Facebook may have succeeded in getting Cambridge Analytica to delete millions of users' data in January 2016, but the information based on that data appears to have survived for much longer. The Guardian has obtained leaked emails suggesting that Cambridge Analytica avoided explicitly agreeing to delete the derivatives of that data, such as predictive personality models. Former employees claimed the company kept that data modelling in a "hidden corner" of a server until an audit in March 2017 (prompted by an Observer journalist's investigation), and it only certified that it had scrubbed the data models in April 2017 -- half a year after the US presidential election.
In a response to the Guardian, a Cambridge Analytica spokesperson denied that there was a "secret cache," and said that it had started looking for and deleting derivatives of that data after the initial wipe, finishing in April 2017. It was a "lengthy process," the company claimed.
Facebook has already outlined its stance on the subject. In his testimony to the US House of Representatives, company chief Mark Zuckerberg said that Cambridge Analytica "represented to us" that it had deleted models based on the social network's data. A spokesperson added that Cambridge Analytica claimed all the derivative data was gone in a September 2016 statement from its lawyers. If the scoop is accurate, however, both statements are problematic. Facebook did tell Cambridge Analytica to erase derivatives, but it didn't double-check that Cambridge Analytica had done exactly that. And if Cambridge Analytica's attorneys had testified that the data had been erased by September 2016, why did it just claim the deletion took months longer?
This is partly water under the bridge now that Cambridge Analytica is closing down. At the same time, it underscores just how messy the situation was (and to some degree, still is). Whether or not Facebook was completely diligent in getting on-the-record promises, there was only so much it could do to verify that all aspects of the data were gone. The only certainty is that users and their privacy were caught in the crossfire.