MANILA, Philippines – A Facebook quiz about your personality type seems innocent enough, but as over 270,000 Facebook users have come to realize, it can also be a means for a political consulting firm to profile users and aid its messaging.

Amid criticism over Facebook’s role – or lack thereof – in policing the spread of false information comes another, potentially more alarming scandal: how it allowed a third-party application (a quiz, in this case) access to the data of the 270,000 people or so who signed up, as well as the data of their friends. 

That amounts to the data of over 50 million Facebook users. (READ: Zuckerberg apology fails to quiet Facebook storm)

But the thing is, Facebook’s actions – selling user data to outsiders – may not be illegal.

In an interview on Rappler Talk, cybercrime law expert Jose Jesus “JJ” Disini pointed out that users may have actually agreed to hand over their data to Facebook and third-party developers upon agreeing to the site’s terms of use – terms which people rarely take time to understand, if they even read it at all.

“This is the bargain that we struck knowingly or unknowingly, we agreed to have our data used, right?” Disini said. 

“I always ask this when I give lectures on data privacy, ‘Who here has ever read those terms of service?’ And no one raises their hands, not even among lawyers,” he added. 

It also isn’t a security lapse, at least in the usual sense, on the part of the company. “This is not a data breach. This is their business model. This is what they do,” said University of the Philippines College of Mass Communication professor Clarissa David. 

So in an age when Facebook has become a staple in daily life, how can an average person protect his or her personal data? And what other issues should you think about before clicking on that “I agree” button? 

Here are a few reminders from Disini and David: 

“If it’s free, you’re the product.” While the internet may have revolutionized how the world works, the axiom “nothing in life is free” still holds true. 

In the case of Facebook and just about any other application and social network out there, being “free” means that the data you input, and which they collate, is what can be used to generate income. 

Both Disini and David agreed that the obvious fallout from the Facebook data scandal could – and should – push the emergence of competition (even the paid kind) that can offer the same services without the danger of data misuse and abuse.

Think and rethink those “consent forms.” Disini was the first to admit that the “system is broken.” A social networking site’s or an app’s consent form, in an ideal world, is designed to protect a user’s privacy. But as Facebook has shown, it could also be “the vehicle by which your privacy is violated because you consented.”

Quoting the late Steve Jobs, Disini pointed out that privacy should be “telling people how we’re going to use [the] data.” 

“It’s not just sharing, because when I consent to Facebook taking my data, I consent to Facebook taking my data and selling it to third parties, fine. But do I know what those third parties are going to do with it?” David added.

According to Disini, there are two major “regimes” when it comes to data privacy protection and the law. The United States/Asia Pacific Economic Cooperation (APEC) regime is “market-based,” while the European Union (EU) regime is “permission-driven.”

“Permission-driven” means data may only be used with explicit consent and a full explanation of how that data could be used. Disini said that the Facebook/Cambridge Analytica issue is a violation of EU law.

How about the US/APEC regime? “So long as the entity has no evil motive, then it can use the data even without your consent,” said Disini. It’s clear how this can be problematic – how is evil motive determined, for instance? 

Disini explained that the difference in regimes means compromises between countries covered by the regimes. US-based companies, for instance, may find more restrictions when getting data from users in European countries. 

Check and re-check your permissions. Viral quizzes can be fun, but that all ends once your data is released without your explicit consent. “Half-seriously, I would say that [if] you have a friend who keeps posting those quizzes, unfriend them because they are consenting on your behalf to take data,” David said.

If you absolutely can’t unfriend that person who’s quiz-crazy, David said the least users could do is study one’s privacy settings on Facebook. David herself prefers using Facebook from a mobile browser rather than the official app, since this minimizes the data you’re sharing. 

Disini said these rules should also apply to other applications and websites that ask for your data that it might not need. Some apps, even gaming apps, ask for a user’s location, said Disini.  

So what now, Facebook? The company has promised to “step up” following the scandal – but that’s a promise that it’s long made and has yet to fulfill.

David said that following data privacy issues, there’s talk about beginning to look at Facebook as a “public utility” – which means it should be regulated by government. 

Both Disini and David agreed that the incident puts Facebook in a vulnerable position and gives its competitors a golden opportunity.

“In a sense, this was inevitable. The wild, wild west has to come to an end and they have to mediate between what people really want, and what are the possibilities of big data, and what money can be made from big data. And we need to find this space,” Disini said. 

Are you concerned about how Facebook and similar sites and apps use your data? Would you be able to #DeleteFacebook? – Rappler.com