or entity other than Ted Cruz’s team? Have you made any other use of the data from Dr. Kogan? If there is any additional information of which you think we should be aware, we thank you in advance for providing us with that information and for your help resolving these issues.

“Please respond at your earliest opportunity confirming when you can complete the above request to delete all data (and any derivative data), and providing the additional information I’ve requested above. As mentioned above, our review is not complete; accordingly, we may have additional questions, requests, or requirements going forward, and this email should not be construed as a waiver of any of Facebook’s rights.”

On December 19, 2015, Tayler replied:

“Dear Allison, There are several incorrect statements in your email. First and foremost, Cambridge Analytica has not transferred the data we received from Dr Kogan to Cruz for President, nor to any other party. The only data we share with our clients are lists of contact information, perhaps with a few tags attached, for target audiences we identify for them (e.g. likely donors, persuadable voters), and models that we have produced under their direction. Secondly, Cambridge Analytica did not fund the development of Dr. Kogan's app. We did not pay GSR for their time or technology, but rather paid the third party (e.g. survey vendor) costs for the surveys they ran. Please note that GSR was
contractually obliged to us to carry out this research with the consent of the survey respondents and in line with the terms of service of their vendors.

“Having made that clear, the model we received from Dr Kogan wasn't very accurate (in validation experiments we ran, we found his predictions only slightly better than random). For our goal of extrapolating personality scores across our whole database, his model was simply not accurate enough to use as a training set, or to apply it commercially in any other way.

"Nevertheless, we still considered the project a success in that it provided us with a proof of concept for the personality research we have since undertaken internally (which is in no way connected with Facebook). It is these data that we have collected independently of GSR about which we have built our current business offering. For this reason, and in the spirit of the good-faith relationship we would like to maintain with Facebook, we will comply with your request to delete all data we received from Dr Kogan.

“Please let me know what else you require from us as soon as possible. It is a matter of urgency that we make it clear that Cambridge Analytica has not done anything wrong."

There was then a time-lag probably due to the break for the holidays. On 5 January 2016, Hendrix replied:

“Thank you for your timely and detailed response, and for agreeing to delete any and all data that was derived from the Facebook Platform. Can you let me know how you were storing the data and what you did to delete it?”

On January 6, 2016, Tayler replied, copying in CA CEO Alexander Nix, saying:

“To be clear, we have not yet deleted the data we received from Dr Kogan, but will be happy to do so once Facebook confirms that this will resolve the matter. We are currently storing the data as csv files in an encrypted directory on our file server. When we delete the data we will simply rm -rf the directory.”

Six days later on 12 January, Hendrix:

“As a reminder, you received the data inappropriately and are obligated to delete it. You’ve indicated that you would like to maintain a positive relationship with us. Having one will require deletion of the data. In addition to deleting the data from the directory, can you check to see whether your server has any backups which also contain the data? While we don’t anticipate further issues at this time, we reserve our rights and can make no guarantees.”

On Jan 18, 2016 Tayler replied:

“I can confirm that we have now deleted from our file-server the data we received from Dr Kogan in good faith that this resolves our obligation to Facebook. I also confirm that I have checked that the server contains no backups of that data. Our having deleted the data and cooperated in this matter should not be construed as an admission of any kind of wrongdoing on our part.”

On January 18, 2016, Hendrix replied:

“Thank you, Alex. I will let you know if we have any follow up questions, and please don't hesitate to reach out if you or your team have any questions on your end. Thanks again. - Ali”

This entire exchange was then forwarded by executives from the N6A PR agency to Cambridge Analytica executives and was, in turn, obtained by Kaiser on 23 January 2016.

[Correction 11:30am Pacific: This article originally stated that Facebook accepted merely the email exchange published above as proof that Cambridge Analytica had deleted data attained from Facebook. However, Facebook later received a more formal signed document from Cambridge Analytica CEO Alexander Nix claiming the data had been deleted. This story has been updated to reflect that Facebook received this additional certification, which we reproduce here.]

Facebook did indeed testify under oath that they got a certification of the data deletion. (See: Facebook’s testimony under oath to the Senate Judiciary (Page 126) in answers to Ranking Member Senator Feinstein here).

But this was a full 16 months before they received the Nix statement referred to above and several weeks after a report by Swiss researchers Hannes Grassegger and Mikael Krogerus titled “The Data That Turned the World Upside Down,” which was a detailed account of how C.A.’s psychological modeling was used by the Trump campaign (Jan 28 2017).

It should be noted that the 2016 US election occurred during those sixteen months, allowing Facebook to take in tens of millions of dollars in political advertising.]