The last week has been devastating for Facebook, with revelations about the Cambridge Analytica data abuse, but also uncontrolled access to people's private information and friend networks by thousands of other developers and apps. There's now a trending #deletefacebook campaign, with instructions on how to clean up if you still have an account. Even Elon Musk is publicly quiting and removing his company pages.

The current focus of the story is two-fold: One the one side, there is the specific case of Cambridge Analytica which misused people's data for targeted political advertisement. Apparently, they were involved in both the British EU exit vote and the 2016 US presidential vote. Although this is clearly manipulative political propaganda, the exposure were in these cases limited, with some hundred thousand to a few million people possibly affected. It is doubtful that their meddling affected the final outcome of either election. However, this part of the story is just the tip of the iceberg.

The much larger issue is that the Facebook "Graph API" which was used by Cambridge Analytica was also available to thousands of other Facebook hosted apps. Facebook actually got concerned these third party developers might steal their whole social graph, and start new social network companies, so access was somewhat restricted around 2014. However, up-until then, the information of millions, or more likely hundreds of millions, of people were downloaded by all kinds of companies.

Yet, even with Facebook's change of policy, the problem persists. Through mobile phone apps, it is still too easy to lure people into granting full access to contact lists and other private data. Once the button is pressed, there is no longer any way to oversee or control what data is sent where. Indeed, once the Facebook part of the story fades away, mobile app privacy and permission settings is likely to be the next fallout. Here Google and Apple will have to answer for their behavior and the lack of user control of their data.

Told you so

It is easy to get up on a high horse and look down on people who are affected by the latest privacy fallout. After all, there have been news, warnings, and even popular fiction about the dangers of loss of privacy and dystopian absolute surveillance since Orewell who published in 1948. Richard Stallman has been writing since the 1980s, and Snowden blew the whistle in 2013. "Told you so", is on the tip of the tongue of anybody vaguely informed.

Yet, privacy and publicity is not a one-size-fits-all matter. What some people find acceptable or necessary to be public, others want to keep private, and visa-versa. Eric Schmidt, Sasha Grey, and Edward Snowden would want very different privacy settings. Crucially, there is not one correct publicity and privacy strategy. It has to be a personal consideration and choice, without absolute directives on what is legally allowed and morally acceptable.

It is therefore futile to wait for government regulation on the matter. There is simply no law or regulation which will solve all possible requirements. In certain cases, law and eager law enforcement can make the matter significantly worse, as in the cases where teenage "sexting" is brought down with the full force of the law. Some jurisdictions are changing the law, but here short term ephemeral communication like in Snapshat is a better technical solution.

Protect yourself

Given that privacy and publicity preferences are personal, what are some steps you can take to make your online presence fit your preference? It has to start with personal reflection on what you want and require, and be articulated into a consistent personal strategy from there on. Adhering to a coherent strategy makes it easier to follow, and easier to explain to others.

Here are some ideas, some might fit you, while other might not.

  • Use a pseudonym: This has been standard practice for authors and artists for ages, and long before Facebook most user accounts were arbitrary nicknames like "john1970". Even if you are not a published writer, your social media publications could well benefit from a modified name. How much you want to alter your name is up to you. Facebook will not allow certain made-up names, but a few spelling mistakes will likely go through the filter. For different accounts, e.g. Twitter, consider if you use a different pseudonym, or the same. It will depend on the goal of your publication.
  • Hide your face: Computer vision and facial recognition has now become so good at matching faces from images, that it has become just as unique an identifier as your name. That is, there is still likely to be some mismatch because some people look alike (or have the same name), but we must assume Facebook, Goolge, and governments has the capability to identify you based on a picture. Not appearing in any picture can be difficult, but you can at least start with not publishing your own selfies.
  • Go ephemeral: Some things are better forgotten, and it is easier to forget if there exists no records. However, till recently, the dogma of the digital information age has been that anything stored can never be deleted. There will always be a copy somewhere. Services which put an expiry date on information is starting to change that. Snapchat has become popular because of that feature, and there is an untapped marked for more expiry features in more services.
    Somewhat ironically, it is standard practice in large cooperations like Facebook and Google to have email and document retention policies with limited duration, usually two to three years, to protect themselves from possible future legal subpoenas.
  • Say no: Deleting your Facebook account has already been discussed. Yet, there are many other apps out there, and they are often in just as good a position to harvest data. Not installing, deleting, or not granting certain access should be simple good digital hygiene for everybody.
  • Use privacy focused tools: Certain tools and apps are not possible to get around if we want to take advantage of the Internet. By now there are many alternatives to the mainstream devices, applications and mobile apps. In the wake of the Snodwen NSA files, there were many good suggestions, and the advice at PRISM-break, named after one of the NSA mass surveillance programs, is just as relevant today.
  • Block ads: Whether it's freedom from political propaganda or manipulative advertising, browsing the web without advertisement is very refreshing. It also makes many websites load much faster. Adblock Plus is an extension available to most desktop and mobile browsers. My personal preference though, is host blocking on DNS level. With some technical know-how, it's an easy install-and-forget procure, with no need to upgrade before you get a new computer or device.
  • Turn off cookies, JavaScript: This one can be a bit extreme, because it makes certain websites less useful, and you'll have to reconfigure the same settings over and over. A good compromise is to automatically delete cookies on browser exit, and install NoScript where you can white-list your trusted sites. But it does take some work, and is far from perfect.
    Just be aware of websites which require you to enter credit card data. Those are best accessed in an incognito (private) window, but with cookies and JavaScript turned on, lest the transaction fails or get stuck due to missing scripts.