Information Regulator (South Africa)

316 Thabo Sehume Street
Pretoria

email: inforeg@justice.gov.za

For the attention of: Adv. P Tlakula

18 April 2018

Dear Adv. P Tlakula

RE: Reported misuse of Facebook user data by Cambridge Analytica

I am writing on behalf of Facebook Ireland Limited (“Facebook Ireland”). Representatives of
Facebook South Africa passed on your request for information dated 9 April 2018 regarding
certain past violations of Facebook’s Platform policies by third parties. Facebook Ireland is the
entity responsible for providing the Facebook service in all countries outside of the US and
Canada, including in South Africa. On that basis, Facebook Ireland is the appropriate entity to
provide you with information regarding these matters. We are sharing this information on a
voluntary basis with you now, though we continue to investigate.

Our priority is to reassure users that the trust that they place in us is deserved and that user
data is protected on Facebook's platform. You will no doubt appreciate that we have been
working hard to understand exactly what happened and to identify the steps necessary to
make sure that it doesn't happen again. Updates will be published to our newsroom1 as
matters progress. The most up to date information available now is set out in Mark
Zuckerberg’s post enclosed (see Annex 1), and in our newsroom posts to date (see Annex 2).

We are in the process of conducting an internal investigation into the reported events, and
are consulting with the Irish Data Protection Commissioner (“IDPC”) (our lead regulator on
data protection and privacy matters outside of the US and Canada) in relation to that process.
It will take a little time to complete that work, but once it is completed the IDPC will be fully
updated and any enquiries may be referred to their office. In the interest of being open and
helpful, we are of course happy to answer any further questions you may have on this incident.

You may also wish to note that the UK’s Information Commissioner (“ICO”) is conducting an
investigation into whether “Facebook data may have been illegally acquired and used”,2 which
has included the execution of a warrant to inspect the premises of Cambridge Analytica’s
offices in London. We understand that Cambridge Analytica and the app developer involved
in this case (as explained further below) are based in the UK. We are voluntarily assisting the
ICO in relation to this investigation, and they may also be able to assist you with any further
inquiries you may have in relation to this matter.

We appreciate you keeping the information contained in this response strictly confidential.
We also respectfully request that you afford Facebook Ireland the opportunity to make
submissions to you either where: a legitimate request is made by competent authorities or
third parties for the disclosure of any information provided in this letter; or you determine to
publish, in whatever format, information relating to this case to the public.

1 https://newsroom.fb.com/news/
2 ICO statement 24 March 2018: investigation into data analytics for political purposes https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/03/ico-statement-investigation-into-data-analytics-for-political-purposes/

Facebook Ireland Limited
Registered Office: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2
Registered in Ireland as a private listed company
Directors: Gareth Lambe, Shane Crehan, Yvonne Cunnane
Company No: 462932

Subject to those general points, we share the following information with you now and hope it
is useful. Please do not hesitate to contact us if you have any further questions or would like
clarification on any point.

Reported violations of Facebook Platform policy

The media has reported that a UK company, Cambridge Analytica, has misused certain
Facebook user data. While the matter is still being investigated, our current information
indicates that Cambridge Analytica was provided with Facebook user data by a third-party app
developer, Dr. Aleksandr Kogan, in breach of Facebook’s Platform policy.3 However, it is
important to note at the outset that there has been no data breach. This is not a case of any
party infiltrating Facebook's systems or evading data security measures.

Rather, in 2013, Dr. Kogan developed an app (“thisisyourdigitallife”). Dr. Kogan was not and is
not employed by Facebook. At the time, he was an academic at Cambridge University. Dr.
Kogan's app (like many other apps that used the Facebook Platform) used our generally
available Facebook Login4 feature. Facebook Login allows third-party app developers to
request consent from Facebook users for their apps to access specified categories of user data.
At the relevant time it allowed those developers to request consent from users to access
specific categories of data shared with those users by their Facebook friends (at all times
consistent with, and subject to those friends’ privacy settings).5 The use of Facebook Login is
subject to terms set out in Facebook's Platform policy, which strictly prohibit the use and
transfer of data collected in this way for other purposes.

In the present case, once obtained by Dr. Kogan, some Facebook user data was transferred by
Dr. Kogan to Cambridge Analytica. Facebook did not permit or agree to that transfer and it
happened in violation of Facebook's Platform policy. As explained below, on learning this in
December 2015, we acted to terminate the app’s access rights to use Facebook Login and
demanded that Dr. Kogan – as well as his company at that time, Global Science Research
Limited (“GSR”) and the other entities to whom they confirmed that they had disclosed data
obtained via the app – account for and irretrievably delete all such data.

