“In 2003, one year before Facebook was founded, a website called Facemash began nonconsensually scraping pictures of students at Harvard from the school’s intranet and asking users to rate their hotness. Obviously, it caused an outcry. The website’s developer quickly proffered an apology. ‘I hope you understand, this is not how I meant for things to go, and I apologize for any harm done as a result of my neglect to consider how quickly the site would spread and its consequences thereafter,’ wrote a young Mark Zuckerberg. ‘I definitely see how my intentions could be seen in the wrong light.'” From Why Zuckerberg’s 14-Year Apology Tour Hasn’t Fixed Facebook by Zeynep Tufekci, Wired.
“It’s clear now that we didn’t do enough to prevent these tools from being used for harm as well. And that goes for fake news, foreign interference in elections, and hate speech, as well as developers and data privacy. We didn’t take a broad enough view of our responsibility, and that was a big mistake. And it was my mistake. And I’m sorry.” –Mark Zuckerberg’s opening remarks during his Senate testimony, 10 April, 2018.
“Nothing wrong with apologizing, but saying I’m sorry does nothing when you continue to make the same mistakes.” –Unknown
What is one to do with Facebook in light of all the problems that have been coming out about it? For those of us who have been keeping close tabs on Facebook, the Cambridge Analytica news is merely the biggest bit of news, not something that seems surprising. I remember a presentation by a representative of the FTC that I went to four or five years ago where he said they had repeatedly investigated Facebook for breaching their own privacy policies. Remember, this latest news wasn’t a data breach in the sense that someone broke through Facebook’s security protocols to steal data. Cambridge Analytica and their associates used Facebook-provided tools to collect the data with Facebook’s blessing. The “breach” part is that they then used the data in a way that Facebook hadn’t sanctioned. But the collection of your personal data, and that of your friends, was expressly what Facebook’s tools were for.
What can you do? Well, the easy answer is stop using Facebook. Download what information you can and then delete your account. Of course, they make it seem easy to do, but watch out for so-called “reactivation traps” that cancel out your request to delete your account for weeks afterward. (If helping clients use Facebook wasn’t part of my consulting work, I’d have deleted my account nearly a decade ago.)
Let’s say, however, you’re addicted and can’t live without your regular Facebook fix; you just don’t want your private messages shared with foreign political operatives. That’s fair, if that’s where you are.
First, some assumptions. Since there is a dynamic tension between security and convenience, and between privacy and both social sharing and marketing, I’m assuming that you are a typical casual Facebook user who wants your personal data to be more secure than it is now…but without much extra effort. I’m assuming you want to be free to connect with friends and family, or to market your small business (in other words, not totally locked down in a high-security bunker)…but not be an easy mark for data thieves. Like that joke of the hikers and the bear, you don’t have to be faster than the bear, you just have to be faster than at least one other hiker. Security level: at least I’m not last.
Also, I won’t talk about general security, like what makes a strong password or using a different password on different sites. That stuff is out there already, or in other articles in this blog.
Pay Attention to These Issues on Facebook First
The very first thing you should think about is what you’re posting. Remember that the defaults on Facebook are almost always for everything to be “public.” In other words, your first line of defense is that old saying of only doing on Facebook what you’d be comfortable having published in the newspaper. Think broadly, too. With just a few points of data, it’s really easy using “big data” techniques to discover the identities and details about supposedly anonymous users. For example, if you are doing check-ins on Facebook from your home, you are advertising your home address to everyone with an internet connection. If you then check in from your beach-front hotel in Hawaii, you’re also publishing that you’re not currently at home. That’s an invitation for a break-in with only two data points.
A related issue is how you use Facebook. To be extra careful, just skip playing any of the games or taking any of the quizzes that tell you what Game of Thrones character you are, or who your celebrity boyfriend is, or what your IQ or personality is. It was that kind of app that opened the door for Cambridge Analytica. Similarly, when you go to other sites that give you the option of making a new account or signing in with Facebook, make the new account. Using that “Sign in with Facebook” button is easy, but also potentially opens the door to data snooping. Okay, enough of the general stuff. To the specifics!
