Breaking more than four days of silence, Facebook CEO Mark Zuckerberg admitted mistakes and outlined steps to protect user data in light of a privacy scandal involving a Trump-connected data-mining firm.
Zuckerberg said Wednesday that Facebook has a "responsibility" to protect its users' data and if it fails, "we don't deserve to serve you."
Zuckerberg and Facebook's No. 2 executive, Sheryl Sandberg, have been quiet since news broke Friday that Cambridge Analytica may have used data improperly obtained from roughly 50 million Facebook users to try to sway elections.
Facebook shares have dropped some 8 percent since the revelations were first published, raising questions about whether social media sites are violating users' privacy.
Even before the scandal broke, Facebook has already taken the most important steps to prevent a recurrence, Zuckerberg said. For example, in 2014, it reduced access outside apps had to user data. However, some of the measures didn't take effect until a year later, allowing Cambridge to access the data in the intervening months.
Zuckerberg acknowledges that there is more to do.
In a Facebook post on Wednesday, Zuckerberg said it will ban developers who don't agree to an audit. An app's developer will no longer have access to data from people who haven't used that app in three months. Data will also be generally limited to user names, profile photos and email, unless the developer signs a contract with Facebook and gets user approval.
In a separate post, Facebook said it will inform people whose data was misused by apps. And in the future, when it bans an app for misusing people's data, Facebook promises to tell everyone who used it.
Facebook first learned of this breach of privacy more than two years ago, but hadn't mentioned it publicly until Friday.
The company it is also "building a way" for people to know if their data was accessed by "This Is Your Digital Life," though there is no way to do this at the moment. The app is the psychological profiling quiz that researcher Aleksandr Kogan created and paid about 270,000 people to take part in. Cambridge Analytica later obtained data from the app for about 50 million Facebook users, because it also vacuumed up data on people's friends.
Facebook didn't say how it would inform users if their data was compromised. But it could look similar to the page it set up for users to see if they liked or followed accounts set up by the Russian troll farm Internet Research Agency, accused of meddling with the 2016 presidential elections. This tool, however, doesn't show users if they merely saw —or even "liked"— posts from those pages.
Earlier Wednesday, Kogan described himself as a scapegoat and said he had no idea his work would be used in Donald Trump's 2016 presidential campaign.
Alexandr Kogan, a psychology researcher at Cambridge University, told the BBC that both Facebook and Cambridge Analytica have tried to place the blame on him for violating the social media platform's terms of service, even though Cambridge Analytica ensured him that everything he did was legal.
"Honestly, we thought we were acting perfectly appropriately," Kogan said. "We thought we were doing something that was really normal."
Cambridge has shifted the blame to Kogan, which the firm described as a contractor.
Kogan said Cambridge Analytica approached him to gather Facebook data and provided the legal advice that this was "appropriate."
"One of the great mistakes I did here was I just didn't ask enough questions," he said. "I had never done a commercial project; I didn't really have any reason to doubt their sincerity. That's certainly something I strongly regret now."
He said the firm paid some $800,000 for the work, but it went to participants in the survey.
"My motivation was to get a dataset I could do research on; I have never profited from this in any way personally," he said.
Authorities in Britain and the United States are investigating.
Sandy Parakilas, who worked in data protection for Facebook in 2011 and 2012, told a U.K. parliamentary committee Wednesday that the company was vigilant about its network security but lax when it came to protecting users' data.
He said personal data including email addresses and in some cases private messages was allowed to leave Facebook servers with no real controls on how the data was used after that.
"The real challenge here is that Facebook was allowing developers to access the data of people who hadn't explicitly authorized that," he said, adding that the company had "lost sight" of what developers did with the data.