The app did not obtain sensitive account information such as passwords or financial
information. The third party app developer in this case only had access to data that users who
installed the app consented to give to the app and, in the case of such users’ friends, data that
those friends published on the Facebook Platform and that was made available to the app in
accordance with their privacy settings. Facebook Platform policies in place at the relevant time
imposed a number of requirements on app developers. The exact language of these policies
changed during the relevant period, but consistently required the following:

• Delete all of a person’s data you have received from us (including friend data) if that
person asks you to;

• Only use friend data (including friends list) in the person’s experience in your app;

• Don’t transfer any data that you receive from us (including anonymous, aggregate, or
derived data) to any ad network, data broker or other advertising or monetization-related
service;

• Request only the data and publishing permissions your app needs.6

3 The current version of this policy can be found here: https://developers.facebook.com/policy
4 https://developers.facebook.com/docs/facebook-login
5 As explained below, this ability was restricted on the version of our platform in operation since 30 April 2014

We learned that Dr. Kogan may have shared data from his app with Cambridge Analytica in
violation of our Platform policy from The Guardian newspaper, which published a story on the
matter on 11 December 2015.7 We acted to terminate the app’s access rights to use Facebook
Login by 17 December 2015. We also assessed what further action was necessary and
appropriate to enforce our Platform policies. These actions included demanding that Dr.
Kogan and GSR identify the nature of data collected, how it was used, and to whom they had
disclosed the data. We further demanded that Dr. Kogan and GSR - as well as the other entities
they identified as having received any data obtained via the app - account for and irretrievably
delete all such data. We contacted the third parties identified by Dr. Kogan and GSR directly
to secure legal certifications that all Facebook user data they had obtained was accounted for
and destroyed. We also sought an explanation of how those third parties had shared the data
received while they held it. These parties included Cambridge Analytica’s parent company,
SCL Limited. Each of Dr. Kogan, GSR and SCL Limited certified to Facebook that they had
irretrievably deleted the data they had received.

As soon as we learned recently, as a result of pre-publication inquiries received from The
Guardian, The New York Times and Channel 4 in March 2018, that possible questions existed
as to whether some relevant parties had actually deleted data as they had legally certified to
us that they had, we have been seeking to investigate. As yet, we have obtained no proof
which contradicts the deletion certifications but we are continuing to look into the issue,
whilst ceding to the investigation of the UK Information Commissioner. The ICO has asked that
we hold off on certain auditing and fact-finding steps pending completion of their own
investigation.

As stated in Mark Zuckerberg’s post (see Annex 1), we introduced changes to our Platform
from 30 April 2014 (with then existing apps being allowed up to a year thereafter to move to
the updated Platform) to significantly restrict the data that apps such as Dr. Kogan’s are able
to access via Facebook Login. These actions would prevent any app like Dr. Kogan's from being
able to access data to this extent today. We also announced some further important steps
for the future of our Platform on 21 March 2018 (see Annex 2) with a view to taking action on
potential past abuse and putting stronger protections in place to prevent future abuse.8

Both Dr. Kogan and Cambridge Analytica acted as independent third party data controllers
with regard to the data they obtained (i.e. they had control of and made the processing
decisions in respect of the data). While we are doing what we can to investigate such matters
ourselves, they are the parties that can answer further questions about how they used
relevant data.


6 These requirements are currently found in sections 2, 3 and 7 of our Platform policy https://developers.facebook.com/policy
7 https://www.theguardian.com/us-news/2015/dec/11/senator-ted-cruz-president-campaign-facebook-user-data
8 https://newsroom.fb.com/news/2018/03/cracking-down-on-platform-abuse/


Access to the personal data of Facebook users located in South Africa by third parties

The current information that we have with respect to South African user data is as follows:9

• We understand that 13 people in South Africa installed the app throughout its lifetime
on the Facebook Platform (i.e., from November 2013 when the app went live to no
later than 17 December 2015), which is 0.004% of the app’s total worldwide installs.

• We further understand that 96,121 additional people in South Africa were potentially
affected, as friends of people who installed the app that did not install the app
themselves.

• This yields a total of 96,134 potentially affected people in South Africa, which is 0.11%
of the global number of potentially affected people.

