Case Study 2: The Cambridge Analytica Scandal in Historical Perspective

Category: Research/Event Analysis (Category B) Estimated Time: 60-90 minutes Connections: Sections 2.5 (The Internet Revolution), 2.6 (The Big Data Era), 2.8.1 (Four Recurring Dynamics)

The Situation

In March 2018, investigative reports by The Guardian and The New York Times revealed that Cambridge Analytica, a British political consulting firm, had harvested the personal data of up to 87 million Facebook users without their knowledge or meaningful consent. The data had been collected through a personality quiz app called "thisisyourdigitallife," developed by academic researcher Aleksandr Kogan. Only about 270,000 users installed the app. But Facebook's API at the time allowed the app to access not only those users' data but also the data of all their Facebook friends — multiplying the reach by orders of magnitude.

Cambridge Analytica used this data to build psychographic profiles of American voters, which it claimed could be used for targeted political advertising. The firm worked on the 2016 Trump presidential campaign and was linked to the Vote Leave campaign in the 2016 Brexit referendum. The scandal triggered a global reckoning over data privacy, platform accountability, and the vulnerability of democratic processes to data-driven manipulation.

But the Cambridge Analytica story, for all its novelty, is deeply embedded in the historical patterns traced throughout this chapter. The scandal was not an aberration — it was the predictable consequence of dynamics that had been building for centuries, accelerated by the specific architecture of the surveillance business model.

Key Actors

Cambridge Analytica and SCL Group

Cambridge Analytica was a subsidiary of the SCL Group (Strategic Communication Laboratories), a British behavioral research firm with a history of political campaigns and military contracts in developing countries. SCL had used data-driven influence operations in elections across the Caribbean, Africa, and Asia before turning its methods toward Western democracies. The company's CEO, Alexander Nix, boasted in undercover recordings about the firm's capacity for entrapment, disinformation, and voter manipulation.

The firm's intellectual foundation rested on research into the "OCEAN" personality model (Openness, Conscientiousness, Extraversion, Agreeableness, Neuroticism), which it claimed could predict voter behavior and vulnerability to specific messaging. Whether these psychographic targeting methods actually worked as advertised remains contested by data scientists — but the attempt to use personal data for individualized political manipulation was itself significant.

Facebook

Facebook's role was not that of a conspirator but of an enabler. The platform's API design — which allowed third-party apps to access friends' data without those friends' consent — was a deliberate architectural choice made to encourage app development on the Facebook platform. When Facebook learned in 2015 that Kogan had shared the data with Cambridge Analytica (violating Facebook's terms of service), the company demanded that the data be deleted but did not verify that the deletion occurred, did not notify affected users, and did not disclose the breach to regulators.

Mark Zuckerberg's initial response minimized the severity of the situation. It was only after sustained media pressure, a 5% drop in Facebook's stock price, and the prospect of regulatory action that the company took more substantive steps. Zuckerberg testified before Congress in April 2018, and Facebook ultimately paid a $5 billion fine to the Federal Trade Commission in 2019 — the largest privacy penalty in U.S. history at that time, though critics noted it represented roughly one month of Facebook's revenue.

Aleksandr Kogan

Kogan, a psychology researcher at the University of Cambridge, developed the quiz app that collected the data. He transferred the data to Cambridge Analytica in violation of both Facebook's terms of service and the ethical protocols governing his academic research. Kogan later argued that what he did was common practice among academic researchers using Facebook data and that Facebook's own data practices were far more extensive than anything he had done.

The Users

The 87 million Facebook users whose data was harvested had, in the vast majority of cases, no idea it had happened. The 270,000 users who installed the quiz app had consented to sharing their own data with the app — though the consent was buried in terms of service. The millions of their friends whose data was also collected had not consented at all. They were, in the language of this chapter, data subjects who did not know they were data subjects.

