Hit the Reset Button: A New Guide to Facebook Safety and Privacy

Facebook is now in the process of releasing dramatic updates to its ever-evolving privacy features. These updates contain some new tools to help secure your privacy and online identity. And if you haven’t reviewed your settings recently, now it the perfect time to do so.

How do  you know if the new features are available to you? Go to Account> Privacy Settings. If you see the settings above, you’re in.

F-Secure Labs Security Advisor Sean Sullivan walked me through the updates, identifying the most relevant changes for cautious users. Based on what we’ve found, here’s what you need to do now—if you haven’t already—to secure your Facebook account.

1. Secure your PC and password.
How to do it:
A. Update your system and security software. Our Health Check makes this easy.
B. Choose a password that can’t be guessed. Make it a password that you only use for this account and none of your “friends” will able to guess. Don’t choose a word in the dictionary or any word mentioned on your profile. Here’s system that our Labs recommend.

Why?
Updated Windows 7 or Mac OSX software along with updated security software will protect you from most threats in case you ever make a mistake online. I also recommend you back up your data in a remote location (off-site physical backup or online backup) for complete protection.

2. Go “Friends Only”.
How to do it:
A. Go to Account> Privacy Settings.
B. Under “Control Your Default Settings” click “Friends.”

Why?
Go with “Friends Only” because you can now choose how to share any post or picture with “Public”, the maximum audience, “Friends” or “Custom”. Custom includes options to select specific friends, “Friends of Friends” or “only me.” Or you can block specific people from each post. You can make this decision each time you post. So start it’s smart to start with the safest setting just in case you post something you shouldn’t have.

Also, you can now change the privacy setting of any old post or media you posted. This is a good new addition. However, certain things like your name, friends lists and the comments you make on Facebook pages will always be public.

You can decide how and who can find and contact you on Facebook in your Privacy settings by clicking “Edit Settings” for “How You Connect”.

3. Hit the “reset button” and turn all your past posts to “Friends Only”.
How to do it:
A. Go to Account> Privacy Settings>
B. Next to “Limit the Audience for Past Posts” click “Manage Past Post Visibility”.
C. In the pop-up, click “Limit Old Posts”.
D. In the next pop-up, click “Confirm”.

Why?
Why not? You can always change an old post to make it public again if necessary. Anything you share on Facebook can be reshared in some way by anyone who has access it. With this one step you’re saying I only want my friends who I trust to have access to everything I’ve done on Facebook. Facebook assumes you know your friends. That’s the official word in a recent official Guide to Facebook Security (PDF).

Of course, Facebook also profits from social games that flourish because people friend new people ravenously. So it’s a good idea to give your Friends List a quick scan and unfriend anyone you don’t know or trust—unless you’re a game player. Then you should know that Facebook appreciates your business but isn’t designed to protect your privacy

4. Turn on Profile Review to approve all posts and pictures tagged with your name before they’re posted on your wall.
How to do it:
A. Go to Account> Privacy Settings.
B. Next to “How Tags Work” click “Edit Settings”.
C. In the “How Tags Work” pop-up, click “Edit” next to “Profile Review”.
D. In the next pop-up, click “Turn on Profile Review”.

Why?
Anyone on Facebook can now tag you in a photo or a post. With Profile Review, you’ll be able to decide which photos and posts tagged with your name show up on your wall.

While you’re on the “How Tags Work” pop-up, you may also want to disable “Friends Can Check You Into Places”. This won’t stop someone from saying you’re at a bar on your lunch break, but it may prevent your friends from seeing such a fictional check in. If you don’t want Facebook to put you in its facial database to recognize you when you appear in your Friends pictures, click “Edit” next “Tag Suggestions” on the “How Tags Work” pop-up. Then select “Disable”.

5. Set your Account Security.
How to do it:
A. Go to Account> Account Settings>
B. On the left-hand column, click “Security”.
C. Click “Edit” next to the “Security Question”. Pick a question only you will be able to answer.
D. Click “Edit” next to “Secure Browsing”. Click the box next to “Browse Facebook on a secure connection (https) when possible” and then click Save Changes. You’re browsing will now be secured when it can be.
(Many apps and games are not yet updated for secure browsing. Using these may boot you out of Secure Browsing. But Facebook seems to put you back into secure browsing as soon as it can.)
E. For extra protection, click “Edit” next to Login Approvals. Then click the box next to “Require me to enter a security code each time an unrecognized computer or device tries to access my account” and click Save Changes. This will create a little hassle but could also prevent your account from being hacked.

Why?
These tools are the extra protection you need to greatly reduce the chances of your account being hacked. And if you do get hacked, an active secondary email account and a good security question will help you get it back.

