The Facebook data breach is a scandal of our own making. Legally, there's nothing we can do about it.

Users angered by recent privacy scandals may be wondering what legal options they have. The answer is disappointing.
 / Updated 
Image: Facebook CEO Zuckerberg during a town hall at Facebook's headquarters in Menlo Park,
Boycotting Facebook may prevent you from being manipulated on Facebook, but it won’t protect your data elsewhere.Stephen Lam / Reuters file
Get the Think newsletter.

I’ve spent 15 years researching and litigating privacy laws, and I’m still baffled by Facebook’s ever-changing privacy settings.

Facebook users angered by recent privacy scandals involving the social media giant and various consulting firms like Cambridge Analytica may be wondering what legal recourse they have to reclaim their data or protect themselves from data manipulation. Unfortunately, while Facebook’s actions may have been unethical, Facebook has little legal liability when it comes to its users.

Remember those “Terms and Policies” notices from Facebook that we never read, but always clicked yes on? With those clicks, we consented to binding legal contracts that explain how the cost of using Facebook is the ubiquitous collection of our personal details, purchasing habits, and location information for everything we do on Facebook, many things we do on the internet, and an increasing number of things we do in real life.

If Cambridge Analytica was able to harvest your profile data, Facebook essentially blames you and your friends for not properly configuring your privacy settings.

The Facebook user privacy setting to “restrict access to a specific network or friend group” provides less protection than many may have assumed.

In announcing its suspension of Cambridge Analytica from the platform, Facebook stated that, “The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

But users can’t be fully faulted for the confusion. That’s because the Facebook user privacy setting to “restrict access to a specific network or friend group” provides less protection than many may have assumed.

In Facebook’s mystifying privacy dashboard, “profile privacy” settings are different than “application privacy” settings. When you select “Use Now” or “Play Now” on Facebook Apps and Games, you grant the application full access to your public profile information and email address. Prior to the Cambridge Analytica scandal, the default privacy setting for Apps and Games was “Friends”. Thus, the default application privacy settings enabled your friends to give away your profile information (without your knowledge) to the Apps and Games they used.

By analyzing only your Facebook “Likes,” your data can be manipulated to predict your fundamental qualities, including your intelligence and relationship status.

Data taken from Facebook profiles and friends by such apps can include the following information: name, email, gender, birthday, current city, profile picture, and content (e.g., Likes, status updates, events, and public photos). By analyzing only your Facebook “Likes,” your data can be manipulated to predict your fundamental qualities, including your intelligence, personality type, satisfaction with life, gender, age, sexual preference, interests, religion, political views, and relationship status.

On the basis of ten “Likes,” researchers from Cambridge have demonstrated that Facebook knows you better than your work colleagues. After 70 “Likes,” Facebook knows you better than your friends. Accumulate 150 “Likes,” researchers showed, and Facebook knows you better than your parents. Complete 300 “Likes” and Facebook knows you better than your spouse or partner. Record more than 500 honest “Likes” and Facebook can even know you better than you know yourself.

Voter privacy is a legal gray area. Key to Cambridge Analytica’s work with Donald Trump’s presidential campaign is the fact that there are no privacy laws in the United States that directly prohibit political campaigns from buying, selling, or manipulating voter data and personally identifiable information. Without any privacy protections for individuals in the United States, companies such as Cambridge Analytica are able to exploit trillions of bits of personal information about individual voters. And while Facebook has offered a plethora of apologies and suspended the company from its platform, there’s not much you can do about it after the fact.

The Facebook Platform Policy​ clearly prohibits this type of data harvesting, instructing developers, “don’t confuse, deceive, defraud, mislead, spam or surprise anyone.” Facebook’s ​Platform Policy​ also says developers must, “obtain adequate consent from people before using any Facebook technology that allows us to collect and process data about them.”

Users whose data was harvested by Cambridge Analytica may have viable legal claims against the company. Yet, Facebook users ultimately have little recourse against Facebook itself. Third-party developers like Cambridge Analytica agree to Facebook’s Platform Policy​ and thereby, “agree to indemnify and hold us [Facebook] harmless from and against all damages, losses, and expenses of any kind (including reasonable legal fees and costs) related to any claim against us related to your service, actions, content or information.”

The Facebook privacy debacle involving Cambridge Analytica is bad, but its really only the tip of a very big iceberg.

In short, Facebook is contractually off the hook for any improper actions taken by outside companies. This includes if companies want to use all that data to manipulate Facebook users, making the question no longer “how can I protect my own data,” but rather “how can I protect my own data from being used against me?” Again, federal and state privacy laws offer very little protection. Boycotting or deleting Facebook may prevent you from being manipulated on Facebook, but it won’t protect your data elsewhere.

It’s not just Facebook. If you exist in society, your data is collected. All the biggest technology companies track you around the web (i.e., Amazon A9, Google DoubleClick, and Verizon Oath), collect data about your life (i.e., Oracle Data Cloud (Datalogix), IBM Universal Behavior Exchange, and Adobe Audience Manager), and report your credit and financial wherewithal (i.e., Experian, Equifax Workforce Solutions, and CoreLogic SafeRent).

The Facebook privacy debacle involving Cambridge Analytica is bad, but its really only the tip of a very big iceberg. Americans are desperate for meaningful privacy laws to protect their personal information. And these laws should be stringently applied not just to Facebook, but to personal data in all commercial contexts.

Joel Winston (@joelwinston) is a Pittsburgh-based attorney who specializes in privacy and cybersecurity law. He formerly served as a Deputy Attorney General for the State of New Jersey and currently provides global legal and regulatory counsel to technology companies.

Get the Think newsletter.
MORE FROM think