The data on millions of Facebook users that a firm wrongfully swiped from the social network probably has spread to other groups, databases and the dark Web, experts said, making Facebook's pledge to safeguard its users' privacy hard to enforce.
Facebook chief executive Mark Zuckerberg said Wednesday that the company will notify users whose data may have been taken by Cambridge Analytica, a political marketing firm that worked for the Trump campaign.
Cambridge Analytica obtained the data of an estimated 50 million users in 2014 and 2015 under false pretenses, breaking Facebook's rules. Zuckerberg said that Facebook, the world's biggest social network, has taken steps to ensure that data on millions of its users does not get into the wrong hands.
But Paul-Olivier Dehaye, a privacy expert and co-founder of PersonalData.IO, said he suspects the data has already proliferated far beyond Cambridge's reach.
"It is the whole nature of this ecosystem," Dehaye said. "This data travels. And once it has spread, there is no way to get it back."
Zuckerberg said Facebook will investigate and audit thousands of third-party developers. Third-party apps could access data on Facebook users and their friends until 2015, when Facebook changed its rules.
Experts question whether the network's push to investigate and audit thousands of third-party developers will yield any real results. Dehaye questioned how Facebook would define which apps merit investigation and what would constitute "suspicious activity."
Facebook said that it conducts manual and automated checks to make sure that developers are complying with its policies. It also plans to expand its bug bounty program so that people can report misuse of data.
Zuckerberg said in interviews Wednesday that the company is investigating reports that independent researchers and dark-web data brokers are trading user data grabbed by the firm Cambridge Analytica.
Frank Pasquale, a professor at the University of Maryland who specializes in algorithms and tech ethics, called this "the runaway data problem," and said there is no way to return the genie to the bottle when it comes to securing data that has been released.
Location and demographic information, which was taken from Facebook, can often be used to tie someone to other data points where the identity was previously unclear.
"The larger [the] data sets you get about individuals, the easier it is to use those to reidentify them in data sets where they think they're anonymous," Pasquale said.
"With a relatively small amount of data points, you can infer an incredible amount of very personal information about people."
Facebook does not know whether other companies have shared or mishandled user data, and a forensic audit is ongoing, Zuckerberg told Wired magazine.
Asked by Wired how confident he was that Facebook data had not gotten into the hands of Russian operatives or other groups, Zuckerberg said, "I can't really say that. I hope that we will know that more certainly after we do an audit."
For many of Facebook's prime growth years, the company gave outside developers access to virtually everything that a user who authorized an app, or her friends, had posted on the social network: her home town, current city, events and location check-ins; her interests, groups and all the pages she'd liked; her relationship statuses with romantic partners, friends and family; her birthday, activities, work history and political and religious affiliations; and her photos, notes and videos.
Facebook changed its rules in 2015 amid concerns over how the data was being used. But for years, other developers had the power to construct the same kinds of massive microtargeted databases that had helped make Facebook so prominent.