Cambridge Analytica, the data analytics firm that helped Donald Trump get elected president, amassed a trove of Facebook user data for some 50 million people without ever getting their permission, according to a report from the New York Times.
Facebook is in another awkward situation. The company claims that it wasn’t breached, and that while it has suspended Cambridge Analytica from its service, the social giant is not at fault. Facebook contends that its technology worked exactly how Facebook built it to work, but that bad actors, like Cambridge Analytica, violated the company’s terms of service.
On the other hand, Facebook has since changed those terms of service to cut down on information third parties can collect, essentially admitting that its prior terms weren’t very good.
So how did Cambridge Analytica get Facebook data on some 50 million people?
Facebook’s chief security officer, Alex Stamos, tweeted a lengthy defense of the company, which also included a helpful explanation for how this came about. (He later deleted the tweets, saying he “should have done a better job weighing in,” though you can see screenshots of some of them below.)
Facebook offers a number of technology tools for software developers, and one of the most popular is Facebook Login, which lets people simply log in to a website or app using their Facebook account instead of creating new credentials. People use it because it’s easy — usually one or two taps — and eliminates the need for people to remember a bunch of unique username and password combinations.
When people use Facebook Login, though, they grant the app’s developer a range of information from their Facebook profile — things like their name, location, email or friends list. This is what happened in 2014, when a Cambridge University professor named Dr. Aleksandr Kogan created an app called “thisisyourdigitallife” that utilized Facebook’s login feature. Some 270,000 people used Facebook Login to create accounts and thus opted in to share personal profile data with Kogan.
Back in 2014, though, Facebook also allowed developers to collect some information on the friend networks of people who used Facebook Login. That means that while a single user may have agreed to hand over their data, developers could also access some data about their friends. This was not a secret — Facebook says it was documented in its terms of service — but it has since been updated so that this is no longer possible, at least not at the same level of detail.
Through those 270,000 people who opted in, Kogan was able to get access to data from some 50 million Facebook users, according to the Times. That data trove could have included information about people’s locations and interests, and more granular stuff like photos, status updates and check-ins.
The Times found that Cambridge Analytica’s data for “roughly 30 million [people] contained enough information, including places of residence, that the company could match users to other records and build psychographic profiles.”
This all happened just as Facebook intended for it to happen. All of this data collection followed the company’s rules and guidelines.
Things became problematic when Kogan shared this data with Cambridge Analytica. Facebook contends this is against the company’s terms of service. According to those rules, developers are not allowed to “transfer any data that you receive from us (including anonymous, aggregate, or derived data) to any ad network, data broker or other advertising or monetization-related service.”
As Stamos tweeted out Saturday (before later deleting the tweet): “Kogan did not break into any systems, bypass any technical controls, or use a flaw in our software to gather more data than allowed. He did, however, misuse that data after he gathered it, but that does not retroactively make it a ‘breach.’”
The problem here is that Facebook gives a lot of trust to the developers who use its software features. The company’s terms of service are an agreement in the same way any user agrees to use Facebook: The rules represent a contract that Facebook can use to punish someone, but not until after that someone has already broken the rules.
Facebook is not alone in this world of data sharing. The major mobile platforms like iOS and Android allow developers to collect people’s contact lists with permission. Twitter has a login feature similar to Facebook Login, and so do Google and LinkedIn.
This article originally appeared on Recode.net.