I should also make the following points on the approach that we have taken to identify people
affected:

• Location has been used to identify those affected. Location is not an indication of
nationality or citizenship and may not, in some cases, indicate actual place of
residence.

• These figures do not include people who may have installed the app but then
subsequently deleted their Facebook account, as we no longer hold that data.

• These figures also may be over-inclusive. We have not retained data regarding when
individual users installed the app. As a result, we have had to include in these figures
anyone who installed the app during its lifetime, and anyone who may have been
friends on Facebook with any of those people at the time between when the app first
became active on the Facebook Platform in November 2013 and when the app’s
access to friends’ data was limited in May 2015. They also include users who may have
changed their settings to disallow sharing of their data with apps authorized by their
friends, due to limited historical information about when or how those settings were
updated. We believe this figure may over-count the total number of users whose data
was in fact accessed by the app; however, we wanted to be as comprehensive as
possible in our analysis.

• These figures may be significantly larger than the actual count of people whose data
was shared with Cambridge Analytica by Dr. Kogan. This understanding is consistent
with the contract between GSR and SCL Limited that has recently been made public
and indicates that Dr. Kogan agreed to transfer data relevant to people in only 11 US
states.10


9 I note that the numbers of affected users originally reported for South Africa were different to those stated in this letter. I
confirm that the numbers stated in this letter are our accurate current assessment of users potentially affected and their
friends.
10 Published by the UK Parliament House of Commons Digital, Culture, Media and Sport Committee as provided to them at page
67 of the written evidence by Christopher Wylie on 27 March 2018 and available here:
https://www.parliament.uk/documents/commons-committees/culture-media-and-sport/Chris%20Wylie%20Background%20papers.pdf.
Schedule 2 of this GSR Data Technology and Subscription Agreement dated 4 June 2014 states that GSR will supply data in
relation to 11 US states (Arkansas, Colorado, Florida, Iowa, Louisiana, Nevada, New Hampshire, North Carolina, Oregon,
South Carolina and West Virginia).


Informing users and next steps

From 9 April 2018, we have been showing people a link at the top of their News Feed so they
can see what apps they use — and the information they have shared with those apps. People
are also able to remove apps that they no longer want. As part of this process we have been
telling people if their information may have been improperly shared with Cambridge
Analytica.11

As explained above, the actions that we have taken since 30 April 2014 prevent any app like
Dr. Kogan’s from being able to access data to this extent today. As also explained above, we
are taking further important steps with a view to taking action on potential past abuse and
putting stronger protections in place to prevent future abuse. We’re going to set a higher
standard for how developers build on Facebook, what people should expect from them, and,
most importantly, from us. We will:

1. Review our Platform. As explained above, we will investigate all apps that had
access to large amounts of information before we changed our Platform in 2014 to
reduce data access, and we will conduct a full audit of any app with suspicious activity.
If we find developers that misused personally identifiable information, we will ban
them from our Platform.

2. Tell people about data misuse. We will, to the extent possible, tell people affected
by apps that have misused their data. To that end, we have built a way for people to
know if their data might have been accessed via “thisisyourdigitallife”. Moving
forward, if we remove an app for misusing data, we will tell everyone who used it.

3. Turn off access for unused apps. If someone has not used an app within the last
three months, we will turn off the app’s access to their information.

4. Restrict Facebook Login data. We are changing Facebook Login, so that in the next
version, we will reduce the data that an app can request without app review to include
only name, profile photo and email address. Requesting any other data will require
our approval.

5. Encourage people to manage the apps they use. We already show people what
apps their accounts are connected to and how to control what data they’ve permitted
those apps to use. Going forward, we are going to make these choices more
prominent and easier to manage.

6. Reward people who find vulnerabilities. We have also expanded Facebook’s bug
bounty program12 so that people can also report to us if they find misuse of data by
app developers.


11 https://newsroom.fb.com/news/2018/04/restricting-data-access/
12 https://newsroom.fb.com/news/2018/04/data-abuse-bounty/


We are continuing to investigate this matter and are happy to provide you with further
information if that would be helpful. For the avoidance of doubt, we are providing this
information on a voluntary basis and in the hope that it assists you.

Yours sincerely

Yvonne Cunnane

Head of Data Protection, Facebook Ireland Limited

Annexes

Annex 1 - Mark Zuckerberg’s post

Annex 2 - Facebook newsroom posts to date
