In 2004, Mark Zuckerberg changed the world, for better or worse, with the launch of Facebook. Originally exclusive to Harvard students, the social network quickly surpassed then-dominant MySpace to secure its place in the Internet food-chain. While it may seem like everyone who's anyone is on Facebook, the website has come under constant scrutiny in recent years over its privacy policies and its implications in the Snowden leaks. Yet, despite the facts, experts still seem unable to agree as to whether or not it is possible to have privacy while using Facebook.
Internet Safety 101
Before one can hope to maintain privacy on Facebook, one must first understand the basics of Internet Safety and Privacy. Without this foundational knowledge, it's impossible to evaluate the level of privacy one can have on any website. I would strongly recommend reviewing the Privacy Rights Clearinghouse's Fact Sheet on Online Privacy for a primer. Moving forward in this article, I will assume you have a basic knowledge of the Internet, how it works (things like IP addresses and cookies).
We'll start with one of the most annoying aspects of Facebook - advertising. Most experts will agree if the service is free, YOU are the product. In the case of Facebook, its revenue comes from advertising. Unfortunately, many online ads today also track you online. They can track you across websites and build a profile based on the sites you visit, ads you respond to, and products you buy. Additionally, social media widgets like Facebook's Like button, can easily track your browsing habits across multiple sites. One simple way to prevent this is to install Privacy Badger in your browser. This will allow you to prevent these methods of tracking you.
Sharing is Not Always Caring
Contrary to popular belief, the single biggest threat to your privacy on Facebook is you, yourself. In the early years of Facebook, before privacy became a big issue, most of us thought it was great to share a little about ourselves with the world. We often thought nothing of it so we put our birthday, city and state, and phone number on our account. Some of us even put our full address. In a perfect world with flawless software and governments that respect privacy, this information would be perfectly safe and secure on your profile. You've set your privacy settings to restrict access to your closest friends, whom you've personally verified as being behind their profiles. Nothing to worry about, right?
Unfortunately, even the most popular software written by the world's top experts can be riddled with bugs and flaws that allow unauthorized access to certain information. As any experienced privacy expert will tell you, a single piece of personal information may not seem worthwhile, but coupled with one or two other details about you, and your entire life can be exposed overnight.
At the center of Facebook lies the profile - your personal account with the information you choose to share with your friends and the world. The following sections outline the various information you can include on your profile.
Control What You Share
Facebook's privacy settings allow you to control who sees your posts, who can contact you, and who can look you up. I personally recommend making sure that only your friends can see what you post. When writing a new post, Facebook offers an audience selector that allows you to choose who can see that specific post. You can elect to share it with only a handful of people or share it with your friends while hiding it from a few people. You can also use friend lists to group together friends. By using this in conjunction with the audience selector, you can have granular control over who sees the things you post as well as who see the different pieces of information on your profile.
I strongly suggest limiting who can look you up my your email and phone number to your friends. Otherwise, anyone can find your profile with either piece of information. I also strongly suggest turning off the option for search engines outside of Facebook to link to your profile.
If you, like I once did, have your home address on your Facebook profile, it's time to remove it. Seriously, don't even finish reading this article. Edit your profile right now and remove it. You are just asking for trouble. There is absolutely zero need for you to make your home address public. Consider using a P.O. Box or a private mail drop from the UPS Store or similar service.
Your phone number
While having your phone number listed on Facebook is hardly as dangerous as listing your address, it's worth keeping in mind that a simple reverse lookup of your phone number could reveal your home address. To mitigate this risk, you should never connect your home phone to your Facebook account. Additionally, check with your mobile carrier and update the address on record to your P.O. Box or private mail drop. You may also be able to request that your carrier does not list your information with your phone number. My personal cell phone returns my name and my location as Nashville, TN even though I live elsewhere in Tennessee. My business phone number, which is procured through Google Voice returns no information on me whatsoever. Neither phone number will be beneficial to anyone.
Work and Education
While it may seem harmless to share your workplace on Facebook, it certainly is not without its risks. Employees have often been fired for what they post on social media. Additionally, if you are at risk of being stalked or harassed for a debt, your workplace is definitely a prime target. On July 4th, 2016, 22-year-old Bryton Mellot exercised his freedom of speech and burned the American Flag, posting the incident on Facebook. Despite where you stand on the issue of flag burning, my focus on this incident is the danger introduced by Facebook. The Walmart he worked at soon came under threats. It didn't take much to figure out where he worked and the whole situation could have had a much more tragic outcome.
