Joe Pinkstone | The Daily Mail

Three million Facebook users had their most intimate details exposed, it has emerged, as a new data protection scandal hits the social network.

A popular personality app failed to provide adequate protection to the ‘anonymous’ data of participants, the latest of a string of security breaches.

The quiz, called myPersonality, collected highly sensitive data – including psychometric test results that reveal how neurotic or extrovert an individual may be.

Investigators found the information was poorly protected for four years and gaining access to it was relatively easy.

Run by the University of Cambridge, the myPersonality site was founded in 2007 and allowed users to take real psychometric tests and obtain their results instantly.

The leaked information gave access to the ‘Big Five’ personality scores of 3.1 million users, according to a report from New Scientist, which broke the news.

These have been defined as openness to experience, conscientiousness, extroversion, agreeableness and neuroticism – sometimes abbreviated to OCEAN.

‘This type of data is very powerful and there is real potential for misuse,’ Chris Sumner at the Online Privacy Foundation told New Scientist.  

More than six million people took part in the study overall, and 40 per cent of these participants decided to share their Facebook profile information with the researchers. 

According to the University of Cambridge’s website for the myPersonality database, this resulted in ‘one of the largest social science research databases in history.’

‘This data was anonymised and samples of it were shared with registered academic collaborators around the world through the myPersonality project,’ according to the site. 

As a result of the leak, 22 million status updates from over 150,000 users could be seen. 

It also showed personal data such as age, gender and relationship status from 4.3 million people. 

Questions have been raised over the robustness of the anonymisation technique employed by the personality quiz. 

After completing the test, each user was ascribed a unique ID which brought together all their information. 

This included age, gender, location, status updates and the results of the personality quiz.

With all the information tied to one ID, finding the name of the person and demolishing anonymity could easily be achieved.

‘You could re-identify someone online from a status update, gender and date,’ said Pam Dixon at the World Privacy Forum.   

The database’s website is now offline, and so are the men involved in the scandal.  

David Stillwell and Michal Kosinski of the University of Cambridge’s The Psychometrics Centre were in charge of the database.  

Aleksandr Kogan, an individual mired in the Cambridge Analytica fallout, was part of the project until 2014.

David Stillwell has removed his Twitter and website in light of the investigation.   

The Information Commissioner’s Office says it is ‘aware’ of the incident and is making enquiries.

The database was a huge academic success, enabling the publication of 45 scientific papers.    

Security flaws, however, rendered the project a data protection catastrophe. 

Access to the database was restricted and people had to register as a collaborator. This resulted in 280 people from 150 institutions formally accessing it.

These included universities and companies such as Facebook, Google, Microsoft and Yahoo. 

Many others were supposedly turned down for a variety of reasons. 

Cambridge Analytica approached the myPersonality database via the formal avenues and was allegedly declined on the grounds of political aspirations. 

However, it transpires that a formal rejection was easily circumvented as, for the last four years, a working username and password have been available online.

New Scientist reports that this login information could be found with a single web search.

This means anyone could have accessed the database, with names and deeply personal information, in less than a minute.  

The credentials were found on GitHub, a publicly accessible code-sharing site.

They have now been removed from the site.   

On April 7, Facebook suspended myPersonality from the platform, pending an investigation.


Communications firm Cambridge Analytica has offices in London, New York, Washington, as well as Brazil and Malaysia.

The company boasts it can ‘find your voters and move them to action’ through data-driven campaigns and a team that includes data scientists and behavioural psychologists.

‘Within the United States alone, we have played a pivotal role in winning presidential races as well as congressional and state elections,’ with data on more than 230 million American voters, Cambridge Analytica claims on its website.

The company profited from a feature that meant apps could ask for permission to access your own data as well as the data of all your Facebook friends.

This meant the company was able to mine the information of 55 million Facebook users even though just 270,000 people gave them permission to do so.

This was designed to help them create software that can predict and influence voters’ choices at the ballot box.

The data firm suspended its chief executive, Alexander Nix, after recordings emerged of him making a series of controversial claims, including boasts that Cambridge Analytica had a pivotal role in the election of Donald Trump.

This information is said to have been used to help the Brexit campaign in the UK.

‘We are currently investigating the app, and if myPersonality refuses to cooperate or fails our audit, we will ban it,’ said Ime Archibong, Facebook’s vice president of Product Partnerships. 

‘If at any time a username and password for any files that were supposed to be restricted were made public, it would be a consequential and serious issue,’ said Pam Dixon.

‘Not only is it a bad security practice, it is a profound ethical violation to allow strangers to access files.’ 

This astounding revelation comes on the back of Facebook suspending around 200 apps as part of its investigation into misuse of personal data on the social network.

In the wake of the Cambridge Analytica scandal, Facebook chief executive Mark Zuckerberg promised an audit of apps that may have accessed ‘large amounts of data’ on the site.

The audit will identify apps that had access to large amounts of information prior to a 2014 Facebook policy change and then investigate those whose behaviour raises concerns, Facebook said.

Writing in a blog post updating on the investigation, Facebook’s vice president of product partnerships Ime Archibong said: ‘We have large teams of internal and external experts working hard to investigate these apps as quickly as possible.

‘To date, thousands of apps have been investigated and around 200 have been suspended – pending a thorough investigation into whether they did in fact misuse any data.’

Mr Archibong said where evidence of data misuse is found, Facebook will ban the apps involved and notify the public using the same tool on its online help centre that told users if their information had been shared with Cambridge Analytica.

‘There is a lot more work to be done to find all the apps that may have misused people’s Facebook data – and it will take time,’ Mr Archibong said.

‘We are investing heavily to make sure this investigation is as thorough and timely as possible. 

‘We will keep you updated on our progress.’

The investigation is one of a series of responses from Facebook following the data scandal, with new tools having also been rolled out to users to provide clearer access to app permissions and privacy settings.

However, the social network is facing continued questions from lawmakers in the UK and US, and Mr Zuckerberg has been threatened with a formal summons to appear before a parliamentary inquiry into fake news after a recent testimony by chief technology officer Mike Schroepfer was labelled ‘unsatisfactory’ after he failed to answer a number of questions from MPs.
