It’s time to review how well you have been protecting your privacy on Facebook.
Why? Because Facebook is beginning to roll out the new version of its search engine.
First announced by Mark Zuckerberg in January, Graph Search makes it easier for people to find content that has been shared on the social network through the use of natural language and filters.
The upshot is that if you have ever shared something on Facebook, it’s easily searchable by anyone you have given permission to view it. (Or – in some cases – anyone you have forgotten to remove permission from viewing it.)
To demonstrate what Graph Search can do, Facebook offers the example of searching for restaurants that your friends have visited:

Clearly it would have been much more laborious in the past to check out each of your friends’ Facebook profiles and trawl through their past restaurant trips.
The good news is that Graph Search doesn’t make anything you have shared on Facebook any more public than it was before.
The bad news, though, is that it does provide a much easier way to dig up information that might otherwise have been overlooked or hard for others to dig out of your Facebook history.
The Actual Facebook Graph Searches blog demonstrates the power of Graph Search quite well, with a series of example searches that may make you realise the potential dangers and embarrassments.
For instance, here are married people who like prostitutes:

One likes to think that most of the people who said they “Like” prostitutes were saying it as a joke. But can you guarantee that your employer or a potential new romantic partner would find it as amusing?
Here’s another example. Single women who live nearby who like men and list “Getting drunk!” as one of their interests:

Again, that’s something you might only want to share with a controlled audience – if anyone.
After a string of PR disasters involving its users’ privacy, Facebook is keen to be seen to be responsible. They made the following short video to explain how users can control who they share their information with:
Video: http://www.youtube.com/watch?v=PjcXZeL_3IQ
Although some will no doubt delight in Facebook’s new Graph Search ability, I am also confident that there will be plenty of people who will be embarrassed or disturbed about how easy it has become to learn information about them.
Tips for better Facebook privacy
In light of Facebook making it easier for people to find out information about what you like, where you have been, and so forth, here are my tips for better protecting your privacy on the social network.
1. Make sure you are restricting who can see your Facebook updates
Every time you post a status update on your Facebook page, you have the ability to control who can see it (or search for it later).

If you make it “Public” then that actually means you have made the status update not only viewable by *everybody* on Facebook, but also everyone *not* on Facebook as well – including search engines which may archive the content. In short, you’ve opened Pandora’s box and even if you change your mind later and delete the post, or make it private, you can never be confident that the message isn’t lurking somewhere else out there.
“Public” may be fine for companies and brands, but is rarely likely to ever be appropriate for the personal Facebook pages of individuals.
The “Custom” option is probably a more sensible choice, as it allows you to choose specific people or lists of friends. “Custom” also allows you to explicitly say who you *don’t* want to share the update with.

However, be very careful not to choose “Friends of Friends” unless you realise the possible consequences.
It may be that you have been very careful about who you have befriended on Facebook, but can you be confident that your Facebook friends have shown similar levels of caution?
2. Lock down who can see your future and past posts
You should also use Facebook’s privacy settings to adjust who can view your future posts, take the opportunity to review past Facebook posts you have made, and limit the audience for past posts that may have been accidentally shared with “Friends of Friends” or “Public”:

Handily, Facebook provides users with the option to review all of the posts and things that they have previously been tagged in. You should use the opportunity to untag yourself from places and photographs that you do not feel comfortable sharing with the masses. You’re learning about the benefits of online privacy, and won’t be so free-and-easy in future.
Additionally, you should block search engines from being able to link to your timeline, and may wish to limit who can look you up using your email address or phone number.
3. Control your Facebook timeline and where you are tagged
Facebook provides additional privacy settings which you should spend time checking to better protect yourself online.
For instance, if a friend tags you in a status update or photograph you can review that post *before* it appears in your timeline. Note: that doesn’t stop the update or photo appearing elsewhere on Facebook (you have to laboriously ask your Facebook friend to remove the photo or post in its entirety if you don’t like it), but you can at least prevent it from appearing on your page.

The last option on this page is one of the most controversial.
Who sees tag suggestions when photos that look like you are uploaded?
This option is connected to Facebook’s controversial facial recognition feature. As your Facebook friends upload photo albums, Facebook can try to determine if any of the pictures look like you. And if they find what they believe to be a match, they may well urge one of your Facebook friends to tag it with your name.
As you can see from my screenshot, the “feature” isn’t currently available to me. But if you have the option, I would recommend that you disable this if you value your privacy.
4. Stop your friends’ Facebook apps from accessing *your* private information
Many Facebook users aren’t aware that – unless you have locked down your privacy settings correctly – the apps, games and websites that your *friends* use can also access your personal details, photos and updates.
Facebook argues that allowing other people to share your info with third-party apps makes the “experience better and more social”.
And, with depressing predictability, Facebook leaves options like this enabled by default.

