Facebook said it would begin rolling out a link starting Monday to let users know if they are among the estimated 87 million Facebook members who had data improperly harvested by Cambridge Analytica. The political data firm is accused of exploiting private social media activity to support its work on behalf of President Donald Trump’s 2016 campaign.
Not coincidentally, Facebook revealed its notification plan as CEO and founder Mark Zuckerberg prepared to testify before Congress about how user data came to be exploited to target and mislead voters. The company has issued multiple mea culpas and announced plans to rectify the privacy breach, although it steadfastly refuses to call it a breach. Data were not hacked or leaked; the information was collected by a third-party app for a personality test that was created by a researcher. About 270,000 Facebook users signed up to take the test, giving their consent to have their data collected. Because of Facebook’s terms of service at the time, the app was also able to collect the data of their friends. The researcher later gave Cambridge Analytica the raw data.
Facebook also announced a research initiative to understand the role of social media in elections. But whether the motivation behind the company’s rush of transparency is publicity driven or not, it raises one very important question: What exactly are users supposed to do if they learn they are among the unlucky 87 million?
We asked several experts precisely that.
1. Get mad(der) and demand the right to be invisible.
Knowing your information was used “accomplishes next to nothing, since there’s nothing you can do about it other than be mad,” according to Serge Egelman, research director of the Usable Security & Privacy group at the International Computer Science Institute, an affiliate of the University of California, Berkeley. Unless, of course, you channel your anger to effect change, he added.
Once information is released, it is impossible to get it back. The European Union has stronger privacy regulations that allow anyone to request that his or her collected data be deleted. Although this is not a perfect solution, it at least helps prevent personal data from being further abused. Of course, the process assumes that users can identify all the recipients of their data, and even then they have to take it on faith that those companies really will delete it.
Egelman said that having similar rights in the U.S. would help make companies more cognizant of how they handle and share personal data, especially if there was proactive enforcement. But, he added, “That still doesn’t really address the fundamental problems in this particular case, which are that the damage is already done and the data shouldn’t have been shared with Cambridge Analytica to begin with.”
Egelman says this is a regulation problem: “If Facebook faced liability for inappropriately sharing data with shady third parties without users’ informed consent, they would be incentivized to prevent companies like Cambridge Analytica from using their platform (or at least be motivated to do due diligence to understand how those companies are using the data they share).”
2. Pay attention to those settings.
Until fairly recently, about the two worst things that could happen to you online were identity theft and getting scammed. But people are also trying to sell us things, and they collect data to do it. They follow our online actions and try to make money off of us by targeting ads to our particular interests. If you spent time shopping for shoes on Zappos, you’ll likely see an ad for Zappos shoes the next time you sign on to Facebook.
The idea that our personal information was used to influence the outcome of an election took this to a new level. It’s what made the Cambridge Analytica scandal so much more egregious. It stretches our collective imagination to ask what else is possible if and when our seemingly harmless information falls into the wrong hands.
There could be good to come of that, said Mari Smith, a Facebook marketing expert. “Don’t panic, but be more aware,” she told HuffPost.
This is the users’ caveat emptor moment, she said, noting that “users can and should take back control of their data.” The information that Cambridge Analytica obtained was information people willingly provided, she pointed out, so now is the time for users to “pay more attention, dig into privacy settings and adjust your settings,” she said.
But still, the episode renewed worries about the role social media has and will have in shaping our lives. On Friday, Jeremy Ashkenas, a computer programmer who created the CoffeeScript and LiveScript programming languages, dug up some Facebook patent applications that hint at what avenues the site may or may not want to pursue in the future. He found applications for “generating business insights using beacons,” whereby Facebook could dig deeper and decide what it is about you that specific businesses might like to know. For a restaurant, it could be “food allergies and favorite foods.” For a bookstore, “a list of books recently read.” In other patent applications, Facebook indicates that it wants to figure out how to track your location when your GPS is off. Still other prospective patents would help Facebook analyze the words you use when describing politicians, note your proximity to stores you have shown an interest in, and maintain a list of people you know and/or engage with. Some would simply help Facebook “know” you better by inference rather than user action.
If this list unnerves you, it’s all the more reason to keep your information close to the vest.
3. Understand privacy policies, and stop blindly accepting them.
Remember that you aren’t required to give all your personal information in your social media profile, so don’t. Anything you can do to make it harder for data miners to piece together information on you, the better, said Theresa Payton, a national cybersecurity expert who served in the White House and now manages her own cyberprotection company.
Stop blindly accepting privacy policies when downloading apps or third-party features and understand that services offered free are often not: You are paying the price with your privacy, said Jakub Kokoszka, managing director of Usecrypt, a privacy service with eight layers of security.
But privacy policies are notoriously hard to read and are often intentionally very ambiguous, said Egelman, whose research has shown that these disclosures “utterly fail at achieving informed consent,” he told HuffPost. For instance, when your phone asks for your permission to share location data with an app, it doesn’t specify the circumstances under which that data will be shared, nor does it disclose all the third parties. It is “patently absurd” to think that when a user clicks the “allow” button, he or she really understands both the context of the request and all of its ramifications, Egelman said.
The solution? Just don’t agree unless you really understand it!
4. Don’t rely on Facebook for news.
Anyone remember the movie “Wag the Dog,” in which a spin doctor and a Hollywood producer fabricate a war in order to cover up a presidential sex scandal shortly before an election? Who before 2016 had ever even dreamed about fake news?
Fake news matters, and much of it was spread via Facebook. A Politico analysis found that Trump struggled in the election against Hillary Clinton in places where more people were subscribers to news outlets.
If less-than-savory firms can use your data to target you on Facebook in a bid to change your mind or influence your choices ― and clearly they can ― then you shouldn’t be relying on Facebook to feed you news and critical information. Make sure the only person making your decisions is you.
5. Run your own digital ship more tightly.
We’ve all been annoyed with the common advice to regularly change our passwords and not reuse them. Well, maybe hearing it again ― this time on the heels of learning your private information was used to help get Trump elected ― will make a difference. Add an underscore to the change-your-password advice, because it comes from Payton.
While you’re at it, change your password frequently across all social media platforms, Payton said, not just Facebook. Although scoring passwords wasn’t at the root of the Cambridge Analytica mess, there is no limit to what might happen in the future when it comes to data mining.
She also recommends consumers use separate “burner” emails for social media accounts and all online accounts. While the world may have been educated about burner phones on “The Wire,” burner emails generally aren’t used to scam or rip anyone off. Quite the opposite, it’s an email address that you use with the intention it will one day be deleted. Use it whenever you don’t want to use your main email address, and keep it empty in terms of personal information about yourself.
In the same vein, Payton also recommends using a different phone number, like Google Voice, instead of your personal cellphone.
Cybercriminals are very savvy about how they can piece together different bits of information in order to get the data needed to do the most damage, she said.
6. Keep an eye on your money.
Suspicious financial transactions, like several withdrawals that are very low dollar amounts, can signal criminal activity. Consumers should also check their credit report to see if anyone has opened new accounts in their name. While Facebook doesn’t consider the Cambridge Analytica situation a breach, there are significant risks involved with mined data being mishandled. Risk to reputation is the biggest, with financial and identity damages being the hardest to remedy.