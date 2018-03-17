SAN FRANCISCO — Facebook wants you to know: this wasn't a breach.

Yes, Cambridge Analytica, the data-analysis firm that helped President Trump win the 2016 election, violated rules when it obtained information from about 50 million Facebook profiles, the social-media company acknowledged. But the data came from someone who didn't hack the system: a professor who originally told Facebook he wanted it for academic purposes.

The professor set up a personality quiz using tools that let people log in with their Facebook accounts, and then asked them to sign over access to their friend lists and likes before using the app. The 270,000 users of that app and their friend networks opened up private data on 50 million people, according to the New York Times. All of that was allowed under Facebook's rules, until the professor handed the information off to a third party.

Facebook said it found out about Cambridge Analytica's access in 2015, after which it had the firm certify that it deleted the data. Facebook said Friday that it now knows that Cambridge kept it — an infraction that got Cambridge suspended from the social network. Once that was announced, executives quickly moved on to defending Facebook's security.

“This was unequivocally not a data breach,” Facebook executive Andrew Bosworth said on Twitter. “People chose to share their data with third-party apps and if those third-party apps did not follow the agreements with us/users it is a violation.” Alex Stamos, Facebook's head of security, echoed that argument Cambridge denied doing anything illegal or using the information in the 2016 presidential election campaign. Facebook says it has no way of knowing how or whether the data was used in the Trump campaign.

Facebook's advertising business depends on users sharing their most personal data via its social network. But the company's “not a breach” argument isn't likely to make users feel any safer or more comfortable, especially given that it's already under fire for missing that Russians were purchasing U.S. election ads on the site to sway voter opinions, and running fake accounts disguised as real Americans. The company has also been fending off accusations that it's too slow to notice or react to harmful content.

The latest incident has raised new questions about what technical guardrails Facebook has in place to prevent authorized users from sharing sensitive information, and how much visibility the company has into how outsiders use the data.

Facebook wouldn't comment on those questions, saying only that it has made significant improvements in its ability to “detect and prevent violations” by app developers, such as random audits of applications using its tools to make sure they're following the rules. And it's no longer letting developers who use Facebook's login tools see information on their users' friends.

The disclosure also is an example of Facebook's continuing struggle to anticipate negative consequences of its lack of oversight — in some cases taking action only after things go wrong. The company in the past two years has worked to understand and counteract the spread of misinformation on its site, the use of its automated advertising system for racist targeting, the proliferation of fake user accounts and the spread of violent video.

But when the company tries to explain what it's doing, it grapples with the perception that it's shirking responsibility for its problems, treating them as public-relations snafus instead of serious product flaws.