How to set up your Facebook privacy settings

Facebook, privacy and you.

Yasin Soliman


Addressing a packed crowd at the Facebook F8 conference six years ago, Facebook founder Mark Zuckerberg set out his vision for a new age of online interaction.

More than one billion people actively use Facebook each month.

Put that into perspective – an online social network that comprises one in seven of the world’s entire population. For better or for worse, it seems Zuckerberg’s plan has come to fruition: “the default is now social”.

It’s quite rare to find a person nowadays that doesn’t use Facebook to share news, updates and friends’ night out pics on a regular basis. That’s all well and good, but are you really aware of who’s viewing your posts?

While Facebook’s comprehensive collection of privacy settings might sound inviting on paper, your options seem to change every day. For this reason, getting your privacy under control – for good – has become increasingly difficult.

What’s more, you may presume you’ve got your settings locked down, but you might want to double check: you’d be surprised what other people can discover.

First of all, we’ll take a look at an overview of each area. Next, we’ll step through the fundamental options that determine who sees what, before finishing up with a review of the controls you’ll want to tweak for maximum privacy.

One small tip before we get started – I would recommend following this guide from your desktop computer, for the time being. Your mileage may vary on Facebook’s mobile and tablet sites.

The Nerve Centre: Privacy Settings and Tools

Let’s jump right in: look for the padlock icon on the top-bar, and click it to bring down the “Privacy Shortcuts” menu. Notice that Facebook now provides quick access to three of the most important settings here, but for now, we’re going to visit See More Settings.

If you’ve given the labyrinth that is Facebook’s user settings a once-over before, you may already know that related settings are spread across several areas. For this reason, we’re going to look through each area in turn.

In “Privacy Settings and Tools,” Facebook provide you with options for controlling who can see your stuff, contact you and look you up.

If you’re under 18, you may be informed that “[Facebook] take extra steps to protect your information” – this means that the defaults for some settings may already be configured for a higher level of privacy.

The first option, “Who can see my future posts?,” can be used to set a default audience for new status updates and content in the future. By audience, I’m talking about common groups such as “Friends of Friends” or “Public.”

However, it’s important to clarify that this does not work retrospectively. Posts from several months or years ago won’t be updated, but set this one to Friends to be on the safe side.

“Review all your posts and things you’re tagged in” is a special option – taking you to the Activity Log screen.

Here, you can peruse a past account of all the content you’ve been involved with. In some cases, you may have been tagged in a post – showing how your digital footprint isn’t always under your control!

We’ll come back to the Activity Log in the next section.

“Limit The Audience for Old Posts on Your Timeline” also has a particularly sweeping effect. Clicking “Limit Old Posts” will change the audience of anything you’ve shared with Friends of Friends or the Public to Friends only.

“Include Public as an option in your audience selector?” is a one-time choice – enabling this option will add “Public” to your list of audiences. In my experience, once you’ve switched this on, it can’t be turned back off.

In terms of “who can send you friend requests”, choose Friends of Friends if you’re concerned about unknown invitations or solicitations. Otherwise, stick with Everyone.

The next two settings apply to people who can’t already view your email address and phone number, respectively. Ideally, set both of these “who can look you up” options to Friends to prevent data leakage.

The final – and rather important – option in this section, involves having your Facebook profile indexed by search engines. Unless your profile is well-known in the public eye, I’d ensure this setting is disabled.

Timeline and Tagging

We’re now going to take a look at settings specifically related to friends’ interactions with your Timeline, so click “Timeline and Tagging” in the sidebar.

This section involves the media and posts that other people link you to, rather than the content you create yourself.

Notice the first setting – “Who can add things to my timeline?” – this gives you the ability to control whether anyone else can post on your Timeline at all. Select Only Me if you wish to prevent Friends from posting on the feed.

The next option is “Who can see things on my timeline?”, which offers a link entitled “View As”.

This helpful feature lets you see what your Timeline looks like to the public or a particular friend. Upon clicking on View As, you’ll be presented with a Public view of the profile.

If you’re interested in seeing what a particular person views when they visit your profile, type their name into the selector.

It’s important to mention – Facebook advises you to “keep in mind that posts and photos you’ve hidden on your Timeline are still visible to the [people] they’re shared with [elsewhere], like in News Feed and search.”

Moving on, the next two options give you access to a more granular – or specific – range of audience selectors. “Who can see posts you’ve been tagged in on your timeline?” and “Who can see what others post on your timeline?” speak for themselves: these options let you control which groups can view mutual content.

If you’re concerned about strangers or acquaintances viewing these posts, consider opting for Friends except Acquaintances or Only Me for maximum privacy.

