Facebook and its CEO Mark Zuckerberg are in a whale of trouble and not just because the company has lost tens of billions of dollars in market value in recent weeks.
We now know that during years of essentially policing itself, Facebook allowed Russian trolls to buy U.S. election ads, advertisers to discriminate by race, hate groups to spread fake news and, because facebook shirked privacy concerns, a company called Cambridge Analytica was able to surreptitiously gain access to personal data mined from as many as 87 million Facebook users.
"If I had any inkling that what we were going to do was going to destroy my relationship with Facebook, I would've never done it."
The man who mined that data for Cambridge Analytica is a scientist named Aleksandr Kogan. He's at the center of the Facebook controversy because he developed an app that harvested data from tens of millions of unwitting Facebook users.
Lesley Stahl: The main infraction, the main charge is that you sold the data.
Aleksandr Kogan: So I mean, at the time I thought we were doing everything that was correct. You know, I was kinda acting, honestly, quite naively. I thought we were doing everything okay.
Lesley Stahl: Facebook says that you lied to them.
Aleksandr Kogan: That's frustrating to hear, to be honest. If I had any inkling that what we were going to do was going to destroy my relationship with Facebook, I would've never done it. If I had any inkling that I was going to cause people to be upset, I would've never done it. This was the blindness we had back then.
For someone implicated in the biggest privacy scandal on Earth, Kogan seems incongruously guileless.
Lesley Stahl: Before all this happened, what was your job? And what was your field of study?
Aleksandr Kogan: So I was a social psychologist. I was working as a university lecturer at the University of Cambridge—
Lesley Stahl: In England?
Aleksandr Kogan: In England. And I ran this lab that studied happiness and kindness.
Lesley Stahl: Happiness and kindness (laugh)
Aleksandr Kogan: Yup.
That's a far cry from the adjectives lobbed at him now: sinister and unethical.
Here's what he did: he asked Facebook users to take a survey he designed from which he built psychological profiles meant to predict their behavior.
He failed to disclose that what he was really after was access to their friends, tens of millions of people he could not otherwise reach easily. And that he was doing the survey for Cambridge Analytica, a political consulting firm, that used the material to influence people on how to vote.
The company's then-CEO bragged about their prediction models on stage.
Alexander Nix: By having hundreds and hundreds of thousands of Americans undertake this survey we were able to form a model to predict the personality of every single adult in the United States of America.
Lesley Stahl: Did you get to the point where you were predicting personalities?
Aleksandr Kogan: Yup
Lesley Stahl: And you gave that to Cambridge Analytica?
Aleksandr Kogan: Correct.
Lesley Stahl: What did you think they were going to use it for?
Aleksandr Kogan: I knew it was going to be for elections… And I had an understanding or a feeling that it was going to be for the Republican side.
As political consultants, Cambridge Analytica is hired by campaigns to analyze voters and target them with ads.
In the 2016 presidential election, Cambridge Analytica worked first for the Ted Cruz campaign, then later for Donald Trump, though his campaign says they didn't use the Kogan data.
The Republican benefactors Robert and Rebekah Mercer were Cambridge Analytica's financial backers; Steve Bannon was on the board.
Lesley Stahl: So did you ever meet or hear about Steve Bannon at Cambridge Analytica, the Mercers?
Aleksandr Kogan: Nope.
Lesley Stahl: Jared Kushner? Nothing?
Aleksandr Kogan: And those names would not ever have rung a bell for me, to be honest.
Lesley Stahl: Tell us what you did.
Aleksandr Kogan: So I create this app where people sign up to do a study. And when they sign up to do the study, we would give them a survey. And in the survey we would have just this Facebook log-in button. And they would click the button, authorize us. We get their data-
Lesley Stahl: Authorize us to do what?
Aleksandr Kogan: To collect certain data. We would collect things like their location, their gender, their birthday, their page "likes" and similar information for their friends. And all of this-
Lesley Stahl: But you, did you say you collected information on their friends?
Aleksandr Kogan: We did.
Lesley Stahl: But they didn't opt-in.
Aleksandr Kogan: So they didn't opt-in explicitly.
Lesley Stahl: No, no, no. They didn't opt-in period. The friends did not opt-in.
Aleksandr Kogan: And it seems crazy now. But this was a core feature of the Facebook platform for years. This was not a special permission you had to get. This was just something that was available to anybody who wanted it who was a developer.
