I’m a Facebook user, not a Facebook basher. When used as intended, Facebook’s a nice tool for keeping up with friends and family. If you’ve mastered email’s many security issues, Facebook security is easy. It has many more security tools than many other Internet apps. So why worry about Facebook security?
In March 2009, Facebook users were attacked by five security problems, including the dreaded Koobface virus! During this time, users were led (like sheep to cyber-slaughter) to fake Facebook sites that harvested user credentials. Then in May 2010, Facebook’s instant personalization feature was used against Facebook users. Yelp users (and their Facebook friends) had their email addresses harvested, possibly by spammers and bot-herders. Validated mail addresses like these normally cost money. As if that weren’t enough, in July 2010, SkullSecurity.org released a BitTorrent file of 100 unique Facebook profiles (with a total of 171 million profiles).
What makes Facebook risks worth a response? Never before has one app provided so much data to the rest of the world. Companies and nations alike made only slivers of data available. Nearly 3 GB of profile information is extremely enticing to marketers; all those friends with similar interests in hobbies and music make great marketing opportunities. It is a magnification of the risks we’ve had with email.
Let’s discuss using Facebook more securely. We’ll start with profile settings we can make, using the new profile introduced recently. I will write a companion set of blogs that cover “soft” security issues. I want to focus this article on the technical baselines.
Understanding Facebook Roles
When configuring Facebook security, you must use special roles. You probably understand that the Everyone role means just that. Everyone, as in “everyone in the world.” Anyone listed in the Facebook Pages Directory, an open repository of people whose privacy settings are open or left at the defaults, can have much of their profile information collected. You may even know that “Only Me,” another role, means just that: just you.
The “Friends” role seems simple enough. Friends are the people you specifically approve to view your information. But what about that “Friends of Friends” role? Whom does that include, and how do you restrict it?
You can’t restrict membership in that role. You don’t control who your friends’ friends are, right? Therefore, when you give that role access, you trust everyone your friends trust. This was a problem for some Facebook users. They didn’t understand that their friends’ loose security settings would allow access to personal information they thought was secret. The “Friends of Friends” role is not as open as the Everyone role, but no one should assume the role’s size or membership can be determined easily.
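To make the transitive-trust point concrete, here is an added Python model (not Facebook’s code; the users and friendships are constructed) that resolves which accounts each role admits over a small friend graph, and shows the Friends of Friends audience growing when one of your friends accepts a new request, with no action on your part:

```python
from typing import Dict, Set

# Constructed friend graph (hypothetical accounts, not real users).
# Each name maps to the accounts that user has approved as friends;
# friendship is symmetric, so both directions are listed.
FRIENDS: Dict[str, Set[str]] = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice"},
    "dave": {"bob", "eve"},
    "eve": {"dave"},
}

ROLES = ("Only Me", "Friends", "Friends of Friends", "Everyone")


def audience(owner: str, role: str, graph: Dict[str, Set[str]]) -> Set[str]:
    """Return the accounts that can view a field the owner has set to `role`."""
    if role == "Only Me":
        return {owner}
    if role == "Friends":
        return {owner} | graph[owner]
    if role == "Friends of Friends":
        # The owner controls only the first hop. The second hop is whatever
        # each friend has approved, which the owner cannot restrict.
        second_hop = set().union(*(graph[f] for f in graph[owner]))
        return {owner} | graph[owner] | second_hop
    if role == "Everyone":
        return set(graph)  # every account in the graph, i.e. the world
    raise ValueError(f"unknown role: {role}")


def can_view(viewer: str, owner: str, role: str, graph: Dict[str, Set[str]]) -> bool:
    return viewer in audience(owner, role, graph)


def befriend(graph: Dict[str, Set[str]], a: str, b: str) -> None:
    """Simulate a friend request between a and b being accepted (symmetric)."""
    graph.setdefault(a, set()).add(b)
    graph.setdefault(b, set()).add(a)


def friends_of_friends_growth() -> tuple:
    """Alice's Friends of Friends audience before/after Bob adds a stranger."""
    g = {k: set(v) for k, v in FRIENDS.items()}  # work on a copy
    before = audience("alice", "Friends of Friends", g)
    befriend(g, "bob", "frank")  # Alice took no action here
    after = audience("alice", "Friends of Friends", g)
    return before, after
```

Run `friends_of_friends_growth()` to see "frank" appear in Alice's audience solely because Bob accepted him.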
Review Figure 1. These are Facebook’s recommended security settings; are they adequate security for your profile information? Do you care if Everyone sees Everything? Let’s review profile security and see what needs to be restricted, if anything.
Figure 1: Facebook’s recommended privacy settings.