The next sub-section talks about “managing tags” and “tagging suggestions.” In clearer terms, we’re talking about the “Kate tagged you in an album” or “Michael tagged you in a post” notifications here.

I would recommend ensuring the Tag Review feature is set to enabled – which is where Activity Log returns to the spotlight.

Within the Activity Log is the home of Tag Review itself; here you’ll be presented with any content that friends have tagged you in. You’ll have the option to approve or reject these posts individually.

“When you’re tagged in a post, who do you want to add to the audience if they aren’t already in it?” is a rather cryptic, standalone option.

Imagine you’re tagged in an old school friend’s status update, but some of your friends don’t know them on Facebook. Setting this option to Friends, or another audience, allows you to share these posts with additional groups.

Finally, there’s tag suggestions. As a minor, this option is “Unavailable” to me – although I’d definitely recommend disabling it if you have the choice. If you leave this option enabled, Facebook will use your face and account in other people’s suggested tags.

Blocks, Apps and Ads

You may be in a situation where blocking a person is the most appropriate option. If you’re interested, look for the Blocking option on the sidebar.

As described, “once you block someone [completely,] that person can no longer see things you post on your timeline, tag you, invite you to events or groups, start a conversation with you, or add you as a friend.”

Instead of a “full block,” you can also choose to just block messages, app invites or event invites from particular friends.

Games and apps are hailed as a deeply integrated part of the Facebook Platform – but, to you and me, are unnecessary annoyances on the social network. You’ll see what I mean in just a second.

From the sidebar, visit the Apps section. These settings pose an unsettling risk to your privacy; the Platform itself involves Facebook “receiving information about your use of third party apps and websites.”

Look for the first heading, “Apps, Websites and Plugins”, and click Edit. I’d strongly advise clicking Disable Platform unless you’ve got a particular need for these features.

Next, look for the “Apps Others Use” heading and click Edit. This feature claims to make your Facebook experience “better and more social” – I’d recommend un-ticking every checkbox.

We’re about to wrap things up, but there are still a couple more settings to look through. The “Old Versions of Facebook for Mobile” option applies to older Facebook clients (e.g. on BlackBerry devices), which do not have the new audience selector feature.

Finally, let’s take a quick glance at the Ads section. Due to European behavioural advertising laws, this option may differ from country to country.

At the end of the day, you can improve your privacy by disabling or unchecking anything related to personalisation, interest or social actions.

Taking the above steps will help make your Facebook experience safer and more private, but don’t forget that the social network has a history of rolling out changes to its privacy settings and introducing new features which may make you less protected online.

Make sure to keep informed of the latest changes, and review your privacy settings regularly.

If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.

If you’re thinking of leaving Facebook, why not listen to this “Smashing Security” podcast we recorded:

Smashing Security #75: 'Quitting Facebook'


Researcher at heart, Yasin Soliman lives and breathes information security. You can find him on Twitter at @SecurityYasin.

3 comments on “How to set up your Facebook privacy settings”

  1. Elaine

    Something has changed fairly recently on Facebook that means your privacy is not as secure as it used to be. If you "like" or comment on something, then all your friends see that post on their timeline. I am constantly seeing posts and photos from people I don't know, because one of my friends has interacted with it. Not only is it a breach of the privacy of the person who made the post – what is the point of marking it for friends only when it will be spread by the friends' comments? – but it also means my timeline gets cluttered with stuff that is of no interest to me.

    1. Tony · in reply to Elaine

      I agree, you summed it up perfectly. I don't want others to know whether I like (agree with) a range of subjects and I am not interested in my friends' or friends of friends' opinions either. It is a breach of privacy for all concerned.

      This was the last straw that caused me to activate my account a week ago. I will leave my account deactivated for about a month before I decide on whether to delete it completely or reactivate. Facebook has become increasingly irrelevant to me as well as being a bandwidth hog when using expensive mobile broadband.

  2. coyote

    'That's all well and good, but are you really aware of who's viewing your posts?'

    I bloody well better be since I am one of those who is supposedly more disconnected but actually more connected because I don't use Facebook.

    That out of the way. Now I see what people mean with their privacy issues being complicated. I'm thankful I don't have to read that entire wall of text for something that shouldn't be nearly as complicated as it apparently is. Not that it would take long to read but it's a lot more to read than should be needed.

    Of course, there is a final two-part step that everyone could take (but few would take especially for privacy alone): tighten everything up (for the final state just in case – as I suspect – they don't clean up completely after account deletion) and then delete your account. I don't see that happens and so this document is the next best alternative.

    Sharing this howto would be far better than much of the other rubbish being shared on Facebook. I suppose this is being linked/shared/whatever on the GC Facebook feed (or whatever it is called) ? I certainly hope so.