6. Turn off Public Search
How to do it:
A. Go to Account> Privacy Settings>
B. Next to “Apps and Websites” click “Edit Settings”.
C. Next to “Public search”, click “Edit Settings”.
D. Make sure the box next to “Enable public search” is NOT checked.

Why?
Do you want your Facebook page to be the first thing to come up if an employer, an ex or your mom does a Google search of you? If your answer is yes, click that box. If not, limit the ability to find you within Facebook and Facebook apps.

7. Click with caution.
How to do it:
A. Think twice before you ever click the “Post” button.
B. Think thrice before you click on the links posted by friends.

Why?
Clicking on a bad link could expose you to malware or scams. This is when you need your updated software to protect you most. For extra protection, use our free ShareSafe App to share links with your Facebook friends. You’ll even earn points that can be used to win rewards.

8. Limit the information shared with Apps.
How to do it:
A. Go to Account> Privacy Settings>
B. Next to “Apps and Websites” click “Edit Settings”.
C. Next to “Apps you use”, click “Edit Settings”.
D. Click the “X” box to delete any app you aren’t using.
F. Go back to App settings, and click “Edit Settings” next to “How people bring your info to apps they use”. Uncheck every box and click Save Change.
E. For extra protection, turn off all applications until you need them. Do this by clicking “Turn off all platform apps” in the Apps, Games and Websites settings.
F. For even more protection, turn off “Instant Personalization” which automatically shares your public information with Facebook’s partner sites. Do this clicking Edit Settings next to “Instant personalization”. UNCHECK the box next to “Enable instant personalization on partner websites.”

Why?
When you’re dealing with apps, you’re dealing with third-party developers who you may not know or trust. The actual language Facebook uses to clarify how and when your information may be shared through apps and friends is difficult to decipher.

The more you limit the data you’re sharing, the more control over your identity you have. We say eliminate the unknowns; opt out of sharing until you have a reason to opt in. You should also know if you use an app, there’s a chance your friends could find see that. So keep that in mind every time you try out a new app.

BONUS TIP: Tell Facebook not to use your  image or name in ads.
How to do it:
A. Go to Account> Account Settings>
B. On the left-hand column, click “Facebook Ads”.
C. Click “Edit third party ad settings”.
D. Next to “If we allow this in the future, show my information to” select “No one.”
E. Click Save Changes.
F. Click “Facebook Ads” again and click on “Edit social ads setting”.
G. Next to “Pair my social actions with ads for” select “No one.”

Now check your work. See how other people see your profile.
How to do this:
A. Go to Profile.
B. In the upper right corner, click on View As…
C. View how specific friends or the “public” sees you.

A sign posted on a wall in Facebook headquarters says: “Move fast and break stuff.”

Facebook’s transition into secure/https browsing, is a good example of how Facebook improves privacy and security in a steady, if occasionally buggy, way.  As you explore these new features, you may notice, for instance, that Facebook still may use the word “Everyone” in one or two places, though they announced that they’re transitioning to the word “Public.” But the changes here are for the better.

These updates are, of course, not enough for some critics. As usual, you should expect some unforeseen consequences, as there nearly always are when 750 million active users have to reexamine how they use the largest social network ever created.

Your security depends on you and your friends knowing how Facebook works. Now that you know how to protect yourself, I hope you share this information with someone you care about.

Follow F-Secure on Facebook for more security and privacy tips.

Cheers,

Jason

More posts from this topic

MB

In what color would you like your new Mercedes?

