What are they doing with our data?

With the 'breach' at Facebook they won't get my trust back again.  They can call it anything they want, but, from my point of view it is a 'breach'.  MY data was taken and used in ways I did not give MY permission for.  It isn't just Facebook, but, anyone who offers services over the internet that we need to be more aware of what they know about us and are willing to share to others.  It doesn't matter that it is 'free' like Facebook or a paid service we need to demand that they treat our personal information like crown jewels and do their best to make sure that it isn't taken without our knowledge and permission.

I don't know what they put into the document for data analysis by that 'researcher', but, here are a few things I can quickly think of for anyone who is thinking about people getting access to our data.

• Where is the data stored?
• What is the data you need, why do you need it, and, for how long will you require to keep the data for?
• How is the machine secured both from a physical access point and software?
• Does the system which holds the data accessible from your LAN and/or internet?
• What software tools are being used for data storage and analysis and are they up-to-date for patching?
• Has your hardware been patched for the latest identified vulnerabilities?
• How did you test the security of your systems?
• Who has access to the machine?
• Do you limit access to 'need-to-know' and only the data required?
• Do you limit how the data is moved off the system when 3rd parties have access?
• If so, how?
• What agreements do you have in place for 3rd party access and what do the agreements say?
• If law enforcement or government request access to the data what is the process you follow to grant them access?  
• Do you notify the original owner of the data for such data requests?
• What is the process you follow when there is a network or physical breach of your system?
• How are the backups done and secured and who has access to those backups?
• When you are done with the analysis how is the data deleted?  
• Does that include all backups?
• How do you prove that the data was deleted and can never be recovered?

I understand that they need to make money, but, when the data leaves their control then anything can happen and they need to do a better job documenting what was requested, why it was requested, how it was secured and how it was deleted when done.  For myself I have downloaded my Facebook data to see what they have and I am now looking at other services that respect my privacy more.  It will be hard as Facebook has a massive population, but, other communities in the past have fallen (MySpace, AOL come to mind).