Mind your data: individuals and organisations
We can’t foresee how the data that we share via the internet might be used. That's an issue.
An app using Facebook Login harvested data from 50 million Facebook profiles. According to Facebook, the app created by Dr Aleksandr Kogan was used by approximately 270,000 people.
The data was passed to Cambridge Analytica, a firm that does political, government and military work around the globe.
We don’t yet understand how Cambridge Analytica used the data. However, according to The Guardian, it may have been used to influence the European Union Referendum and in support of the Trump Presidential campaign.
It suggests that correlations between seemingly unrelated issues and topics provide an indicator of political affiliation that can be used as the basis of ad targeting.
Here’s the issue. This wasn’t a hack. Users knowingly shared their data. Facebook has known about the issue since 2015.
Data is porous
Every interaction we have with a machine leaves an audit trail of data that can be shared via a direct message, email or memory stick. There’s the rub. We knowingly share personal data with social media platforms such as Facebook.
Trust in the platform is likely to have been dented by this latest revelation, especially among tech-savvy users, but the fact is that Facebook has become a utility. We willingly trade our data for the ability to stay connected with friends and family.
You can download all the data that Facebook has about you (select settings > download personal data). It takes Facebook around 30 minutes to create a file and email you a link to download.
The file contains every post, interaction and relationship that you’ve ever shared on the platform. It lists the companies that hold data about you and the advertisers that have targeted you with ads.
No one in a discussion on my Facebook feed was surprised by the revelations in The Guardian and no one said that it was likely to change the way that they used social media, although the share price is down 6.5% to $173 today.
Mind your data
What we are currently unable to foresee, let alone understand, is how our personal data might subsequently be used or abused.
The case strikes at the heart of the upcoming European Union General Data Protection Regulation (GDPR) legislation, which calls on organisations to have robust data management and security policies.
In this instance users connected to people involved in a research study had their data harvested. Legislators in Brussels, London and Washington are rightfully concerned about the impact on democracy.
The challenge is that we are reliant on the services we use to have an assertive approach to data security. There’s a clear conflict when a business model is predicated on that data.
I look forward to the day when I can manage my own data and grant access via technology such as blockchain.
Personal security policy
Here are five things that I’d recommend that you do to secure your social media accounts. It’s good housekeeping.
- Implement two-factor authentication – this requires use of a second device to authenticate access to your account
- Limit apps that have access to your account – this is the primary way in which data is shared outside the platform
- Download your data – access your data so that you understand what is being stored. It will almost certainly prompt you to rethink your personal security
- Cull your networks – have a proactive attitude to managing your network connections; both reciprocal connections in networks such as Facebook and LinkedIn and one-way networks such as Instagram and Twitter
- Take a proactive attitude to security management – proactively manage your security when you publish content to your networks
Organisations and data management
GDPR is a set of rules, designed to unify data protection legislation, that will be enacted across the European Union (EU) in May 2018.
Here’s a summary of the steps that organisations should be taking to ensure that they are GDPR compliant. It was originally created by ResponseSource founder and chairman Daryl Willcox for an article on my blog.
Publish a data protection policy that explains what data you hold, what you do with it and who you share it with. It should explain clearly how requests to reveal, change or delete data are handled and give an overview of how you keep data secure.
Make sure your IT systems and internal security processes are up to current good practice and your suppliers are compliant. Review regularly.
Live and breathe respect for people’s data. Ensure your team understands the spirit of GDPR so they can make the right judgements in terms of keeping people informed about how their data is used and the importance of data accuracy and security. Crucially, abide by your data protection policy.
Sarah Hall is my partner.