Facebook vs. Privacy - What You Can do to Protect Your Privacy

Facebook Privacy - Steps You Can take to Protect your Privacy While Using the World's Largest Social Networking Site

Facebook is ubiquitous. But it is also anathema to privacy. My daughter tells me that if I am so paranoid about my privacy, I should not have a Facebook account.

Facebook and Privacy are clearly not synonyms, but they are not (quite) antonyms either. You can use Facebook without completely sacrificing your privacy, but you have to work at it. Default Facebook settings are defined to maximize the use of Facebook features, with the consequence of minimizing your effective privacy. If you want a big social footprint, that’s good, but if you care about your privacy, it is definitely not.

Facebook literally has enough Security and Privacy settings that you could write a book about them. I am not going to dwell on most of these other than to say that the biggest single concept to keep in mind on Facebook is their tiers of controls – the concept that differentiates between Nobody, Friends only, Friends of Friends, and Everyone.

Most Facebook controls can be associated with these levels:

1. Only Me: You are blocking access so that no one but you can use the item or service in question, though this level is not even available for every Facebook function.

2. Friends Only: Only other Facebook users who you have accepted as “Friends” will have the access in question.

3. Friends of Friends: Any “Friends” of your Facebook Friends will have the access in question. So, if Jill is a Facebook friend, and she has another Friend, Trevor (whom you may not know at all), Trevor will also have the access.

4. Everyone: Any Facebook user can have the access.

Above and beyond the normal settings, you have the ability to use the “Make this Visible to” and “Hide this from” options. These allow you to explicitly include or exclude access for specific users. These settings override other security and privacy settings.

Realistically, this is a pretty simple security hierarchy, and most of the settings are pretty self-explanatory. In practice, if you have all your settings at “Only Me”, then you have strong privacy, but no useful functionality. If you have all your settings at “Everyone”, then you have great functionality, but absolutely no privacy. You can, however, find balance between the extremes.

This balance is all up to you. In the privacy settings (Account/Privacy Settings), you can control which level of access you allow for a variety of functions within Facebook. From there, check out Sharing on Facebook/Customize settings, and Connecting on Facebook/View Settings. If you are concerned about privacy as you customize your settings, you are better off starting with a “Friends Only” setting and opening it up than you are starting with the default settings. It would take many pages to analyze every setting option, so I only caution you to review each and every one yourself and see if you think they make sense for you. Beyond that, there are some settings worth double checking on your own account, as well as some ways you share things that you might not quite realize you are sharing.

Account Settings/Security

First of all, you should have a good password on your Facebook account. Use a reasonably complex password that is easy to enter from your computer or personal device. And, use the password on Facebook only. Do not share your Facebook password with any other system. You don’t want to make it any easier than you need to for someone else to gain access to your Facebook account, or to use your Facebook information to gain access to another one of your accounts. My current Facebook password is mixed case, alphanumeric, with special characters, and is 15 characters long (or is it?).

Use Secure Browsing when you can. This will make your Facebook session use a secure https connection if your device supports it. If you are not sure you care, you should check out FaceNiff or Firesheep. If you are logged onto a wireless network with your portable device, these tools can be used on the same network to sniff for the cookies that identify your session with Facebook. The sniffed information can then be used to access your account. The “attacker” doesn’t need to enter your username or password, since they have the cookies that hold the information Facebook uses to verify that you are a valid user. So, if you are logged onto the default (non-https) web site and share a wireless connection with a FaceNiff user, they now have enough information to log onto your Facebook account and act like you. But, if you require Secure Browsing, the cookies travel only over https, and you defeat them.

Want to strengthen your logons more without dramatically affecting your usability? Turn on Login Approvals. The concept is simple. You provide a phone number under Account/Account Settings/Mobile. If someone tries to log on as you from their own device, Facebook may not recognize the device, and the user will not be able to complete the logon process without getting a security code from your phone.

If you don’t want to go quite this far, you can enable Login Notifications. You can request that Facebook send you an email or text message if your account is accessed from a computer or mobile device that you have not used before. This way, even if you were not preventing it, at least you would know if someone was able to log on as you from their own device.

To make it easier to access your account if you forget your password, register a phone number as described above, and add a Security Question. You don’t have to use the name of your first grade teacher as long as it is a name you will remember. But if you do use your first grade teacher, make sure you don’t list your teacher’s name on your public profile as your “favorite teacher ever, my first grade teacher, Miss Hendrickson”.

Sharing Information

At Account/Privacy Settings/Sharing on Facebook, there is a small checkbox labeled “Let friends of people in my photos and posts see them.” This is enabled by default. If you leave it enabled, it means people who are not your friends can see your photos and posts, as long as those people are friends of your friends. So, your best friend Jill can see your posts because you friended her on Facebook. You cannot stand Trevor, who is also friends with Jill. If you leave this checked, Trevor will be able to see anything in which Jill is tagged, whether you actually want him to or not.
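To make the audience tiers, the “Make this visible to” / “Hide this from” overrides, and the “Let friends of people in my photos and posts see them” widening concrete, here is a small model of the decision written for this article. It is an added illustration, not Facebook’s code; the users (me, Jill, Trevor, a stranger), the friendship graph and the rule that an explicit “hide” beats an explicit “show” are constructed assumptions.

```python
"""Toy model of Facebook-style audience tiers with explicit overrides.

Constructed illustration, not Facebook's implementation. Users and
friendships below are made up for the example.
"""
from typing import Dict, Iterable, Set

# Constructed friendship graph; each friendship is listed from both sides.
FRIENDS: Dict[str, Set[str]] = {
    "me": {"jill"},
    "jill": {"me", "trevor"},
    "trevor": {"jill"},
    "stranger": set(),
}
ALL_USERS: Set[str] = set(FRIENDS)


def friends_of(user: str) -> Set[str]:
    return FRIENDS.get(user, set())


def tier_audience(owner: str, tier: str) -> Set[str]:
    """Users (other than the owner) reached by the tier setting alone."""
    if tier == "only_me":
        return set()
    if tier == "everyone":
        return ALL_USERS - {owner}
    audience = set(friends_of(owner))                 # "friends"
    if tier == "friends_of_friends":
        for friend in friends_of(owner):
            audience |= friends_of(friend)            # Jill's friends, incl. Trevor
    return audience - {owner}


def audience(owner: str, tier: str, tagged: Iterable[str] = (),
             hide_from: Iterable[str] = (), visible_to: Iterable[str] = (),
             friends_of_tagged_can_see: bool = False) -> Set[str]:
    """Everyone other than the owner who can see one post or photo."""
    viewers = tier_audience(owner, tier)
    # "Let friends of people in my photos and posts see them" widens the
    # audience to the friends of each tagged person, whatever the tier.
    if friends_of_tagged_can_see:
        for person in tagged:
            viewers |= friends_of(person)
    # Explicit overrides beat the tier; assumption: "hide" wins over "show".
    viewers |= set(visible_to)
    viewers -= set(hide_from)
    return viewers - {owner}


def can_view(owner: str, viewer: str, tier: str, **options) -> bool:
    return viewer == owner or viewer in audience(owner, tier, **options)
```

Running `audience("me", "friends", tagged=["jill"], friends_of_tagged_can_see=True)` shows Trevor appearing in the audience of a Friends-only post purely because Jill is tagged, which is exactly the leak the checkbox above controls.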

From here, click “Customize settings” to reach a more detailed list of settings, and slide right to “things others share”.

“Photos and videos you’re tagged in” refers to information on other users’ pages as well as your own. You can control whether or not Trevor can see you tagged on Jill’s page by controlling how other users share your information.

The “Suggest photos of me to friends” feature is an interesting one. Facebook uses facial recognition to check faces in uploaded photos. If the software thinks it recognizes you in a photo it will suggest tagging you. So, if Jill uploads 15 photos from her drunken New Year’s Eve party, Facebook could suggest your name for tagging in the five photos in which it believes it recognizes you. Yes, you are notified if Jill accepts the tags and you can go untag yourself manually. But, if you disable this option (enabled by default) you do have better control over where you appear.

“Friends can check me in to Places” is another interesting setting. As someone who generally cares about my privacy, I am unlikely to check myself in to any place when I am out and about. It just feels like an invitation to rob me if I am telling people that I am not home (and yes, I know I can show that information to only my friends, but am I sure that all of their Facebook accounts are safe?). So, personally, I find the idea that someone else could “check me in” even more ridiculous. You can disable this option from the permission pulldown.

Look up just a little in the “Things I share” section and find the “Include me in ‘People Here Now’ after I check in”. If you do happen to “check in” someplace, like a bar, or restaurant, or the airport, then anyone who is also checked in at the same place can see you, whether you know them or not, regardless of whether or not they are “friends”. You can stop this nonsense by deselecting “Enable”.

I am paranoid about my privacy, but I still want to take advantage of some of the functionality provided by Facebook. Facebook honestly helps make it easier to keep in contact with coworkers and friends. There are things I don’t want to share, and there are things I want to be able to share, but in exactly the manner I want to share it.

Just not with Trevor…

Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl's consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.