The Paranoid's Guide to Facebook

Over half a billion people use Facebook around the world. It is the single largest phenomenon of human connection in history, not to mention the biggest thing ever to hit the Web, and a source of enjoyment for millions. But it's becoming more and more of a love-hate relationship. We love using Facebook and other online social networks, but we hate the ever-increasing privacy and security concerns.

Those concerns about privacy on Facebook have caught the attention of the U.S. Government: Congress recently sent Facebook an open letter asking the company to explain the disclosure of user identities to third parties (as originally reported by the Wall Street Journal), and how the company plans to address this issue. James Clarke, senior consumer technology analyst at Mintel International, makes very clear what's at stake: "It's in Facebook's own interests to provide a safe environment for users to enjoy; the value of their business depends on it."

The wheels of Government will inexorably turn, albeit slowly, and you need to secure your privacy now. Here are some steps you can take to keep your private information private on Facebook.

Facebook Places

Using Facebook Places has its benefits, but whether you're using a mobile device or a desktop, telling the world where you are has major disadvantages. When you broadcast your location, you're exposing vulnerabilities for an ill-intentioned person to swoop up. And your iPhone or Android-based smartphone can broadcast your exact geographic coordinates down to a few feet.

If you use Facebook Places, remember that Facebook instantly defaults your privacy setting so that "Everyone" can see your profile. And that doesn't mean everyone on Facebook, but everyone on the Internet.

Surf over to the Account tab in the upper right corner and select Privacy Settings. From here, you can set who can and can't see your profile, and how much you want others to see when you upload comments and images. If you don't like the idea of anyone knowing where you are, you should disable Facebook Places completely.

Disable Facebook Places: To do so, log into Facebook, and select Privacy Settings from the Account drop-down menu (upper-right corner of the page). From there, click Customize settings--the link is at the bottom left of the page. The last line under the Things I share section deals with Facebook Places. Click Edit and select Disable.

This stops Places from operating on your profile, but it does nothing for what your friends do.

To stop friends from broadcasting your location, scroll to the Things others share section. At the bottom of that table is the Places section. There, click Edit and select Disable.

Control Individual Items Posted to Your Profile

Aside from the generic settings you control through the Account and Privacy Settings pane, you can also set the privacy level for individual items you post to your profile. This is frequently overlooked, but it is a targeted way of controlling the content posted to your profile.

Naturally, you should be careful what you post to begin with. Even if you permanently delete your Facebook account (see the last tip, below), the photographs and information that you've shared with your Facebook friends can still be lurking somewhere on Facebook or the Internet; if in doubt, don't post it, but if you do, control who sees it by using the lock feature.

Using the Lock: Posting a photograph to your profile? Before you press Share, look closely at the drop-down menu above the sharing tool. Click the drop-down menu to reveal the choices of who you want to see the post: Everyone, Friends of Friends, Friends Only, or Customize.

The Customize setting will allow you to block individual Facebook friends irrespective of the choice you select. (It should go without saying, but you shouldn't accept friend requests from people you don't know. Doing so negates any and all security tips you can possibly implement.)

Hide Your App Activity

Some of the most popular games on Facebook, such as Metropolis and Mafia Wars, require players to recruit other users and reward them for doing so; that is, you can't succeed in the game unless you recruit friends. And some games and apps will automatically post messages to your wall so your friends see what you've been up to (when you first play the game or use the app, you agree to the terms and conditions that allow the game or app to do this).

These frequent posts can be a nuisance to your Facebook friends, and besides, do you really want others to know that you've been playing Farmville all day instead of working?

Hitting the Facebook Invisible Key: Head over to Privacy Settings under your Account settings. At the bottom left of the Privacy Settings page is a link to the privacy options for Applications and websites.

Select Edit Your Settings, and then locate Game and application activity, which is the third item listed on the resulting page. Next, select Custom from the drop-down menu and choose Only Me in the dialog box that pops up.

Now no one but you will be able to see your gaming activity through your Facebook profile.

Disable Facebook Apps Entirely

Sending out updates is just one example of what Facebook apps can do. Not all apps flood your newsfeed, but Facebook apps all have a common denominator: They can gain access to personal information you enter into your profile.

Author and former head of The Security Consortium Mark Kadrich is concerned about Facebook's quality control over third-party developers. "App developers are providing code for the Facebook environment," Kadrich says. "But how much security testing is really being carried out by Facebook before letting it loose on users?"

Facebook's policy is that application developers are not allowed to use your personal data off-site and are only supposed to access sufficient personal information to allow them to run, or to "enrich" your user experience. But once an app has access to the personal information that it needs, it's up to the app developer to keep that information safe.

If you're not happy with third parties having access to your information, the best course of action is to block all applications on Facebook.

Applications--Exit Stage Left: Select Privacy Settings under the Account drop-down menu and press Edit your settings under Applications and websites.

Under Applications you use, select Turn off all platform applications.

On the resulting alert box, choose Select all and press the Turn Off Platform button.

You may have to wait a few minutes while the new settings are put in place; it takes time to go through any existing applications to disable their access.

Controlling What Your Facebook Friends Tell the World About You

Just as you might not want people to know where you are, you may not want your friends passing on information about you either. Your friends have access to your profile, and they can repost items you posted to your wall--such as photographs--to their own profiles, or share the information with others, all without you knowing or having any control.

Your Facebook friends may also be using Facebook apps themselves--these apps may have access to their friend lists for information, and that includes you. To better control who can access your private information, you have to control what information your friends can give out about you.

Access Denied: Press Privacy Settings under Account and go to Applications and websites. From there, click Edit your settings, and then Info accessible through your friends. There, you'll find a detailed table of items you can deselect from sharing when your friends allow apps to access your profile information; for full privacy, deselect everything (recommended).

The Ultimate Security: Delete the Account

Deleting your Facebook account entirely is a draconian step, but it may be worth considering if you feel you've outgrown the usefulness of Facebook, or have simply changed in outlook. All those drunken or injudicious frolics--or simply the need to adopt a professional persona in public--may mean you need to wield the ax over your Facebook account.

The problem is, you can't--at least not without doing some digging. From your Account Settings page, you can only deactivate your account, which makes it dormant, so to speak. Your profile is still there, in hibernation, still available to Facebook.

Deep-sixing Your Facebook Account: Be warned--this process takes 14 days, and you cannot use your Facebook account in any way once it has been initiated. The link to permanently delete your Facebook account is buried deep in Facebook's Help pages, so we found it for you. Request that your account be deleted here.


Press Submit. Fill out the resulting form, then press OK. Leave the site, never to return.

Facebook is great fun, but ultimately you are responsible for staying safe and secure. And although Facebook has its responsibilities too, the onus is on individual users to understand how the privacy and account settings work, to apply Facebook's privacy controls, and to regulate their own behavior. Even if Facebook should, hypothetically, be sanctioned for losing user information--for letting it get into the wrong hands--that will be little comfort if you are one of the victims.
