Privacy Archives - ESelfKey
https://selfkey.org/zh/category/privacy/
Self-Sovereign Identity for more Freedom and Privacy

How to Invoke Your Right to Be Forgotten
https://selfkey.org/zh/how-to-invoke-your-right-to-be-forgotten/
Sat, 14 Dec 2019 10:01:48 +0000

The internet is forever, and your personal information is all over it. Try googling your name and see what information comes up. How much of that data is outdated and/or no longer true? If you’re in the European Union, at some point you’ve probably seen the phrase “Some results may have been removed under data protection law in Europe” pop up on Google.

Thanks to a landmark case regarding data privacy, you may have the right to be forgotten (also known as the right to erasure). This means you can have certain results removed from Google and other search engines if you meet the specific criteria. Here’s a guide to how you can take advantage of this law.

What is the right to be forgotten?

Before we dive into how you can remove your personal information from searches on the internet, it’s important to get an understanding of what the rules are. First of all, it is important to note that for now this right only applies to European citizens/residents and only applies to search results in Europe as decided by the European Union’s Court of Justice. The decision to limit the location of search results was only made a couple of months ago, so there is still a chance that it may expand to the rest of the world in time. 

The right to be forgotten came into effect as part of the General Data Protection Regulation (GDPR) in May 2018; however, it actually began four years earlier. In 2014, Mario Costeja Gonzalez took Google to court and won. In the late 1990s, Gonzalez was in the midst of bankruptcy and had to auction his property. At the time, the auction was announced in the local newspaper.

By 2014, Gonzalez no longer had financial problems, but if you searched his name on Google, the newspaper article covering the property auction was the first result. Gonzalez argued that this information was no longer relevant, that he had done nothing illegal, and that it was harming his reputation, and the EU courts agreed. Ironically, there are now hundreds of search results for his name thanks to the case. However, Gonzalez’s case set an important precedent for individual privacy laws.

In the GDPR, the right to be forgotten is outlined in Article 17 as: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”

To break down all of that legal jargon, if you meet a certain set of circumstances then you can request that Google and other search engines remove search results that involve your personal information.

What criteria do you need to meet?

Naturally, not all types of data are included in the right to be forgotten. There are several conditions, but you only need to meet one to qualify. 

The conditions are the following:

  • An organization needs your consent to process your data and you withdraw your consent
  • An organization processed your data unlawfully
  • Your personal data is no longer necessary for the purpose of the organization that originally collected it
  • An organization processed the data of a child
  • An organization used your data for direct marketing and you object to your data being used for that purpose
  • An organization relies on legitimate interests as its justification for processing your data, you object to this processing, and there is no overriding legitimate interest for the organization to continue with the processing

That being said, there are a number of conditions that override your right to be forgotten. They are the following: 

  • Your data is used to perform a task that is being carried out in the public interest
  • Your data is being used for a legal defense or to establish other legal claims
  • Your data is necessary to perform occupational or preventative medicine (this only applies if health professionals are processing your data)
  • Your data is being processed for a purpose that is necessary for public health purposes and serves public interest
  • Your data is being used to exercise the right of freedom of expression and information
  • Your data is being used to comply with a legal ruling or obligation
  • Your data represents important information that serves the public interest (including scientific research, historical research, or statistical purposes) and the erasure of this data would likely halt or impair the progress that was the original goal of the processing

As you can see, there are several ways the right to be forgotten can be negated. Many people wrongfully believe that they can get any search result removed simply because they don’t like it or it’s slightly embarrassing. For example, a business won’t be able to remove a bad review because that is not personal data. The same applies if you run a business under your actual name. If you hold a political office, your personal information will probably stay up because it’s in the public interest.

If you aren’t sure if you meet the criteria for removal, you can still try asking Google to take down the search results you want removed. If you want a result removed and Google does not take it down, it may be worth your time to consult a lawyer to figure out if you are eligible in the first place. Remember, this is only for search results in the EU, so search results elsewhere will remain the same.

How to request a removal

The first step is to identify the information that you want taken down. This requires finding the specific website address (URL) that shows up with your information. Google recommends that you contact the website with your personal information on it directly, as removing search results is not the same as the data actually being deleted. If you aren’t sure how to contact the webmaster, Google has a handy tutorial.

Next, you need to go to this Google page. You will be prompted to fill in a few answers as to where you want the data removed from and why you want it removed. Note that you will need to fill out separate requests for each type of search result (such as a web result, image result, et cetera). You will need to select that you want to remove your personal information from Google’s search results. Don’t worry, one of the reasons for removal is because of European data protection laws. 

The next step is to fill out the provided form. You will need to provide personal information including your name, country of origin, and a copy of an identifying document like a passport or driver’s license. You will also need to outline specifically what search results you want removed (including URLs) and the search term used to find these results. Note that you also need to provide a reason for removal. We recommend that you be as precise as possible and tie your reasoning back into the qualifications we mentioned above.

From there, you will need to wait to hear what Google’s verdict is. The process to remove data is done manually and hundreds of thousands of requests are submitted every year, so it could take some time. It’s important to remember that Google is most likely operating under its own best interest here, so unless you have a really good reason and/or are willing to escalate things further if your case is rejected, Google might just say no. So far, Google has been quite transparent with its processes and has an ongoing transparency report.

If you decide to fight Google’s ruling, your case will be passed on to your local data protection authority. This could take a long time, and it may be a good idea to employ a lawyer at this point.

To date, 43% of requests have been removed, so you have an okay chance of having your information removed. It’s important to remember that this is just the process for Google; other search engines like DuckDuckGo do not offer data removal on the basis of GDPR.

Conclusion - Use discretion

If you truly feel that there are search results about you that contain irrelevant or damaging information that fall within the constraints of the GDPR, we do recommend that you ask for those results to be removed. However, because it only removes search results from Google in the EU, it may not be that useful to you if you work/live in multiple countries.

In any case, if you are serious about pursuing your case to the very end, seeking advice from a lawyer may be worth your time. Be sure that you are working with someone who fully understands the GDPR, especially Article 17.

The right to be forgotten is an important landmark for personal data protection, but it still has a long way to go to be truly effective. It will be interesting to see if other countries follow suit and create similar laws to the GDPR, and how Google reacts. 

The 7 Most Notorious Hacking Groups of All Time
https://selfkey.org/zh/the-7-most-notorious-hacking-groups-of-all-time/
Tue, 10 Dec 2019 14:03:56 +0000

With the rise of computers and ever-changing technology, hackers have become a strong presence in modern society. The very first hackers emerged from MIT in 1969, but back then their main goal was to improve the software and hardware they were working with.

Since then, hackers have evolved and become more malicious. From hacking major companies, to stealing millions of dollars and revealing government secrets, hackers are now a major part of modern society. Here’s a look at the most notorious hacking groups of all time and what they’ve done.

7. Lizard Squad - Active

The Lizard Squad originally announced that it disbanded in 2014, but it actually didn’t go anywhere. This hacking group appears to mostly be run by teenagers and young adults. They have mainly hacked gaming-related services like League of Legends and PlayStation.

The group has claimed responsibility for hacks against Facebook, although Facebook denies that they were ever hacked. In general, the Lizard Squad has a reputation for claiming to have performed hacks when they haven’t actually done anything. They even made a false bomb threat against a Sony executive. The group did manage to hack Taylor Swift’s Twitter account, but nothing came of it.

Several members of the Lizard Squad have been arrested and charged for their activities. However, that hasn’t stopped the group from continuing to hack. Most recently, they attacked the Labour Party in the United Kingdom.

6. Carbanak - Active

Very little information is known about this mysterious hacking group, but so far it has managed to steal millions from banks. Carbanak (also known as Fin7) started in 2013 and has been one of the most successful hacking groups to date. So far, the group has managed to steal $1 billion from banks around the world.

The alleged mastermind behind the group was arrested in 2018 along with two other high ranking members. However, Carbanak has carried on successfully without them. A recent report from Bitdefender alleges that the group is still alive and well. Carbanak’s modus operandi seems to be to remain unnoticeable; so far they have managed to stay in the shadows.

5. Syrian Electronic Army - Active

The Syrian Electronic Army emerged in 2011 as a pro-Assad group of hackers. Given the group’s avid support of the Assad regime, it is widely believed that the group has government ties, and Assad has publicly stated his support of the hacking group.

The hackers have primarily focused on targeting US media outlets and social media pages. The Washington Post was a victim of the hacking group (twice), as was the New York Times. Their most notorious attack was when they hacked the Associated Press’s Twitter account, claiming that the White House was under attack and that then President Barack Obama had been injured.

Over the past few years, the Syrian Electronic Army has stayed out of the headlines as it has focused on targets closer to home. However, in 2018 it was discovered that they have been developing malware for Android phones. To date, only one member of the hacking group has been arrested, while others are wanted by the FBI.

4. Lazarus Group - Active

The Lazarus Group (also known as Guardians of Peace) is a group believed to be run by the North Korean government, and it has been very successful. The hacking group seems to have started in 2009, and mostly uses malware in its attacks.

However, in 2014 the Lazarus Group caught the world's attention when it hacked Sony Pictures in retaliation for the movie The Interview being released. It is also responsible for WannaCry, ransomware that requires users to pay to have their data given back to them.

The Lazarus Group has also had a large amount of success with cryptocurrency. So far they have managed to steal $471 million from different cryptocurrency exchanges, and they are responsible for nearly bankrupting the Japanese crypto exchange CoinCheck. The United States government currently has sanctions placed on the hacking group and has frozen any known financial assets associated with them. 

3. Fancy Bear - Active

While the name may sound cute, this hacking group certainly is not. Fancy Bear (also called Sofacy) is a Russian hacking group that is firmly believed to be working under the Russian government. They tend to target foreign governments, embassies, media companies, defence organizations, energy companies, Russian dissidents, and even the Olympic games.

The hacking group got its start in 2008 when it targeted the Georgian government and has been going strong ever since. Fancy Bear was allegedly responsible for the Democratic National Convention hack prior to the last presidential election in the United States. They have also been responsible for the recent attacks on the German Parliament, and tried to influence the French elections in 2017. The group’s members remain largely unknown, and they show no sign of stopping. 

2. Equation Group - Active

If this name doesn’t sound familiar, you’ve probably heard of the organization it is allegedly tied to - The National Security Agency (NSA). Kaspersky first announced its discovery of the Equation Group in 2015, lauding it as the most advanced hacking group it had seen to date.

The Equation Group only came to light because its members made a number of errors over the years. Given that the group was mostly targeting countries and governments considered to be enemies of the United States (such as Russia and Iran) and that the group seemed to have an unlimited budget, suspicions arose that the Equation Group had government ties.

While it has never been confirmed that this hacking group is working under the NSA, there is strong evidence that it probably is. Obviously, the NSA isn’t going to confirm this connection. Very little is known about the Equation Group, and they likely intend to keep it that way.

1. Anonymous - Inactive

This is probably the most recognizable hacking group on our list. Known for wearing Guy Fawkes masks, the Anonymous group has been behind some of the largest hacks of the 2000s. The group emerged out of 4chan in the early 2000s, and its members are some of the most well-known “hacktivists” to date.

Anonymous has been involved with a large number of hacks including the Church of Scientology, the Occupy Wall Street movement, the Canadian government, the Westboro Baptist Church, ISIS, and many more. While some of the group’s reasoning for their attacks was questionable at best, most people think of Anonymous as a Robin Hood-esque group of hackers, helping to better the world.

What has made the group so successful is that it is largely decentralized; members do not often know the identities of others in Anonymous. Anonymous has been responsible for 45% of all hacks in the last four years; however, the group now seems to be defunct… or at least very quiet.

Honorable Mention: Legion of Doom - Inactive

No list of hacking groups would be complete without The Legion of Doom. This legendary hacking group is no longer active, but it has gone down as the most influential of all time. The group was active from the mid-80s to the early 2000s, but they are mostly known for their work from 1984-1991. The group is also responsible for penning the infamous Hacker’s Manifesto.

At the time, the most common type of hacking was that of phone companies. This included setting up phone lines that could not be billed by phone companies. The Legion of Doom feuded with another hacker group called Masters of Deception, and their battle royale to decimate one another became known as The Great Hacker War. 

In comparison to the hacking we see nowadays, their activities seem very tame, but it was some of the biggest cyber warfare at the time. Most of the members are still largely unknown.

Conclusion

Since hackers emerged, they have become more and more nefarious. Hacking groups have gone from setting up free phone lines to attempting to destroy whole governments. We have certainly seen a rise in government-sanctioned hacking groups. While protection against cyber warfare is a necessity in today’s age, it would be nice to see governments focus more on preventing attacks instead of initiating them.

Individuals are very rarely the targets of hacking groups (unless you are a high profile individual). However, that doesn’t mean there isn’t potential for your personal data to be compromised as the result of a hack. Major companies and social media platforms are amongst the most common targets.

If you’ve been the victim of a data breach or hack (you can check on the website Have I Been Pwned?), it’s important to know what could happen to your personal data afterwards. Most people aren’t able to prevent a hack, but there are a number of things you can do to protect yourself, and it’s vital that you do your due diligence. If anything, hacking groups are only going to become more advanced as time goes on.

What is Federated Identity Management?
https://selfkey.org/zh/what-is-federated-identity-management/
Thu, 05 Dec 2019 13:56:51 +0000

Federated identity management, also known as identity federation, is a relatively new concept that has the potential to change identity management forever. It could also revolutionize how businesses partner together.

In this article we will cover what federated identity management is, how it works, how it compares to single sign-on, its benefits, disadvantages, and the potential applications.

What is federated identity management?

On a very basic level, federated identity management (FIM) is when multiple enterprises let subscribers use the same identification data to obtain access to the services and/or networks of all the enterprises in the group. It has aspects that are similar to single sign-on (SSO), but it is different and we will dive into that later.

With FIM, a user’s credentials are always stored by a core organization - the identity provider. When a user logs into a service, they don’t have to provide their credentials to the service provider. Instead, the service provider trusts the identity provider to validate the user’s credentials. As a result, the user never actually provides their credentials to anyone but the identity provider.

Additionally, when two or more domains or service providers become federated, all a user has to do is authenticate once. They can then access services and resources without having to perform a separate login process for each organization within the federation.

Identity federation offers both economic advantages and convenience to organizations and users alike. For example, if multiple companies can share a single application, everyone will ultimately save due to a consolidation of resources.

However, FIM involves a lot of trust and open communication between partners that choose to make use of it. Companies that are thinking about creating or joining an identity federation need to ensure that they agree upon all factors. Honest communication is a must.

How does FIM work?

Typically, a user will log into their identity provider. Once they have done that, they will initiate a login to a service provider that offers identity federation. Instead of authenticating directly with the user, the service provider requests the user’s authentication from their identity provider.

The identity provider then authorizes the user to the application or service provider, and the user is then permitted to access the service or app. As you can see, the user only needs to have their data authenticated once. 
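
The login flow described above, as an added sketch (not SelfKey's code and not a real federation protocol): the identity provider checks the password and issues a short-lived signed assertion, and the service provider accepts only an assertion that is correctly signed, addressed to it, unexpired, and tied to a login it started. The class names, claim fields and example domains are hypothetical, and an HMAC key shared with each service provider stands in for the public-key signatures that SAML and OpenID Connect deployments typically use.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    """The only party that stores, or ever sees, the user's password."""

    def __init__(self, name):
        self.name = name
        self._users = {}    # username -> (salt, password hash)
        self._sp_keys = {}  # service provider name -> signing key shared with it

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash(password, salt))

    def federate(self, sp_name):
        """Set up trust with one service provider and return its verification key."""
        self._sp_keys[sp_name] = secrets.token_bytes(32)
        return self._sp_keys[sp_name]

    def authenticate(self, username, password, sp_name, request_id, now=None, ttl=60):
        """Check the credentials; return a signed assertion for sp_name, or None."""
        record = self._users.get(username)
        if record is None or sp_name not in self._sp_keys:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _hash(password, salt)):
            return None
        now = time.time() if now is None else now
        claims = {"iss": self.name, "sub": username, "aud": sp_name,
                  "in_response_to": request_id, "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self._sp_keys[sp_name], body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(sig)


class ServiceProvider:
    """Never receives a password; accepts only assertions from its trusted IdP."""

    def __init__(self, name, trusted_idp, key):
        self.name, self.trusted_idp, self._key = name, trusted_idp, key
        self._pending = set()  # login requests this SP started and has not completed

    def start_login(self):
        request_id = secrets.token_hex(8)
        self._pending.add(request_id)
        return request_id

    def consume(self, assertion, now=None):
        """Return the authenticated username, or raise ValueError with the reason."""
        try:
            body_b64, sig_b64 = assertion.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except (ValueError, AttributeError):
            raise ValueError("malformed assertion") from None
        # Verify the signature before trusting any field inside the body.
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("bad signature")
        claims = json.loads(body)
        now = time.time() if now is None else now
        if claims.get("iss") != self.trusted_idp:
            raise ValueError("untrusted issuer")
        if claims.get("aud") != self.name:
            raise ValueError("wrong audience")
        if claims.get("exp", 0) < now:
            raise ValueError("expired")
        if claims.get("in_response_to") not in self._pending:
            raise ValueError("unsolicited or replayed")
        self._pending.discard(claims["in_response_to"])  # one use per login request
        return claims["sub"]


if __name__ == "__main__":
    idp = IdentityProvider("idp.example")  # constructed sample data
    idp.register_user("alice", "correct horse")
    video = ServiceProvider("video.example", "idp.example", idp.federate("video.example"))
    rid = video.start_login()
    assertion = idp.authenticate("alice", "correct horse", "video.example", rid)
    print("logged in as", video.consume(assertion))
```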

How FIM compares to single sign-on

FIM and single sign-on (SSO) have a lot of similarities, but they are different at their core. It’s important to point out that federated identity management gives you SSO, but SSO does not necessarily give you FIM.

Single sign-on allows users to log in to multiple services using the same login credentials. You’ve definitely seen this on the internet, for instance, when you can register or log in using your Facebook, Twitter, or Google account.

However, there are two things that FIM does that SSO cannot, and they make a big difference. Firstly, SSO only allows users to access multiple systems within a single organization, while FIM enables users to log into systems across different organizations. For example, you can use your Facebook account to create an Instagram account because Facebook owns both companies. With FIM, you could be part of an identity federation that includes Netflix, Hulu, and Disney+.

Secondly, FIM is far more secure than SSO. For SSO, your credentials are still being provided to any system that you are logging into. Whereas with FIM, your credentials are only given to your identity provider, no one else. 

FIM certainly relies heavily on SSO technologies to authenticate users across different websites and apps, but it has developed these technologies further. So while FIM does offer users SSO, SSO does not provide all of the same benefits that FIM does.

The benefits of FIM

Naturally, FIM offers convenience for both companies and their users, and it has a number of different applications. For example, organizations that are working together on a project can form an identity federation so that all of their users can share and access resources easily. This allows users to access all resources across domains, and also allows administrators to still control the level of access in their own domains.

Additionally, FIM eliminates the need to create new accounts for each service provider, application and domain. This means that users don’t need to remember all of their different usernames and passwords. A Dashlane study from 2015 found that the average person has 90 online accounts; imagine trying to remember all of your login data for 90 accounts. Password managers are increasing in popularity, but FIM eliminates the need for them altogether. 

Security is also increased with FIM as users only need to provide their data once to an identity provider. Far less information is being passed around, making things like data breaches far less effective. This not only makes user data safer, but also means that companies are not as vulnerable.

FIM also saves companies money. By consolidating their resources, each company is no longer responsible for individual login pages, authentication, data storage, access, et cetera. Things become far simpler for both organizations offering FIM and their users. 

The disadvantages of FIM

While FIM is generally seen as an overwhelmingly good thing, it does have some disadvantages. The first is that setting up an FIM system can be expensive initially. Small businesses and start-ups may not be able to offer FIM because doing so means they will have to modify their existing systems. 

Another challenge is that participating members of an identity federation will need to create policies and security protocols. Each member will have to adhere to these rules, which may cause problems when different companies have different rules and requirements. As we witness FIM becoming more mainstream, we may potentially see different federations competing against each other.

Since an organization can be a member of different federations, they need to follow what could be multiple sets of rules. Following these different policies and procedures may require more time and effort than many companies are aware of. 

We already mentioned that trust is really important to identity federations, and that can be a disadvantage. For example, given Facebook’s history of not caring about user data privacy, they may find that no one wants to form a federation with them. In fact, a fair number of major companies have experienced data breaches, which may make it hard to find someone with adequate safety procedures in place to partner with.

The potential applications of FIM

With identity management becoming an increasingly popular topic, it will be interesting to see if FIM becomes mainstream. From a user perspective, it could be a major player when it comes to protecting personal data.

When we consider how FIM could be used with decentralized identity (DID), things become even more interesting. DID means you only hand over your data to a trusted third party that handles all requests for access and identity. If DID and FIM combine, data becomes even more secure. DID keeps your identifying information safe, while FIM keeps all of your account information protected. Using both together could revolutionize data privacy for the better.

FIM can also be used for companies that are collaborating on projects together or companies that offer business to business (B2B) services. Instead of trying to share data back and forth constantly, all that is needed is an identity federation to allow access to those who need it.

Microsoft is one of the first companies to start using FIM, so it makes sense that they are also proactively working on DID. The US government has also shown interest, and is working on FIM research through the National Institute of Standards and Technology.

Conclusion - A safer future for all

Federated identity management offers benefits to the general population, users, and the organizations that employ it. Things become more streamlined and safer for everyone who makes use of FIM. It will be interesting to see if major companies follow Microsoft’s lead and begin integrating it into their own systems.

While FIM does have some disadvantages, in particular when it comes to cost and time, we think the benefits outweigh them. That being said, it would be nice to see FIM become more accessible to smaller businesses as well as major corporations. We can only hope that it becomes less time and money intensive as it becomes more mainstream. 

Data privacy and protection are a big part of technology’s future, and we think FIM has a major role to play. With 73% of people having increasing concerns over data privacy, it is vital that companies adapt to ensure both consumer protection, and their own data safety. As time goes on, hackers are only going to get better and better at what they do, and organizations of all shapes and sizes need to do their due diligence when it comes to data protection. FIM might not be the complete answer, but it is part of the solution. 

What To Do If Your Identity Has Been Stolen
https://selfkey.org/zh/what-to-do-if-your-identity-has-been-stolen/
Mon, 07 Oct 2019 10:32:19 +0000

Identity theft is an alarmingly common part of modern society. We have probably all received a call from our bank at some point asking us to verify certain purchases. In some cases, identity theft is easy to spot but in others it is more insidious. There are several different types of identity theft. In this article, we will cover the most common types and what you should do if you discover that your identity has been stolen.

Financial Identity Theft

This is by far the most common type of identity theft. A malicious actor may apply for a loan or credit card under your name, or simply gain access to your credit card information and begin making purchases.

For credit card theft and fraud, most of the time your bank will notice a suspicious transaction and give you a call. If you are the one that notices a suspicious transaction, or that you have lost your credit card or had it stolen, the first thing you need to do is phone your bank and report that your card information has been stolen. The bank should immediately cancel your credit card, and issue you a new one. You will want to make sure that you choose a new PIN number that is different from your old one. Contacting the police and filing a report is also a good idea, as is contacting the Federal Trade Commission (FTC) if you are in the US, or the relevant authority in your jurisdiction.

Additionally, you will want to change any other passwords and security questions related to your account. As an extra precaution, you should also change your passwords on any shopping or e-commerce websites that you use and remove your credit card information from there as well. Make sure that your passwords are diverse and complicated; if you need help remembering them you can always use a service like LastPass.

If someone has taken out a loan or opened a credit card under your name, then the steps are a little different. Filing a police report is a must and you will need to submit a report to the relevant authorities. After that, you should contact the lender. Usually, a fraudulent credit card or personal loan can be cleared up pretty quickly. You will then need to contact each of the three national credit bureaus (Experian, Equifax, and TransUnion) to dispute the errors and provide them with the police report and/or a letter from the lender stating it was identity theft.

In the case of a fraudulent student loan taken out in your name, it gets even more complicated as there are major penalties for failing to pay off such a loan. You will need to contact both the lender and the school, and provide them with a copy of the police report. 

Lastly, in order to prevent any type of financial fraud from happening again, you should put a fraud alert on your credit. This will require potential creditors to go through extra steps in order to confirm your identity. If you are in the US, you can do this by calling one of the three national credit bureaus.

Medical Identity Theft

Medical identity theft is when someone fraudulently uses your health insurance information to receive reimbursement themselves. In essence, they get treatment under your health insurance plan. It is less common than other types of identity theft, but it is one of the most damaging. You are probably a victim of medical identity theft if you receive bills for medical services you didn’t receive, notices from collectors for medical debt you don’t have, notices from your health insurance provider that you have reached your benefit limit, or if your medical records show conditions you do not have.

Unfortunately, the whole process of remedying the situation requires a lot of legwork on your part, but it is doable as long as you are patient and aren’t afraid to get on the phone. The first step is to obtain your medical records and look to see if anything is out of place or inaccurate. If possible, call any hospital, pharmacy, doctor, clinic, or health plan that you know the thief used and get records from them. If a provider refuses to release your records within 30 days, you can file a complaint at the U.S. Department of Health and Human Services Office for Civil Rights.

After that, you will need to contact your health insurance plan and medical providers for copies of “accounting of disclosures” for your medical records. This shows you who has copies of your inaccurate medical records and therefore, who you need to contact.

If there is false information on your records, you will need to ask for corrections to be made by your healthcare and medical providers. It is recommended to send copies of your records with errors highlighted, and to send these by certified mail so that you know they have been received.

Lastly, contact your healthcare provider and all three national credit bureaus to report that your identity has been stolen. Most likely, whoever has your medical information also has a lot of identifying information about you, and they may try to commit financial fraud as well. It will be a lot easier if you have a police report to show. As a result, it is recommended to file one.

Fighting this type of identity theft can be a long and difficult process, so we recommend that you keep a close eye on your medical information and file a police report anytime your personal information is stolen, regardless of whether identity theft is immediately committed or not.

Tax Identity Theft

Tax identity theft occurs when someone files a tax return using your identifying information, fraudulently claims your children as dependents, and/or claims your tax benefits. Someone can also use your personal information to apply for a job, which will lead to problems as you may be on the hook for income that you didn’t actually earn. Tax identity theft is one of the most common types of identity fraud.

If you are a victim of tax identity theft, you will need to contact the Internal Revenue Service (IRS) immediately. You will likely be asked to file a police report, fill out a specific form, and send proof of your identity (such as a copy of your passport or driver's license). Next, you should file a complaint with the FTC. They will provide you with an Identity Theft Affidavit, which you will need to hold on to.

In order to file a police report, you will need the Identity Theft Affidavit provided by the FTC, along with proof of theft (such as a notice from the IRS), a government-issued ID, proof of address, and the FTC’s Memo to Law Enforcement. If your local police station refuses to take your identity theft report, you can try filing it as a miscellaneous incident report or go to another police station.

As with most types of identity theft on this list, it is important to contact one of the three national credit bureaus and place a fraud alert on your credit report. Tax identity theft is usually a precursor to other types of identity theft, so it is recommended to freeze your credit at each of the three credit bureaus.

Unfortunately, resolving tax fraud can take months or even years. In order to prevent tax fraud, it is advised to file your taxes earlier rather than later. Most thieves take advantage of the fact that most people do not file their taxes until later in the tax season. 

Child Identity Theft

As briefly covered in tax identity theft, it is common for criminals to steal the identity of your child to do things like claim them as dependents on a tax return, open credit cards or take out loans under their name, apply for government benefits, and more. This is one of the easier ones to spot as you will most likely start receiving mail addressed to your child or children.

The best thing to do in a situation like this is to report it at identitytheft.gov, contact the lender to close out the account, and file a police report to start a paper trail. Thanks to a new provision, you can also freeze your child’s credit to prevent this from happening again. Note that you will need to place a freeze at all three credit bureaus - Equifax, TransUnion, and Experian.

Conclusion

It is extremely important that if you are a victim of identity theft, you take action immediately. In all cases, you should file a police report and put a fraud alert on your credit. Freezing your credit is also advised, especially since you can unfreeze your credit at a later date. The best thing you can do to prevent identity theft is to take proactive action. This can be as simple as monitoring your credit, having complex and varied passwords, or ignoring suspicious emails. You can read more about this in our article on how to prevent identity theft. Unfortunately, identity theft is a problem that is not going to go away, and it is important to take the necessary steps to protect yourself from it. 

Facebook's Worst Privacy Abuses & Data Scandals - Timeline
https://selfkey.org/zh/facebook-data-privacy/
Thu, 09 May 2019 21:34:23 +0000

We're sorry. With a history of privacy abuse stretching back to its launch, it's not hard to understand why. Here, we've provided a history of the biggest mishaps, leaks and breaches.

The social media giant launched in 2004 and has since become an integral part of modern society - registering more than 2 billion monthly users worldwide.

If you follow the news, you’ll know that Facebook came under fire in 2018 for a flurry of leaks, breaches and poor earnings reports. As a result, Facebook lost over $120 billion in market cap, and its user count shrank in Europe.

In fact, Facebook has a long and checkered history of neglecting its users. Let’s look at this claim in more detail.

The Early 2000s - Beacon Shares Purchasing History in the News Feed

Before Facebook had its two-year anniversary, problems regarding user privacy were already emerging. In 2006, Facebook launched the News Feed feature, which shared personal details without users' knowledge or consent. This led to users protesting the sudden privacy violation, especially because the News Feed didn’t have an off-switch.

In late 2007, a program called “Beacon” was launched which illegally shared users’ online purchases from third-party sites on the News Feed. Once again, this was done without knowledge or consent, and a class action lawsuit was filed. Despite eventually paying $9.5 million to settle the lawsuit, Facebook didn’t stop running Beacon until 2009.

2009 to 2014 - The Federal Trade Commission Gets Involved

In early 2009, Facebook made changes to its terms of service stating that users can’t delete their data once they leave the platform. Rather predictably, there was an outcry. Later that year, Facebook revised its privacy policy and privacy settings for users. By doing so, Facebook made a large range of personal information public by default.

As 2011 came to an end, Facebook settled with the Federal Trade Commission (FTC) for privacy charges. According to regulators, Facebook falsely claimed that third-party apps were only able to access data that was strictly needed. The truth was more sinister: third-party apps could access nearly all of the user’s personal data, and Facebook was also openly sharing user information with advertisers.

The FTC filed a number of other complaints, most of which involve Facebook lying to users about who could see their data and giving users a false sense of privacy. Due to these infractions, Facebook agreed to undergo an independent privacy evaluation every other year until 2031.

In 2013, Facebook discovered a bug that exposed private user information. Although Facebook caught it themselves, the bug shared the phone numbers and email addresses of 6 million users. Anyone who knew at least one piece of contact information or who had some type of connection to the person could access the data. In a statement, Facebook said it fixed the bug and notified regulators.

A year later, Facebook drew more negative attention when it allowed an internal group of data scientists to run a mood manipulation experiment on over half a million users. For the experiment, Facebook altered news feeds to show either more positive or more negative posts; its purpose was to show how emotions could spread over social media.

Once the study was published, there was a severe backlash due to the perceived ethical violations. Obviously, users did not provide informed consent to participate in the study, and were treated as guinea pigs.

2018 - Oops! We Leaked Your Data Again

To truly understand the extent of the Cambridge Analytica scandal, we have to go back a few years. In 2014, a Cambridge University professor, Aleksandr Kogan, ran a personality test app on Facebook.

Kogan’s company, GSR, then signed a data-licensing contract with the political consulting firm Cambridge Analytica in order to supply the company with psychological profiles of US voters. Over the course of the summer, the app was downloaded by over 200,000 Facebook users and harvested the personal information of as many as 87 million people.

It wasn’t until 2015 that Facebook learned that Kogan had shared data with Cambridge Analytica. According to Mark Zuckerberg, Kogan was banned from the platform and forced to delete all improperly acquired data. In the summer of 2016, Cambridge Analytica took legal action against GSR and Kogan, for selling illegally acquired data.

Facebook did not notify users of the data breach and assumed the problem had gone away. Luckily, a whistleblower by the name of Christopher Wylie came forward in 2018, and The Guardian and The New York Times both published exposés revealing the scandal.

The damage of the breach was far more insidious than expected. Steve Bannon, then an advisor to the Trump administration, used this data to specifically target US voters during the 2016 presidential elections. Cambridge Analytica not only worked with Donald Trump’s election team; they also worked with Brexit's “Leave” campaign - and reportedly had a significant impact on the outcome.

2019 - The Aftermath & Our Current Predicament

After the Cambridge Analytica scandal, Facebook made a renewed pledge to protect users' privacy, and in May 2019, Zuckerberg stated “the future is private.” However, in the wake of yet another scandal, the words feel hollow.

There is no trust left for Facebook, and the shift to a privacy-centric approach just feels fake, especially since the behemoth launched its in-app dating service. Given that Facebook also owns two other mega apps - WhatsApp and Instagram - it’s beginning to feel more and more like Facebook’s real goal is world domination. Alarmingly, Facebook's monopoly means that users have nowhere else to turn.

As recently as April 2019, Facebook’s privacy practices were under scrutiny again, when it was revealed that millions of passwords to Instagram and Facebook accounts had been stored in plain text files. Facebook assured users that the passwords were not accessible or abused in any way, but it’s another nail in the proverbial coffin for the company.

It goes beyond privacy too. In March, the United Nations deemed Facebook a contributing factor to the ethnic cleansing occurring in Myanmar. It’s clear that Facebook is fighting many demons.

As of today, May 9th 2019, Facebook is still under investigation by the FTC. It is suspected that Facebook will have to pay a fine of $5 billion - the largest fine the agency has ever levied.

What Can You Learn from Facebook’s History of Privacy Abuse?

The timeline discussed so far illustrates that Facebook has a long history of privacy abuse. In interviews, Mark Zuckerberg is open about the fact that software engineers can test and deploy without much oversight. Decisions are seemingly made solely on the strength of the available data, giving little thought to the privacy of its global user base.

It’s unsurprising therefore to see so many occasions on which Facebook users have been forced to suffer data leaks and breaches. What can you do about it?

The first thing to learn is that any online account can be breached. As a result, you should either delete your Facebook account or at least delete any information that could potentially harm you.

Next, it’s vital to start learning about alternatives. Facebook, Quora, Google and others have shown that they cannot be trusted to keep your data safe. Instead, look for platforms that employ a decentralized identity management system. With this approach, your data is stored locally, keeping it safe from large-scale data breaches.

The concept of a Self-Sovereign Identity (SSI) system is key here, as it allows you to retain ownership over your data and minimises the information that is shared publicly. Check out Self-Sovereign Identity and SelfKey’s Identity Wallet to learn more.
