Facebook announced on Wednesday that user data for as many as 87 million people may have been "improperly shared" with Cambridge Analytica, a data analysis firm that worked with President Donald Trump's 2016 presidential campaign.
This is the first time Facebook has publicly quantified the scope of the data harvesting scandal and is considerably more than the previously reported figure of 50 million, which had been an estimate based on accounts from former Cambridge Analytica employees and company documents.
"In total, we believe the Facebook information of up to 87 million people — mostly in the US — may have been improperly shared with Cambridge Analytica," wrote Mike Schroepfer, chief technology officer of Facebook, in a blog post announcing new rules for how the company plans to handle user data.
The data was harvested by Cambridge University researchers through a quiz app that users downloaded and then used their Facebook accounts to access. Cambridge Analytica, a private company not affiliated with the university, was allegedly then able to build a system off that data to target U.S. citizens with political ads based on personality traits.
In addition to changing how it works with connected apps, Facebook has also changed how its "search account and recovery" feature works, which lets people search for users by phone number or email address. Schroepfer wrote that this allowed for accounts to be found and then have their public info "scraped" — an issue that could have affected all of Facebook's 2.13 billion users. The feature has now been disabled.
"Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way," Schroepfer wrote. "So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.
Facebook said it will begin notifying users at the top of their News Feeds on Monday, April 9, if their information may have been improperly shared with Cambridge Analytica. Facebook's 2.13 billion users will also be provided with a link at the top of their feeds to see the apps they use, review the information they share with those apps and steps to remove them, if they choose.
In a statement on Wednesday, Cambridge Analytica said it "licensed data for no more than 30 million people" from GSR, a research company. They said that data was not used to target voters in the 2016 presidential election.
"Our contract with GSR stated that all data must be obtained legally, and this contract is now a matter of public record," the statement said. "We took legal action against GSR when we found out they had breached this contract."
When Facebook contacted Cambridge Analytica to say the data was improperly gathered, the company said it "immediately deleted the raw data from our file server, and began the process of searching for and removing any of its derivatives in our system."
"When Facebook sought further assurances a year ago, we carried out an internal audit to make sure that all the data, all derivatives, and all backups had been deleted, and gave Facebook a certificate to this effect," the statement said. "We are now undertaking an independent third-party audit to demonstrate that no GSR data remains in our systems."
The disclosure comes one week before Facebook CEO Mark Zuckerberg is set to testify for the first time before Congress. The billionaire CEO is set to testify before the House Energy and Commerce Committee on April 11, where he'll discuss how the company protects user data.
During a rare hour-long call with reporters, Zuckerberg answered questions about the latest disclosures and how Facebook plans to correct course after the biggest scandal of its 14-year existence.
Throughout the call, Zuckerberg acknowledged several times that he has made mistakes, but when asked by NBC News whether he was the best person to continue running Facebook, he said: "Yes."
"I think life is about learning from mistakes and figuring out what to do to move forward. A lot of people ask what I'd do differently," he said. "The reality of this is when you're building something like Facebook, there are going to be things you mess up. I don't think anyone is going to be perfect, but I think everyone should learn from mistakes and continuing to be better."
Zuckerberg said that includes "building things people like and make their lives better."
"I'm the first to admit I didn't take a broad enough view," he said. "Billions of people do love our service, build relationships on a day to day basis. I'm proud of our company."
With strict data privacy regulations taking effect in Europe next month, Zuckerberg pledged that the same settings will be available to everyone around the world - but said the settings pages may look different.
He also said it is "not enough to just give people a voice" and that Facebook has a duty to make sure "people aren't using that voice to hurt or spread misinformation."
Zuckerberg also said he wanted to clear up any misperceptions about what Facebook actually does with user data.
"People put the information there themselves," he said. "We haven't been able to quit this notion for years that we sell data to advertisers. We don't."
"Even if we wanted to, it wouldn't make sense to," he said. "[We] could do a better job to make these things understandable: The way we run this service, we share information and use that to help people connect and we run ads to make it a service that everyone can afford."