[author: Brandy Dorris*]

Since its founding in 2004, Facebook has amassed a user base of 2.23 billion active users. Social media sites, such as Facebook, allow individuals to stay connected with friends and family and instantly share content within their network and online communities. Users share personal information, photos, location information, status updates, and more with their social networks never considering who else might have access to the shared content. Unfortunately, it can take an incident like the Cambridge Analytica breach to make people question how secure their online content really is.

In 2018, it was announced that Cambridge Analytica had come to possess personal data for over 50 million Facebook users through cooperation with a psychology professor from Cambridge University, Aleksander Kogan, who in 2014 developed an app that was targeted toward Facebook users. The app – thisisyourdigitallife – provided users with a personality quiz in exchange for access to their personal data and the personal data of the people in their social network. This was all possible due to the early version of Facebook’s Open Graph API which allowed third-party apps created by external developers to access a personal data as long as permission was granted by the user.

Unfortunately for Facebook, news of this breach came around the same time as the implementation of the General Data Protection Rules (GDPR) which govern how personal data belonging to citizens of the EU can be collected and processed. Among the key protections of the GDPR is the requirement to obtain affirmative consent from an individual to collect his or her personal data and the limitation for data to be collected only for well-defined purposes. Since the thisisyourdigitallife app allowed users to grant access to their friends’ personal data without their friends’ knowledge or consent it is likely that GDPR could play a role in the investigation into the Cambridge Analytica breach.

The Cambridge Analytica data breach is only one example of how personal data can be collected through social media. While social media sites work to revise their data sharing policies and better secure the information that is posted, it is crucial that users are also doing their part to protect themselves and their networks.

Some of the things a user can do to protect their online privacy include:

• Be selective. Only accept requests to connect from people you actually know and groups you trust to protect your information.
• Manage your privacy and security settings. On Facebook you can manage who is able to view different content by default. For a full guide on managing your privacy and security settings for Facebook, please refer to the Facebook help center.
• Understand what you’re sharing. When using a new app or site for the first time, read the privacy and usage agreement. Do not agree to any agreement that requires you to share your personal information with the app or site creator unless it is a trusted source.
• Never share sensitive information online. Sharing your location, address, phone number, credit card information, social security number, etc. online – even if your security settings are in place to keep them private.
• Be aware of linked accounts. Some social media sites will allow you to link to other sites or your phone to share content across all platforms. An example here is if Facebook is linked to your phone, you could be sharing GPS location data without realizing it.
• Manage your accounts. Enable multi-factor authentication when possible, create complex passwords and change them regularly, and disable or close accounts you no longer use.

*Brandy Dorris is a Senior Encompass Content Analytics Platform (EnCAP) Analyst who specializes in data processing, deduplication and culling.  She is based in Encompass's Nashville office and has worked in electronic discovery for five years.