Are you sharing your telephone number on Facebook?
You might be and not even realize it.
A few months ago I signed up for Facebook’s Login Approvals, which required my mobile number. Instantly my number was added and set at my default setting.
If my general privacy setting were “Public”, my number could be one of the 2.5 million phone numbers that Brandon Copley recently harvested from Facebook using the site’s new Open Graph Search.
The app developer from Texas admits that users can use privacy settings to hide their number but still believes this is a violation of users’ trust.
“Facebook is denying its users the right to privacy by allowing our phone numbers to be publicly searchable as the default setting,” Copley told TechCrunch. “This means that anyone with my number knows my Facebook contact information. I may have not told my future employer about my Facebook account, but if I called them on my cell phone they can now know how to find me on Facebook.”
To make sure your phone number isn’t public, go to your profile and click on “Update Info”. Click “Edit” next to your “Contact Information” then click on the audience icon and select the level of sharing you want. I chose “Only Me”.This isn’t the only privacy surprise you should expect as Facebook’s Open Graph Search begins rolling out to the site’s one billion users
The simplest way to make sure you’re only sharing what you want to share is to use our new Safe Profile Beta app, which scans your profile and lets you know how much you’re sharing and how to lock down your profile. But keep reading for more information about the search and how to prepare yourself.
Open Graph Search will definitely change the way people look at Facebook. You can sign up for the waiting list here: http://www.facebook.com/about/graphsearch
Your friends and their friends will be able to search your information in ways you may not expect. And this tool will likely become the “Google” of social—meaning people will go to it first to discover the people based on interests and location, which could get a bit “creepy.”
Some suggest this tool will make it easier for criminals to find information for phishing attacks or repressive governments to crack down on dissidents. You can see some examples of how married people who “like” prostitutes and government employees who “like” racism here: http://actualfacebookgraphsearches.tumblr.com/
However, the good news is that it’s restricted by your privacy settings most of your friends use Facebook pretty sanely, right?
“90% of users get the basics right and the other 10% are hopeless,” F-Secure Security Advisor Sean Sullivan told me. “When the 90% meets the 10%, de-friend the boneheads. Because soon they will reflect on you.”
Since you will not be able to opt out of Open Graph Search, you might want to take a few more steps to make sure you don’t end up on the bad end of a disturbing search made by a friend, family member or potential employer.
Here’s what to do now:
(If you’re one of the 90% of the Facebook users who gets how to use the site, you can skip to step three for tips that relate specifically to Graph Search.)
1. First of all, never post anything you wouldn’t want to end in your mom’s newsfeed.
This will save you from most embarrassment. This means, no pictures, videos or status updates you wouldn’t want to see on the cover of your hometown newspaper. If you do this, you’ll avoid most—but not all trouble that could result from being on Facebook or in its search.
2. Check your privacy settings and unfriend anyone who doesn’t seem to use the site responsibly
You can get fancy and restrict certain things to certain people, but Facebook’s basic privacy settings are “public” or “friends.” We recommend friends, unless you want to open your profile to end up in the search results of anyone in the world.
Find the lock near the upper right hand corner, click on it and select “See more settings” at the bottom of the menu that pops up.
Change every option for “Who can see my stuff?” and “Who can look me up?” pick “friends”.
3. Scrub you history
You can (and should) limit all of your old posts to just your friends. Once you do this, you cannot undo it. But you can go back and adjust each posts individually.
Click at the top right of any Facebook page and select Privacy Settings Find “Limit the audience for posts I’ve shared with friends of friends or Public?” and click Limit Past Posts. Click ”Limit Old Posts”.
4. Check your likes!
This is where Graph search gets “creepy.” Let’s say you liked a band three years ago or your competitor at work or a boy band as joke. Graph Search doesn’t get the joke. What you’ve liked on Facebook is now much more important. And just as you unfriend anyone who worries, go through your likes and unlike any page you don’t want to be associated with. Unfortunately you need to do this page by page.
Go to your profile, click on “Likes.”
They’re organized chronically, so go back in time and unlike away.
5. Turn on “tag review” and take control of your wall.
The most annoying thing about Facebook is that people can tag you in photos you don’t want to be associated with. You can turn on “tag review” and prevent the photos from showing up to your friends but the tag will still be on the photo unless you “report/remove tag.”
