The Information Commissioner’s Office is to investigate a possible data breach affecting more than 50 million Facebook users.
It comes as a whistleblower told a newspaper how Cambridge Analytica, a data analytics firm that worked with Donald Trump’s election team, used personal information taken without permission in early 2014 to build a system that could profile US voters so they could be targeted with personalised political advertisements.
The company is owned by hedge-fund billionaire Robert Mercer and was led at the time by Mr Trump’s key adviser Steve Bannon.
Christopher Wylie, who worked with an academic at Cambridge University to obtain the data, told The Observer: “We exploited Facebook to harvest millions of people’s profiles and built models to exploit what we knew about them and target their inner demons. That was the basis that the entire company was built on.”
The paper says documents show that by late 2015, Facebook had discovered that information had been gathered on an unprecedented scale that affected 50 million people.
According to the New York Times, some of the information could still be found online. It said journalists had viewed some of the raw data which was collected through an app called thisisyourdigitallife.
The app was developed by Cambridge University professor Aleksandr Kogan through his company Global Science Research (GSR) in collaboration with Cambridge Analytica.
Hundreds of thousands of users were paid to take a personality test and agreed to have their data collected for academic use.
But as well as the data, the app also reportedly collected the information of their Facebook friends, allowing a massive data bank to be built.
Cambridge Analytica told The Observer that its contract with GSR stipulated that Mr Kogan should seek informed consent for data collection and it had no reason to believe he would not.
The paper quotes a company spokesman saying GSR was “led by a seemingly reputable academic at an internationally renowned institution who made explicit contractural commitments to us regarding its legal authority to license data to SCL Elections”.
SCL Elections, an affiliate, worked with Facebook to ensure it was satisfied no terms had been “knowingly breached” and provided a signed statement that all data and derivatives had been deleted, the spokesman said.
Cambridge Analytica also said none of the data was used in the 2016 presidential election.
The Information Commissioner’s Office commissioner Elizabeth Denham said: “We are investigating the circumstances in which Facebook data may have been illegally acquired and used.
“It’s part of our ongoing investigation into the use of data analytics for political purposes which was launched to consider how political parties and campaigns, data analytics companies and social media platforms in the UK are using and analysing people’s personal information to micro target voters.
“It is important that the public are fully aware of how information is used and shared in modern political campaigns and the potential impact on their privacy.
“We are continuing to invoke all of our powers and are pursuing a number of live lines of inquiry. Any criminal and civil enforcement actions arising from the investigation will be pursued vigorously”.
Meanwhile, a second investigation is taking place in the US.
Massachusetts Attorney General Maura Healey posted a link to the New York Times article on Twitter, saying: “Massachusetts residents deserve answers immediately from Facebook and Cambridge Analytica. We are launching an investigation.”
Facebook has suspended Cambridge Analytica while it carries out its own investigation and has warned it may take legal action against the company.
Facebook’s legal counsel Paul Grewal said in a blog: “When we learned of this violation in 2015, we removed his app from Facebook and demanded certifications from Kogan and all parties he had given data to that the information had been destroyed. Cambridge Analytica, Kogan and Wylie all certified to us that they destroyed the data.
“Several days ago, we received reports that, contrary to the certifications we were given, not all data was deleted. We are moving aggressively to determine the accuracy of these claims.”