New Facebook Privacy and You
Facebook are in the process of changing how their privacy settings work, and today, I was given the option to migrate my account over to the new scheme. These were announced on the facebook blog about a week ago, and sounded quite promising. Unfortunately, I actually feel creeped out by the new system.
I'm going to start with the good thing. Yes, that's right, there's only a single good thing about the change that I've found. When making status updates, one now has fine-grained control over who sees them. I can have a status update that's only seen by my family, or only seen by my friends who like to dress as pirates, or by everyone except my friends in Sydney. This is something that a lot of people have been asking for, and it's great to see it implemented.
Unfortunately, the rest sucks.
I've some some blogging about Facebook privacy in the past, as well as a conference presentation and radio interview. In all cases, I've recommended using the (difficult to find, but incredibly valuable) button marked Do not share any information about me via the Facebook API. When ticked, that would block almost all the information I could gain about a user with my tools, which try to squeeze as much information from the Facebook API as possible. Admittedly, there were some leakages, but not many.
That setting is now gone. All the applications, installed by all your friends, now have access to your "publicly available information", and there's not a damn thing you can do about it.
Publicly available information includes Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages. What's more disturbing for me is that the new Applications and websites settings don't provide a control for sharing of events. In fact, some of the volunteers for my privacy study have gone from me not being able to see anything about them, to me being able to see their past, current, and future events! That disturbs me, not least because I want to control who can see which events I've attended.
The other thing to dwell on here is pages are now publicly accessible. Pages are things that you can fan, such as companies, or bands, or even privacy researchers, and newsletters. To be honest, these were creepy to begin with, because the owner of a page could access all sorts of bulk demographic data about their fans, and even export it for processing with other tools. But now, the list of pages you've fanned are public.
Public information in Facebook is available to everyone, even users who haven't logged in, and third party applications and websites. That's bad. You may have have fanned pages that relate to controversial beliefs or sexual preferences. Your probably don't want a potential employer to be able to see these, but now there's nothing you can do about this either, except for un-fanning those pages. I recommend you do this now.
What's also conspicuously missing are the ability to control is what goes onto the recent activity section of your Wall. I'm looking at one my volunteers now who previously never had their like events posted to their wall, and it's now covered with them. This gives me a wealth of information about who they're interacting with, which in turn is very useful if I'm planning to do any social engineering.
In fact, it even links to events and posts that my friends like, but that I can't see. I can even extract Facebook IDs (fbids) of the target posts. While this doesn't in itself let me access the information directly, I can certainly tell when two of my friends are liking the same post. Based upon what I know about my friends, I may be able to infer more than that, or ask one friend what another friend has just "liked".
You can manually remove recent activity from your wall, but you have to do it manually by finding the event you want deleted, and selecting the 'Remove' option that appears when you hover to the right of it. Joining groups also results in recent activity (without the option of turning it off), and there's a chance that other events may appear there as well.
In fact, talking of groups, I can't find any privacy controls for them either. For some of my friends, they're visible. For some of my friends (and apparently for myself), they're not. At the very least this is confusing, and it may simply represent different friends being at different stages of the privacy migraation. Group information gets leaked all over the place anyway (recent events, groups recently joined, and publicly visible group lists), so regardless how this is being controlled, I can probably find out which groups you're a member of regardless.
What I find most disturbing of all is that my friends list has gone from completely private to completely public. While I've found the control that allows me to no longer display my friends on my profile, since they're now "publicly available information", they're still accessible by other means. I actually consider my list of friends to be very private; and I'm not at all happy that's changed.
Oh, and for those who remember me talking about dark stalking to infer the existence of other users who had otherwise completely hidden themselves from view? Well, it's not that big an issue anymore, since I can now directly navigate to their pages (from their UIDs that I'd found previously), and see their "publicly available information". Good work in protecting their privacy, Facebook, good work...
So, you might be wondering what I recommend? Well, to begin with, make sure that you're happy with your new "publicly accessible information" really being public. If you don't want your grandparent, work colleague, potential employer, stalker, dog, guild, or whoever else seeing your Name, Profile Picture, Gender, Current City, Networks, Friends, or Pages, then change or remove them now. They're available to everyone, including unauthenticated users, "facebook-enchanced applications and websites", and via the API.
Go to your profile page. Scroll down until you see Recent Activity. Anything you don't want to see there, delete it now. Anytime you join a group, or like an event, or fan a page, or change your relationship status, or sneeze, go back to Recent Activity and check if you're happy with that being broadcasted.
Go through all the new privacy settings, and think about each one. Some of them may not have even been mentioned in the migration tool. My date of birth had unexpectedly went from being completely private to compeltely public.
Stay informed. If you want updates from me, then join my privacy study or subscribe to the relevant google group. Make sure you fan the Facebook Site Governance page, since that's where many updates are posted, and is a hub for user feedback. If you want another perspective on the changes, the Electronic Frontier Foundation have also posted their analysis of the changes.