Here’s how to turn on “tag review” so photos you don’t approve don’t show up on your profile.
Click on the wheel in the right-hand corner, click on your privacy settings and then click on Timeline and Tagging on the left menu.
Most people want to allow friends to post on your wall but if protecting your images is your priority, you may want to make it available only for you. Either way, it’s a good idea to select “friends” for “Who can see what others post on your timeline?” This will prevent strangers or even potential mates or employers happening to catch your page right as a friend posted some hilariously sick image on your timeline.
We recommend you turn on “Review posts friends tag you in before they appear on your timeline?” This won’t stop your friends from tagging you in something embarrassing but it will stop it from showing up on your wall if they do.
We definitely recommend you enable “Review tags people add to your own posts before the tags appear on Facebook?” This so called tag review will keep you from being in ridiculous tagged pictures or posts that show up in search results. Instead of just popping up on your wall the posts will show up in your activity log where you can approve a tag or asked for it to be removed. To get to your “Activity Log” to approve your tags, go to your profile by clicking on your name on the top navigation. Then click on “Activity Log”
Here’s a Facebook video on how to “report/remove” photos or videos you don’t want to be tagged in.
6. If you want to prevent your friends and family from being associated from you, hide them.
On your profile/timeline page, click “Friends”. In the new screen you’ll see an edit button.
Select “Only Me”.
To hide your family, click “About” below your name, work, school and hometown on your timeline. Under “Relationships and Family” select “Edit” and select “Only Me.”
7. If this is too much work, consider moving somewhere you’ll have lots of privacy—Google+.
[Photo by Milica Sekulic]
The recent statements from FBI director James Comey is yet another example of the authorities’ opportunistic approach to surveillance. He dislikes the fact that mobile operating systems from Google and Apple now come with strong encryption for data stored on the device. This security feature is naturally essential when you lose your device or if you are a potential espionage target. But the authorities do not like it as it makes investigations harder. What he said was basically that there should be a method for authorities to access data in mobile devices with a proper warrant. This would be needed to effectively fight crime. Going on to list some hated crime types, murder, child abuse, terrorism and so on. And yes, this might at first sound OK. Until you start thinking about it. Let’s translate Comey’s statement into ordinary non-obfuscated English. This is what he really said: “I, James Comey, director of FBI, want every person world-wide to carry a tracking device at all times. This device shall collect the owner’s electronic communications and be able to open cloud services where data is stored. The content of these tracking devices shall on request be made available to the US authorities. We don’t care if this weakens your security, and you shouldn’t care because our goals are more important than your privacy.” Yes, that’s what we are talking about here. The “tracking devices” are of course our mobile phones and other digital gadgets. Our digital lives are already accurate mirrors of our actual lives. Our gadgets do not only contain actual data, they are also a gate to the cloud services because they store passwords. Granting FBI access to mobile devices does not only reveal data on the device. It also opens up all the user’s cloud services, regardless of if they are within US jurisdiction or not. In short. Comey want to put a black box in the pocket of every citizen world-wide. Black boxes that record flight data and communications are justified in cockpits, not in ordinary peoples’ private lives. But wait. What if they really could solve crimes this way? Yes, there would probably be a handful of cases where data gathered this way is crucial. At least enough to make fancy PR and publically show how important it is for the authorities to have access to private data. But even proposing weakening the security of commonly and globally used operating systems is a sign of gross negligence against peoples’ right to security and privacy. The risk is magnitudes bigger than the upside. Comey was diffuse when talking about examples of cases solved using device data. But the history is full of cases solved *without* data from smart devices. Well, just a decade ago we didn’t even have this kind of tracking devices. And the police did succeed in catching murderers and other criminals despite that. You can also today select to not use a smartphone, and thus drop the FBI-tracker. That is your right and you do not break any laws by doing so. Many security-aware criminals are probably operating this way, and many more would if Comey gets what he wants. So it’s very obvious that the FBI must have capability to investigate crime even without turning every phone into a black box. Comey’s proposal is just purely opportunistic, he wants this data because it exists. Not because he really needs it. Safe surfing, Micke
