Is your data safe on Facebook? Not really

Cambridge Analytica scientist says he'd testify before Congress
Cambridge Analytica scientist says he'd testify before Congress

Your personal information is Facebook's currency. It's bought and sold every day.

When advertisers want to target a specific group of customers who, for example, are a particular age and have a certain political affiliation or interest, Facebook makes that possible. The stuff you share and the inferences Facebook makes about you are packaged together with similar people's data, stripped of names and sold to companies. That allows businesses to put ads in front of people they're certain they can influence.

On Facebook, you are the product. Advertisers are the customer.

Facebook's not alone. Most advertiser-supported networks sell some of your information to third parties. Google, Microsoft, Yahoo, AOL, Amazon, Twitter and Yelp do the same.

Related: What You need to know about Facebook's data debacle

Giving up our privacy is the price we pay for getting to use Facebook for free. Most of the time, that tradeoff works: People take advantage of free services by posting, searching and sharing. Most companies that collect our data use it for legitimate purposes and within the bounds that companies like Facebook permit.

That arrangement has turned Facebook (FB) and Google (GOOGL) into online advertising juggernauts. They have built massive audiences of billions of customers, and advertisers flock to them. Facebook and Google control three-quarters of the $83 billion digital advertising market in the United States, according to eMarketer.

But the customer-is-the-product deal doesn't always work to the user's advantage. This weekend, the public learned data company Cambridge Analytica improperly accessed 50 million Facebook users' personal information to influence the 2016 election.

Internet companies have a financial disincentive to give users more control over their data. If people share less, social networks will earn less money.

Related: Facebook announces forensic audit of Trump data firm Cambridge Analytica

Most companies offer privacy settings, and some even let you leave and take your data with you. But they don't make it easy, and critics say social networks and internet companies should give users far more say about which data ends up in advertisers' hands -- and when.

"Tech companies can and should do more to protect users, including giving users far more control over what data is collected and how that data is used," said the Electronic Freedom Foundation in a statement. "That starts with meaningful transparency."

Once you share something on any digital service, your personal information leaves your control. Cambridge Analytica serves as a stark reminder of that.

Related: Why nobody can tell Mark Zuckerberg what to do

The researcher who initially obtained the Facebook users' data did so properly, but Facebook says he broke its rules when he passed that information to Cambridge Analytica without users' authorization. That's the tricky thing with data: Once it's out there, it's hard to put boundaries around it. Facebook trusts companies and researchers who obtain your data to use it properly. If they break the rules, Facebook can punish them (it suspended Cambridge Analytica, for example), but only after your data has already been used illicitly.

"It's difficult to police after it's left your secure perimeter," said Rik Ferguson, vice president of security research at Trend Micro. "Cambridge took advantage of the porousness of Facebook."

Correction: An earlier version of this story incorrectly stated that Cambridge Analytica broke Facebook's rules by obtaining the data from the researcher.

Personal Finance

CNNMoney Sponsors