Historical Echoes

The Colonial Census Parallel

The Cambridge Analytica scandal echoes the colonial census dynamics discussed in Section 2.2. In both cases, a powerful institution classified a population into categories without the population's knowledge or consent, and those classifications were used for purposes the population did not endorse — resource extraction in the colonial case, political manipulation in the Cambridge Analytica case.

The psychographic profiles that Cambridge Analytica built are a modern form of the classification systems that colonial administrators imposed on colonized populations. In British India, the census hardened fluid social identities into rigid categories that could be administered. On Facebook, the OCEAN personality model reduced the complexity of human psychology to five variables that could be targeted. In both cases, the classification served the interests of the classifier, not the classified.

The Punch Card Logic

Like IBM's punch card systems, Facebook's data infrastructure was not designed for the specific abuse Cambridge Analytica committed. Facebook built its API to facilitate a thriving app ecosystem that would keep users on the platform and generate more data for advertising. But the same infrastructure that enabled social gaming apps and personality quizzes also enabled large-scale data harvesting for political manipulation. The dual-use dynamic (Section 2.8.1) is unmistakable: the same platform feature that connects friends also exposes friends to third-party data access.

The Governance Lag

The Cambridge Analytica scandal is a textbook illustration of the governance lag. Facebook launched in 2004. The Cambridge Analytica data was harvested in 2014. The scandal broke in 2018. The FTC fine came in 2019. The EU's General Data Protection Regulation — which would have made the data harvesting illegal under European law — took effect in May 2018, literally weeks after the scandal broke. In the United States, no comprehensive federal data protection law existed (and as of this writing, still does not). The governance gap between what was technically possible and what was legally prohibited was wide enough to drive a political operation through.

The Burden Falls Downward

Whose data was harvested? Overwhelmingly, ordinary users — people who used Facebook to share family photos, connect with friends, and follow news. Who profited? Cambridge Analytica's clients, political campaigns with the resources to hire data consultants, and Facebook itself, which had built the data infrastructure that made the harvesting possible. The asymmetry between the data-rich (the platforms and their political clients) and the data-poor (the users) reproduced the same pattern visible in every era the chapter examines.

What Was New

While the historical echoes are instructive, the Cambridge Analytica scandal also introduced genuinely novel elements.

Scale and speed. Colonial censuses took years to administer and analyze. The Cambridge Analytica data was harvested from 87 million people through a single app in a matter of weeks — a compression of time that would have been unimaginable in any previous era.

The "friend of a friend" problem. Previous data collection systems required some interaction between the collector and the subject — a census enumerator knocked on your door, a credit agency processed your loan application. The Facebook API allowed data to be collected about people who had never interacted with the collecting party at all. This is a fundamentally new form of information asymmetry.

The weaponization of intimacy. Facebook data was powerful precisely because it was intimate — likes, shares, comments, and relationship statuses that revealed political leanings, personality traits, and emotional vulnerabilities. Previous political campaigns used demographic data (age, zip code, party registration). Cambridge Analytica aspired to use psychological data — what makes you angry, what makes you afraid, what makes you click.

The blurred line between advertising and manipulation. All political advertising seeks to persuade. But Cambridge Analytica's approach — designing individualized messages calibrated to exploit specific psychological vulnerabilities — raised questions about whether targeted political advertising crosses a line from persuasion into manipulation. This question had no precedent in earlier data governance debates.

The Governance Response

The Cambridge Analytica scandal accelerated several governance developments:

• GDPR enforcement. The EU's General Data Protection Regulation, already enacted, gained urgency and public support. The scandal validated the regulation's emphasis on consent, data minimization, and the right to be informed.
• The FTC settlement. Facebook's $5 billion fine, while criticized as insufficient, established the precedent that platform companies could face financial consequences for data protection failures.
• Platform API restrictions. Facebook dramatically curtailed third-party app access to user data, closing the specific vulnerability that Cambridge Analytica had exploited.
• Whistleblower recognition. Christopher Wylie, a former Cambridge Analytica employee who disclosed the data harvesting to journalists, became a prominent figure in the movement for data rights — demonstrating the power of individual actors within the governance ecosystem.
• Public awareness. Perhaps most significantly, the scandal made "data privacy" a mainstream political issue. The #DeleteFacebook movement, Congressional hearings, and sustained media coverage shifted public understanding of the data economy in ways that years of academic warnings had not.

