Facebook says more than 600,000 Canadians may have had data shared with Cambridge Analytica

Facebook said Wednesday that an estimated 622,161 Canadians may have had their personaldata shared with the British data analysis company Cambridge Analytica.

Company spokesperson Meg Sinclairtold CBC News the number wasa fraction 0.7 per cent of the 87 million people it now believes may have been affected globally. The majority of those users, nearly 82 per cent, were in the U.S.

At the same time, Facebook describeda much largerdiscovery:that the majority of its 2 billion users likely hadtheir publicly available profile information scraped and collected by unknown actorsin recent years.

Such information would have been visible to friends and strangers alike, butcould have included potentially revealing data such as photos and contact information if a user had not chosen or known to change their settings to private.

The disclosures comein the wake of one of the biggestdata privacy scandals in the company's history.

It was revealed last month that an academic researcher named Aleksandr Koganhad collected information from more than 50 million Facebook users in 2014 using a personality quiz app, and then shared that information with Cambridge Analytica.

The user profile data,which included biographical information, as well as additional personal information, such as the pages eachuser had liked,was used to build psychological profiles that could help Cambridge Analytica's clients mostly political campaigns, includingDonald Trump's presidential bid better target theirads.

It may come as a surprise that a personality quiz created by a British researcher to gather data for use by U.S. political campaigns could come to ensnare so many Canadians. But the incident further underscores how the permissive nature of Facebook's design allowed Kogan to cast a net aswide as he did, collecting data on millions from just 270,000 people who did the quiz.

We didn't take a broad enough view of what our responsibility was, and that was a huge mistake. That was my mistake,- Mark Zuckerberg, Facebook CEO

"We didn't take a broad enough view of what our responsibility was," said Facebook chief executive Mark Zuckerberg in a conference call with reporters. "And that was a huge mistake. That was my mistake."

Addressing electioninterference from organizations in Russia and elsewhere, Zuckerbergsaidthe company didn't initially take the problem and data security seriously enough.

"I think in retrospect we were behind, and we didn't invest enough in it enough up front. We had thousands of people working on security but nowhere near the 20,000 we're going to have by the end of this year."

Zuckerberg said Facebook had made big strides in removing pages by Russia'sInternational Research Agency (IRA) and protecting the integrity of elections, but that he expects the company will never be done rooting out security threats.

"As long as there are people employed in Russia who have the job of trying to find ways to exploit these systems, it's going to be a never-ending battle. You never fully solve security. It's an arms race," he said.

Scraping public profiles

Facebook announced its latest findings alongside new details on its plans to restrict how third party app developers can access user data, which were first announced last week.

Among the changes, "we will also tell people if their information may have been improperly shared with Cambridge Analytica," chief technology officer Mike Schroepfer wrote in a blog post announcing Facebook's latest efforts. The feature will be made available to users next week.

But perhaps more importantly, Facebook also said it was removing the ability for users to search for other users within Facebook using a phone number or email address, because the feature had been abused by "malicious actors" seeking to scrape public profile information.

"Given the scale and sophistication of the activity we've seen, we believe most people on Facebook could have had their public profile scraped in this way,"Schroepfersaid.

Although the feature could be turned off, it was enabled by default. Zuckerbergtold reporters during the conference callthat as a result of this featurea small group of users was makinga high volume of requests for public data from asmany as hundreds of thousands of different IP addresses in order to evade detection, the company had recently discovered.

"I would assume that if you had that setting turned on [...]someone has access to your public information," he said.

Restricting access

Among the other changes introduced on Wednesday:

• Apps can no longer access a list of people attending an event or who have joined a group. Facebook will also have to approve apps that access information posted to pages or groups, and will remove personal information such as profile photos and names attached to posts in the latter.
• All apps that request access to location information (check-ins), likes, photos, posts, videos, events and groups will have to be approved by Facebook. And developerswill have to agree to "strict requirements" though what those requirements entail is not yet clear.
• Developers can no longer access a user's religious or political views, relationship status and details, custom friends lists, education and work history, fitness activity, book reading activity, music listening activity, news reading, video watch activityand games activity.
• If a user hasn't used an app 3months, the developer can no longer accessthat user's information.
• Facebook said it would delete call and message logs older than a year, and would further limit the types of data it uploads, excluding "broader data" such as the time of calls.
• Starting Monday, April 9, users will see a link at the top of their News Feed to a tool where they can see what information they've shared with third party apps.

Schroepfer said the company expects to make more changes in the coming months, but did not elaborate further.