Are you fed up with the ‘accept all’ buttons that pop up on every website? Do you find yourself clicking ‘accept all’ time and time again just to get rid of that annoying pop-up?
You might think that what you’ve just agreed to are merely some insignificant technical terms and conditions, and that you’re simply trading some trivial digital data for free access to the platform—a bargain, really.
But what the platform won’t tell you is that this is actually an unfair term.
This is a disclaimer agreeing to allow the website to track your digital activity. Every click signifies a surrender of your privacy rights and contributes to a system of platforms that erodes our digital rights.
We are facing a massive digital privacy crisis.
When you hear the term ‘data breach’, what springs to mind?
We usually worry about hackers or viruses stealing our personal information. To protect our personal information, many of us install antivirus software after we brought a new computer, and whilst browsing the internet, we avoid downloading unverified software and opening links from unknown sources.
These concerns are well-founded, as attacks by hackers and malware can lead to significant data breaches.
The Data Breach at Optus
In 2022, Optus suffered a cyberattack, resulting in the leak of personal data belonging to approximately 9.5 million Australians(Chalmers & Whitson, 2025).
“The fallout from last week’s cyber attack on telecommunications giant Optus, which exposed the details of current and former customers, is continuing. The leaked information includes dates of birth, names, phone numbers and, in some cases, addresses and drivers licence numbers.”
——Maguire, 2022
If you are interested, you can watch Nine News Australia’s video report on this incident via the link.
If data breaches caused by cyberattacks are cause for concern, then the ‘legitimate’ collection of data by platforms poses an even greater problem. We are so cautious about guarding against external cyberattacks and viruses that we fail to recognise other, more profound threats to our privacy.
We are unaware that our digital activities are entirely in the hands of the platforms. The security of our personal data, our online activities, and even the personal online accounts we use are subject to platform terms and conditions that we may have ticked without ever reading them.
The Cambridge Analytica Controversy
In 2010, Facebook launched the Open Graph API. This allowed developers to access users’ social networks and personal interests. This data was widely used for political and commercial purposes. In particular, for the purposes of political campaigning, Cambridge Analytica obtained user data and claimed that it could use this information to ‘better target political messages to people who could be influenced’ (Harbath & Fernekes, 2023).
In 2018, The Guardian and The New York Times revealed that Cambridge Analytica had used the data of 50 million Facebook users to build models. Facebook argued that this did not constitute a data breach, as the users had consented to their data being shared with developers, and therefore the practice was lawful.
And this so-called ‘consent form’ is the ‘accept all’ clause that we casually click on every time without ever really reading it. However, this is by no means a fair clause for us. It is a commercial contract designed primarily to protect the interests of the companies that develop these online platforms, rather than our own (Suzor, 2019).
Yet its legal validity is recognised. Consequently, when platforms utilise our information within the scope of these contractual terms, it is difficult for us to seek redress, as this is lawful.
If you would like to find out more about incidents of this kind, in addition to the Cambridge Analytica scandal, the links below cover nine further data breaches.
In summary, these two incidents have not only highlighted the issue of data breaches, but have also exposed the vulnerability of our digital identities under the contractual terms set by these platforms.
The law isn’t actually on your side
The reason the platform is able to use our information in this way is that it is legally recognised.
With the mindset that ‘the law is fair, and even if I don’t read these terms and conditions carefully, it won’t have much of an impact on my rights or my life’, we click the ‘accept’ button time and time again.
Yet a startling fact is that, legally speaking, our relationship with these platforms is not one of rights protection, but rather a commercial contractual relationship between a company and a consumer (Suzor, 2019).
“Your access to the platform can be terminated at any time for any or no reason“
——Suzor, 2019, p. 11
This means that when we click ‘accept all’ time and again to gain access to digital platforms, we forfeit the freedom of speech and rights we originally possessed, placing ourselves under terms and conditions set by the platforms. Terms that can be unilaterally amended at any time.
You might argue that the law will protect us, and that those who draft laws and policies would not allow such a significant loophole to remain unaddressed.
At present, external bodies do indeed exercise a degree of oversight over platforms, ensuring that they do not operate in a private sphere entirely free from legal constraints, for example, the European Commission may, as a preliminary step, investigate and challenge the mechanisms of platforms created by private companies.