Listing your college, university, or high school isn't much of a threat unless you are currently attending. It should go without saying that minors shouldn't be listing such information anywhere on the Internet. College students should be similarly cautious, especially when living on a small or open campus. When I attended university in West Palm Beach, the campus was a block away from downtown and was wide open. Anyone could drive through the campus or enter most buildings without the need for ID. The dorms were unlocked with traditional keys and sat on the edge of campus. We were lucky to live in a fairly safe part of town, but that would have never stopped the wrong person from infiltrating the campus to find their target.
Places You've Lived
For the most part, listing places you've lived and your current city aren't a major threat. However, if you are at high risk of stalking or harassment, you may consider listing only places you've lived in the past, before the stalking/harassment started, and not add any new locations you may move to. Otherwise, you are leaving a breadcrumb trail for anyone looking for you. Additionally, living in a small town or suburb could reduce your privacy if you share the exact town on your profile. A popular workaround is simply listing a large city nearby. I live in a small town an hour or so out of Nashville, so I would list Nashville on my profile. Elementary, my dear Watson.
Family and Relationships
Listing your family and significant other isn't nearly as dangerous as listing other information on your profile. However, high risk individuals and family of high risk individuals should give careful consideration before adding anyone to this section. You could expose them to harassment or stalking as a means to get to you. You could also expose a connection to a person an adversary otherwise did not know about.
Details About You
Be careful when sharing life events on Facebook. Things like buying a new car, buying a new home, graduation, etc. can all be used to later identify you for matters such as credit reports and identification. I've frequently been asked to identify a vehicle I purchased in a given year when I apply for a credit report. Posting this information on Facebook allows anyone with the right permissions to look it up for themselves.
In recent years, incidents of impersonation on Facebook have been on the rise. Scammers create a profile under your name or a friend's name. They'll use the same pictures and information you or your friend have on their profile. The danger with this comes into play when people who forget their password simply create a new profile. It can seem impossible to distinguish between the real deal and the scammer. I have an old friend who has, at least, four or five distinct profiles on Facebook because she constantly forgets her password. With so many real profiles for her, it wouldn't take much for someone to create a fake profile and pose as her. Sometimes it's merely a prank. Other times, it's to scam money or information. At it's core, Facebook impersonation is a form of identity theft. With employees being fired over what they post on Facebook, coupled with the way petty arguments escalate to long-term grudges over posts, an impersonator could potentially do irreparable damage to one's reputation and relationships.
A similar threat users face with "friends" is that many people will gladly accept a friend request from anyone, even people they don't know. I've had family receive requests on Facebook claiming to be an old friend from high school. Instead of researching the person, they gladly accept the friend request without realizing they have never even met before. Such accounts are generally a form of social engineering, usually in an attempt to gain personal information that you only share with friends.
We have a natural tendency to trust those we consider to be friends. However, unless you can verify the identity of the person behind the profile, it's best to not share anything you wouldn't otherwise make public. After all, even if your friend really did make their profile, someone else may have hacked their account and could be using it to get information.
When all else fails, you can always block people on Facebook. Generally, people block someone who is harassing or otherwise annoying them. However, there is absolutely nothing wrong with blocking someone who has never contacted you. I have several people blocked on Facebook simply because I do not want them to find my profile.
All of the advice in the world can't protect your account if you don't take its security seriously. If you don't use login approvals, anyone can get into your account with your password alone. If you don't have login alerts enabled, you'll never know that someone else has accessed your account until it's too late. If you enable two-factor authentication or code generator, as Facebook calls it, the only viable way for anyone to breach your account is through a security flaw in Facebook's software. Code Generator requires you to enter your password and use a time-based PIN to verify your identity before logging in to your account. This simple extra step can be the sole different between keeping and losing your reputation and profile.
Facebook allows you to select three to five friends as trusted contacts who can help you regain access to your account if you forget your password and can't access the email account you signed up with. Your friends will be able to access a special code you can use to regain access to your account. This feature, as far as I am aware, is unique to Facebook and is quite handy.
One of the biggest things I've seen people fail to do with their Facebook account is to frequently review the browsers and devices they're logged in with as well as where they're logged in from. Both of these sections allow you to see information about every web browser and device that is currently or recently logged in to your account. It also grants you the ability to terminate any or all of the sessions listed. If you see an unusual device, browser, or location, it's possible someone else may have access to your account.
It's also worth reviewing the apps you use on Facebook such as games, quizzes, and other websites you've used Facebook to sign-in with. Some games and apps have been maliciously crafted to steal your information or spam your friends on your behalf.