But the governance response also illustrated the lag's persistence. Cambridge Analytica shut down in May 2018, but its methods were already being replicated by other firms. Facebook restricted its API, but the company continued to collect and monetize user data on a vast scale. The FTC fine was large but not structurally transformative. And the United States still lacks a comprehensive federal privacy law.

Discussion Questions

1. Consent and Architecture. The 270,000 users who installed Kogan's app clicked "agree" on a terms-of-service page. Their 87 million friends did not consent at all. How should we think about consent when platform architecture allows data to flow beyond the original consent relationship? Is there a meaningful way to implement consent in networked environments?

2. The Efficacy Question. Some data scientists argue that Cambridge Analytica's psychographic targeting didn't actually work — that its effects on the 2016 election were negligible. Does the efficacy of the manipulation matter morally, or is the attempt to manipulate voters using private data sufficient grounds for concern?

3. Platform Responsibility. Facebook built the API that enabled the data harvesting, profited from the data economy it created, and failed to act when it learned of the violation in 2015. But it did not commission the data harvesting and was not a party to Cambridge Analytica's political work. How should we assign responsibility among the platform, the app developer, the political consultancy, and the political campaigns that hired them?

4. Historical Analogy Assessment. This case study draws parallels between the Cambridge Analytica scandal and colonial census-taking, IBM's punch card systems, and the surveillance business model. Which of these analogies do you find most illuminating? Are any of them misleading? What do the analogies reveal, and what do they obscure?

5. Systemic vs. Individual Response. After the scandal, millions of users considered deleting Facebook. Is individual action (deleting your account) an adequate response to systemic data governance failures? What structural changes would be more effective?

Mini-Project Options

Option A: Data Flow Mapping. Using publicly available information, create a visual map of how data flowed in the Cambridge Analytica scandal — from Facebook users, through the quiz app, to Kogan, to Cambridge Analytica, to political campaigns, to targeted voters. At each stage, identify what consent mechanisms existed (if any), what governance mechanisms applied (if any), and where the flow could have been interrupted.

Option B: Comparative Governance Analysis. Research how three different jurisdictions (e.g., the United States, the European Union, and one additional country of your choice) responded to the Cambridge Analytica scandal through legislation, regulation, or enforcement action. Compare the speed, scope, and effectiveness of each response. What does the comparison reveal about different approaches to data governance?

Option C: Modern Echoes. Research a post-2018 case in which personal data was used for political targeting or influence operations (e.g., in elections in Brazil, India, the Philippines, or other contexts). Write a 1500-word analysis comparing the case to Cambridge Analytica: What was similar? What was different? Did the governance reforms prompted by Cambridge Analytica make a difference?

References

• Cadwalladr, Carole, and Emma Graham-Harrison. "Revealed: 50 Million Facebook Profiles Harvested for Cambridge Analytica in Major Data Breach." The Guardian, March 17, 2018.
• Confessore, Nicholas. "Cambridge Analytica and Facebook: The Scandal and the Fallout So Far." The New York Times, April 4, 2018.
• Wylie, Christopher. Mindfck: Cambridge Analytica and the Plot to Break America*. New York: Random House, 2019.
• Zuboff, Shoshana. The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power. New York: PublicAffairs, 2019.
• Laterza, Vito. "Cambridge Analytica, Independent Research and the National Interest." African Affairs 120, no. 478 (2021): 119-138.
• ICO (Information Commissioner's Office). Investigation into the Use of Data Analytics in Political Campaigns. London: ICO, November 2018.
• Federal Trade Commission. "FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook." Press release, July 24, 2019.
• Isaak, Jim, and Mina J. Hanna. "User Data Privacy: Facebook, Cambridge Analytica, and Privacy Protection." Computer 51, no. 8 (2018): 56-59.