Taryn Hicks: Semi-Regular Thoughts…

December 10, 2009

Protecting your information on Facebook

This week, security firm Sophos tested Australian Facebook users to see how many people would add an unknown to their friends list. The tests were a repeat of earlier testing in 2007, where they found 43% of people blindly accepted a friend request from a made-up account belonging to a plastic frog.

The 2009 tests showed that we still aren’t being careful on Social Networks: approximately 46% of people blindly accepted friend requests from people they didn’t know.

So why is this a problem? Because you have a lot of personal information on your Facebook profile—by friending people you don’t know you may be setting yourself up for Identity Theft.

Many people on Facebook have their workplace, their email address, and their birthday all readily available to people on their friends list. These details are an excellent starting place for scammers and social engineers.

So what do you do to protect yourself? This is far from a comprehensive guide, but here are some security tips for Facebook:

1. Re-think the information you publish online

The best way to ensure people don’t get sensitive information is to avoid it being on the Internet in the first place.

Once your information is online, it enters indexes and caches, and it may be difficult to remove that information from the Internet entirely. However, if your information is already on your profile, remove it as soon as possible.

Check your profile and ask yourself which information should be removed. For instance, do people really need to know every school you ever went to, or every workplace you’ve ever worked at?

2. Don’t friend people you don’t know

Unless you friend someone, they cannot access the majority of your information. Simple as that.

Actually, no: it’s not that simple any more. As of 10 December, Facebook changed their Privacy settings, and the new default is that “Everyone” can see your information. That’s not everyone on Facebook—that’s everyone everyone—your personal information will be available to the Internet at large, indexed and cached in search engines, and freely available to anyone who cares to look at it.

However, we are going to change these default settings so that only your Friends can access information about you, so it is still best to only accept requests from people you know.

3. Put your friends and family into Lists

Facebook allows you to sort your friends into Lists, which can help you keep track of your friends more easily: you can filter your News Feed based on lists, or use Lists to keep track of how you know a person. You can use Lists to control who can talk to you on Facebook Chat. Lists can also be used to tell Facebook who can see certain information on your profile.

You can set up your Lists by going to Friends (in the top menu) and the All Connections option: the Create new list option is at the top of the screen.

Once you have set up your Lists, you can use the Privacy settings to limit who sees your profile.

4. Change your Profile’s privacy settings

By default, Facebook tends to have weak privacy settings: your information is open in most cases. To change the default settings, go to Privacy Settings, under Settings in the top menu.

The first part you will want to change is the Profile section. As of today, this section now requires a password to “unlock” the panel and change the settings.

Each part of your profile—such as photos, videos, or education information—has its own drop-down where you can change the settings. It is best to use restrictive settings, but you can let your true friends in using the Customise option, selecting Specific People and adding your Lists.


As of the 10th December 2009, you should be able to customise nearly every section this way. If you still have the old Facebook Privacy (i.e., they haven’t rolled it out to you yet), set things as restrictive as you can stand in the meantime.

Make sure to check the settings for your Photos too.

5. Check your Contact Information settings

You can also select who can see your contact information—phone numbers, email addresses, and Instant Messaging contacts—on Facebook. The settings for this used to be in the Profile Section, but as of today they are now in their own section under Settings, then Privacy Settings, and Contact Information.

Just as with the Profile section, there are a number of drop-down options to select who can see each piece of information. Customise each setting so that only the people in your trusted Lists can access sensitive data.

6. Check your Search privacy settings

As of the 10th December, the Search settings have been greatly simplified: unfortunately I am not sure for the better. Previous search settings used to allow you to define what information people would see when searching for you.

Currently the settings allow you to select who can search for you, i.e., friends, friends of friends, or everyone. You can also select if your profile will be available on public search engines (such as Google). You can check these settings by going to Settings, then Privacy Settings, and Search.

7. Check your Applications and Websites

The Applications and Websites section (Settings, Privacy Settings, Applications and Websites) contains a number of other subsections. These sections control what your Applications can share about you and what your Friends’ Applications can share, and allow you to block Applications (and invites from people for Applications).

The first (easiest) thing to check is the What your friends can share about you section, which allows you to choose which information your friends’ Applications and websites can share about you. This is similar to the “Application Settings” in the old privacy model, and I recommend you be as restrictive as you can bear: I removed all the checkboxes.


Applications will still be able to access your basic information (like your Name, and Profile Picture) when you or your friends install them, but this will help limit and prevent any abuse of your personal data.

Once you have checked these settings, you need to check what Applications you have installed, and what those applications are able to do. The What You Share section will take you to your Applications (also available under the Applications button (bottom menu) and Edit Applications), via a blurb about the kinds of information an Application may use.

The Applications screen hasn’t changed from the previous privacy model, and you will be presented with a list of all your installed Applications. This is a good opportunity to remove any Applications you no longer use, and I recommend being restrictive with Applications. In fact, I’m no fun at all, and I’ve removed nearly all the Applications except for MyFlickr because I like to share my photos.

Make sure you check what permissions your applications have—for instance, are they able to post to your News Feed? And who sees updates made by an Application? You can check both of these settings under Edit Settings.

8. Disable Facebook Ads

The Facebook Ads section has been moved from Privacy Settings to Account Settings. Have you ever noticed an advert on Facebook, with a note underneath saying that one of your friends likes the ad? By going to Settings, Account Settings, then Facebook Ads, you can disable this.

NOTE: Facebook will NOT use your profile picture in advertisements. However, third-party applications have been known to do this in the past (in violation of Facebook policy), which is another good reason to check your Application Settings as per point 7. This will help prevent this and other abuses of your data from occurring.

Final thoughts

This is far from a comprehensive article on protecting your information online, but I hope this is a start. Always make sure you understand the security and privacy settings on any online applications you use.

EDIT: Oh wonderful. Just as I publish this article, I check Facebook and in the last couple of hours, Facebook have changed the way Privacy settings work. Please be patient while I see what’s changed…

EDIT: I have rewritten the article to reflect the current privacy model as of 10 December 2009. I’d also like to use this edit to express my displeasure at a couple of changes:

  • You can no longer preview your Public Search profile from your Privacy settings: it is not as easy to see what people will see if they search for you.
  • The News Feed settings appear to have disappeared. These settings used to control whether your friends would be updated if you commented on their Wall, or liked a link somebody posted.
  • WHY are they setting “Everyone” (as in public Internet) as the default for your information?

If anyone knows where these two settings have gone, please tell me, and I will include it in the article!

EDIT: The Privacy changes are a much, much bigger mess than I originally realised… ouch. The EFF have weighed in on the issue too.

Filed under: Internet — Taryn @ 9:23 am
  • tarale
    No, not the ads themselves: they will still appear. It's the whole "Taryn Hicks is a fan" of an ad, or "Taryn Hicks likes this" that you can turn off.

    You still get the ads. :( I suppose Facebook have to make money somehow.
  • Cool, I didn't realise that you can disable Facebook ads, I will have to try it out!