However, we must acknowledge that, even though governments and organisations are currently striving to address the issue of personal data breaches, it remains difficult for individual regions to develop a comprehensive privacy protection system (Mansoori, 2025).
The content we post can be deleted at any time, and the accounts we use may be suspended. All the data you upload to digital platforms, including your IP address, private videos and photos, is stored on platforms that are not entirely under your control. Doesn’t that seem rather unsafe?
Whether it is the data breach suffered by Optus following an external cyberattack, or Facebook’s practice of analysing user data on its platform, allegedly ‘with users’ consent’, these incidents demonstrate that digital security is not merely about preventing data leaks, but also about safeguarding our digital rights, namely our control over our own digital information.
One mechanism that helps to erode our digital rights is the ‘black boxes’ of social media platforms.
An opaque, black-box review mechanism
To enhance our experience on digital platforms, all content we post online undergoes content moderation by these platforms, thereby reducing harmful information on the internet, such as hate speech.
This process determines what content can be published online and what constitutes a violation that requires removal. However, this content moderation mechanism operates as a ‘black box’. In other words, it is difficult for us to know the exact content and rules of the platform’s moderation process, and in some cases, the platform’s moderation and enforcement rules are not even fair (Sinpeng et al., 2021).
When you post something, you might assume that a computer is reviewing your post, but in fact it is reviewed by a human.
The complex mechanisms of digital platform design serve to obscure the platforms’ regulatory frameworks
Facebook, Instagram and TikTok have designed complex procedures for external parties to access platform data, intricate user reporting mechanisms, and systems that make it difficult for users to appeal against the platforms’ moderation decisions, as the platforms do not provide users with channels to request specific information to support their explanations.
This ‘black box’ mechanism shields the platform’s regulatory framework, making it difficult for outsiders to identify regulatory issues within the platform or to ascertain whether its rules are fair, thereby hindering timely changes to any unfair rules. This facilitates the platform’s implementation of a range of measures that serve its own interests.
Imagine if your personal information were maliciously posted online, or if someone were to use your private photographs to fabricate false information. You might want to report this content to have it removed, but you would most likely be unable to do so. This is because the platform’s cumbersome reporting mechanism makes it difficult for you to report such content, and even if you do manage to report it, the platform may take a passive approach to handling the matter. This effectively deprives you of the digital rights and sense of security to which you are entitled. Such is the serious consequence that this platform mechanism may inflict upon us.
Furthermore, as the platform provides no channel for us to submit supporting evidence regarding its review decisions, we may conclude that ‘since I cannot explain my situation in detail and my explanation is insufficient, my appeal is likely to be rejected anyway, so it is pointless’, thereby abandoning any attempt to appeal the review outcome.
And that is precisely the outcome the platform is hoping for.
Much like those lengthy ‘accept all’ terms and conditions, the platform utilises such complex and opaque mechanisms to serve its own interests. Through these mechanisms, they reduce the volume of user issues they need to address, thereby making the platform easier to manage.
The insecurity of digital and real-world identities
Platform mechanisms designed specifically to ‘reduce energy consumption’ compromise the security of our digital identities and may even affect our real lives.
During the war in northern Ethiopia, Facebook allowed users to post content inciting violence through hate speech and disinformation; even when these posts were reported, Facebook chose to leave them unchecked rather than remove them, as such content helped Meta generate revenue.
For instance, a post by an influencer calling for the ‘cleansing’ of Tigrayan armed supporters remained online for four months after being reported.
Similarly, a racist message believed to be linked to the murder of an Ethiopian scholar was also reported, yet Facebook did not remove it.
Hate speech online can lead to hate-motivated violence in the real world (Sinpeng et al., 2021).
The platform has collected vast amounts of user data, including political leanings, IP addresses, and even personal interests, content preferences and identity information; yet, when faced with such social incidents, it has failed to utilise its considerable governance powers to protect the safety of us, its users. This approach of prioritising profit over user safety further demonstrates that, to the platform, users are merely providers of personal data rather than individuals whose fundamental rights require safeguarding.