Lesley Stahl: How many apps do you think there are, how many developers, who did what you did?
Aleksandr Kogan: Tens of thousands.
Lesley Stahl: Tens of thousands?
Aleksandr Kogan: Tens of thousands.
Lesley Stahl: And Facebook, obviously, was aware.
Aleksandr Kogan: Of course. It was a feature, not a bug.
The feature was called "friend permissions," which Sandy Parakilas, who used to work at Facebook, explains.
Sandy Parakilas: The way it works is if you're using an app and I'm your friend, the app can say, "Hey, Lesley, we want to get your data for use in this app, and we also want to get your friends' data." If you say, "I will allow that," then the app gets my data, too.
Lesley Stahl: What you're saying is I give permission for the friend? The friend doesn't give permission?
Sandy Parakilas: Right. It doesn't feel right when you say it out loud?
Lesley Stahl: No, it doesn't feel right.
Sandy Parakilas: Right.
What Happened After Data Left Facebook
Facebook should've been aware of how this could be abused because they were repeatedly warned, including by Parakilas, who used to be a manager in charge of protecting data at the company. He says he raised concerns years before Kogan built his app.
Sandy Parakilas: I think they didn't want to know. You know, the impression that I got working there is that—
Lesley Stahl: They didn't want the public to know.
Sandy Parakilas: Well they didn't want to know in the sense that if they didn't know, then they could say they didn't know and they weren't liable, whereas if they knew they would actually have to do something about it. And one of the things that I was concerned about was that applications or developers of applications would receive all of this Facebook data, and that once they received it, there was no insight, Facebook had no control or view over what they were doing with the data.
Lesley Stahl: Once the data left Facebook, did Facebook have any real way to find out what happened to it?
Sandy Parakilas: No.
Lesley Stahl: Or was it just gone?
Sandy Parakilas: It was gone.
Lesley Stahl: Wow.
Sandy Parakilas: They could put it on a hard drive and they could hide it in a closet.
Lesley Stahl: Would you say then policing this was pretty impossible?
Sandy Parakilas: It was very frustrating.
Lesley Stahl: Did you bring this to the attention of the higher-ups, the executives?
Sandy Parakilas: Yeah, a number of folks, including several executives.
Lesley Stahl: So were the executives' hair on fire? Did they say, "Oh my God, we have to fix this. We have to do something?"
Sandy Parakilas: I didn't really see any traction in terms of making changes to protect people. They didn't prioritize it, I think, is how I would phrase it.
Lesley Stahl: So would you say that they didn't prioritize privacy?
Sandy Parakilas: Yes. I would say that they prioritize the growth of users, the growth of the data they can collect and their ability to monetize that through advertising. That's what they prioritized because those were the metrics and are the metrics that the stock market cares about.
"I think the real problem is that you've got a company that has repeatedly had privacy scandals. It has repeatedly shown that it doesn't prioritize privacy over the years."
Facebook CEO Mark Zuckerberg turned down our request for an interview. Eventually the company did change its policy - so app developers can no longer gather data from users' friends without their consent.
Facebook's years of failing to protect users' privacy by allowing covert harvesting of so much personal data became the center of the congressional hearings two weeks ago. In his defense, CEO Mark Zuckerberg pointed the finger at one particular app developer.
Mark Zuckerberg: If a developer who people gave their information to, in this case, Aleksandr Kogan, then goes and in violation of his agreement with us, sells the data to Cambridge Analytica, that's a big issue. People have a right to be very upset. I am upset that that happened.
Lesley Stahl: You're a villain in many eyes, the guy who stole data from Facebook and then sold it.
Aleksandr Kogan: The idea that we stole the data, I think, is technically incorrect. I mean, they created these great tools for developers to collect the data. And they made it very easy. I mean, this was not a hack. This was, "Here's the door. It's open. We're giving away the groceries. Please collect them."
Lesley Stahl: Your point, though, I think is that they're singling you out.
Aleksandr Kogan: I think there's utility to trying to tell the narrative that this is a special case that I was a rogue app, and this was really unusual. Because if the truth is told, and this is pretty usual and normal, it's a much bigger problem.
