Cambridge Analytica, the Robert Mercer–backed, Steve Bannon–linked data analytics firm that worked with the Trump campaign during the 2016 election, harvested data in 2014 from over 50 million Facebook accounts without users’ permission, according to reports published this weekend in The New York Times and The Guardian and Observer.
From The Guardian:
The data was collected through an app called thisisyourdigitallife, built by academic Aleksandr Kogan, separately from his work at Cambridge University. Through his company Global Science Research (GSR), in collaboration with Cambridge Analytica, hundreds of thousands of users were paid to take a personality test and agreed to have their data collected for academic use.
However, the app also collected the information of the test-takers’ Facebook friends, leading to the accumulation of a data pool tens of millions-strong. Facebook’s “platform policy” allowed only collection of friends’ data to improve user experience in the app and barred it being sold on or used for advertising. The discovery of the unprecedented data harvesting, and the use to which it was put, raises urgent new questions about Facebook’s role in targeting voters in the US presidential election. It comes only weeks after indictments of 13 Russians by the special counsel Robert Mueller which stated they had used the platform to perpetrate “information warfare” against the US.
Some have noted that, while the specifics of Cambridge Analytica’s behavior appear to have broken some rules, selling the use of its personalized data to companies is pretty much the core of Facebook’s business model. Here’s a thread from Jay Pinho, who writes about ad tech:
This @carolecadwalla / @nickconfessore / @AllMattNYT piece has ignited a firestorm: https://t.co/yHoEVRNcGz. However, it seems like a lot of people are missing what is most significant about this story. (Disclaimer: I work in ad tech, so caveat emptor.)
— Jay Pinho (@jaypinho) March 17, 2018
Facebook's defense that Cambridge Analytica harvesting of FB user data from millions is not technically a "breach" is a more profound & damning statement of what's wrong with Facebook's business model than a "breach".
— zeynep tufekci (@zeynep) March 17, 2018
Facebook’s response to all this has been…sort of appallingly bad! It’s downplayed the claim, publishing a post saying that it was suspending Cambridge Analytica from its platform on the evening of Friday, March 16, before the Times and Observer stories broke on Saturday, and stating that only 270,000 people had downloaded thisisyourdigitallife. It spent time Saturday pushing back on the idea that this qualifies as a “data breach.” (Guardian reporter Carole Cadwalladr said Facebook threatened legal action before publication over that point.) Facebook also suspended the account of the whistleblower, Christopher Wylie, who helped found Cambridge Analytica.
gotta say, really surprised that @facebook burned us by posting a notice of suspension for Cambridge Analytica et al before we published. especially since they have been so far behind this story. this attempt to appear “out front” is totally disingenuous. https://t.co/gtdbpk8Raz
— gabriel dance (@gabrieldance) March 17, 2018
This was unequivocally not a data breach. People chose to share their data with third party apps and if those third party apps did not follow the data agreements with us/users it is a violation. no systems were infiltrated, no passwords or information were stolen or hacked.
— Boz (@boztank) March 17, 2018
Same thing happened on a smaller level to me last year after I asked about use of custom audiences by IRA trolls. FB also did it to Fast Company regarding IRA use of Instagram. In both cases they updated an existing blog post to add important new info before journos published. https://t.co/cwJjdRqF9d
— Craig Silverman (@CraigSilverman) March 17, 2018
NYC Media Lab’s Justin Hendrix has seven follow-up questions — and most of them are for Facebook: “Why did Facebook take more than two years to inform the public of this massive breach?” “Did Facebook’s failure to disclose this breach to the public and notify its directly affected consumers break any laws?” “Did any of the Facebook embeds in the Trump campaign know that stolen data was being used for targeting?” “Did Facebook have evidence its own employees mishandled this situation? Was any disciplinary action taken?” and one last big one:
Did other organizations or individuals exploit these apparent weaknesses, and are there other breaches we do not know about?
Given the number of times that Facebook has said things that turned out to be incomplete or false–such as the ever-expanding disclosure of the number of Americans affected by the Russian disinformation campaign in the 2016 election–why should we believe that this is the only breach of this kind that occurred? It is impossible to know how much Facebook user data has been sold, traded or is just sitting on various third-party servers. Think of all the old Facebook games and apps, or any other third party use of Facebook user authentication. It is hard to imagine this is the only incident. How can the company and its senior leadership maintain public trust, and why do they deserve it?
Lawmakers in the U.S. and U.K. have begun sorting through some of these questions. (One person who’s not saying much: Brad Parscale, who was Trump’s digital director during the 2016 campaign and is his 2020 campaign manager.)
In the meantime, go check which third-party apps have access to your Facebook data.