Facebook’s Cambridge Analytica Controversy Could Be Big Trouble for the Social Network. Here’s What to Know

Facebook CEO Mark Zuckerberg at the annual Facebook F8 developers conference in San Jose, Calif. on April 18, 2017. Stephen Lam—Reuters

50 million Facebook users had their data harvested without their consent

The fallout from Facebook’s data scandal involving Cambridge Analytica continues this week, as more information came to light confirming that at least 87 million Facebook users were impacted by hidden data harvesting — an update from the “tens of millions” figure that Facebook previously said were touched by its ongoing privacy crisis.

Facebook, which is the largest social media company in the world, admitted today that the number was much higher than previously believed at the bottom of a blog post written by Chief Technology Officer Mike Schroepfer.

“In total, we believe the Facebook information of up to 87 million people — mostly in the US — may have been improperly shared with Cambridge Analytica,” he wrote.

He laid out nine ways Facebook is now working to better protect user information, saying that the changes will limit the ways apps are allowed to collect and share people’s information.

Third party apps will now be restricted from accessing certain kinds of user information they could previously collect from Facebook features like Events, Groups and Pages. Other changes include updates to the ways third-party apps can collect data related to logins for things like “check-ins, likes, photos, posts, videos, events and groups,” the company’s statement reads.

It also says that apps will no longer be allowed to collect personal data such as “religious or political views, relationship status and details, custom friends lists, education and work history, fitness activity, book reading activity, music listening activity, news reading, video watch activity, and games activity.”

The social media juggernaut also announced that it has disabled certain features in “search and account recovery” to prevent people’s public profiles from being scraped by “malicious actors.” It is also completely shutting down its Partner Categories, which is “a product that lets third-party data providers offer their targeting directly on Facebook,” the statement says.

A new feature is also being added to everyone’s newsfeed — a link at the top of the page that will allow users to see what information apps they use have collected about them, and also allow users to remove those apps if they choose. Facebook pledged to alert those users whose personal data was improperly collected by Cambridge Analytica.

Facebook also posted a link to updated policies for Instagram, which it owns.

While the users affected are mainly in the U.S., the BBC has also reported that about one million of the 87 million users impacted are based in the U.K.

Facebook’s announcement that almost 90 million users were affected comes on the heels of the news that CEO Mark Zuckerberg will testify before Congress on April 11.

The drama began when the $500 billion company admitted earlier in March that data analysis firm Cambridge Analytica, which has close ties to President Trump’s election campaign and right-leaning megadonors, used data that had been collected from millions of users without their consent. Facebook has since suspended Cambridge Analytica’s access to its platform.

Facebook continues to take a beating from commentators and investors alike as its stock keeps plunging — the company’s market cap dropped $50 billion alone during the first week that the scandal came to light, becoming its largest ever two-day drop. Meanwhile, lawmakers in the U.S. and the U.K. who demanded Zuckerberg explain his company’s practices may finally get some answers during his testimony next week.

Here’s what to know about Facebook’s latest crisis.

What is Cambridge Analytica?

Cambridge Analytica is a political analysis firm that claims to build psychological profiles of voters to help its clients win elections. The company is accused of buying millions of Americans’ data from a researcher who told Facebook he was collecting it strictly for academic purposes. Facebook allowed Aleksandr Kogan, a psychology professor at the University of Cambridge who owns a company called Global Science Research, to harvest data from users who downloaded his app. The problem was that Facebook users who agreed to give their information to Kogan’s app also gave up permission to harvest data on all their Facebook friends, as well, according to the Guardian.

The breach occurred when Kogan then sold this data to Cambridge Analytica, which is against Facebook’s rules. Facebook says it has since changed the way it allows researchers to collect data from the platform as a result.

Christopher Wylie, a whistleblower who worked at Cambridge Analytica before quitting in 2014, claimed on NBC’s Today Show Monday morning that the firm was “founded on misappropriated data of at least 50 million Facebook users.”

Wylie added that Cambridge Analytica’s goal was to establish profiling algorithms that would “allow us to explore mental vulnerabilities of people, and then map out ways to inject information into different streams or channels of content online so that people started to see things all over the place that may or may not have been true.”

The data firm initially told British Parliament it did not collect people’s information without their consent during a hearing in February, but later admitted in a statement to the New York Times that they did in fact obtain the data, though the company claims to have deleted the information as soon as it found out it violated Facebook’s privacy rules.

Cambridge Analytica issued a number of press releases in the days following the explosive media reports, saying that it “strongly denies the claims” it acted improperly.

