May 7th, 2011

Facebook: Quick Steps to Lockdown Security and Privacy

Facebook use is ubiquitous: you can even “Like” this post on Facebook right from our blog.  As most people know, the default account settings in Facebook are very weak in terms of security and extremely permissive in terms of privacy (Facebook doesn’t really believe in privacy).

For an in depth guide to Facebook’s settings and their security and privacy impact, we recommend reviewing Facebook Security Best Practices by Sophos.

Here, we provide a set of very important and simple changes you can make to your facebook account to significantly improve security and privacy.  You can think of these suggestions as the “low hanging fruit”.

Account Profile Basics: Security

In your Facebook “Account > Account Settings > Settings” page,

  1. Make sure that your password to Facebook is strong and not the same as the password that you use for any other site.
  2. Set a good security question and answer.
    1. Note: Once you set your security question and answer, you can never change it! According to Facebook: “To protect account security, it is not possible to update your account’s security question once you have added one. If you have not yet created a security question, you will see this option on the Account Settings page.”
  3. Under “Account Security”:
    • Enable “Browse Facebook on a secure connection (https) whenever possible”
    • Enable “When an unrecognized computer or device tries to access my account” (login notifications) and ideally, also enable the login-approval option that requires a security code for logins from unrecognized devices.  The first notifies you if someone is trying to access your account; the second provides two-factor authentication for new computers (or web browsers) trying to do so.
  4. Don’t use Facebook for sending sensitive messages (posts, messages, or email) to others — you have essentially no security with this messaging system.

Account Profile Basics: Privacy

It is good to read Facebook’s own page “Controlling How You Share“.  This will help you understand the general privacy settings available.

Click on “manage” to the right of the “Privacy” section of your “Account > Account Settings > Settings” page.

  1. Searching For You: Click on “View Settings” under “Connecting on Facebook“.  Use this section to control, in general, who can see what information about you.  In particular, you may want to:
    1. Restrict who can see your list of friends to just other friends
    2. Restrict who can see your education, work, current city, home town, likes, activities, etc.  Generally, these should be set to “Friends Only” … though you can lock it down further by choosing the “Custom” level and making it private, showing it only to certain people, etc.
    3. You may want to change who can “Search for you on Facebook” from Everyone to “Friends of Friends” or just “Friends” — if you don’t want random people using Facebook to look you up.
  2. Update your “Sharing on Facebook” settings to control exactly who can see information about you.  Generally, it is good to restrict most of this information to just “Friends” or to use “Custom” settings to further restrict things.  Be particularly careful with the settings for the following “sensitive” information (which could be used to assist in phishing or identity theft):
    • Who your family members are
    • Who you are in relationships with
    • Your birthday
    • Places you check in to
    • Photos you are tagged in
    • Address
    • IM screen name
    • Email address
    • Phone number
    • Posts by you
  3. Apps and Websites.  Click on “Edit your settings”
    • Info accessible through your friends:  Any information about you selected here is made available to any third-party application or web site visited by any of your friends.  I.e. you lose all control of this information and anyone may get copies of it.  We recommend NOT sharing anything here.
    • Public search = Google: If you do not want a summary of your Facebook profile visible to anyone performing a web search on Google, Bing, or other search engines, you should ensure that “Public Search” is not enabled for your account.

More Privacy Considerations

  1. Facebook changes their privacy controls, settings, and policies very frequently — often with little, if any, forewarning.
  2. Delete Profile Data: If you have information in your “Profile” that is sensitive or very personal or which would be “bad” if unwanted people saw it, the best way to protect that information (better than the standard access controls) is to delete that information from your profile.  If it is not there, nobody will ever see it, even if your friends’ accounts get hacked.
  3. Third party Facebook applications used by your “friends” generally get quite a bit of information about you. Unless you restrict what information applications can access [see above], or delete that information from your profile, you should assume that there will be malicious applications out there collecting your Facebook profile data — it happens all the time.
  4. Facebook owns all of your content! The Facebook terms of service give them a permanent license to use your content (posts, pictures, notes, and everything else) in any way that they want, forever — even if you close your account with them or delete it (and it is shared with others).  As they say, once you put something on the ‘net, it’s there forever.  This is especially true with Facebook.  So, “Make sure you never upload anything you don’t feel comfortable giving away forever, because it’s Facebook’s now.”

Additional Suggestions

  1. Friend Lists: Use Friend Lists to group your friends.  You can then use the “Custom” privacy settings to restrict access of information to specific groups of friends.  I.e. at a minimum you could define “Good Friends” and “Acquaintances” … and limit what the mere Acquaintances will see.
  2. Don’t Let Everyone See Your Tagged Photos. To prevent everyone from seeing photos that you are tagged in (which you have no control over … and who knows what photos these may be….) go into the main privacy page, click on “Customize Settings”.  Under “Photos and videos I’m tagged in”, click on “Edit Settings” and enter the people you don’t want to see your photos … or customize the settings and choose “Only Me” to make these all private.
  3. Instant Personalization: Under “Account > Privacy Settings > Apps and Web Sites > Instant Personalization”.  This allows third-party web sites to customize your experience when you visit them while also logged into Facebook.  This is convenient, but in order to do this, it shares your personal information with them.  You may want to turn it off. More on Instant Personalization.
