Facebook
Facebook’s privacy controls are strong, sophisticated…and confusing. The big risk, though, is the platform applications—they could easily be viruses, and they have access to your profile.
To block and report platform applications:
Why? You know all those quizzes you take and applications you install on your profile? Vampires? iLike? Well, those applications are not developed by Facebook. In fact, the people at Facebook don’t even review those applications to make sure that they a) work correctly or b) don’t do anything malicious to your profile or your computer. In January 2008, Facebook had to remove one of these “platform applications.” A security company discovered that The Secret Crush application was installing adware on users’ machines. (Not only that… it never bothered to tell you who had a crush on you!) Platform applications could do a lot worse than that, though, because by installing them, you grant them access to your profile information and sometimes your friends’ profile information. How? To block an application, first click “Applications” on the left toolbar. Click “Browse applications,” then “Search applications.” Select the application you wish to block. “Block application” will be located in the right-hand column. To report that the application has done something malicious, and click on “Report Application,” located on the bottom left of the page.
Facebook User’s Profile Page
Facebook Application
To delete an application from your profile:
Why? You shouldn’t allow an application to hang around with access to your profile when it’s not one you even use. How? Once you’ve logged in, click “Applica-
tions” in the vertical bar on the left-hand side. Click “remove” beside whatever application you wish to uninstall.
July 2008
�To limit what profile info other people can see:
Why? While you may want to share
Removing Applications
your home address or photos with your closest friends, you probably don’t want to share that information with just anyone. Facebook allows you to set some pretty granular controls on that profile information.
How? Click “privacy,” in the upperright side of the dark blue toolbar. Click “Profile.” From there you’ll be able to restrict access to your profile, your personal information, your online status, your status updates, your friends, any photos/videos tagged with your name, anything written on your wall, etc.
To limit access to your contact information, click the “contact information” tab. From there you can determine who can see your IM screen name, mobile phone number, land line number, address, Web site, and e-mail address. You’ll be able to limit access to that information to “Only Friends,” “Friends of Friends,” “My Networks and Friends,” and in some instances “No one.” Or you can “Customize” the options. Use customize if you’ve got some friends you’re willing to share your whole profile with, and some friends you’d rather allow only a limited profile to. If you choose customize, a new window will open. Under “Except These People,” type in the name of individual friends, or a friend list. To make a friend list, click “Friends” in the dark blue toolbar on the top of the page. (Do not choose from the drop-down menu.) Click “Make a New List” on the right side of the page and name it “Limited Profile” or “Only Acquaintances” or “People I Want to Keep at Arm’s Length.” Then add friends to that list.
Limit Viewable Information
July 2008
�To limit who can find you in a search:
Why? Perhaps you just want to use
Block Other Users
Facebook to stay in touch with your current friends, not make new ones, and you’d rather not have strangers checking you out online.
How? Click “privacy,” in the upperright side of the dark blue toolbar. Click “Search,” and under “Who can find me in a search?” select “My Networks and Friends of Friends,” “My Networks and Friends,” “Friends of Friends,” or “Only Friends.”
To block other users:
Why? Unfortunately there are people in our lives we’d rather not have in our lives. Sometimes it’s appropriate to block someone, so they will not be able to search for you, see your profile, or contact you on Facebook. How? Click “privacy” in the upper-right
Delete Credit Card Data
side of the dark blue toolbar. On the bottom of the page, you’ll see the “Block people” window. Type in a person’s name, and if they have a Facebook account, you can block them. To delete credit card data:
Why? Credit card data is one of the
most tempting attack targets. Although it is convenient if you regularly make purchases through Facebook, you should never save credit card data as part of your profile. Many online businesses will have your credit card data stored (hopefully securely) somewhere, but very few if any of those same sites also have the breadth and depth of personal information your Facebook profile holds.
How? In the upper-right of the dark blue toolbar, click “Account.” Under “Settings,” under “Credit Cards” click “manage.”
To change your password:
Why? You should periodically change your password, just in case an attacker has gotten a hold of it. How? In the upper-right of the dark blue toolbar, click “account.” Under “Settings,” Under “Password” click “change.” Be sure to choose a password that is at least 8 characters long, and a mix of letters (both uppercase and lowercase), numbers, special characters (&,%,$,etc.), and is something easy for you to remember but very hard to guess.
July 2008
�To deactivate/delete your Facebook account:
Why? If you lose interest in Facebook, get rid of your account. It’s an unnecessary risk to leave it live. Facebook
has been criticized for its process for deactivating accounts. Merely “deactivating” your account doesn’t accomplish much. If you want to reactivate it, all you need to do is log in. Your friends can still invite you to events or applications, and you’ll still receive e-mail notifications when those invitations happen. (You can turn off those notification e-mails, but it takes an extra step.) “Deactivate” is not “delete”—Facebook does not delete your profile. The good thing about deactivation is that if you later decide you want your Facebook account back, they can reactivate your profile just like it was before—no need to reinstall applications, etc. The bad news is that if an attacker figures out how to access Facebook’s Web database, they can find your full profile data, with all your personal information and credit card data (if you made the risky decision to store credit card data on your account).
How? If you’re comfortable with merely deactivating your Facebook account, click “account” in the dark blue toolbar across the top of the page. Click “Deactivate.” A new window will open asking you why you’re leaving Facebook. Near the bottom of the page there is a box (unclicked by default) that allows you to opt out of receiving e-mail notifications. Click this box, then click “deactivate.” If you want to really delete your Facebook account, first browse the Facebook “Groups.” Search for the group titled “How to permanently delete your Facebook account.” This group’s page provides easy instructions for deleting your account (which they say takes two to three days to take effect). If you join this group, you will be updated whenever Facebook’s deletion practices change.
Other tips • Your Facebook friends will send you loads of requests. Remember though, that part of the installation process is to invite other friends to the application—so your friends have sent you a request before they’ve even used the application themselves. Before you install it yourself, ask your friends what they think, and check out their profile pages to see how the application works. If you’re just going to use your privacy settings to prevent anyone from seeing certain information anyway, then save yourself the effort—don’t bother to enter that info in the first place! Ask your information security or IT department about your organization’s policy on Facebook. You may not be allowed to check your account at work.
• •
July 2008
