Imagine overhearing the following conversation:

Company X: “I’d like you to give me access to your personal data (email, birthday, address, etc.), a list of a hundred of your friends, family, and acquaintances, and permission to use that information in whatever way I choose”

 Individual Y: “And what do I get in return?”

Company X: “You get to take a quiz that tells you what Lord of Rings character you are.”

Individual Y: “Sounds like a fair trade.”

You might think that no one would be foolish enough to engage in such an exchange. But I have. And if you use Facebook, chances are you have too. But even if you’ve never taken an online quiz or accepted a game request, your friends may have given away your private information.

Last week the New York Times reported that British data analysis firm Cambridge Analytica had “harvested private information from the Facebook profiles of more than 50 million users without their permission.” As law professor Andrew Keane Woods explains,

The data that Cambridge Analytica obtained seems to have come from Aleksandr Kogan, a researcher at Cambridge University who convinced hundreds of thousands of Facebook users to take a Facebook-linked personality quiz—thereby granting Kogan access, through Facebook’s developer platform, to a treasure trove of user data. Kogan then shared this information with Cambridge Analytica. . . .

Only about 270,000 people took the quiz, so how did Kogan get information from 50 million user profiles? Facebook offers a popular feature called Facebook Login, which lets people simply log in to a website or app using their Facebook account instead of creating new credentials. In 2015, developers who created apps that used Facebook Login were allowed—with Facebook’s permission—to collect some information on the users network of friends. According to the Times, Kogan was able to use the data gleaned from the friends profiles to match users to other records and build psychographic profiles. 

Earlier this week we also learned that for several years Facebook has been collecting call records and text-messaging data from Android devices. The company denies it was collecting the data without permission, that it was an “opt-in” feature, that it “helps you find and stay connected with the people you care about, and provides you with a better experience across Facebook.” Still, the concerns have led the Federal Trade Commission to launch a nonpublic investigation into the Facebook’s privacy practices.

When people think about social media ethics (if they ever think about it at all), we tend to focus solely on the content that is directly posted or shared. We may worry, for instance, whether we are passing along gossip or “fake news.” What we rarely worry about is whether we are breaching the trust of our friends, family, and neighbors by exposing their personal information without their permission.

Here are a few simple suggestions for how you can protect your privacy—and the privacy of your neighbors—when using the world’s most popular social media platform.

Consider limiting who you “Friend”

Have you ever wondered why Facebook and other social media sites publicly display the number of “friends” or “followers” you have? Why isn’t that information that only you can see? The reason is because we humans are competitive, and overly concerned with status ranking.

Online social networks like Facebook often use gamification—the application of game-design elements and game principles in non-game contexts—to increase engagement. A simple example is showing the number of “friends.” When you see your friends have more “friends” than you, it provokes envy and sparks your competitive nature. You become more inclined to accept “friend requests” from strangers or remote acquaintances out of a desire to maintain your own status relative to others.

From Facebook’s perspective, the increase in your number of “friends” is a win-win: You get the minor pleasure of feeling influential, while the company gains major influence by increasing their network effect (i.e., the interconnectedness makes their product more valuable).

Even those who aren’t especially competitive, though, can feel the social pressure to add more “friends.” Many Facebook users (including me) develop the habit of accepting almost every request we receive because it seems rude to reject an offer of online friendship. After all, on the other end of the digital request is an actual human. They might take offense or think we are snobby. We don’t want to be rude and, after all, it just requires us to click “Accept.” What harm could there be in being friendly?

This latest data breach, however, shows the danger. You’re allowing the new person to pass along a wide range of your personal data. As Ben Thompson explains, an old Facebook developer page shows  their API would allow developers to access not only to user account information, but also huge amounts of friend account information, such as their interests, religion, politics, relationship status, etc.

 Why expand our exposure by allowing people we don’t even know to be able to access and share your data simply because we’re trying to be polite?

Recommendation: Consider going through your “Friends” list and de-“friending” any names you do not recognize. If you don’t remember who they are they probably don’t need access to your personal information. 

Next, consider limiting which of your remaining friends can see your posts. To do this click on “Settings” and then “Privacy.” Under “Privacy Settings and Tools” you can restrict who sees such information as your future posts, past posts, friends lists, friends requests, your email address, your phone number, etc.

Be wary of trusting your friend’s “friends”

To increase the effect of social pressure and encourage you to accept friend requests, Facebook also shows how many “mutual friends” you share. Accepting a request a “friend of a friend” seems safer since the person has presumably been vetted by someone we know and trust. Unfortunately, for the reasons listed above, our friends are likely to be accepting numerous random requests, making their associations an unreliable gauge of trustworthiness.

 (About once a month I get a friend request from what appears to be an attractive young women (NB: They’re almost certainly neither women nor young) whose only activity on Facebook is a few recent posts of scantily clothed selfies. It’s the most obvious sort of catfishing, and yet invariably a number of men I know are listed as “mutual friends.”)

Recommendation: Before accepting a request from a “mutual friend,” take a few minutes to read the requestor’s profile and determine whether there is a reason to add them to your social media circle.

Know how third-party apps are using your information

Whenever you use a third-party app on Facebook to play a game or take a quiz you are giving an outside group or company access to your person information. As Facebook clearly explains:

Keep in mind when you install an app, you give it permission to access your public profile, which includes your name, profile pictures, username, user ID (account number), networks and any info you choose to make publicly available. You also give the app other info to personalize your experience, including your friends list, gender, age range and locale.

Recommendation: You can easily revoke access permissions of Facebook apps. To do this go to “Settings” and select “Apps.” You’ll see a list titled “Logged in with Facebook.” If you hover your cursor over each app you’ll see a pencil icon. Click that to edit the settings for that app.

You can also automatically remove access to your account by all those apps in one easy step. Go to “Settings” and select “Apps.” Scroll down until you see “Apps, Websites and Plugins.” Click the “Edit” button and the click “Disable Platform.”