New Facebook Privacy and You
Facebook are in the process of changing how their privacy settings
work, and today, I was given the option to migrate my account over
to the new scheme. These were
announced
on the facebook blog about a week ago, and sounded quite promising.
Unfortunately, I actually feel creeped out by the new system.
I'm going to start with the good thing. Yes, that's right, there's
only a single good thing about the change that I've found.
When making status updates, one now has fine-grained control over who
sees them. I can have a status update that's only seen by my family,
or only seen by my friends who like to dress as pirates, or by
everyone except my friends in Sydney. This is something that a lot
of people have been asking for, and it's great to see it implemented.
Unfortunately, the rest sucks.
I've some some blogging about Facebook
privacy in the past, as well as a conference presentation
and radio
interview. In all cases, I've recommended using the (difficult
to find, but incredibly valuable) button marked Do not share any
information about me via the Facebook API. When ticked, that
would block almost all the information I could gain about a
user with my tools, which try to squeeze as much information from
the Facebook API as possible. Admittedly, there were some leakages,
but not many.
That setting is now gone. All the applications, installed by
all your friends, now have access to your "publicly available
information", and there's not a damn thing you can do about it.
Publicly available information includes Name, Profile Picture, Gender,
Current City, Networks, Friend List, and Pages. What's more
disturbing for me is that the new Applications and websites
settings don't provide a control for sharing of events. In fact,
some of the volunteers
for my privacy study have gone from me not being able to see
anything about them, to me being able to see their past,
current, and future events! That disturbs me, not least because
I want to control who can see which events I've attended.
The other thing to dwell on here is pages are now publicly
accessible. Pages are things that you can fan, such as
companies, or bands, or even privacy researchers,
and newsletters. To be
honest, these were creepy to begin with, because the owner
of a page could access all sorts of bulk demographic data about their
fans, and even export it for processing with other tools. But
now, the list of pages you've fanned are public.
Public information in Facebook is available to everyone, even
users who haven't logged in, and third party applications and websites. That's bad. You may have
have fanned pages that relate to controversial beliefs or sexual
preferences. Your probably don't want a potential employer
to be able to see these, but now there's nothing you can do about
this either, except for un-fanning those pages.
I recommend you do this now.
What's also conspicuously missing are the ability to control is what
goes onto the recent activity section of your Wall. I'm
looking at one my volunteers now who previously never had their
like events posted to their wall, and it's now covered with
them. This gives me a wealth of information about who they're
interacting with, which in turn is very useful if I'm planning
to do any social engineering.
In fact, it even links to events and posts that my friends like, but that I can't see.
I can even extract Facebook IDs (fbids) of the target posts.
While this doesn't in itself let me access the information directly, I
can certainly tell when two of my friends are liking the same post.
Based upon what I know about my friends, I may be able to infer more
than that, or ask one friend what another friend has just "liked".
You can manually remove recent activity from your wall, but you
have to do it manually by finding the event you want deleted, and selecting
the 'Remove' option that appears when you hover to the right of it.
Joining groups also results in recent activity (without the option of
turning it off), and there's a chance that other events may appear
there as well.
In fact, talking of groups, I can't find any privacy
controls for them either. For some of my friends, they're
visible. For some of my friends (and apparently for myself), they're
not. At the very least this is confusing, and it may simply represent different friends being at different stages of the privacy migraation.
Group information gets leaked all over the place anyway (recent events, groups recently joined, and publicly visible group lists), so regardless how this is being controlled, I can probably find
out which groups you're a member of regardless.
What I find most disturbing of all is that my friends list has gone
from completely private to completely public. While I've found the
control that allows me to no longer display my friends on my profile,
since they're now "publicly available information", they're still
accessible by other means. I actually consider my list of friends
to be very private; and I'm not at all happy that's changed.
Oh, and for those who remember me talking about dark stalking to infer the existence of other users who had otherwise completely hidden themselves from view? Well, it's not that big an issue anymore, since I can now directly navigate to their pages (from their UIDs that I'd found previously), and see their "publicly available information". Good work in protecting their privacy, Facebook, good work...
Recommendations
So, you might be wondering what I recommend? Well, to begin with,
make sure that you're happy with your new "publicly accessible
information" really being public. If you don't want your
grandparent, work colleague, potential employer, stalker, dog, guild,
or whoever else seeing your Name, Profile Picture, Gender, Current
City, Networks, Friends, or Pages, then change or remove them
now. They're available to everyone, including
unauthenticated users, "facebook-enchanced applications and websites",
and via the API.
Go to your profile page. Scroll down until you see
Recent Activity. Anything you don't want to see there,
delete it now. Anytime you join a group, or like an event, or
fan a page, or change your relationship status, or sneeze,
go back to Recent Activity and check if you're happy with that
being broadcasted.
Go through all the new privacy settings, and think about
each one. Some of them may not have even been mentioned in the
migration tool. My date of birth had unexpectedly went from being
completely private to compeltely public.
Stay informed. If you want updates from me, then
join my
privacy study or subscribe to the relevant
google
group. Make sure you fan the Facebook Site
Governance page, since that's where many updates are posted,
and is a hub for user feedback.
If you want another perspective on the changes, the
Electronic Frontier Foundation
have also posted their
analysis of the changes.
Finally, be aware this is not the first time a major website has changed their privacy policy, and it certainly won't be the last. If you really want something to remain private, you might want to avoid putting it on-line in the first place.