In my view, it’s indefensible for Facebook to take this stance, so go to your Facebook Application settings and follow my recommendation to deselect every tickbox in the section:

At the same time, it wouldn’t do any harm to review, on the same settings page, which apps you have given access to your account, and – for instance – adjust settings if you are uncomfortable with them posting publicly on your behalf. If you have no need for an app, or believe that it could be malicious, you should revoke its access to your account entirely.
5. Stop posting private stuff on Facebook
Here’s the simplest advice of all.
Facebook is going to find it a lot harder (although not impossible) to expose your personal and private information to others if you never share it with the social network in the first place.
So, if you have something that you wouldn’t feel comfortable sharing with your boss, or with your loved ones, or with a jealous ex-partner or potential identity thief, then don’t post it on Facebook.
Facebook is in the habit of introducing new features which can impact users’ privacy, making it users’ responsibility to manage their own security and turn unwanted features off. The best defence is to keep yourself informed of changes that Facebook makes, and keep yourself clued up about new security and privacy risks.
If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.
If you’re thinking of leaving Facebook, why not listen to this “Smashing Security” podcast we recorded:
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
My name is Graham Cluley.
We are going to discuss whether you should quit Facebook.
LastPass Enterprise simplifies password management for companies of every size with the right tools to secure your business with centralised control of employee passwords and applications.
But LastPass isn't just for enterprises. It's an equally great solution for business teams, families, and single users.
Go to smashingsecurity.com/lastpass to see why LastPass is the trusted enterprise password manager of over 33,000 businesses. Right, Facebook. Get me off it, kids.
Does it say anything in your feed that I've disappeared, or have I just kind of gone away?
You just disappeared into the mist.
If you remember, Graham, we did a lot of Facebook security training very early on in Facebook's birth and its growth.
And still my data could be compromised simply because I was friends with people that may not have been as privacy aware as me. Actually, it probably wouldn't have mattered.
Someone somewhere downloaded some game that hoovered up all my data.
You don't know what events are going on, you forget somebody's birthday, nobody wants to email you anymore, nobody answers the phone anymore.
Whereas for a lot of us who want to quit Facebook, it's like, well, we will literally have no way to keep in touch with people.
And they'll see a little, oh look, they said they like the picture of my child or whatever it was, or the holiday I'm on. That's nice. And you continue to feel connected.
What I don't like is that people, of course, give this curated image of themselves on social networks, you know, where they're, "Oh, aren't I fantastic?
Look at me, I'm doing my warrior pose at the yoga." That's like the max of your familiarity with yoga. I'm doing my sun salutation.
Because you could use Facebook to log into other apps, right?
I'm a Spotify user, and it's one of the many apps where you can create your account just by saying, just create your account with Facebook. You just click this button.
It's super easy. And I did that. And there's no way for me to easily disassociate my account without literally deleting my old account and creating a new one.
And then I'll lose my playlists and my albums. I have to recreate all that stuff I've done.
I don't have to generate passwords. Facebook's going to handle it.
And this site which I'm signing up for, I don't have to worry about them looking after my password because they're using the whole Facebook process instead.
So I think this is a really valuable thing for people to remember if they are considering quitting Facebook is what the impact will be on any other apps and websites which might be—
The way you can convince yourself that you've shared too much information on Facebook is to download a copy of your Facebook data, right?
There is a link, and we will put it in the show notes, which you can go to on Facebook. And regardless of whether you plan to quit or not, download your data.
It will download all the photos that you've posted and all the messages and all kinds of other stuff as well. You will be horrified.
And at that point, you begin to think, crikey, I volunteered so much information, information which I would never have given to a phishing site, information I would never have given to some scammer or fraudster ringing up on the phone.
I have willingly given to Mark Zuckerberg and his cronies, and what on earth are they planning to do?
I'm a little weird in how I use Facebook.
And I'm going to start off with the simplest thing you can do, which is not a complete cutoff, but it is called turning off the Facebook platform.
That is the thing which basically Facebook uses to integrate you with third-party apps and websites.
It's the thing which powers the like buttons which appear on third-party sites, which can of course track you around the internet, which isn't terribly nice either.
And this is the thing which was exploited by Cambridge Analytica's app, or the app which gave them the data, which allowed, for instance, your friends to give your information to other people as well.
So this is— if you're not ready to leave Facebook for whatever reason, you might want to consider turning off the Facebook platform.