A new Mercedes. Nice. Or maybe an Audi R8? That would be cool. But hold it! Don’t sell your old car yet! Liking and sharing that giveaway campaign on Facebook will NOT give you a new car. Those prizes doesn’t even exist. They are just hoaxes. Internet and Facebook is full of crap, junk, rubbish, nonsense and gibberish. Nobody knows how many chain letters there are spreading some kind of unbelievable story. False celebrity news, bogus first-aid advice, phony charity campaigns and this kind of giveaways. We tend to think about these chain letters as hoaxes, pretty harmless jokes that doesn’t hurt us. But that’s not the full story. A hoax can be harmful, like the outright dangerous first aid advice that some people keep spreading. But a car giveaway is probably a harmless and safe prank, even if it’s false? No, not really. These chain letters are actually not traditional hoaxes, they are like-farming scams. There’s no free lunch, you don’t pay for Facebook with money but with your private data. The like-farming scams work in the same currency. You will not lose any money even if you like the page and share it. Instead you will participate in building a page with a lot of supporters, which is valuable and can be sold later. Needless to say, you will not get any of that money. Here’s how it works. Any business has a problem when starting on Facebook. An empty page without likes isn’t trustworthy. So the scammers set up a page containing anything that can go viral. A promise to get a luxury car works well. They just have to tell everyone to like the page and to share it as much as possible, to keep the chain reaction going and get even more likes. The scammers wait until there’s enough likes before they clean out the content, rename it and start looking for a buyer. The price is in “$ per k”, meaning dollars per 1000 likes. A page with 100 000 likes could sell for over $1000. So sharing the page can make quite a lot of money for the scammers if you have a lot of gullible friends, who in turn have a lot of gullible friends, and so on … The downside for you is that the likes stick even if the page is redesigned for some totally different purpose. Your face will be an evangelist for the page’s new owners and show up next to their brand. And you have no idea about what you will be promoting. I have friends who are anti-fur activists. You can probably imagine what one of them would feel when discovering that she likes a fur-coat designer! And finally some concrete advice. Review your list of old likes regularly. Remove everything except those things you truly like and want to support. When you encounter a giveaway post like this, check the involved brand’s main page in Facebook by searching for the brand name. You will in most cases notice that the giveaway is a totally different page that just is named similarly. That’s a strong scam indicator. Use common sense. From the above you get an idea about what likes in Facebook are worth. Does it make sense to give away luxury cars for this? Don’t participate in scams like this. It might feel tempting, but remember that your chance to win is exactly zero. Spread knowledge every time you see a scam of this kind. Comment with a link to this post or the appropriate description on Hoax-Slayer or Snopes.   Those sites are by the way fun and educating reading. I recommend spending some time there getting familiar with other types of hoaxes too. Read at least these two articles: Facebook car giveaway on Snopes and Facebook like-farming scams on Hoax-Slayer .   Safe surfing, Micke  

Dec 16, 2014
BY 
Facbook terms

Facebook’s new terms, is the sky falling?

You have seen them if you are on Facebook, and perhaps even posted one yourself. I’m talking about the statements that aim to defuse Facebook’s new terms of service, which are claimed to take away copyright to stuff you post. To summarize it shortly, the virally spreading disclaimer is meaningless from legal point of view and contains several fundamental errors. But I think it is very good that people are getting aware of their intellectual rights and that new terms may be a threat. Terms of service? That stuff in legalese that most people just click away when starting to use a new service or app. What is it really about and could it be important? Let’s list some basic points about them. The terms of service or EULA (End User License Agreement) is a legally binding agreement between the service provider and the user. It’s basically a contract. Users typically agree to the contract by clicking a button or simply by using the service. These terms are dictated by the provider of the service and not negotiable. This is quite natural for services with a large number of users, negotiating individual contracts would not be feasible. Terms of service is a defensive tool for companies. One of their primary goals is to protect against lawsuits. These terms are dictated by one part and almost never read by the other part. Needless to say, this may result in terms that are quite unfavorable for us users. This was demonstrated in London a while ago. No, we have not collected any children yet. Another bad thing for us users is the lack of competition. There are many social networks, but only one Facebook. Opting out of the terms means quitting, and going to another service is not really an option if all your friends are on Facebook. Social media is by its nature monopolizing. The upside is that terms of service can’t change the law. The legislation provides a framework of consumer and privacy protection that can’t be broken with an agreement. Unreasonable terms, like paying with your firstborn child, are moot. But be aware that the law of your own country may not be applicable if the service is run from another country. Also be aware that these terms only affect your relationship to the provider of the service. Intelligence performed by authorities is a totally different thing and may break privacy promises given by the company, especially for services located in the US. The terms usually include a clause that grant the provider a license to do certain things with stuff the users upload. There’s a legitimate reason for this as the provider need to copy the data between servers and publish it in the agreed way. This Facebook debacle is really about the extent of these clauses. Ok, so what about Facebook’s new terms of service? Facebook claim they want to clarify the terms and make them easier to understand, which really isn't the full story. They have all the time been pretty intrusive regarding both privacy and intellectual property rights to your content, and the latest change is just one step on that path. Most of the recent stir is about people fearing that their photos etc. will be sold or utilized commercially in some other way. This is no doubt a valid concern with the new terms. Let’s first take a look at the importance of user content for Facebook. Many services, like newspapers, rely on user-provided content to an increasing extent. But Facebook is probably the ultimate example. All the content you see in Facebook is provided either by the users or by advertisers. None by Facebook itself. And their revenue is almost 8 billion US$ without creating any content themselves. Needless to say, the rights to use our content is important for them. What Facebook is doing now is ensuring that they have a solid legal base to build current and future business models on. But another thing of paramount importance to Facebook is the users' trust. This trust would be severely damaged if private photos start appearing in public advertisements. It would cause a significant change in peoples relationship with Facebook and decrease the volume of shared stuff, which is what Facebook lives on. This is why I am ready to believe Facebook when they promise to honor our privacy settings when utilizing user data. Let’s debunk two myths that are spread in the disclaimer. Facebook is *not* taking away the copyright to your stuff. Copyright is like ownership. What they do, and have done previously too, is to create a license that grant them rights to do certain things with your stuff. But you still own your data. The other myth is that a statement posted by users would have some kind of legal significance. No, it doesn’t. The terms of service are designed to be approved by using the service, anyone can opt to stop using Facebook and thus not be bound by the terms anymore. But the viral statements are just one-sided declarations that are in conflict with the mutually agreed contact. I’m not going to dig deeper into the changes as it would make this post long and boring. Instead I just link to an article with more info. But let’s share some numbers underlining why it is futile for ordinary mortals to even try to keep up with the terms. I browsed through Facebook’s set of terms just to find 10 different documents containing some kind of terms. And that’s just the stuff for ordinary users, I left out terms for advertisers, developers etc. Transferring the text from all these into MS Word gave 41 pages with a 10pt font, almost 18 000 words and about 108 000 characters. Quite a read! But the worst of all is that there’s no indication of which parts have changed. Anyone who still is surprised by the fact that users don’t read the terms? So it’s obvious that ordinary user really can’t keep up with terms like this. The most feasible way to deal with Facebook’s terms of service is to consider these 3 strategies and pick the one that suits you best. Keep using Facebook and don’t worry about how they make money with your data. Keep using Facebook but be mindful about what you upload. Use other services for content that might be valuable, like good photos or very private info. Quit Facebook. That’s really the only way to decline their terms of service. By the way, my strategy is number 2 in the above list, as I have explained in a previous post. That’s like ignoring the terms, expecting the worst possible treatment of your data and posting selectively with that in mind. One can always put valuable stuff on some other service and post a link in Facebook. So posting the viral disclaimer is futile, but I disagree with those who say it’s bad and it shouldn’t be done. It lacks legal significance but is an excellent way to raise awareness. Part of the problem with unbalanced terms is that nobody cares about them. A higher level of awareness will make people think before posting, put some pressure on providers to make the terms more balanced, and make the legislators more active, thus improving the legal framework that control these services. The legislation is by the way our most important defense line as it is created by a more neutral part. The legislator should, at least in theory, balance the companies’ and end users’ interests in a fair way.   Safe surfing, Micke   Image: Screenshot from facebook.com