Location, Location, Location
Facebook, being the social platform that it is, allows you to not only share what you are doing, what you are thinking, what you are eating, and what you are watching; but also allows you to share where you are at when you post. I constantly see people check-in on their phone, as if to let the entire world know where they are. While there's nothing inherently dangerous about this if you check-in at, say, a concert or a nice restaurant, checking in at work and home or at friends' houses can be a potential threat.
Software exists that can aggregate all the locations from your past posts and build a map showing where you check-in most frequently. The software is easy to use and only requires being able to view your posts. An adversary could easily generate this map and determine your place of employment and your home. Coupled with any other information you leave available on your profile, your privacy could disintegrate in a matter of minutes.
On the web, check-ins are voluntary and are performed by entering your location along with your post. On mobile devices, however, your post can automatically be tagged with your location based on your GPS position. Using Location Services on your mobile device Facebook can track your location even when you don't check in. Depending on your app and device settings, Facebook can either track you only when you use the app or any time the device is on. This information can be connected to your account like your IP address and can be turned over to government agencies or possibly exploited through a security flaw in Facebook's platform. Since this information is provided by the GPS, it is usually far more accurate than your IP address alone.
Turn Off Location Services
The easiest and most effective way to prevent Facebook from using your location on your mobile device is to simply turn off Location Services for the app. Keep in mind if you use Facebook's Messenger app, you will need to do the same for it as well.
A privacy expert's greatest weapon - disinformation is the act of deliberately sharing or spreading false or misleading information. Since Facebook is often a go-to starting point for finding information on someone, it stands to reason that the more inaccurate information you share on Facebook, the more misguided anyone would be when trying to violate your privacy. Examples of disinformation on Facebook would be setting your current city to the nearby metropolis when you live in a suburb or even in the general vicinity. If you live within an hour or so of New York City, you could list NYC as your current city even though you are not actually there.
Despite the many privacy controls and security options Facebook offers, nothing can protect your data from extraction by a hacker who exploits a security flaw in Facebook's platform. Some flaws merely allow people to view your profile when they otherwise wouldn't be allowed. More serious flaws, however, can allow an attacker to access to your private messages. Even without security flaws, Facebook frequently receives government requests for user data. Additionally, the Snowden leaks reveal that the NSA can tap your Facebook chats and even impersonate Facebook. If your potential adversary is an oppressive government, sharing your real information on Facebook will be the equivalent of handing yourself over on a silver platter. Disinformation can be critical in such a case.
- Use a burner phone number and change it on your account every time you get a new one.
- Use a throw-away email address and change it frequently.
- List a fake current city and change it often.
- Never list an address. You don't want to tie innocent people to your identity.
- Use the Tor Browser or Tails to access your account. This will mitigate the ability to track you down by your IP address.
- Never access your account from an insecure or public location like a library. Your session can easily be tracked to your identity (using your library card or ID to use the computer as well as surveillance footage of you at a given machine) and other metadata about your visit (books you checked out, surveillance video of the vehicle you drove, etc.) can be used to destroy your privacy).
One of the most dangerous mistakes someone makes on social media in general, especially Facebook, is posting about how wonderful their vacation in the Bahamas is and how relaxing it is to be away from home or posting about how they can't wait to drop the kids off at the babysitter and have a romantic evening out with their spouse. This is a bright beacon of hope for any potential burglar. If they can see your posts (either because your privacy settings are too open or they're your "friend"), they'll know that you are away and likely know when you'll be back. It's becoming more and more common for burglars to use social media to find their next target, all because you couldn't resist to post that picture of you and the kids with Mickey Mouse in the Magic Kingdom.
If you absolutely insist on sharing the pictures and offering a play-by-play of your vacation, at least use the audience selector to mark the posts so only you can see them. When you return home from your trip, go back and change the audience so everyone can see your posts. You'll be home and that'll throw any would-be criminal a nice curveball.
Facebook, like anything else, can be a wonderful tool to stay in touch with friends and family abroad. Many groups exist to allow people buy and sell with their local community, find lost pets, find new social events, and even find love. Facebook has played a pivotal role in reuniting me with long lost friends from high school and college and even allowed me to build stronger relationships with people I see on a regular basis. I don't believe in avoiding Facebook like some experts suggest unless you are at high risk for harassment or abuse, in which case you may wish to use the precautions I've outlined in this article. So go ahead, enjoy your digital self. Just use common sense:
- Be responsible.
- Think before you post.
- Verify who's really behind that friend request.
- Lock down your privacy settings.
- Secure your account with login approvals, login alerts and code generator.
- Clean up and remove access to old apps, games, and quizzes you no longer use.
- Never send sensitive information in a Facebook message, even if you trust the recipient.
- Never trust Facebook to protect your most sensitive information. It can always be compromised.