So we're going to include a link where you can do that.
It's deep within the settings, and what it will mean is that all posts by apps and games and things like that will be removed from your timeline.
You won't be able to log into apps or games and websites using Facebook. Oh, wow, I live.
Oh, diddums. Oh dear, you've lost all that. But that is the most private I think you can really make Facebook without deleting the account altogether.
So there you are, disable Facebook platform.
Yippee, right? When you change your mind. So at the moment, you won't find Carole on Facebook. Carole could log back in if she wanted to, but right now, no one can see your profile.
No one can search for you.
And as soon as you log in, if you're using a password manager, it obviously just fills in the login page as you get there.
And bish bash bosh, you gotta do the whole deactivation again. So you can't get a friend to look to see if you've been removed.
Okay, so you don't clean up everything which you posted around the place. Your friends may even still see your name in their friends list, but it won't go any further beyond that.
But also keep in mind that if you deactivate your Facebook account, your Messenger account, which is like their IM system, that will remain active.
So disabling Facebook Messenger is a whole separate thing.
Now, I don't know if that's 100% true, but I know of some people who said they've sort of either deactivated or deleted their account, maybe just deactivated.
Have you heard about the Firefox extension that puts Facebook in its own little container tab?
They won't know that you're logged into Facebook as well.
Now I don't use—I use Firefox regularly, but one of the things that I've done is I've updated my ad blocker with specific code and rules which block any like buttons from working on pages when I visit them, because I don't want Facebook knowing which pages that I'm going to and gathering data about my movements around the internet if I do accidentally leave myself logged into Facebook.
And that's something else which you can do with a blocker as well. But this is all kind of really nitty-gritty advice.
I think maybe the push for this podcast is how are you going to stop giving any data to Zuckerberg?
So right after this sponsor break, we're going to talk about how you can actually delete your Facebook account entirely.
It's equally a great solution for business teams, families, and single users. Learn more at smashingsecurity.com/lastpass. LastPass.
Pretty hidden away, to be honest. You have to go hunting for it if you do want to do it.
And you will get this big fat warning that says, if you don't think you're going to use Facebook again and would really like your account deleted, we can take care of this for you.
Bear in mind, you will not be able to reactivate your account. So really, they want you to deactivate rather than delete your account.
I really wish I could.
Does nothing for a few days because it's given you a chance to change your mind.
Because that evening you're thinking, I wonder if anyone's posted any funny cat memes.
Your request is cancelled, yippee, and your account is back. And Facebook says it can take up to 90 days, up to 3 months to delete data they may have stored in their backup systems.
But it says during that time, your information isn't available on Facebook publicly.
If you've been communicating, if you've been sending messages to friends and things, they're still going to have those messages in their inboxes.
And the thing is, whatever privacy steps you take, even if shutting down platform and things like that, if you continue to have a Facebook account, you're still sharing information with Facebook.
And you have to ask yourself, do you trust this organization with your information?
You'll probably go on to some other social network instead.
Right. And so I started creating the community. Now I closed down my blog page. I told them I'm not going to update it anymore and it's going to be deleted.
Carole, what we haven't discussed is what should we do about the Smashing Security Facebook group?
Handwritten letter.
Right now, the one thing that is stopping me from deleting my personal account is that it is the administrator for our Smashing Security Facebook group.
I am gonna hold up a little flame for all our Facebook fans.
I'm sure we're not the only reason they're on Facebook, but why should we make it— I'm pretty damn sure that's not the case.
Why should we add to the difficulty of quitting the addiction?
We're going to check that we don't have any websites or third-party apps which are associated with our Facebook login.
And if they are, we'll recreate accounts on those sites without using Facebook logins. Okay. Or we just ditch the apps because what are they thinking?
And we'll zap the Smashing Security Facebook group. Sorry guys. Thank you for all the support. Go and join us on Twitter.
That helped me a lot.
I'm sure they've listened to the podcast and know, well, I'm going to give them time just to deal with it.
We'll be back next week with a regular episode, pick of the week and all the other goodies and a different guest.
But if you want to follow us in the meantime, you can join us on Twitter @SmashingSecurity. Security, no G, Twitter wouldn't let us have a G.
You can grab t-shirts and stickers and mugs and things like that at smashingsecurity.com/store.
And you can go to smashingsecurity.com for past episodes and for details on how to get in touch with us. Thanks for tuning in. Thank you, Maria, as well for joining us.
If you like the show, rate it on Apple Podcasts. It really does help new listeners discover us, which we like. Until next time, cheerio, bye.