At present, the platform’s unfair moderation mechanisms have left certain groups vulnerable online and have even disrupted their real-life circumstances. Their digital identities, privacy and security are not receiving the protection they deserve on the internet.
Conclusion
In the long run, every time we click ‘accept all’, every time we neglect our own privacy and security, and every time we remain silent in the face of unfair rules, we are gradually empowering this operating system controlled by private companies. Every time we fail to stand up for our rights, we are encouraging these companies to exploit this system further for their own profit. This collective silence is pushing us towards an even more serious crisis of privacy and security.
Finally, before you scroll past this article, please think about this:
- 1. If your account were suddenly suspended, would you be able to find any effective way to appeal?
- 2. Has any of your content ever been removed? If so, do you know which clause of which contract the platform used to make that decision?
Reference
Bennett, S. (n.d.). Optus data breach – the risks of data over-retention. Sibenco Legal & Advisory. https://www.sibenco.com/optus-data-breach-the-risks-of-data-over-retention/
Chalmers, S., & Whitson, R. (2025, August 8). Optus sued by privacy regulator in warning to Australian corporates to protect data or face fines. ABC News. https://www.abc.net.au/news/2025-08-08/optus-sued-by-privacy-regulator-alleged-failures-22-cyber-attack/105628586
European Commission. (2025, October 24). Commission preliminarily finds TikTok and Meta in breach of their transparency obligations under the Digital Services Act. https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2503
Garg, R. (n.d.). The evolution of Facebook: From 2004 to Meta. SocialAppsHQ. https://www.socialappshq.com/facebook/the-evolution-of-facebook-from-2004-to-meta/
Google. (2026). Image generated from prompt: Create an image depicting the opaque, black-box governance mechanism typical of social media platforms, incorporating elements of hate speech. The image should illustrate that some content is permitted to be posted, whilst other content is removed for breaching the rules. It should also convey users’ confusion regarding the rules. Gemini 3 Flash (April 18 version) [AI image generator]. https://gemini.google.com/
Harbath, K., & Fernekes, C. (2023, March 16). History of the Cambridge Analytica controversy. Bipartisan Policy Center. https://bipartisanpolicy.org/article/cambridge-analytica-controversy/
Harmeling, T. (2025, March 25). 10 data privacy examples (and the lessons they teach us). Usercentrics. https://usercentrics.com/guides/data-privacy/data-privacy-examples/
Maguire, D. (2022, September 27). What’s happening with the Optus data breach? What we know about the alleged hacker’s ransom, data release and apology. ABC News. https://www.abc.net.au/news/2022-09-27/optus-data-breach-cyber-attack-hacker-ransom-sorry/101476316
Mansoori, M. S. F. (2025). Privacy issues in the digital age. International Journal for Multidisciplinary Research, 7(4). https://www.ijfmr.com/papers/2025/4/51622.pdf
Milmo, D. (2025, April 4). Meta faces £1.8bn lawsuit over claims it inflamed violence in Ethiopia. The Guardian. https://www.theguardian.com/technology/2025/apr/03/meta-faces-18bn-lawsuit-over-claims-it-inflamed-violence-in-ethiopia
OpenAI. (2026). Image generated from prompt: Create an image that illustrates the relationship between constitutional law, the platform, and personal data. ChatGPT (GPT-4o version) [AI image generator]. https://chatgpt.com/
OpenAI. (2026). Image generated from prompt: Please provide an image depicting a data breach involving people: a person holding a mobile phone with a look of sheer terror on their face, against a background of floating digital data, with a giant hand behind them reaching for their information. ChatGPT (GPT-4o version) [AI image generator]. https://chatgpt.com/
OpenAI. (2026). Image generated from prompt: Please send me an image illustrating the role of social media platforms during the war; I am writing about the Tigrayan War.. ChatGPT (GPT-4o version) [AI image generator]. https://chatgpt.com/
Sinpeng, A., Martin, F. R., Gelber, K., & Shields, K. (2021). Facebook: Regulating hate speech in the Asia Pacific. Department of Media and Communications, The University of Sydney. https://doi.org/10.25910/j09v-sq57
Suzor, N. P. (2019). Who makes the rules? In Lawless: The secret rules that govern our lives (pp. 10–24). Cambridge University Press.
Be the first to comment