
I am a developer of an app that makes use of Facebook friend permissions and have seen the various API changes they have made since 2014.

Applications using Facebook Graph 2.+ (which is the only option since Spring 2015 or so) that access friend data may only access data of friends who have also given consent to your app. So if A and C log into a Facebook app, and A is friends with B and C, the app can only be aware that A and C exist. This is true of legacy and new Facebook applications. It used to be possible to get basically everything about B (name, age, gender, photo, etc.), but that all got shut down when Graph API 1.0 was discontinued. If this is somehow not the case for some Facebook apps that got special permission or there is a hack to get at the data, that would be a huge breach of trust.



They haven't got around that, it's just that this data "breach" happened before 2015 when the old API was removed.


Is this correct? Because all this time I was wondering about this scandal: apparently, this all started because someone had some app or website which got downloaded by a few hundred thousand FB users (who gave access to their info), and somehow they turned that into data of 50M users. And I also am well aware the current FB API doesn't allow you to get info about your friends if only you give permissions to an app. That this "breach" happened some time ago, when API permissions were different, would make a lot of sense to me.


TL;DR (which somehow never gets reported):

Before 2015 Facebook apps could access the data of your friends if you gave them permission. Your friends didn't need to give explicit permission (though there were never-used settings to block access).

Some academic dude made a personality test app that harvested the data from all of the friends of people who used it. He paid lots of people (almost all American) on Amazon's Mechanical Turk to use it and harvested their data and the data of their friends.

He sold that data to Cambridge Analytica. This was in 2012 I think. Facebook removed that version of the Friends API in 2015 so this is no longer possible.


That’s actually the point of my post. I have been developing Facebook apps since the very beginning of the developer platform, but stopped because the new rules were so restrictive that they made apps useless. There is no point to developing social network apps that can’t involve the user’s social network.

Since all apps have these restrictions, I don’t believe that any apps at issue here had special permissions. However, it is possible that they scraped public data and were assisted in being pointed to which data to scrape by the direct profile data they obtained through the apps. Enough friends lists etc. are public to make this potentially beneficial.

No specs have been released about CA’s “psychographic profiling”. We don’t know the extent of the data that they had access to, what data went into it (perhaps it was based on name and friends list only, which are mostly public etc.). So until we know more, we can only assume that these apps had the same constraints that all others do.



