Facebook doesn’t know exactly who or how many of its users had their personal information funneled to Cambridge Analytica, Mark Zuckerberg said Wednesday, but it’s narrowed down the list to 87 million potential victims.
In a conference call with reporters that veered between a sweeping mea culpa and a broad technical discussion, Facebook’s beleaguered CEO ran down some of the steps the company is taking to combat abuse of its platform. “For the first decade we were really focused on all the good that connecting people can bring,” said Zuckerberg. “But it’s clear now that we didn’t do enough, we didn’t focus enough on preventing abuse and thinking through how people could use these tools to do harm as well… That was a huge mistake. It was my mistake.”
Zuckerberg is seemingly the last to become aware of Facebook’s dark side. The 33-year-old billionaire famously scoffed at talk of Russian election interference, and all but ignored the Cambridge Analytica scandal when it first surfaced in 2015. It’s amid an avalanche of new disclosures—Facebook deleted another 138 Kremlin troll pages this week—and growing scrutiny from Congress, regulators and stockholders, that Zuckerberg described the initial steps he’s taking on what he sees as a long, three-year slog toward the rehabilitation of his college dorm creation, including new technical restrictions on what developers can access through the company’s API, and closing vulnerabilities in Facebook’s design.
One of those vulnerabilities: automated bots have been using Facebook’s search functions to scrape publicly viewable Facebook profiles in bulk—producing datasets vastly larger than the Cambridge Analytica trove, though limited to public profiles.
The issue here is that Facebook allowed users to find friends by searching on a person’s phone number or email address. It was a convenient feature. But within the last few days, according to Zuckerberg, Facebook discovered that bad actors were using that functionality to perform rapid, automated searches on a scale larger than suspected, slurping down public profiles by the millions.
Facebook’s primary countermeasure against that kind of bulk profile harvesting was rate-limiting, i.e. blocking rapid-fire search queries originating from the same Internet Protocol, or IP, address. The unknown botmasters bypassed that protection by cycling “through many thousands, or hundreds of thousands, of IP addresses to evade rate limiting,” said Zuckerberg.
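Why cycling through source addresses defeats the control described above, shown as an added example that is not Facebook’s code or from the article: a per-IP sliding-window limiter beside a detector that budgets the contact-lookup endpoint as a whole and looks for the enumeration signature (nearly every request asks about a different identifier). The log, thresholds, addresses and phone numbers are all constructed.

```python
from collections import defaultdict

WINDOW_SECONDS = 60.0
PER_IP_LIMIT = 10     # assumed per-IP budget per window (not Facebook's real value)
ENDPOINT_LIMIT = 50   # assumed budget for the lookup endpoint as a whole

# Constructed log: 150 phone-number lookups in one minute, each from a different
# IP for a different number, plus one ordinary user looking up three friends.
# Addresses (RFC 5737 documentation ranges) and numbers are synthetic.
SCRAPER_EVENTS = [{"ts": i * 0.4, "ip": f"203.0.113.{i + 1}", "target": f"+1555000{i:04d}"}
                  for i in range(150)]
LEGIT_EVENTS = [{"ts": t, "ip": "198.51.100.7", "target": n} for t, n in
                ((5.0, "+15557770001"), (5.5, "+15557770002"), (6.0, "+15557770003"))]
SAMPLE_EVENTS = SCRAPER_EVENTS + LEGIT_EVENTS

def ips_over_limit(events, limit=PER_IP_LIMIT, window=WINDOW_SECONDS):
    """Per-IP sliding window: IPs that exceed `limit` lookups in any `window` seconds.
    This is the control the article says the scrapers evaded by cycling IPs."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
                break
    return flagged

def endpoint_anomaly(events, limit=ENDPOINT_LIMIT, window=WINDOW_SECONDS, min_unique=0.9):
    """Budget the lookup endpoint itself, regardless of source IP: flag the first window
    with more than `limit` lookups where nearly every request asks about a different
    identifier (the signature of enumeration). Returns (flagged, stats)."""
    ordered = sorted(events, key=lambda e: e["ts"])
    start = 0
    for end in range(len(ordered)):
        while ordered[end]["ts"] - ordered[start]["ts"] > window:
            start += 1
        win = ordered[start:end + 1]
        if len(win) <= limit:
            continue
        unique = len({e["target"] for e in win}) / len(win)
        if unique >= min_unique:
            return True, {"lookups": len(win), "distinct_ips": len({e["ip"] for e in win}),
                          "unique_target_ratio": round(unique, 2)}
    return False, {}
```

On the constructed log the per-IP limiter blocks nothing, because no address makes more than three requests, while the endpoint budget trips as soon as 51 lookups land in one minute across 49 distinct addresses.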
Facebook removed the email and phone search capabilities entirely on Wednesday. “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” wrote Facebook chief technology officer Mike Schroepfer in a blog post.
Zuckerberg is set to testify before the House Energy and Commerce Committee on April 11. Last month Facebook acknowledged that Cambridge Analytica, a UK-based political consulting firm that later worked for the Trump campaign, held profile data on millions of Facebook users without their consent and in violation of Facebook’s policies. Reports suggested about 50 million users were swept into the database, but on Wednesday Facebook upped that figure to as many as 87 million, and said most were in the United States.
In the call with reporters Zuckerberg clarified that the 87 million figure represents the maximum number of profiles potentially harvested by a personality quiz deployed by researcher Aleksandr Kogan in 2014, who then passed the data to Cambridge Analytica. The app gathered information on the 300 thousand Facebook users who ran it, and on all those users’ friends. But Facebook’s logs don’t show who those friends were at the exact moment the app was active, and don’t show exactly which profiles were sucked down. “We don’t have logs going back for when exactly Kogan’s app conducted queries,” said Zuckerberg.
Zuckerberg told CNN’s Anderson Cooper last month that in response to the Cambridge Analytica data spill Facebook would develop a tool “where anyone can go and see if their data was a part of this.” Based on Wednesday’s details, the best such a tool could do is tell you whether or not your profile is one of the 87 million profiles that could have been grabbed.
For his part, Zuckerberg evidently hasn’t checked to see if he’s on the list, and he told reporters that he doesn’t know whether or not he ran the rogue app himself. “I certainly use a lot of apps,” Zuckerberg said. “I mean, I don’t know if I used that one specifically, but I’m a power user of the Internet here.”