If you can’t trust a social network to protect your data, what can you do?
For some in the wake of the Cambridge Analytica scandal, the answer is the hashtag spreading this week: #DeleteFacebook. For others, though, quitting the world’s largest social network isn’t a viable option.
Some use Facebook for their jobs. For many who run an online business, Facebook is essential. For others, it remains the best way to remember birthdays, schedule events, post photos and stay in touch with friends and family across the globe — privacy concerns aside.
So what can you do if you want to protect yourself without deleting your Facebook account? There's no perfect solution, but there are a few steps you can take to keep your account more secure.
What happened with Cambridge Analytica wasn't a data breach in the traditional sense: Facebook was not hacked and its systems were not infiltrated. Instead, Cambridge Analytica, a data-mining firm with ties to the Trump campaign, is accused of purchasing personal information on millions of Facebook users from University of Cambridge psychology professor Aleksandr Kogan.
Kogan had permission to collect data from the 270,000 people who filled out his personality survey through an app he created called “thisisyourdigitallife.” The survey also collected data on respondents’ entire networks of Facebook friends, totaling around 50 million people.
Until Facebook changed its third-party data-sharing rules in 2015, such information-gathering was allowed by the site's Terms of Service. What wasn't allowed was selling the data collected to a commercial entity such as Cambridge Analytica, which allegedly used the information to target political messages. Since the scandal erupted, Kogan and Cambridge Analytica have been banned from Facebook.
"People feel that they were being spied on, and that their data and their privacy is being breached without their consent," said Karen North, a professor of digital social media for USC's Annenberg School for Communication and Journalism.
Though deleting your Facebook account makes a statement, it’s not a permanent solution to protecting your data online, said Gennie Gebhart, a researcher for the Electronic Frontier Foundation, an organization that advocates for free expression and privacy online.
In her opinion, people shouldn't have to delete Facebook. Facebook should do better.
"If you want to use a platform or a service that adds value to your life, you shouldn't have to sell your soul and kiss your privacy goodbye," Gebhart said.
Any time you interact with Facebook — whether you're checking into a location, posting vacation photos, or "liking" a friend's status — you are giving Facebook data. Any time you interact with a third-party developer — games such as FarmVille and apps that show you what your profile photo would look like if you were older or a different gender, or tell you what the most popular song was the year you graduated from high school — you are giving your data to Facebook and to that developer. (Sometimes in ways you might not realize: sharing a post about the most popular song during the year you graduated high school tells Facebook what year you graduated from high school, even if that information isn’t on your profile.)
If you’re done turning your data over to Facebook, it offers two options: Deactivating your account, and deleting your account. Deactivating essentially puts your profile on pause. If you decide later on that you want to use Facebook again, you can reactivate it and all your posts will still be there.
Deleting it is a more permanent solution. After a 90-day waiting period during which Facebook lets you change your mind, your profile ceases to exist. Facebook says it doesn't retain anything you've posted or any information that could identify you. (It does retain de-identified data to track usage.)
Of course, even if Facebook itself deletes your data, that still leaves the third-party apps. Once you disable an app from your profile, Facebook stops sharing your data with it. However, you need to reach out to the app directly to ask its developer to delete the data you have already handed over.
One problem with that: "Basically, there's no enforcement mechanism" to make sure the developer actually deletes your data when you ask them to, said Serge Egelman, the research director of the Usable Security and Privacy Group at the International Computer Science Institute at UC Berkeley. "Facebook just takes it on faith that everyone complies with this and doesn't use data inappropriately, which is obviously ridiculous.”
Facebook says it's trying to change that. In Mark Zuckerberg's statement Wednesday on the Cambridge Analytica debacle, he outlined the steps the company would take to boost enforcement, including an investigation into apps that had access to large amounts of data prior to the company’s data-sharing rule changes and a full audit of apps with "suspicious activity."
Gebhart of the Electronic Frontier Foundation said the changes were a good start, but don’t go far enough. Furthermore, Facebook is asking people to trust it to fix a problem it was responsible for in the first place — something she feels Facebook really hasn’t owned up to.
Overall, she said, the onus should be on Facebook and other tech companies to fix these problems and protect users, and to have full accountability and transparency in doing so.
“You shouldn't have to be a settings wizard and technology expert to enjoy these platforms with security,” she said.
In the meantime, here's what she and other experts recommend to make your data as safe as possible.
Unfriend people you don't know or barely speak to
It's fun to have a high friend count, but as the Cambridge Analytica incident proved, your data could be vulnerable through your network. Weed out anyone you don't really know or haven't spoken to in years.
Be aware of what's publicly available from your profile
Facebook has an option to see what your profile looks like to the public. Go to Settings > Timeline and Tagging > Review > Review what other people see on your timeline, and click View As.
Lock down any information you don't want to be public.
For instance, you might not want anyone and everyone to know your hometown, your marital status, or where you work.
Review which apps have access to your data
If you've been using Facebook for a long time, you've probably enabled a staggering number of apps that you've completely forgotten about. Go to Settings > Apps > Logged in with Facebook and remove anything that doesn't absolutely need access to your Facebook profile.
Deleting those apps means Facebook will no longer provide them with your data, though you have to reach out to the app developer directly to get them to delete the data they already have. Facebook provides you with a link to contact the developer to begin the process.
Disable API sharing
Many websites and apps allow you to sign in with your Facebook account. This means one less password to remember. But it also means Facebook is connected to whatever you're doing in that app or on that site. If you really want to disconnect, disable API sharing by going to Settings > Apps > Apps, Website and Plugins, and click Edit. Disable it.
It’s worth noting that this is something of a nuclear option: Some dating and ride-sharing apps and other sites require you to use a Facebook login as a way of proving you’re really who you say you are. If you disable API sharing entirely, you won’t be able to use them, so you might want to review and revoke permissions on a case-by-case basis.
Lie – or at least limit what you share about yourself
If you’re committed to throwing Facebook and advertisers off your trail, make it harder for them to pin down exactly who you are. Mark Marino, director of the Humanities and Critical Code Studies Lab at USC, says he tells people to create a little noise in their profile. Basically, lie. Make your birthday a different date than it actually is. Tell Facebook you're 100 years old. There's no reason Facebook needs to know your hometown, or which of your friends are actually your family members. A lot of people fill in those fields just because they're there, but they are not mandatory to having a Facebook account.