CubeYou Cambridge-like app collected data on millions from Facebook
CubeYou misleadingly labeled its quizzes "for non-profit academic research," then shared user information with marketers. The scenario is eerily similar to how Cambridge Analytica received unauthorized access to data from as many as 87 million Facebook user accounts to target political marketing.
Like Cambridge Analytica, the company sold data that had been collected by researchers working with the Psychometrics Lab at Cambridge University.
The CubeYou discovery suggests that collecting data from quizzes and using it for marketing purposes was far from an isolated incident. Moreover, the fact that CubeYou was able to mislabel the purpose of the quizzes — and that Facebook did nothing to stop it until CNBC pointed out the problem — suggests the platform has little control over this activity.
Facebook, however, disputed the implication that it can't exercise proper oversight over these types of apps, telling CNBC that it can't control information that companies mislabel. Upon being notified of CubeYou's alleged violations, Facebook said it would suspend all CubeYou's apps until a further audit could be completed.
"These are serious claims and we have suspended CubeYou from Facebook while we investigate them," Ime Archibong, Facebook vice president of product partnerships, said in a statement.
"If they refuse or fail our audit, their apps will be banned from Facebook. In addition, we will work with the UK ICO [Information Commissioner's Office] to ask the University of Cambridge about the development of apps in general by its Psychometrics Centre given this case and the misuse by Kogan," he said. Aleksander Kogan was the researcher who built the quiz used by Cambridge Analytica.
"We want to thank CNBC for bringing this case to our attention," Archibong added.
The revelation comes as Facebook CEO Mark Zuckerberg prepares to answer questions before Congress this week stemming from the Cambridge Analytica scandal. The Senate Commerce and Judiciary committees and the House Energy and Commerce Committee are expected to quiz him on what the site is doing to enhance user privacy, and prevent foreign actors from using Facebook to meddle in future elections.
Since the Cambridge Analytica scandal erupted, Facebook CEO Mark Zuckerberg has claimed personal responsibility for the data privacy leaks, and the company has launched several initiatives to increase user control over their data.
CubeYou's site says it has access to personally identifiable information (PII) such as first names, last names, emails, phone numbers, IP addresses, mobile IDs and browser fingerprints.
On a cached version of its web site from March 19, it also said it keeps age, gender, location, work and education, and family and relationship information. It also has likes, follows, shares, posts, likes to posts, comments to posts, check-ins and mentions of brands/celebrities in a post. Interactions with companies are tracked back to 2012 and are updated weekly, the site said.
"This PII information of our panelists is used to verify eligibility (we do not knowingly accept panelists under the age of 18 in our panel), then match and/or fuse other online and offline data sources to enhance their profiles," CubeYou wrote.
The company's web site currently claims it has more than 10 million opted-in panelists, but the cached March 19 version said it had "an unbiased panel of more than 45 million people globally." (Click the images in this story to make them bigger.)
An ad agency exec who met with the company confirmed CubeYou said it mostly collects information through quizzes.
According to its web site, one of CubeYou's "most viral apps" is a Facebook quiz created in conjunction with the University of Cambridge called "You Are What You Like." It is meant "to predict a user's personality based on the pages s/he liked on Facebook."
Two versions of this app still were active on Facebook as of Sunday morning. The most recent version of this app has been renamed "Apply Magic Sauce," (YouAreWhatYouLike.com redirects to ApplyMagicSauce.com), and existed on the platform as recently as Sunday morning. Another version still called "You Are What You Like" is also available.
Both of those prior versions had similar disclaimers on Facebook about being used for academic research purposes.
In addition, those prior versions were able to get access to information from friends of the people who took the quiz -- as also happened in the Cambridge Analytica case. Until 2015, Facebook allowed developers to access information on Facebook friends as long as the original app user opted-in, a loophole that expanded the database of personal information considerably.
If the original user still remained opted in, CubeYou could theoretically still access their data to this day.
CubeYou and Cambridge U's response
It only collected data from that time and has not had access since June 2015 to data from new people who have taken the quiz, Treu said
He also pointed out that the YouAreWhatYouLike.com website has different -- and looser -- terms of usage than the Facebook terms that CNBC discovered.
The web site says, "the information you submit to You Are What You Like may be stored and used for academic and business purposes, and also disclosed to third parties, including for example (but not limited to) research institutions. Any disclosure will be strictly in an anonymous format, such that the information can never be used to identify you or any other individual user." (Italics added by CNBC.)
He also denied CubeYou has access to friends' data if a user opted in, and said it only connects friends who have opted into the app individually.
Cambridge University said CubeYou's involvement was limited to developing a website.
"We were not aware of Cubeyou's claims on their blog," the University of Cambridge Psychometrics Center said in a statement.
"Having had a look now, several of these appear to be misleading and we will contact them to request that they clarify them. For example, we have not collaborated with them to build a psychological prediction model -- we keep our prediction model secret and it was already built before we started working with them," the institution said.
"Our relationship was not commercial in nature and no fees or client projects were exchanged. They just designed the interface for a website that used our models to give users insight on their [the users'] data. Unfortunately collaborators with the University of Cambridge sometimes exaggerate their connection to Cambridge in order to gain prestige from its academics' work," it added.
'A great place for us to get smart about the consumer'
CubeYou's web site says its customers include global communications firm Edelman, and sports and entertainment agency Octagon. It also works with advertising agencies including 72 and Sunny (which counts Google, Adidas and Coors Light as clients), the Martin Agency (Discover, Geico, Experian), and Legacy Marketing (L'Oreal, Hilton, TGI Fridays), among others.
The site does not say which CubeYou data was used on which projects, but all agencies' testimonials talk about how CubeYou's data has allow more understanding of potential customers.
"CubeYou is a great place for us to get smart about the consumer," one customer testimonial from Legacy Marketing says. "We primarily use Mintel for our research, but there's very little consumer segmentation and I think that the greatest benefit of a tool like CubeYou is you can get highly nuanced data about demographics, psychographics and interests so easily."