Dec 3, 2014
BY 
privacy settings twitter

It’s time to check your Twitter ‘Security and privacy’ settings

When it comes to privacy, Twitter's simplicity has always been its key advantage. Your tweets are public or they are protected. Of course, this implicit agreement with users has never been that simple. "Protected" tweets turned out to be searchable -- they aren't anymore. And if one of your followers decides to share your tweets through a manual retweet or a screenshot, you're just as exposed as you would be if your tweets were public. But that's true of any form of digital -- or real world -- communication. Now, Twitter is getting even more complicated to become in hopes of becoming as mainstream as Facebook, which is trying to improve the revelancy of its feed in order to replace Twitter as the go-to online destination for monitoring breaking news. You may have noticed that Twitter's is slowly rolling out changes to its web experience that may alter the way people understand the service. Tweets that have been favorited but not retweeted by people you follow may show up in your stream. More changes like location-based alerts and native video will soon follow. The closer-to-original Twitter experience still exists -- and will likely always exist -- in apps like Tweetdeck. But no matter how you use the service, your activity on and off the site is being tracked to improve outcomes for advertisers. This makes sense. It is a business and since you're not paying to use this valuable service, you are its product -- even if you're using the site for business. By offering tools like its free analytics, the site is striving to make it clear how useful it is and build good will as it evolves. However, Twitter recognizes that its users just may want to avoid allowing more "big data" tentacles into our digital brains. Thus it allows you to opt out of some tracking and features that may feel invasive. Here's how to do that: Go to your "Security and privacy" section of your Settings. Scroll all the way down. If you're interested in maximum privacy, I recommend your uncheck the three boxes at the bottom of the page -- Discoverability, Personalization and Promoted Content -- then click "Save changes". While you're on this page, make sure you're taking advantage of Twitter's best security tool: Login verification. Turn on two-factor authentication by activating "Send login verification requests to my phone". Twitter's biggest security problem is that everyone in the world knows your login. Unless you turn on Login verification, all an intruder needs is your password. You may also want to make sure "Tweet location" is off and erase all of your previous locations, if you're worried about being tracked in the real world. One last thing while you're checking your settings, click on Apps. Then "Revoke access" of any you're not using. Not sure if you're not using an app? Get rid of it and you can always renew its access later. Cheers, Jason [Image courtesy of Rosaura Ochoa via Flickr.]

Dec 1, 2014
BY