When Facebook co-founder Mark Zuckerberg posted a status update Wednesday on the still-unfolding Cambridge Analytica scandal, he called it an “issue,” a “mistake” and a “breach of trust.” But he didn’t say it was a data breach.
Ever since the news broke this weekend that the U.K. firm Cambridge Analytica obtained information about 50 million Facebook users without their knowledge, the social media site has been carefully avoiding using those words. Executives are profusely apologizing but stopping short of characterizing the situation as a data breach — a phrase that brings to mind images of hacker frantically typing in a dark room or stolen credit card numbers being shared online.
Facebook has 1.4 billion daily users it doesn’t want to scare off with the “data breach” characterization. But was it?
Depends who you ask.
Here’s what happened: A few years ago, a researcher put together a Facebook personality quiz that asked participants to download an app and give him access to their friends’ data. About 270,000 people consented, which ultimately led to some 50 million profiles being scraped for information. The researcher then gave to Cambridge Analytica, and the company used it to build profiles it sold to clients as political research.
That amounts to a data breach if you’re using a general definition, like the one cybersecurity company Trend Micro has on its website: “an incident wherein information is stolen or taken from a system without the knowledge or authorization of the system’s owner.”
It counted for the Observer, which helped break the story and in its first sentence called the debacle “one of the tech giant’s biggest ever data breaches.” Ditto tech entrepreneur Narendra Rocherolle, who flatly tweeted Saturday that “when you allow 3rd parties to access my data in a manner inconsistent with the rules and policies. That is a data breach.”
Facebook, of course, disagrees. Deputy general counsel Paul Grewal released a statement on Saturday writing that “the claim that this is a data breach is completely false” because the researcher got consent from everyone involved. Andrew “Boz” Bosworth, Facebook’s former vice president of ads, took a similar stance.
Publications like Motherboard are trying to walk the line. The outlet pointed out that the Facebook news is different than last year’s 140 million-person Equifax data breach, which took place when hackers exploited a vulnerability in its software. But it also mentioned that Facebook’s entire business centers around collecting huge amounts of information from its users, so the whole operation isn’t extremely secure.
Still, others — like Sen. Amy Klombuchar, the democrat from Minnesota — are playing it safe and just using the word “breach.”