“In 2014 we received Facebook data and derivatives of Facebook data from another company, GSR, that we engaged in good faith to legally supply data for research,” the statement reads. “After it subsequently became known that GSR had broken its contract with Cambridge Analytica because it had not adhered to data protection regulation, Cambridge Analytica deleted all the Facebook data and derivatives, in cooperation with Facebook… This Facebook data was not used by Cambridge Analytica as part of the services it provided to the Donald Trump presidential campaign.”

Facebook also issued a statement on its website Monday saying that the claim there was a data breach is “completely false” and Facebook users “gave their consent” when they signed up for certain kinds of apps, like the one Kogan exploited for data collection purposes. The social media juggernaut also maintained that “no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

Who is the Cambridge Analytica whistleblower?

Christopher Wylie, a former employee of Cambridge Analytica, spoke out about the firm’s practices on the Today Show Monday morning after previously giving an interview to the New York Times. Wylie, who quit the company in 2014, said he believes it’s important for Americans to know what companies are doing with their personal information, as well as whether Cambridge Analytica’s practices influenced the democratic process.

“This was a company [Cambridge Analytica] that really took fake news to the next level by powering it with algorithms,” he said in an interview on the Today Show Monday morning.

Wylie also claimed that Cambridge Analytica has been in talks with Russian oil companies and employs a psychologist who works on Russia-funded projects. Any ties between Cambridge and Russia could complicate matters for Facebook, which has spent the past several months grappling with accusations that Moscow used it and other social media networks to meddle in the 2016 U.S. elections.

In a statement, Cambridge Analytica said Wylie left the company to found a rival firm.

“Their source is a former contractor for Cambridge Analytica – not a founder as has been claimed – who left in 2014 and is misrepresenting himself and the company throughout his comments,” the company said.

What is Cambridge Analytica’s connection to Steve Bannon?

Onetime Trump campaign advisor and former White House Chief Strategist Steve Bannon was previously vice president of Cambridge Analytica’s board, according to the New York Times. Wylie told the Guardian that Bannon was his boss at Cambridge Analytica. Bannon has been involved in propping up right-wing political groups for years, having been the executive chairman and co-founder of Breitbart News, a far right-wing digital publication, until he stepped down from the position in January.

Additionally, Republican megadonor and onetime Breitbart News CEO Robert Mercer, who has funded numerous conservative campaigns at every level of government, invested $15 million in Cambridge Analytica. His daughter, Rebekah Mercer, was also a board member of the political data firm. The Mercers originally supported Ted Cruz’ presidential campaign, but became patrons of the Trump campaign after Cruz bowed out of the 2016 presidential race.

The Times reported that through their family foundation the Mercers have donated more than $100 million to conservative causes — $10 million of which went to Breitbart News, and another $6 million that went to the Government Accountability Institute, a nonprofit founded by Bannon.

What does Mark Zuckerberg say?

Facebook executives responded to the crisis on Wednesday by issuing statements on the social media platform.

Zuckerberg admitted that Facebook made mistakes and acknowledged that his company failed to responsibly protect the data of customers.

He gave a timeline explaining how the improper data harvesting occurred, and said that in 2014 the company changed its practices to limit the ability of “abusive apps” to collect data from users and their other Facebook friends who did not give consent.

“In 2007, we launched the Facebook Platform with the vision that more apps should be social…To do this, we enabled people to log into apps and share who their friends were and some information about them….In 2013, a Cambridge University researcher named Aleksandr Kogan created a personality quiz app. It was installed by around 300,000 people who shared their data as well as some of their friends’ data. Given the way our platform worked at the time this meant Kogan was able to access tens of millions of their friends’ data.”

Zuckerberg also acknowledged that journalists informed Facebook as early as 2015 that Kogan shared this data with Cambridge Analytica, and said the company subsequently banned Kogan’s apps from the social network because they violated Facebook policies.

“This was a breach of trust between Kogan, Cambridge Analytica and Facebook. But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that,” he wrote on Facebook.

He also said the company will investigate all apps that had “access to large amount of information” before the 2014 policy changes, and that Facebook plans to further restrict developers’ access to Facebook users’ data moving forward. The company will also make it easier for users to deny permission to third party developers that collect their personal information. As part of this effort, the company plans to move its privacy tool to the top of the News Feed.

Facebook’s Chief Operating Officer Sheryl Sandberg shared Zuckerberg’s post on her own Facebook page, saying she “deeply regrets” that the company did not do more to address the problem. Facebook will also start to ban developers who misuse “personally identifiable information” and alert users when Facebook learns their data has been misused, she wrote.
