Facebook faces another CA-like scandal, suspends CubeYou

09 Apr 2018

Facebook is suspending a data analytics firm called CubeYou from its platform after CNBC notified the company that CubeYou was collecting information about users through quizzes.

CubeYou misleadingly labeled its quizzes "for non-profit academic research", then shared user information with marketers, CNBC reported. The scenario is similar to how Cambridge Analytica received unauthorized access to data from as many as 87 million Facebook user accounts to target political marketing.
Like Cambridge Analytica, the company sold data that had been collected by researchers working with the Psychometrics Lab at Cambridge University.
The CubeYou discovery suggests that collecting data from quizzes and using it for marketing purposes was far from an isolated incident. Moreover, the fact that CubeYou was able to mislabel the purpose of the quizzes — and that Facebook did nothing to stop it until the company was told about the problem — suggests the platform has little control over this activity.
The social media giant, however, disputed the implication that it can't exercise proper oversight over these types of apps, telling CNBC that it can't control information that companies mislabel. Upon being notified of CubeYou's alleged violations, Facebook said it would suspend all CubeYou's apps until a further audit could be completed.
"These are serious claims and we have suspended CubeYou from Facebook while we investigate them," Ime Archibong, Facebook vice president of product partnerships, said in a statement.
"If they refuse or fail our audit, their apps will be banned from Facebook. In addition, we will work with the UK ICO [Information Commissioner's Office] to ask the University of Cambridge about the development of apps in general by its Psychometrics Centre given this case and the misuse by Kogan," he said. Aleksander Kogan was the researcher who built the quiz used by Cambridge Analytica.
"We want to thank CNBC for bringing this case to our attention," Archibong added.
The revelation comes as Facebook chief executive Mark Zuckerberg prepares to answer questions before Congress this week stemming from the Cambridge Analytica scandal. The Senate Commerce and Judiciary committees and the House Energy and Commerce Committee are expected to quiz him on what the site is doing to enhance user privacy, and prevent foreign actors from using Facebook to meddle in future elections.
Since the Cambridge Analytica scandal erupted, Zuckerberg has assumed personal responsibility for the data privacy leaks, and the company has launched several initiatives to increase user control over their data.
CubeYou boasts on its website that it uses census data and various web and social apps on Facebook and Twitter to collect personal information. CubeYou then contracts with advertising agencies who want to target certain types of Facebook users for ad campaigns.
CubeYou's site says it has access to personally identifiable information (PII) such as first names, last names, emails, phone numbers, IP addresses, mobile IDs and browser fingerprints.
On a cached version of its website from 19 March, the company also said it keeps age, gender, location, work and education, and family and relationship information. Additionally, CubeYou's site has likes, follows, shares, posts, likes to posts, comments to posts, check-ins, and mentions of brands / celebrities in a post. Interactions with companies are tracked back to 2012 and are updated weekly, the site said.
"This PII information of our panelists is used to verify eligibility (we do not knowingly accept panelists under the age of 18 in our panel), then match and / or fuse other online and offline data sources to enhance their profiles," CubeYou wrote.
The company's website currently claims it has more than 10 million opted-in panelists, but the cached 19 March version said it had "an unbiased panel of more than 45 million people globally."
CubeYou collected a lot of this data through online apps that are meant to be entertaining or fun. An ad agency exec who met with the company confirmed CubeYou said it mostly collects information through quizzes.
According to its website, one of CubeYou's "most viral apps" is a Facebook quiz created in conjunction with the University of Cambridge called "You Are What You Like." It is meant "to predict a user's personality based on the pages s/he liked on Facebook".
Two versions of this app still were active on Facebook as of Sunday morning, according to CNBC. The most recent version of this app has been renamed "Apply Magic Sauce" (YouAreWhatYouLike.com redirects to ApplyMagicSauce.com), and existed on the platform as recently as Sunday morning. Another version still called "You Are What You Like" is also available.
When a user clicks on the "App Terms" link for the Apply Magic Sauce app, it links to a page saying that the information collected through the quiz is intended for "non-exclusive access for research purposes only" and only for "non-profit academic research that has no connection whatsoever to any commercial or profit-making purpose or entity".
After CNBC contacted Facebook for this story, Facebook said there were two previous versions of the app named "You Are What You Like," one created in 2013, which was deleted by the developer, and one submitted later in 2013.
Both of those prior versions had similar disclaimers on Facebook about being used for academic research purposes.
In addition, those prior versions were able to get access to information from friends of the people who took the quiz - as also happened in the Cambridge Analytica case. Until 2015, Facebook allowed developers to access information on Facebook friends as long as the original app user opted-in, a loophole that expanded the database of personal information considerably.
If the original user still remained opted in, CubeYou could theoretically still access their data.
When reached for comment, CubeYou CEO Federico Treu said the company was involved with developing the app and website, but only worked with Cambridge University from December 2013 to May 2015.
It only collected data from that time and has not had access since June 2015 to data from new people who have taken the quiz, Treu said.
He also pointed out that the YouAreWhatYouLike.com website has different — and looser — terms of usage than the Facebook terms that CNBC discovered.
Treu also denied CubeYou has access to friends' data if a user opted in, and said it only connects friends who have opted into the app individually.
Cambridge University said CubeYou's involvement was limited to developing a website.