And he says he wasn't hiding anything from Facebook. When Aleksandr Kogan built his app, he posted its terms of service – that's what users agree to when they download an app. His terms of service said this: "If you click 'OKAY' you permit [us] to...disseminate... transfer...or...sell...your….data" even though it was in direct conflict with Facebook's developer policy.
Lesley Stahl: It says plainly in the developer policy, clearly, that you are not allowed to transfer or sell data. It says that. Come on. This was as clear as can be.
Aleksandr Kogan: Understand that now.
Lesley Stahl: You didn't understand that then?
Aleksandr Kogan: I'm not even sure if I read the developer policy back then.
He says that nobody read these privacy sign-offs: not him, not the users who signed on, not Facebook.
Aleksandr Kogan: This is the frustrating bit, where Facebook clearly has never cared. I mean, it never enforced this agreement. And they tell you that they can monitor it. And they can audit. And they'll let you know if you do anything wrong. I had a terms of service that was up there for a year and a half that said I could transfer and sell the data. Never heard a word. The belief in Silicon Valley and certainly our belief at that point was that the general public must be aware that their data is being sold and shared and used to advertise to them. And nobody cares.
How Facebook Responded
Facebook did shut down his app but only after it was exposed in the press in 2015. The company didn't start notifying the tens of millions of users whose data had been scraped until this month. They never took action against this man: Joseph Chancellor, who was Kogan's co-worker.
Lesley Stahl: And where is he today?
Aleksandr Kogan: He works at Facebook.
Lesley Stahl: Wait a minute. Is-- did he have anything to do with the study you did for Cambridge Analytica?
Aleksandr Kogan: Yeah. I mean, we did everything together.
Lesley Stahl: So they've come after you but not someone who did exactly what you did with you.
Aleksandr Kogan: Yes.
Lesley Stahl: And he actually works at Facebook?
Aleksandr Kogan: Correct.
Lesley Stahl: Are you on Facebook?
Aleksandr Kogan: No. They deleted my account.
Lesley Stahl: You can't be on Facebook. You're banned.
Aleksandr Kogan: I'm banned.
Lesley Stahl: And the partner works for them.
Aleksandr Kogan: Correct.
Lesley Stahl: What's wrong with this picture? I'm missing something?
Aleksandr Kogan: Yeah, I mean, this is my frustration with all this, where I had a pretty good relationship with Facebook for years.
Lesley Stahl: Really, so they knew who you were?
Aleksandr Kogan: Yeah. I visited their campus many times. They had hired my students. I even did a consulting project with Facebook in November of 2015. And what I was teaching them was lessons I learned from working with this data set that we had collected for Cambridge Analytica. So I was explaining, like, "Here's kinda what we did. And here's what we learned. And here's how you can apply it internally to help you with surveys and survey predictions and things like that."
Facebook confirmed that Kogan had done research and consulting with the company in 2013 and 2015. But in a statement told 60 Minutes: "At no point during these two years was Facebook aware of Kogan's activities with Cambridge Analytica."
Kogan is testifying before the British Parliament next week. He says he's financially ruined and discredited. Through his ordeal, he says he's come to see the error in the assumptions made by the tech world about Americans' attitudes toward privacy.
Lesley Stahl: Now we all know what you did. Was it right?
Aleksandr Kogan: Back then we thought it was fine. Right now my opinion has really been changed. And it's been changed in particular because I think that core idea that we had – that everybody knows and nobody cares – was fundamentally flawed. And so if that idea is wrong, then what we did was not right and was not wise. And for that, I'm sincerely sorry.
It turns out Kogan has something in common with Mark Zuckerberg: they're both suddenly contrite.
Mark Zuckerberg at hearing: We didn't take a broad enough view of our responsibility and that was a big mistake. And it was my mistake and I'm sorry.
Lesley Stahl: Mark Zuckerberg says that he cares about privacy now?
Sandy Parakilas: I think the real problem is-- is not what he feels in his heart. I think the real problem is that you've got a company that has repeatedly had privacy scandals. It has repeatedly shown that it doesn't prioritize privacy over the years. And you know, when you th-- when you think about that, it's like-- you know, put yourself in the position of, you know, if your partner was cheating on you and they cheated on you 15 times and apologized 15 times-- at some point, you have to say, "Enough is enough. Like, we need to make some kind of a change here."
Produced by Shachar Bar-On. Associate producer, Natalie Jimenez Peel.