August 14, 2010

Account segregation: protecting your Facebook privacy

Here's a little dirty secret.

Facebook is making it easier than ever to stalk people.

How, you might ask? Because they recently changed it so that email addresses are public to everyone. If you know someone's email address, and it's attached to their Facebook account, you can find them, no matter what the privacy setting is. Even if the email is set to "Friends Only" or "Only Me," other people can and will find it. This is not a bug. I complained about it to the Facebook team and they said it was a feature. I've tested it with other people and I can still find them even when their email is set to "Only Me."

Why is this a problem?

Well, what if you use the same email for your Internet life and your real life? I just found someone on the GameFAQs message boards. I now know his full name and his general location. I can now plug that name into paid databases and such to find even more information. I've never bothered to find out because I don't want to pay, but money is the only thing stopping one from knowing more about this person.

Solution: I use two email accounts, one for the Internet, the other for real life. I've attached my Facebook account to my real life email, so that people who actually know me in real life can find me, but those who only know me on the Internet cannot.

What about your school email? I used mine to register for Facebook and then never used it again. But it's still linked to my account. So an employer who wants to find me need only do two things. One, go to the CSULB Search website and type in my name. I'm the only Michael Yee at CSULB.

There I am.

Now, copy that email address, and look...

I'm the only hit. You've found me. This doesn't do much, because I've secured my profile completely, but there are a surprisingly large number of people whose information is visible to everyone or mutual friends. And remember, it only takes one mutual friend to find out your information. Are you friends with organizations or newspapers? That could be a stranger's ticket to finding more information about you if you set your profile to "Friends of Friends."

Basically, I just can't slip away and be anonymous in the hundreds of Michael Yees. I'm easily findable.

Solution: Remove your school email from Account Settings if you don't want stalkers, employers, or school authorities being able to find your profile within seconds.

July 21, 2010

Cassandra's life story on Facebook: Why you need to secure your relatives' Facebook accounts

It's imperative that you secure not only your own, but your parents' Facebook accounts. Here's a little story as to why. The story you are about to read is true. I have only changed the names to protect the person.

So I thought I'd like to tell a little story about someone I met named "Cassandra." I met her at an airport and she gave me her business card. She worked for a relatively new organization. Her last name was unique. So I thought I'd look her up, see what I could see about her. I was just curious — as I always am. I wasn't going to do anything. You must understand: I'm not in the business of ruining other people's lives. I'm in the business to help people secure their information to ruin the real con man's life.

Cassandra was the only hit when I entered her first and last names. It was her, no doubt about it. The picture showed her with a man, meaning that she was probably in a relationship, engaged, or even possibly married. It's hard to describe, but you know that look — that a brother and sister have when posing for a photo as opposed to a significant other. Her profile was secure; all of her important information was hidden from view. She was listed in a college network with the words "UNLV Alum '05," meaning two things. If that was the year she graduated and she only took four years, she was born in 1983. Sometimes people list the year as the first year they entered college. If that's the case, she was most likely born in 1987. But 1987 seemed incredibly young for the job she already held at that organization.

Her friend list was visible, so I searched for her last name. I found 4-5 hits. The first was her father, named "Matt". Some of his information was visible: such as that he was married to a woman named "Joanne". Matt and Joanne were married in 1979, giving further validation to a birth year of 1983 for Cassandra.

On Matt's profile, only one child, Cassandra, is listed. A recent wall post on May 14 on Matt's wall mentions a son (also named Matt) and says "wish that we will see each other again my dear son." This could mean one of two things: he's quite far away, or he passed away. I checked the Social Security Death Index and found an entry for "Matt" III, who was born on May 14, 1984 and died in 2007. The last benefit was in Nevada, which correlates with Cassandra attending UNLV (University of Nevada, Las Vegas). Interestingly enough, the SSN was issued in the state of Montana. From this I can reasonably guess that Cassandra must have been born in early 1983 (like maybe January) or late 1982 (September to December) for the second child's date of May 1984 to work.

The other two hits were her uncle and her grandfather. The grandfather's profile was named "Matt" Sr. He had graduated high school in 1943 from a place in Ontario, Canada. That meant he was born around 1925 and would be around 84-85 years old right now. He would have been around 58 years old when Matt III was born in 1984.

On the uncle's profile, he was listed as having graduated high school in 1975, meaning he was born in 1957. On the uncle's wall, Matt (Jr.) had written, "Hey little brother, just thinking of you." That meant that Matt had to have been born earlier than 1957. The average gap between siblings is two and a half years, so I think it's probably like 1954-1955. That would make him 24-25 years old when he married his wife, and about 29 years old when he had Cassandra.

Joanne had her website listed; her current job is a sales rep for Avon, and she listed her hometown and current city. Since Matt had not, I couldn't correlate whether or not they were together right now or working apart.

This is the awestruck power and fear of Facebook. I was able to paint an eloquent picture of this stranger that I just barely knew. I know this:
  • That she has a deceased brother and his date of birth and death and social security number
  • Her parents' names and when they were married
  • Approximate date when her father, uncle, and grandfather were born
  • An incomplete picture of family movements (grandfather in Ontario, the brother's Social Security card being issued in Montana, the current city of the mother)
Why is this a problem? Well, from the aesthetic view, I shouldn't be able to know this on my own. I should have had to ask, and even then, I doubt Cassandra would have told me all this. But she alone has the right to tell me these things. I don't have the right to find out on my own.

Second, while Cassandra's profile was secure, her parents' and other relatives' profiles were not. So I was still able to paint a cogent picture of her life. This is the point of my "Parents: Facebook's weakest link" post: you might be secure, but if your parents aren't, your privacy has been compromised.

So what could Cassandra have done to prevent information leakage like this? Simple:
  • Hide the friend list. This prevents complete strangers like me from being able to riffle through information
  • Get parents and other relatives to hide all information. Facebook makes it easy now: set the tab to "Friends Only"
  • Hide the wall. The wall seems to be the number-one worst thing that's visible, and that's not a good thing.
If you aren't bothered that someone could paint a picture of your life like this, by all means, stare decisis. If you are, then get on it now and make sure everything's secure — both yours and your parents'.

July 15, 2010

Parents: Facebook's weakest link

I've had enough of this.

I hate that information is so easily accessible on Facebook. I've been able to reconstruct whole family histories on Facebook that I have no business constructing. It was cool at first, but now it's just creepy. And I wish I could actually tell people, "Look, here's the problem, and here's how to fix it," but actually doing that has earned me several blocks and other ill-will on Facebook. If that's my reward for showing them the problem, then I refuse to blow the whistle. So I'm going to do it in a general sense.

Parents are by far the weakest link - I've been able to gather more information using parents than anywhere else. Usually it's us who know the most about Facebook and have the most secure profiles. At least two friends' parents have their privacy set to "Everyone" and they have relatively uncommon names (not like Michael Yee) so I imagine it would be easy to find them.

I'm sick of it. So here's the deal: Link this post to everyone. Email it to people. Spread the word. When I come searching again, I want to run into a firewall. I want to be blocked. Here are my vectors of attack. Close them down.

Basic directory information

Facebook makes work and school information public by default. I'll use myself as an example. Before, I could put CSU Long Beach in my profile and someone could search "Michael Yee" and narrow it to "CSU Long Beach," but the school wouldn't show up in my profile. Now it does, and it will show the year unless you specifically erase it. When I look up other information, I subtract 18 years for high school and about 22-25 years for college to find birth years. Someone who lists themselves as being in Huntington Beach High School '83, for instance, will have been born in 1965 and will be 45 years old this year.

Solution: In Privacy Settings, turn the "See my education and work" bit to "Friends Only".

Friend lists

I use friend lists to ferret out other relatives with the same last name (two last names if the person, almost always female, uses the maiden name as a middle name). This leads back to the title of my post: the college or high school student's profile will be secure, but his/her parents' profile may not be, and I can glean information from that. If only some information is available, I just guess when the child was probably born; a range, so to speak, based on certain highly ethnocentric assumptions of when is the right time to give birth to a child.

The solution is two-fold. You can make yourself searchable to only friends. That too is in the Privacy Settings. Turn the "Search me on Facebook" bit to only Friends. This doesn't work all the time, because you will still show up in other friend lists; e.g. if I'm trying to look up my friend's parents or other relatives, I can just scroll down the list to find people with the same last name.

The better solution is to hide your friends list; turn the "See my friend list" bit to friends only. That still won't stop someone from looking, but at least it will prevent total strangers who have no relation to you at all from snooping your information.

What is a mutual friend?

Many, many restaurants, bars, and events now have friend profiles. They often have a lot of friends. That redefines what it really means to have "mutual friends." Are you so sure that only people two handshakes away can look at your wall? For instance, I'm friends with Walters on Washington, a Texas-based location. Now I get a ton of People I Don't Know based on that mutual friend connection. If you're friends with that establishment, and you have everything set to Mutual Friends, I will be able to see everything, even though I live nowhere near Houston.

Solution: Set everything to friends only. Theoretically, Facebook makes it easy now. Click on the "Friends Only" tab on Privacy Settings.

Photo albums

Photo albums reveal much: I once had a list of things I could guess based on looking at a profile pictures album. I can tell whether you own a DSLR, own a Mac computer (Photo Book effects, or "uploaded via iPhoto/Aperture"), what photo program you used ("uploaded via Adobe Lightroom Export Plugin"), are a model (usually with the watermarks that agencies put on), and other things. By far the best example was being sure that the mother of one of my work friends was born on September 19, because she had the Disneyland birthday pin on her shirt and the picture was uploaded that day. If it was uploaded by Facebook Mobile I would be even more sure that was the day.

Facebook did a Very Bad Thing back in December when it flipped the bit for Profile Pictures to "Friends of Friends" by default. A conservative estimate is that at least 60% of the profiles I hit don't have their profile pictures secure.

Solution: Photo Privacy. Flip all the bits to Friends Only.

Likes and Interests

Facebook did yet another Very Bad Thing when it moved to linking all of your interests into real pages, something far far worse than the profile photos. It made it "Everyone" by default. Thanks, Facebook. I can't verify this, but I'm pretty sure that advertisers use information made to "Everyone" in order to send you targeted advertising. I don't know, because I haven't had ads on for a long time now. I just know that before, if you were listed as a "male" and didn't state your preference (or set it as interested in men) or relationship status, you'd get ads that say "Meet Gay Singles." And that was when I had all of my interests private.

The solution: In Privacy Settings, set Bio and favorite quotations, religious and political views, to private. I don't think this will kill everything – I can't find the prior link before.

The Wall

This is a rather puzzling thing, because users whose profiles are otherwise secure have their wall open. This is a really bad thing, primarily because OpenBook scrapes such information on a real-time basis and displays it for everyone to see. You can even search, so you know who's pregnant (and make judgments if they're listed as "single"), who just graduated from high school, who hates their boss, and other things.

As of yet, I have not figured out the one setting that turns the wall off to only friends. Solution: Under Privacy Settings, set "Can see Wall posts by friends" to Friends Only. Change "Posts by me" to Friends Only. That will hide most of the wall information from view, but I'm not sure if it will hide all of it.


Secure your information, please. I don't use the information maliciously, but I can imagine other people doing so. Maiden name and birthday is a given. But other information, like personal information, can give a clue as to what the answer to a security question is (e.g. "What's your favorite band?" and having only one band listed as your favorite). Make them work harder.

May 17, 2010

Securing your Facebook account

Thanks, Facebook.

I'm not a big fan of their new "connections" idea, which takes your previous list of interests and links them to a page.

The problem I saw was that suddenly, everyone's page information was now public knowledge. People who I knew before had completely private profiles were now disclosing their interests, likes, and tastes in music. So I refused to link my pages because I thought that they would be public to everyone. Facebook later wiped them out and changed my profile to the new profile.

Now I've figured out what just happened. In the "Friends, Tags, and Connections" part under Privacy Settings, they now have separate controls for each part of your profile. And guess what? Current City, Hometown, Education and Work, Activities, Interests, and Things I Like were turned to "Everyone" by default. Thanks, Facebook. It's high time for opt-out – set to friends by default and only opened up by others.

I encourage you to turn them to "Friends Only" and safely link your connections without fearing the loss of privacy.

February 7, 2010

Facebook: Why you should hide your friend list

When I wrote my first Facebook security posts a month ago, Facebook had decided that friend lists were to be public knowledge. Luckily, they retreated on this, and now you can hide the friend list from non-friends. Simply go to your profile page, click on the pencil, and uncheck the "show friend list to everyone" box.

The question, of course, is, why should you do this? I'm here to tell you why. Because Facebook's search functions reveal information about you that you probably don't want others to know. I'll use an example, using me.

I'm in the CSU Long Beach network, so you can tell what college I went to, but let's say I didn't have such a network. It would be easy enough to find out what college I went to – because Facebook orders the "Browse > College Friends" list by the most amount of people based on network. I have more CSU Long Beach friends than anywhere else, naturally, because I go there, so it's at the top.

Also, my network says "CSU Long Beach '10". So from that you can surmise approximately what year I was born, or at least the minimum age I must be. Even if this wasn't the case, though, I could just click on a bunch of friends and see what college network years they are. Most of my friends are '08, '09, and '10, so you could guess anywhere from a 4-5 year range what year I graduated, and again, what age range I should be.

This also applies to what high school you went to. The truth is that, even if you hide Education Info, you'll still show up under searches for that high school and graduation info. But this is about the friend lists. You can easily tell that I most likely went to Huntington Beach High School, and must have a lot of friends up in Canada (because Killarney is a secondary school in Vancouver). Actually, I only have two friends that are in the Killarney network. All "Browse" features are grouped by network, so the effect is more pronounced for people currently in school.

This applies to every kind of friend list. You can guess certain things based on the friend makeup. For instance, I have a few friends in the Los Angeles Times network, and they'll show up under Work Friends. So I have some kind of relationship to the LA Times, and I do; I intern at the LAT's smaller papers. Right now, since I'm still in college, I don't have many friends that show up under the work banner.

If you look at friends by city, you can see that I either lived in Huntington Beach, CA for a long time, I still live there now, or it was my hometown. This looks like it's based on hometown and current city information since Facebook abolished regional networks two months ago. So even if you hide the hometown from the profile, people could guess where your hometown is based on sorting friends by city.

What's the point of all this? Hide your friend list, please. It provides a wealth of information that you don't want people to necessarily know about.

January 2, 2010

LBSU women win Big West season opener

Long Beach State player Ally Wade (22) attempts to pass the ball around UC Riverside player Brittany Waddell (15). The Long Beach State women's basketball team beat UC Riverside, 55-46, at the Walter Pyramid, to open up Big West play. See "Late run keys conference-opening win for LBSU women" by Andrea C. Quezada at

For my part, today's game showed the danger of photographing at the baseline. In the first half, a ball bounced out of bounds and almost hit me because I was too busy taking photographs. In the second half, Ashley Bookman stepped over me a few times after running out of bounds to try to rescue a ball. Later, after a steal and a LBSU player threw the ball downcourt, Melanie Lisnock ran to the left of me as she ran out of bounds after having missed the ball. If she had been running slightly more to the left she would have hit me.

December 19, 2009

The New Facebook: Why Friends-of-Friends is a Bad Idea

In Facebook's new privacy settings, regional networks were dismantled completely. However, in its place, the "friends of friends" setting has become immensely popular. This is a very dangerous proposition and I urge you to restrict your privacy to friends only. There are far too many people that can see your profile and it may even affect your ability to get a job.

How many "friends of friends" will have access?

Friends of friends is much more dangerous than the regional network. Let's take the highly conservative count of 200 friends. Let's say each of them has, on average, 200 friends. Multiply that and a potential 40,000 non-friends could have access to your profile and photos. This is highly conservative, because in my friend count list, 12 of the top 20 have more than 1,000 friends each, and many others have anywhere from 400-900 friends. Heck, one of my friends has 1,950 friends.

Places, location, and event "friends"

Before the advent of Facebook Pages, a friend profile was a common way to get the word out about your product or location. I've gotten friendship requests from the "Port of Long Beach" or "PRSSA Long Beach." This can be dangerous, because they can be the mutual friend link that would otherwise not exist. For example, CSULB ASI has 1,200 friends. If I became friends with CSULB ASI, I potentially have access to more than 1,200 people's photo albums, notes, etc. if they chose to set friends-of-friends privacy.

Pages do not have this problem. They're much better because you don't have to disclose as much private information as a friend link would (and it's a pain to set limited profile). This is probably why they've become far more popular than these friend profiles. I don't recommend severing ties with these profiles, just set everything to friends-only to avoid this problem.
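The audience arithmetic from the two sections above, worked through on a small friend graph. This Python is an added example, not part of the original post: it computes who can view an item under "friends only" versus "friends of friends", with and without one organization-style friend profile. Every account name and the graph itself are constructed, and the 1,200-friend organization profile is an assumption that mirrors the CSULB ASI figure.

```python
"""Friends-of-friends audience on a constructed friend graph (all names made up)."""
from collections import defaultdict


def build_graph(edges):
    """Undirected friend graph as {account: set of friends}."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def audience(graph, user, setting):
    """Accounts other than `user` allowed to view an item under `setting`."""
    friends = set(graph[user])
    if setting == "friends_only":
        return friends
    if setting == "friends_of_friends":
        reach = set(friends)
        for friend in friends:
            reach |= graph[friend]      # everyone one more hop away
        reach.discard(user)
        return reach
    raise ValueError(f"unknown setting: {setting}")


def naive_estimate(graph, user):
    """The 'friends x their friends' style count; overlap makes it an upper bound."""
    return sum(len(graph[friend]) for friend in graph[user])


def widest_bridges(graph, user, top=3):
    """Friends ranked by how many non-friends become viewers through them."""
    friends = graph[user]
    ranked = [(len(graph[f] - friends - {user}), f) for f in friends]
    return sorted(ranked, reverse=True)[:top]


def sample_edges(with_org):
    """Constructed data: 5 personal friends, plus an optional organization profile."""
    edges = [("me", f"p{i}") for i in range(5)]
    edges += [(f"p{i}", f"p{(i + 1) % 5}") for i in range(5)]   # friends know each other
    edges += [(f"p{i}", f"s{i}_{j}") for i in range(5) for j in range(4)]
    edges += [("p0", "s1_0"), ("p2", "s1_0")]                   # shared acquaintance
    if with_org:
        # Assumption: an organization "friend" profile with 1,200 friends.
        edges += [("me", "org_profile"), ("p0", "org_profile")]
        edges += [("org_profile", f"m{k}") for k in range(1200)]
    return edges


if __name__ == "__main__":
    for with_org in (False, True):
        g = build_graph(sample_edges(with_org))
        print("org profile friended:", with_org)
        for setting in ("friends_only", "friends_of_friends"):
            print(f"  {setting}: {len(audience(g, 'me', setting))} viewers")
        print("  naive estimate:", naive_estimate(g, "me"))
        print("  widest bridges:", widest_bridges(g, "me"))
```

Run against a real export of your own friend list, `widest_bridges` shows which single connection contributes the most strangers, which is the one to reconsider if you keep a friends-of-friends setting.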


If you're networking well, there's a really good chance that a potential employer can see your profile if you have friends-of-friends access. For example, I'm friends with the adviser at the Daily 49er and the CSULB photojournalism teacher. Both used to work at the Orange County Register and the photo teacher used to work at the Associated Press. When I sent the name of the Associated Press internship coordinator to the photo teacher for a recommendation letter, she came back to me and said, "Hey, I used to work with that coordinator." So if that coordinator had a Facebook and I had friends-of-friends privacy, she could potentially see my photos, notes, etc. which is a really bad thing.

And what could she see? Well, by default (and Facebook is really stupid), the profile photos album is accessible to friends of friends. As I stated in my prior post, if you have less-than-work-safe poses (such as holding beer containers uploaded before your 21st birthday), this could look bad. Photo album access can also be compromising, especially those of parties. I also believe that notes access is Everyone by default. Now that it shows up in profile search, employers could see potentially embarrassing "25 random things about me" notes or other things.

The point is that you shouldn't take the risk. Any potential employer's evaluation of you should purely be based on what you submit – the resume, cover letter, and the interview process. They should not have the access to make assumptions about your social life, relationship status, or other things not pertaining to the job description. Legally, they can't ask such questions. But I don't believe there's anything illegal if they happen to find that information on their own if your friends-of-friends privacy setting grants them that access.