Facebook Is Working Like It's Supposed To (And That's the Real Scandal)

Since the scandal involving Facebook and the political consulting firm Cambridge Analytica broke last Saturday (March 17), I've made a couple of media appearances and spoken to many friends and acquaintances about the issue.

Facebook CEO Mark Zuckerberg at the 2011 G8 summit in France. Credit: Frederic Legrand - COMEO/Shutterstock

Everyone has the same questions: How could Facebook let this data breach happen? Does this mean that other people have my Facebook data too?

There's only one answer to both questions: This is not a data breach, and other people do have your data, because collecting data on millions of users and then sharing that data with third parties is exactly how Facebook works.

"This is exactly Facebook's business model," Chester Wisniewski, a senior security analyst at Sophos, told Tom's Guide. "Except they want to be the ones doing the analytics and making all the money."

The only thing that went wrong here is that the university researcher who collected the data from 50 million Facebook users, and was supposed to use it only for scientific purposes, then turned around and sold that data to Cambridge Analytica for reportedly just under 1 million pounds (about $1.6 million in 2014).

That sale violated Facebook's terms of service. Facebook had let the university researcher have that data for free, since he was ostensibly using it for non-commercial reasons. It wasn't happy that he, not Facebook, was the one who profited from it.

Yup, you're still the product

Here's my I-told-you-so moment. For years, I and many other people concerned about security and privacy have been ranting like Old Testament prophets about how Facebook is a huge privacy-sucking machine.

"We have been warning people since Facebook began that it is no MySpace," Wisniewski said. "These guys are out to make a killing, and get you addicted in the process."

Has anyone ever told you that if you get something for free, you're not the customer, you're the product, and that that applies to Facebook? Does it get tiresome to hear that? Sorry, but we mean well. We just wish more people would listen.

"Privacy wonks have been warning the public about the true face of Facebook for years, but no one listened," independent security blogger Graham Cluley told Tom's Guide. "Or at least they listened, and then shrugged and said 'Yeah, but it's fun,' and chose to ignore the truth."

Some people do listen. In January 2011, an earlier incarnation of this website posted a story titled "Why I Quit Facebook — and You Should Too." It got a ton of clicks, although I don't know how many of those people took that advice. (The story is no longer online.)

But other people continued happily logging into Facebook, sharing what they had for lunch, their political opinions, their favorite new songs, their kids' baby pictures, and their birthday wishes to all their friends. And then they didn't log out.

Facebook knows more about you than you do

Facebook knows where you live, when you were born, what you like, what you look like, where you went to school and who your relatives and friends are. It knows everything about them as well. It knows whether you're fighting with your mom, which cousin of yours is expecting a baby and who's going to attend your high-school reunion.

"Most people are blissfully ignorant of how companies like Facebook make money and often chalk it up to 'advertising'," Wisniewski said. "But it goes to far deeper and darker places than that."

Even if you've never signed up for Facebook, Facebook STILL has your data, because it's created a "shadow profile" based on what your real-life friends have said about you on Facebook.

It then throws all that data into a digital grinder that separates Facebook users into profiles categorized by race, gender, income, political beliefs, education, location, musical taste, spending habits and God knows what else. Then it presents those profiles to advertisers and sells ads targeting those profiles.

"Insight about you as a consumer is the new oil," Steve Santorelli, director of outreach and analysis at Team Cymru, told Tom's Guide. "Companies are making a lot of money refining the oil that the Facebook pipes are able to deliver."

If you stay logged into Facebook, and most people do, those ads appear not only on Facebook, but all over the web. If you have a Facebook app on your phone (and you shouldn't), those ads will change as you move around physically.

And so do those dumb Facebook apps

If that's not bad enough, all those stupid games and surveys that you've enabled on Facebook — all the "apps," as they call them — have access to your information too.

An app made it possible for Cambridge Analytica to get data on 50 million Facebook users. Only 227,000 people enabled the app — a survey app called "ThisIsYourDigitalLife" — but Facebook's rather permissive rules at the time let it scrape data from the accounts of almost all of each survey respondent's friends. (Go to Settings > Apps on your Facebook page right now and delete every app you're not actively using.)

"The data that Facebook leaked to Cambridge Analytica is the same data Facebook retains on everyone and sells targeting services around," Maciej Ceglowski, founder of the Pinboard social-media bookmarking service, wrote on Twitter. "The problem is not shady Russian researchers; it's Facebook's core business model of collect, store, analyze, exploit."

Again, this is how Facebook is supposed to work. Thousands of apps have grabbed the same kind of data on you that Cambridge Analytica did. That's true even if you never enabled those apps — it was enough for your friends to have done so. (Facebook has since tightened the rules and now doesn't let apps get as much friends' data.)

"The work that CA is accused of doing — building 'psychographic profiles' based on demographics and online behavior in order to figure out how to segment and market to a vulnerable population — is a succinct description of how Facebook makes money," Ceglowski wrote on Twitter.

In a statement today (March 21), Facebook CEO Mark Zuckerberg said that Facebook would "remove developers' access to your data if you haven't used their app in 3 months."

He also pledged to "reduce the data you give an app when you sign in — to only your name, profile photo, and email address."

That's great, but that doesn't change the overall picture. It doesn't change how Facebook itself uses your data, and nothing in Zuckerberg's statement addressed that.

OK, what do I do now?

So does this mean that you should quit Facebook? Well, honestly, if you rarely use Facebook, or don't see much use for it, then yes. We've got instructions to show you how.

But that's not an option for most people, who use Facebook to keep up on far-flung family and friends. I barely use Facebook, but I need it for work and for staying abreast of groups and party invitations.

"Sadly, despite the #deletefacebook meme going on right now, I'm not expecting any significant exodus from Facebook," Cluley said. "I wonder what it will really take for people to turn their backs on those free services that have hidden costs."

And as Ceglowski and New York Times reporter Sheera Frenkel pointed out on Twitter, Facebook IS the internet for many people in developing countries, in many of which Facebook offers free cellular data as long as users stay signed in.

It's not like Facebook has suddenly gotten more intrusive or is handling your data more carelessly. This scandal has just made many more people realize what's going on behind the scenes with Facebook.

"Nothing fundamental has changed here, other than a little more user awareness of what goes on," Santorelli said. "It comes down to knowledge and managing your own personal privacy settings." (Here's our guide to managing Facebook privacy.)

"If you do not want to deal with that, then you either accept the fact that you are going to be profiled, and likely at least suffer attempts at manipulation," Santorelli added, "or you drop off social media entirely."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.