It’s time to log into Facebook and click the little triangle in the upper-right corner to open the menu. Select “Settings.” This is the area where there are tons of things to adjust. From here on out, I’ll refer to the sidebar on the left as the “settings menu.” Weirdly, you want to skip the “Security and Login” option for now and jump straight to “Apps and Websites.”
What to Look For in ‘Apps and Websites’
On this page, there are three tabs: Active, Expired, and Removed. Look at the list on the Active tab. These are apps/websites that currently have access to some or all of your data. It may be that they only can see your basic identity. They might provide some kind of function that you want. For example, I have the YouTube “app” on my account. This allows me to automatically post a link to new YouTube videos I upload to my YouTube account. I want the ability to do that, so I want to keep that app. But if you see anything that you no longer need, or don’t recognize, click the little check box next to the app, then hit the “Remove” button.
Next, the other tabs: Expired and Removed. These are apps you gave permissions to at some point in the past and then they either expired, or were removed (including apps removed in the previous step). Note that when you “remove” an app it doesn’t go away, it just goes into another category. Since these have been authorized by you in the past, the pages/organizations/people represented probably collected some information about you. Removing the app on Facebook doesn’t mean these organizations will delete the information they have on you. You’ll have to contact them directly and ask that they delete what they’ve got. They may or may not do so, but that’s part of the “fun.” There will no doubt be tearful conversations about privacy policies and data retention schedules. It’ll be great. Do you have to do this? No…but like going to the dentist and having an annual physical, it’s generally better if you do.
Oh, and if there’s one or two that seem particularly egregious, tell your friends to contact them as well, since you may have put all of their data at risk. That’s how the 270,000 people who used Cambridge Analytica’s app opened up 87 million people’s data to them: the average Facebook user has about 330 friends (though the median number is closer to 200).
What to Look for in ‘Ads’
Back to the settings menu to click on the next item: Ads. The settings menu will disappear and you’re now in the world of what Facebook uses to sell your attention to advertisers. There’s some interesting stuff here, like under “Your Information” there’s a “Your Categories” tab, where you can see what categories Facebook thinks you fall into. It says I’m a fan of soccer. I’m not. I’m not even sure what Seattle’s team is called. Heck, the only soccer rules I know are that you aren’t supposed to use your hands and… no, that’s all I know about soccer.
Anyway, the important place to look is “Ad Settings” (at the time of writing, it’s got a little blue circle with a white gear in it). Turn off everything in this section. “Ads based on your use of websites and apps” is behind that annoying thing where you visit a website once and then Facebook shows you underwear ads for the next three months or whatever. It’s your permission for tracking to follow you from websites you visit back to ads on Facebook.
“Ads on apps and websites off of the Facebook Companies” is the reverse permission. This allows other, non-Facebook companies to use what Facebook knows about you to show ads on their own websites. So since Facebook happens to think I’m a soccer fan, I might see ads featuring soccer balls and shoes with cleats if I were to go to a sporting goods website. Turn this one to “No,” too.
Finally, the last option in this section is “Ads with your social actions.” This is Facebook using your name to entice your friends to buy things. Change this option to “No one.”
Unrelated to privacy per se, you can also look at “Hide Ad Topics” which is where they put the most frequent “distressing” ad topics that you can turn off: alcohol, parenting, and pets.
Extra Steps For the Extra Mile
In the settings menu, there’s one other section to look at: “Privacy.” Yeah, all this so far and we haven’t even looked at the privacy settings yet. But this is where you’re going to have to do some thinking about how you want to interact with people. The previous stuff was basically about how advertisers and Facebook interacted with you. This stuff impacts you connecting with others.
The “Who can see your future posts” sets the default visibility for stuff you post from here on out. It’s probably set to “Public” which means anyone, whether they’re friends or multinational corporations or spies from Russia and China, can see it. That might be good, if you’re reasonably careful about what you post, or it might not be. This can be changed to “Friends” (only people you’ve friended can see it), or several other options.