The issue of mass government surveillance may have taken a back seat to other headlines lately, but the new Edward Snowden documentary is bringing it to light once more. CITIZENFOUR, the Laura Poitras film documenting the moments Edward Snowden handed over classified documents detailing the mass indiscriminate and illegal invasions of privacy by the US's National Security Agency, is getting rave reviews ahead of its world premiere. The film is already prescreening in the UK, and along with that, F-Secure's UK office is publishing a research report that highlights the growing concern of the public - specifically, the British public - with mass surveillance. The ‘Nothing to Hide, Nothing to Fear?’ report centers on the concern about surveillance being undertaken by the British government on its own people, as well as foreign nationals. The concerns are justified, as Snowden himself in recent comments warned that the British Government is even worse than its American counterparts, since the founding fathers of the US enshrined in law certain rights which the Brits – with no written constitution – cannot claim. Research* commissioned for the report shows that 86% of Brits do not agree with mass surveillance. Snowden’s leaks last year highlighted the extent to which Western intelligence agencies are snooping on the general populace, including their emails, phone calls, web searches, social media interactions and geo-location. And when you consider the fact that the UK has 5.9 million closed-circuit TV cameras (one for every 11 people, as opposed to one informant per 65 people in the Stasi-controlled East German state), the extent to which Britain has fallen into being a surveillance state becomes shockingly clear. The UK government, of course, insists that indiscriminate surveillance will protect national security. However, the UK's Regulation of Investigatory Powers Act (RIPA) contravenes Article 12 of the Human Rights Act: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence.” “We are in unchartered territory and we appear to have sleepwalked here,” said Allen Scott, managing director of F-Secure UK & Ireland. “Little by little, our rights to privacy have been eroded and many people don’t even realise the extent to which they are being monitored. This isn’t targeted surveillance of suspected criminals and terrorists – this is monitoring the lives of the population as a whole.” With the future use of this data uncertain, the British people are showing their concerns. The research showed that 78% of respondents are concerned with the consequences of having their data tracked. This concern will only increase as more privacy-infringing schemes pervade UK government departments, offering up more personal data for GCHQ, the British intelligence agency, to use. Be sure to check out CITIZENFOUR once it hits your part of the world. And if you're in the UK, you can be among the first to see it – see pre-screening venues here: https://citizenfourfilm.com/ READ THE REPORT: Nothing to Hide, Nothing to Fear? See more of what Brits think about surveillance in our infographic: *Research conducted by Vital Research & Statistics on behalf of F-Secure. 2,000 adult respondents. 10-13th October 2014.
Yet another massive user ID and password leak. This time it affects about 7 million DropBox users, even if DropBox denies they were hacked. As usual, such a hack means that the data these users have stored in DropBox is in jeopardy. It also means that those who use the same ID and password on many services have much bigger troubles. Let’s see what we can learn from this: Always use unique passwords on the services you use. This does not prevent password leaks, but it limits the damage when a leak occur. (A password manager you trust makes this much easier.) Be alert and change your password as soon as you hear about a leak like this. Right now, we don’t know which users are affected. But if you have an old and weak password, it’s a good idea to change it NOW anyway. Changing it one time too many is better than having your confidential data all over the Internet. Pay attention to the security-awareness of the cloud providers you use. This may not have been DropBox’s fault, but it could have been. This is a good opportunity to mention our own younited, which is built with security in mind from the ground up, and is located in a country where the authorities doesn’t do mass surveillance. BTW, Edward also thinks you should consider alternatives to DropBox. DropBox claims this leak happened in some other service that connect to DropBox. This is a plausible explanation and reminds us about the danger of connecting services to each other. If you enter the password of any service into another service, you must ask yourself two questions. Will this company refrain from misusing my data and does this company protect my password sufficiently? By replicating the password to several places you increase the risk that it leaks out. Don’t do that unless you get a significant benefit and trust all places where the password is stored. Two-factor authentication is a great feature that increase security. Use it whenever possible. It should by now be clear that this kind of massive password leaks aren’t rare incidents. We see a constant stream of these and there are probably many leaks that remain unnoticed, or are noticed but stay out of the headlines. We all have to realize that a leak like this will hit us sooner or later. Sorry for sounding like a broken record, if you still have the same password on several services, you should be busy changing them by now. Safe surfing, Micke Image: Screen capture from dropbox.com PS. Isn't that screenshot a bit funny? Yes, your data in DropBox could really be ANYWHERE right now. :)