Peter Elbaum | 10.17.18 | Code Insights

Cambridge Ana-cynical: Understanding Facebook’s Information & API Scandal


  • analytics
  • facebook
  • Web
  • web development

Cambridge Analytica Scandal

A Cambridge psychology professor, Alexander Kogan, developed a survey app on Facebook’s platform that surreptitiously mined personal data from users and their friends. Kogan used this data, such as page likes, to build a predictive model that generated voter profiles. Cambridge Analytica bought this data and used it to target voters in the 2016 presidential election. In March 2018, reporting from the NYT and the Guardian blew the story open; it had first been reported in December 2015.

This may affect you if:

  1. You have a Facebook account
  2. You’re hand-rolling authentication for your apps
  3. You use auth middleware like Passport or Devise
  4. You have social plugins and share buttons on your app or site
  5. You want access to more than just your own information

How Did We Get Here?

Cambridge Analytica is a London-based offshoot of the SCL Group, founded by Robert Mercer and Steve Bannon. Christopher Wylie, a Cambridge Analytica employee and former graduate student in fashion trend forecasting, decided to alert the news media about the data breach and became the scandal’s whistleblower. In total, data from 87 million accounts was accessed without authorization.

Is This Actually a Scandal?


On one hand, yes. Many people’s data was handed to a third party without their consent, most likely in violation of Facebook’s own privacy policy.

On the other hand, the information about the public APIs was available for anyone to see on the Facebook Developer site. In a way, we shouldn’t be surprised by this, especially because Facebook has not shown a particular interest in privacy.

The question is: can we put responsibility on the user for being informed, even when the entity housing user data is deceptive? Data collection is largely unregulated in the U.S. One consequence of the lack of legislation around data collection is that BlackBerry, Amazon, Samsung and Apple got Facebook data via a private API that gave them access to user data and users’ friends’ data. Essentially, device makers could receive events, location, relationship status and more through private channels. Facebook justified this access by explaining that it doesn’t view the device makers as third parties, but sees them as providing an extension of “the Facebook experience.” In granting this access, Facebook violated a 2011 FTC consent decree barring it from overriding user privacy preferences.

What Led You to Investigate These APIs?

I started this journey by wanting to build a tool to help remember birthdays. The way the Facebook APIs have changed in response to the scandal makes this simple app idea impossible. The reaction caused some serious fallout:

  1. Broken features. In April, with no warning, Instagram locked down an API whose shutdown had been scheduled for July 3, and decreased the rate limit from 2000 to 500 calls per user per hour.
  2. No more search by username/email. This had the greatest impact on UX. In addition, the APIs for follower lists, relationships and commenting on public content have changed, and even recovering your account is more difficult now.
  3. Major implications. The changes have major implications for companies that provide products around social media engagement and metrics.
  4. Who’s taking care of our data? Facebook has shown it will do the bare minimum (and sometimes less) that government and public pressure force it to. The person who’ll take the best care of your data is you.

In short, the Facebook APIs are now more difficult to work with. Before the scandal more information was available, but now users are mostly limited to querying for their own data. The changes are essentially a reaction to public pressure from the scandal.

How Can I Learn More About the Facebook APIs?

The Facebook Developers site has a Graph API Explorer which allows you to make queries against the main API. I also created a small app which calls the API and displays real data. In both environments you must add the permission for each field to the access token before a query will return that field, which is part of what makes working with this API difficult.
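The per-field permission model described above, as an added example that is not code from this post or its repo: given a token’s granted permissions (the shape returned by `GET /me/permissions`), work out which requested fields the token can actually return and build a `/me` query that asks only for those. The field-to-permission map, the sample permissions response and the default API version are assumptions for illustration.

```javascript
// Added example, not code from the post: work out which Graph API fields a
// token can return from its granted permissions, so the app requests only those.

// Assumed field -> permission map; public_profile is granted on every login.
const FIELD_PERMISSIONS = {
  id: "public_profile",
  name: "public_profile",
  birthday: "user_birthday",
  email: "email",
};

// Constructed sample of a GET /me/permissions response: birthday granted, email declined.
const SAMPLE_PERMISSIONS_RESPONSE = {
  data: [
    { permission: "public_profile", status: "granted" },
    { permission: "user_birthday", status: "granted" },
    { permission: "email", status: "declined" },
  ],
};

// Set of permissions whose status is "granted".
function grantedPermissions(permissionsResponse) {
  return new Set(
    (permissionsResponse.data || [])
      .filter((p) => p.status === "granted")
      .map((p) => p.permission)
  );
}

// Splits wanted fields into those the token can return and those it cannot
// (permission declined, never asked for, or a field with no known mapping).
function planFieldsRequest(wantedFields, permissionsResponse) {
  const granted = grantedPermissions(permissionsResponse);
  const allowed = [];
  const missing = [];
  for (const field of wantedFields) {
    const needed = FIELD_PERMISSIONS[field];
    if (needed && granted.has(needed)) allowed.push(field);
    else missing.push(field);
  }
  return { allowed, missing };
}

// Builds the /me request with an explicit ?fields= list. URLSearchParams encodes
// the token; such URLs carry a credential, so never write them to logs.
function buildMeUrl(fields, accessToken, version = "v3.1") {
  const params = new URLSearchParams({ fields: fields.join(","), access_token: accessToken });
  return `https://graph.facebook.com/${version}/me?${params.toString()}`;
}
```

Fields in `missing` are the ones to drop from the UI or to re-request via the login dialog, rather than silently querying for them and getting nothing back.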


You can also see the GitHub link for the code here.

Remember: it’s up to you to secure your data. Stay safe out there.

Peter Elbaum is a software engineer for Smashing Boxes, specializing in Angular, React and Redux. Thanks to Vox for the image. While this piece was created independently of the author’s thoughts, we agree completely and the imagery was just too good not to share.