“Review all your posts and things you’re tagged in” is where you can see the stuff where people have mentioned you and remove the link to your profile if it doesn’t seem appropriate or you don’t want other people’s friends to have an easy link to you. For me, most of my tagged posts are from the school where I teach, or my own marketing, so after reviewing my list I left everything as-is. You may choose otherwise.
The “Limit the audience for posts you’ve shared with friends of friends or Public?” option is like the future-posts choice above, only for previous posts. You can un-public them; of course, if someone has already harvested that data, there’s nothing you can do. But you can prevent future scraping of the data from your past posts.
A final couple of options to look more closely at are “Who can look you up using the email address you provided?” and “Who can look you up using the phone number you provided?” On the one hand, having these turned on makes it easier for your old classmates and dowager aunts to find you. But it also means if you’ve given your email to that one sketchy company to get the free download of that song or ebook or whatever, that company can find everything on your profile and maybe your posts, and friends list, and so on. In other words, this is where you have to balance your desire to be available to others with your desire to be secure.
Good Advice, But Doesn’t Really Protect Your Data
Finally, there are a bunch of things that fall into a category of good tips for security, but also have little impact on how secure your personal data is. Why? One big reason is that hacking an account isn’t really a thing that happens that much. So is it good to have a strong password? Yes. Should you spend a ton of time making the strongest password? Well, no, probably not. You’re more likely to be tricked into giving away your password, or giving access to someone you don’t really want to be giving access to, rather than someone actually doing “hacking” in the sense of digital breaking-and-entering. In other words, do these things–just do them because they’re good sense, not because they’d have prevented the Cambridge Analytica problem.
Security and Login
This is why I had you skip the “Security and Login” section of the settings menu. The things in that section help you prevent being hacked, but don’t do that much when it comes to sharing of your personal data. However, a brief list of things to look at if you want to pay attention here:
- “Choose friends to contact if you get locked out”: Set this up. Pick a couple of trusted friends. If you get locked out of your account because of, say, a hacking attempt, these are the folks that will be given a code they can give to you (in essence, verifying your identity) so that you can get back in.
- “Where you’re logged in”: Visit this every so often and see if there are any weird locations or devices listed. Be aware that the location they show is really the location of the company that provides your internet connection, so it might not be your specific town, but should be pretty nearby. If it’s in another state (or worse, country), that could be a problem. For any suspicious places, you can click the three dots on the right and either choose “Not you?” if you’re sure it’s not you, or just “Log out” — like when it still thinks you’re logged in at your in-laws’ house from the last long weekend.
- “Setting Up Extra Security”: These are all a little more technical, but a good idea. Two-factor authentication means that when you log in from a new location/device, it’ll give you a second way to verify that it’s you. The easiest is with the Text message (SMS) option. When you log in, you’ll get a text to your cell phone with a code you have to type in. That way the bad guys have to have your password AND your phone to successfully get in. Likewise, the “Get alerts about unrecognized logins” lets you know when Facebook thinks something fishy is going on.
Some Final Words of Warning
Great. You’ve gone through all this, tightened up your security settings, warned your friends about apps that might have stolen their data, and had a deep think about how (if?) you want to use Facebook in the future. Ta da! You’re done!
Not so fast. Facebook has said they are working on a new, better, more centralized way of tweaking your privacy settings. It’s supposed to debut in a few weeks. Unfortunately, if the past settings updates are any indication, you’ll likely be opted into the most open settings when the transition happens. That means from the point they make the switch on your account (likely without notifying you) until you notice and have a chance to go in and modify all your settings again, the door to your data will be open for a little harvesting.
It’s a good idea to go back every so often and check all of your settings in all of the categories to see if there’s something new that’s set to something you don’t want. It happens all the freaking time with Facebook.
P.S. — To see if your data was grabbed by Cambridge Analytica, whether directly or because of a Facebook “friend”, read Wired’s article on how to check.
P.P.S. — If you find any of this confusing or overwhelming, send me a message and I’d be happy to have a conversation with you about it. Helping people with their online presence is what I do.