A long sought-after internal document, obtained Friday morning by NBC News and subsequently made public by Facebook and the D.C. attorney general’s office, throws into question what and when the social media giant first learned about the violation of tens of millions of users' private data.
The document reveals that Facebook first learned about unconfirmed reports of a potential data violation in September 2015. The company sought to address the issue then but was not made aware of the full scope of the problem until a Guardian report was published in December 2015.
The timeline is significant because Facebook CEO Mark Zuckerberg has testified that the company only learned from the Guardian's report that developer Aleksandr Kogan sold user data to Cambridge Analytica, a violation of Facebook's policy prohibiting researchers from selling or sharing data with third parties.
But the Securities and Exchange Commission filed a complaint in July stating that Facebook employees had "requested an investigation" into Cambridge's "possible 'scraping'" of data in September 2015 — three months before the Guardian report was published.
Related
Facebook critics have cited the apparent disparity between Zuckerberg's testimony and the SEC complaint as evidence that company executives either ignored the staffers' concerns or misled the public about what the social media giant knew and when.
The document, a record of correspondence among Facebook employees, suggests both the SEC and Zuckerberg are right: Employees requested an investigation — and began an investigation — into "possible 'scraping'" in September. But they did not learn that Kogan had sold the data to Cambridge Analytica and violated Facebook policy until the story went public in December 2015.
The issue was first brought to Facebook's attention on Sept. 29, 2015, by a political partner who was curious about the parameters of the company's privacy policy. At the outset, one employee voiced concern that many of Facebook's political partners could be "on the edge" of the policy and "possibly over."
Another employee responded: "I'm passing this to DevOps for initial review. They can help investigate. ... At a high level it is possible these services comply with our terms, but it is also possible they do not."
The next day, an employee wrote: "I imagine it would be *very* difficult to engage in data-scraping activity as you described while still being compliant with [Facebook's privacy policy]." But later that day, another employee wrote: "It's very likely these companies are not in violation of any of our terms."
The debate continued, and by Oct. 13 one employee stated that "there are likely a few data policy violations here."
But a week later, on Oct. 20, another employee wrote that while there appeared to be a data policy violation, "it is hard to understand specifically what they are violating without having a conversation" with the partners in question.
From Oct. 20 until the morning of Dec. 11, the majority of correspondence pertained to employees' efforts to set up calls with the political partners, some of whom were "slow to respond."
Then, on Dec. 11 at 9:45 a.m., an employee wrote: "Can you expedite the review of Cambridge Analytica or let us know what the next steps are? Unfortunately, this firm is now a PR issue as this story is on the front page of the Guardian website."
At 10:06 a.m., an employee wrote: "This is hi pri [high priority] at this this point ... We need to sort this out ASAP."
The Guardian story stated, among other things, that Kogan's private outfit, Global Science Research, had entered into a contract with Cambridge Analytica's parent company to provide them with Facebook user data.
At 10:11 a.m., after reading the Guardian report, an employee wrote: "Here's a link to Global Science Research, the "for profit" arm of [Cambridge Analytica] mentioned in the article.”
The employee added: “We had not heard of this [organization] before the article.”
