A guide to Facebook security and privacy (Update) by Steve Ragan - Dec 14 2009, 19:51
The following primer will address the security and privacy settings both offered and seemingly excluded by Facebook. After reading, you should understand the basics for securing and controlling the privacy of your Facebook account, as well as a fundamental grasp of why proper privacy management on Facebook is important.
[Note: This article has been updated to reflect the changes made to the Facebook privacy settings on December 9, 2009.]
Right now, 350 million people are using Facebook, and as more and more people start to use the social networking portal, more and more criminals will use it as a valuable source of profit and information. Criminals are attracted to large groups, and social networking is a gold mine for infection vectors, if the criminal wants to spread Malware, or information gathering, if the criminal wants to buy and sell information.
Facebook has seen Malware attacks, which spread via malicious links or applications, Phishing scams, which again spread via applications and posted links, as well as common robbery, where people are tricked into sending money to someone pretending to be a friend. So how can you protect yourself on Facebook without limiting its usability?
Facebook has built-in privacy settings. These are designed to help you protect personal information and your account itself from crooks that are up to no good. However, the problem is that Facebook is still growing, and often new features come at the cost of security. Most Facebook users are aware of the basic privacy protections, but do not know how to manage the more advanced features. The recent privacy changes have only compounded the issue.
Facebook has a decent help section, which explains many aspects to the privacy and security features. However, in some respects they are not overly detailed, which could be because Facebook feels that overloading a user with too much information can be a bad thing. If so, they would be correct. However, sometimes more information is better than partial information.
The reason proper privacy management is important is because of the information that is shared on Facebook daily by its users. Personal details are written about without a second thought. Yet, those same details, when pieced together over time, can lead to an entire dossier on a person. Remember, if you post it online, it will stay there. So the note or update you wrote two or more years ago on Facebook can be used down the line for something completely unexpected.
As an example, if someone wanted to impersonate you on Facebook, how hard would it be for them to gather enough information to guess your password? If they access your Facebook account by guessing the password, how many other sites are using that same password? Is this risk acceptable to you?
What kind of damage could be done if someone knows your full name, place of birth, current location, email address, family names, birthdates, schools attended, etc.? These are examples of information The Tech Herald recently collected simply by reading Notes posted by Facebook users, as discussed in a previous article.
The following pages will outline the various Facebook privacy settings and how to use them, as well as what they mean for you. If you want to skip around, the index below will help.
Basic Privacy Management
When you are on the main page of your Facebook profile, you will see a settings option, which offers a dropdown menu for access to Account Settings, Privacy Settings, and Application Settings.
Clicking settings alone will take you to the My Account menu and the Settings tab. More often than not, this is where users go to manage their privacy settings.
After that you will move to the privacy area, where you can select what privacy settings you want to control. In this section we will start with Profile.
As part of the new privacy settings change, the Profile Information section has been revamped and broken down into a granular level of access based on the information you can enter. Here you can control who has access to things you have entered in Personal Info, About Me, Religious views, Political views, your wall posts, video posts, photos, and comments.
This level of control in the new privacy section is great, but it isn’t without its flaws. There is still no real explanation as to what each of the settings mean, such as how they can affect you with regard to what others can see, or the impact the settings have on your overall privacy.
As mentioned in the previous version of this primer, there is no information on what it means to select Only Friends over Friends of Friends. At the same time, Facebook has removed the My Networks and Friends option, so that layer of confusion is a thing of the past.
The help section on Facebook covers some of this, but not in any serious detail. The images below show the various options, including the available settings and custom settings.
The image above lists all the settings you can select for your profile. Everyone means literally that: anyone on Facebook can view your profile.
Facebook explains Friends of Friends in its help section, but to cover it here, it simply means that your friends will see your profile, and their friends will too.
Lastly, you have the Only Friends option, meaning that only those you have added as a friend can see your profile.
There is a noteworthy change to the privacy section in the upper right part of the screen. This allows you to preview what each of the settings mean to your account. You can look at your profile after each change and view what most people on Facebook will see. This is not a new option, but a better placement for it compared to past versions of the privacy center.
The image below is what you see if you select the customize option. As you can see, there is no real customization. However, Facebook has added the Only Me option, which will prevent everyone but you from seeing the information. You can also actively block certain people from access if you wish.
In each part of the Profile Information settings, make sure you take the time to check each section and select the option that best matches what you wish to share. It seems like this is common sense advice, but a good deal of Facebook users never check this section.
Also, there are some new sections to take note of. You can see them in the image below.
The ability to control access to Photos and Videos of you is important. Yet, clear explanation is once again missing from these options. The sub-title says, “Photos and Videos you've been tagged in” but it offers the same controls (Everyone, Only Friends, Friends of Friends, Customize) as the other sections in this area of the privacy center.
Searching for help on this topic will offer more questions than answers, as the FAQs and help topics still talk about the older privacy settings. In short, the Photos and Videos of Me options allow you to control the link under your profile image. If you set this to Everyone, then when someone sees your profile they can link to tagged images of you.
“While there is the option to block users from viewing the tagged photos section on your own profile, there is no way to restrict the visibility of a photo that you are not the owner of,” Facebook explains.
The Posts by Me section works by granting access over who can see your posts, notes, links, photos, and video. You can pick from the normal options here as well. Likewise, the section for Posts by Friends (available if you allow friends to post to your wall), covers the same stuff, but is directed at comments or posts made by friends to your profile. You can control who is allowed to comment on your things as well, which is another layer of selective privacy.
In the Photo Albums section, you will be taken to a separate page that controls who can see the images you have posted. Again, here you need to check the settings and pick the one that best matches your desired level of privacy.
What options to select
When it comes to selecting the optimum settings for profile related privacy, everyone will be different. The trick is to know what information you have already posted to your profile, and how comfortable you are with people viewing it. You should never post personal and sensitive information to Facebook, and what information that you do post should always be considered before being published. Does anyone really need to know your maiden name or the street you grew up on?
As you can see in the images, I selected the Only Friends option for all of my settings. I’ve also selected the checkbox that permits friends to post to my wall.
Now, none of these privacy settings will matter if you are in a race to collect the most friends. You should be cautious when adding friends at will. The best bet is to add those who you know or knew at one time personally, and if a friend of theirs offers something of interest, such as their personality or because they are a source of information, consider adding them as well.
When Facebook changed their privacy settings, the part of your profile that governs contact information, such as IM, Phone, address, Website, Hometown, and Email, was moved to a separate section.
You have the same levels of access as you do in the profile section, which are Everyone, Only Friends, Friends of Friends, or Custom. When you go to configure this section, avoid the Everyone option for the best privacy; use it only if you are positive you are ok with the entire Web seeing this information.
Again, as was the case in the profile section, there is a Preview link in the upper right for you to use that will allow you to see the information available at any given moment to other Facebook users.
Search Related Privacy Management
Search privacy on Facebook is covered in the Facebook help section, but again, there is a cross section of old and new information. Like other sections, this too was altered when Facebook updated their privacy controls.
In this section, you can select who can view your profile as a result of a search on Facebook, and either deny or allow your public profile to be indexed on search engines. As is the case in other sections, there is a preview button to use as well.
As you can see in the image above, I have allowed Everyone to search for me through Facebook’s search options. I’ve also allowed a public search listing, meaning you could find me by searching on Google, for example.
You can select Everyone, meaning anyone registered on Facebook, Friends of Friends, or Only Friends as options when setting Search privacy options.
What options to select
When it comes to what options to select, you should consider if you even want to appear in searches.
The default setting is for Everyone to find you in searches. This also includes the recommended feature, where you are recommended to people. If Everyone is selected, then you will appear in searches and as a person who is likely to be recommended to others.
To stop this, change the setting to Only Friends. You should note that friends will always be able to find you in search, as they should since you added them.
If you do not mind that you will appear in search results or recommended listings, then you can leave the visibility set to Everyone. The public search listing is entirely optional; if you want to avoid being listed in the search engines, uncheck this option.
As Facebook explains, “Applications you use will access your Facebook information in order for them to work...When you visit a Facebook-enhanced application or website, it may access any information you have made visible to Everyone [sic] as well as your publicly available information. This includes your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages. The application will request your permission to access any additional information it needs.”
You used to have almost total control over what information was shared to applications. Now, you can ignore certain application invites, block applications, and limit the information friends can share about you.
The image above shows the Applications and Websites area of the privacy center. We’ll focus most of the attention on the “What your friends can share about you” section.
“When your friend visits a Facebook-enhanced application or website, they may want to share certain information to make the experience more social. For example, a greeting card application may use your birthday information to prompt your friend to send a card,” explains Facebook.
The catch is, the publicly available information rule applies here. So you will hand over Name, Profile Picture, Gender, Current City, Networks, Friend List, Pages, and information set to Everyone in your privacy controls.
Sadly, there is no way around handing that information over if you entered it into your profile. This section, which used to offer great control over the information an application could harvest, now offers a slimmed down shell of its former self.
The best option here is to opt out of everything to best control privacy. Otherwise, be picky and selective if you choose to allow something.
Also in this section is the ability to list the applications you have blocked from the request page, and if you wish, remove them. You can likewise list friends that you will ignore application invites from as well.
It’s a sad thought, but in all honesty this section of the privacy controls is nothing like it used to be, and the publicly available information rule will be a sticking point for some people.
Miscellaneous Facebook Security and Privacy tips and tricks
When you use Facebook, in addition to the privacy settings mentioned in this primer, there are some other things to consider.
As you access Facebook.com from home, a coffee shop, or the office, use https instead of http when entering the URL. This will add an extra layer of protection, and since the SSL certificate is an EV (Extended Validation) one, you will know you are on Facebook.com by the fact that the address bar in the browser will change colors.
When clicking on links that are reported to belong to Facebook, never go by looks alone. Always ensure that the URL is www.facebook.com and not something that looks like Facebook.com.cn. The entire Facebook platform will only run from facebook.com and never from a sub-domain or within another domain's directory, such as random-malicious-domain.com/Facebook.
Under the Settings menu we discussed earlier, check the Application Settings regularly and clean out those you’re not using. You can remove them by clicking the ‘X’ next to the application name. There is a dropdown with the option to view Granted Additional Permissions; this is the view you would want to use to clean out old applications.
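The two checks above (https only, and a host that is exactly facebook.com rather than a lookalike) written out as a small link-triage function. This is an added example, not code from the article or from Facebook; the only assumption is that the genuine hosts are facebook.com and www.facebook.com, as the article states, and the sample links are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Assumption from the article: the platform runs only from facebook.com
# (the apex and www), never from a sub-domain or another domain's path.
GENUINE_HOSTS = {"facebook.com", "www.facebook.com"}


def check_facebook_link(url: str) -> tuple[bool, str]:
    """Return (is_genuine, reason) for a link that claims to be Facebook.

    Rejects http links, lookalike hosts such as facebook.com.cn, paths such
    as other-domain.com/Facebook, and userinfo tricks like facebook.com@evil.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":  # urlsplit already lower-cases the scheme
        return False, f"scheme is {parts.scheme or 'missing'!r}, expected https"
    host = parts.hostname  # lower-cased; userinfo and port already removed
    if not host:
        return False, "no host in URL"
    host = host.rstrip(".")  # a trailing dot is the same DNS name
    if host not in GENUINE_HOSTS:
        return False, f"host {host!r} is not facebook.com"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, f"unexpected port {port}"
    return True, "ok"


def triage(urls: list[str]) -> dict[str, bool]:
    """Map each link to whether it passed both checks."""
    return {u: check_facebook_link(u)[0] for u in urls}


# Constructed sample links, mirroring the cases the article warns about.
SAMPLE_LINKS = [
    "https://www.facebook.com/login",
    "http://www.facebook.com/",
    "https://www.facebook.com.cn/login",
    "https://random-malicious-domain.com/Facebook",
    "https://facebook.com@random-malicious-domain.com/",
    "https://FACEBOOK.COM./",
]

if __name__ == "__main__":
    for link, ok in triage(SAMPLE_LINKS).items():
        print(f"{'genuine' if ok else 'REJECT ':8} {link}  ({check_facebook_link(link)[1]})")
```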
When posting photos or notes, check the permissions levels and ensure that they are aligned with your profile privacy settings. This means if your profile is set to Only Friends, setting a photo of yourself or a note to Everyone will allow those who are not friends to view them.
Change your Facebook password often, and never use a password that is close to or an exact match of a password used for financial transactions online (PayPal, banking, Google checkout, etc.), nor should the password be the same as any email account.
When it comes to the secret question, pick a phrase that no one would know, something that cannot be guessed, and use it as the answer. In short, lie and say that the name of your first pet was “river rats in a showboat on the Mississippi” as an example.
Under the Privacy settings menu, you have the option to block users on Facebook. This is a handy way to deal with stalkers, harassment, and Spammers. This is in addition to actually reporting the person to Facebook at firstname.lastname@example.org.