Tightening up your Facebook privacy

I've previously discussed the new Facebook privacy system, what it means to you, and some recommendations on keeping at least some privacy. If you haven't read this post, I suggest you do so now, as I won't be repeating those recommendations here.

Since my last update, I've had a lot of feedback, and done a bit of exploring, and discovered there are some extra privacy controls that are rather hard to find! One thing that had me perplexed was how to hide which groups I was a member of. Groups are juicy stuff, they tell me a lot about your beliefs, interests, and social ties. These are things you may not wish to be broadcasting to the world. Events are the same, but even more so, since they give me an idea of where you actually are, and who you're physically interacting with. You probably want to have some control over who can see these.

Luckily, you can; the controls just aren't where you expect them to be. They're not in Privacy Settings at all, they're in Application Settings. By selecting Edit Settings you can change the privacy on your groups, events, gifts, links, notes, and photos; although the photos setting only controls who can see your photos tab/box/link; individual albums have their own privacy controls.

When deciding on your privacy settings, it's worth keeping two things in mind:

(read more...)

New Facebook Privacy and You

Facebook are in the process of changing how their privacy settings work, and today, I was given the option to migrate my account over to the new scheme. These were announced on the facebook blog about a week ago, and sounded quite promising. Unfortunately, I actually feel creeped out by the new system.

I'm going to start with the good thing. Yes, that's right, there's only a single good thing about the change that I've found. When making status updates, one now has fine-grained control over who sees them. I can have a status update that's only seen by my family, or only seen by my friends who like to dress as pirates, or by everyone except my friends in Sydney. This is something that a lot of people have been asking for, and it's great to see it implemented.

Unfortunately, the rest sucks.

I've done some blogging about Facebook privacy in the past, as well as a conference presentation and radio interview. In all cases, I've recommended using the (difficult to find, but incredibly valuable) button marked Do not share any information about me via the Facebook API. When ticked, that would block almost all the information I could gain about a user with my tools, which try to squeeze as much information from the Facebook API as possible. Admittedly, there were some leakages, but not many.

That setting is now gone. All the applications, installed by all your friends, now have access to your "publicly available information", and there's not a damn thing you can do about it.

Publicly available information includes Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages. What's more disturbing for me is that the new Applications and websites settings don't provide a control for sharing of events. In fact, some of the volunteers for my privacy study have gone from me not being able to see anything about them, to me being able to see their past, current, and future events! That disturbs me, not least because I want to control who can see which events I've attended.

The other thing to dwell on here is pages are now publicly accessible. Pages are things that you can fan, such as companies, or bands, or even privacy researchers, and newsletters. To be honest, these were creepy to begin with, because the owner of a page could access all sorts of bulk demographic data about their fans, and even export it for processing with other tools. But now, the list of pages you've fanned are public.

Public information in Facebook is available to everyone, even users who haven't logged in, and third party applications and websites. That's bad. You may have fanned pages that relate to controversial beliefs or sexual preferences. You probably don't want a potential employer to be able to see these, but now there's nothing you can do about this either, except for un-fanning those pages. I recommend you do this now.

What's also conspicuously missing is the ability to control what goes onto the recent activity section of your Wall. I'm looking at one of my volunteers now who previously never had their like events posted to their wall, and it's now covered with them. This gives me a wealth of information about who they're interacting with, which in turn is very useful if I'm planning to do any social engineering.

In fact, it even links to events and posts that my friends like, but that I can't see. I can even extract Facebook IDs (fbids) of the target posts. While this doesn't in itself let me access the information directly, I can certainly tell when two of my friends are liking the same post. Based upon what I know about my friends, I may be able to infer more than that, or ask one friend what another friend has just "liked".

You can manually remove recent activity from your wall, but you have to do it manually by finding the event you want deleted, and selecting the 'Remove' option that appears when you hover to the right of it. Joining groups also results in recent activity (without the option of turning it off), and there's a chance that other events may appear there as well.

In fact, talking of groups, I can't find any privacy controls for them either. For some of my friends, they're visible. For some of my friends (and apparently for myself), they're not. At the very least this is confusing, and it may simply represent different friends being at different stages of the privacy migration. Group information gets leaked all over the place anyway (recent events, groups recently joined, and publicly visible group lists), so regardless how this is being controlled, I can probably find out which groups you're a member of regardless.

What I find most disturbing of all is that my friends list has gone from completely private to completely public. While I've found the control that allows me to no longer display my friends on my profile, since they're now "publicly available information", they're still accessible by other means. I actually consider my list of friends to be very private; and I'm not at all happy that's changed.

Oh, and for those who remember me talking about dark stalking to infer the existence of other users who had otherwise completely hidden themselves from view? Well, it's not that big an issue anymore, since I can now directly navigate to their pages (from their UIDs that I'd found previously), and see their "publicly available information". Good work in protecting their privacy, Facebook, good work...

So, you might be wondering what I recommend? Well, to begin with, make sure that you're happy with your new "publicly accessible information" really being public. If you don't want your grandparent, work colleague, potential employer, stalker, dog, guild, or whoever else seeing your Name, Profile Picture, Gender, Current City, Networks, Friends, or Pages, then change or remove them now. They're available to everyone, including unauthenticated users, "facebook-enhanced applications and websites", and via the API.

Go to your profile page. Scroll down until you see Recent Activity. Anything you don't want to see there, delete it now. Anytime you join a group, or like an event, or fan a page, or change your relationship status, or sneeze, go back to Recent Activity and check if you're happy with that being broadcasted.

Go through all the new privacy settings, and think about each one. Some of them may not have even been mentioned in the migration tool. My date of birth had unexpectedly gone from being completely private to completely public.

Stay informed. If you want updates from me, then join my privacy study or subscribe to the relevant google group. Make sure you fan the Facebook Site Governance page, since that's where many updates are posted, and is a hub for user feedback. If you want another perspective on the changes, the Electronic Frontier Foundation have also posted their analysis of the changes.

Finally, be aware this is not the first time a major website has changed their privacy policy, and it certainly won't be the last. If you really want something to remain private, you might want to avoid putting it on-line in the first place.


Perl 5.11.1

I've been behind in my blogging; time seems to fly when one is having fun, and I've been having a pretty good time recently. Most of it's involved working with people and science, rather than technology. After I finish my taxes (not yet overdue), this may change.

In the meantime, I can't go without mentioning that Perl 5.11.1 has been released. This isn't a stable version of Perl, but it's a point release on the way toward 5.12.0. I'm quite excited about 5.12.0 for many reasons I'll go into later, but they all involve modernisation of the language.

Of note in 5.11.1 (and hence 5.12.0) is that deprecation warnings are turned on by default. This isn't scary; it means that if you've got old code that's going to break in the future, then Perl will start warning you about that well in advance.

Of other note is a minor point, and that's the ability to include version numbers in package declarations. One can now write package Foo::Bar 1.23, rather than having to do cumbersome things with the $VERSION package variable.


Teaching Perl in Sydney

I've just spent the week teaching Perl in Sydney. It was good. Actually, it was really good. My class were close in ability, asked intelligent questions, thought through problems, asked for assistance when needed, quizzed me about advanced topics during the breaks, and generally showed themselves to be awesome. It felt just like the good ol' days.


This site is ad-free, and all text, style, and code may be re-used under a Creative Commons Attribution 3.0 license. If you like what I do, please consider supporting me on Patreon, or donating via Bitcoin (1P9iGHMiQwRrnZuA6USp5PNSuJrEcH411f).