July 21, 2010

Cassandra's life story on Facebook: Why you need to secure your relatives' Facebook accounts

It's imperative that you secure not only your own, but your parents' Facebook accounts. Here's a little story as to why. The story you are about to read is true. I have only changed the names to protect the person.

So I thought I'd like to tell a little story about someone I met named "Cassandra." I met her at an airport and she gave me her business card. She worked for a relatively new organization. Her last name was unique. So I thought I'd look her up, see what I could see about her. I was just curious — as I always am. I wasn't going to do anything. You must understand: I'm not in the business of ruining other people's lives. I'm in the business to help people secure their information to ruin the real con man's life.

Cassandra was the only hit when I entered her first and last names. It was her, no doubt about it. The picture showed her with a man, meaning that was probably in a relationship, engaged, or even possibly married. It's hard to describe, but you know that look — that a brother and sister have when posing for a photo as opposed to a significant other. Her profile was secure; all of her important information was hidden from view. She was listed in a college network with the words "UNLV Alum '05," meaning two things. If that was the year she graduated and she only took four years, she was born in 1983. Sometimes people list the year as the first year they entered college. If that's the case, she was most likely born in 1987. But 1987 seemed incredibly young for job she already held at that organization.

Her friend list was visible, so I searched for her last name. I found 4-5 hits. The first was her father, named "Matt". Some of his information was visible: such as that he was married to a woman named "Joanne". Matt and Joanne were married in 1979, giving further validation to a birth year of 1983 for Cassandra.

On Matt's profile, only one child, Cassandra, is listed. A recent wall post on May 14 on Matt's wall mentions a son (also named Matt) that says "wish that we will see each other again my dear son." This could either mean two things: he's quite far away, or he passed away. I checked the Social Security Death Index and found an entry for "Matt" III, who was born on May 14, 1984 and died in 2007. The last benefit was in Nevada, which correlates with Cassandra attending UNLV (University of Nevada, Las Vegas). Interestingly enough, the SSN was issued in the state of Montana. From this I can reasonably guess that Cassandra must have been born in early 1983 (like maybe January) or late 1982 (September to December) for the second child's date of May 1984 to work.

The other two hits were her uncle and her grandfather. The grandfather's profile was named "Matt" Sr. He had graduated high school in 1943 from a place in Ontario, Canada. That meant he was born around 1925 and would be around 84-85 years right now. He would be around 58 years old when Matt III was born in 1984.

On the uncle's profile, he was listed as having graduated high school in 1975, meaning he was born in 1957. On the uncle's wall, Matt (Jr.) had written, "Hey little brother, just thinking of you." That meant that Matt had to have been born earlier than 1957. The average gap between siblings is two and a half years, so I think it's probably like 1954-1955. That would make him 24-25 years old when he married his wife, and about 29 years old when he had Cassandra.

Joanne had her website listed; her current job is a sales rep for Avon, and she listed her hometown and current city. Since Matt had not, I couldn't correlate whether or not they were together right now or working apart.

This is the awestruck power and fear of Facebook. I was able to paint an eloquent picture of this stranger that I just barely knew. I know this:
  • That she has a deceased brother and his date of birth and death and social security number
  • Her parents' names and when they were married
  • Approximate date when her father, uncle, and grandfather were born
  • An incomplete picture of family movements (grandfather in Ontario, the brother's Social Security card being issued in Montana, the current city of the mother)
Why is this a problem? Well, from the aesthetic view, I shouldn't be able to know this on my own. I should have had to ask, and even then, I doubt Cassandra would have told me all this. But she alone has the right to tell me these things. I don't have the right to find out on my own.

Second, while Cassandra's profile was secure, her parents' and other relatives' profiles were not. So I was still able to paint a cogent picture of her life. This is the point of my Parents: Facebook's weakest link post: you might be secure, but if your parents' aren't, your privacy has been compromised.

So what could Cassandra have done to prevent information leakage like this? Simple:
  • Hide the friend list. This prevents complete strangers like me from being able to riffle through information
  • Get parents and other relatives to hide all information. Facebook makes it easy now: set the tab to "Friends Only"
  • Hide the wall. The wall seems to be the number-one worst thing that's visible, and that's not a good thing.
If you aren't bothered that someone could paint a picture of your life like this, by all means, stare decisis. If you are, then get on it now and make sure everything's secure — both you and your parents'.

July 15, 2010

Parents: Facebook's weakest link

I've had enough of this.

I hate that information is so easily accessible on Facebook. I've been able to reconstruct whole family histories on Facebook that I have no business constructing. It was cool at first, but now it's just creepy. And I wish I could actually tell people, "Look, here's the problem, and here's how to fix it," but actually doing that has earned me several blocks and other ill-will on Facebook. If that's my reward for showing them the problem, then I refuse to blow the whistle. So I'm going to do it in a general sense.

Parents are by far the weakest link - I've been able to gather more information using parents than anywhere else. Usually it's us who know the most about Facebook and have the most secure profiles. At least two friends' parents have their privacy set to "Everyone" and they have relatively uncommon names (not like Michael Yee) so I imagine it would be easy to find them.

I'm sick of it. So here's the deal: Link this post to everyone. Email it to people. Spread the word. When I come searching again, I want to run into a firewall. I want to be blocked. Here are my vectors of attack. Close them down.

Basic directory information

Facebook makes work and school information public by default. I'll use myself as an example. Before, I could put CSU Long Beach in my profile and someone could search "Michael Yee" and narrow it to "CSU Long Beach," but the school wouldn't show up in my profile. Now it does, and it will show the year unless you specifically erase it. When I look up other information, I subtract 18 years for high school and about 22-25 years for college to find birth years. Someone who lists themselves as being in Huntington Beach High School '83, for instance, will have been born in 1965 and 45 years old this year.

Solution: In Privacy Settings, turn the "See my education and work" bit to "Friends Only".

Friend lists

I use friend lists to ferry out other relatives with the same last name (two last names if the person, almost always female, uses the maiden name as a middle name). This leads back to the title of my post: the college or high school student's profile will be secure, but his/her parents' profile may not be, and I can glean information from that. If only some information is available, I just guess when the child was probably born; a range, so to speak, based on certain highly ethnocentric assumptions of when is the right time to give birth to a child.

Solution is two-fold. You can make yourself searchable to only friends. That too is the Privacy settings. Turn the "Search me on Facebook" bit to only Friends. This doesn't work all the time, because you will still show up in other friend lists; e.g. if I'm trying to look up my friend's parents or other relatives, I can just scroll down the list to find people with the same last name.

The better solution is to hide your friends list; turn the "See my friend list" bit to friends only. That still won't stop someone from looking, but at least it will prevent total strangers who have no relation to you at all from snooping your information.

What is a mutual friend?

Many, many restaurants, bars, and events now have friend profiles. They often have a lot of friends. That redefines what it really means to have "mutual friends." Are you so sure that only people two handshakes away can look at your wall? For instance, I'm friends with Walters on Washington, a Texas-based location. Now I get a ton of People I Don't Know based on that mutual friend connection. If you're friends with that establishment, and you have everything set to Mutual Friends, I will be able to see everything, even though I live nowhere near Houston.

Solution: Set everything to friends only. Theoretically, Facebook makes it easy now. Click on the "Friends Only" tab on Privacy Settings.

Photo albums

Photo albums reveal much: I once had a list of things I could guess based on looking at a profile pictures album. I can tell whether you own a DSLR, own a Mac computer (Photo Book effects, or "uploaded via iPhoto/Aperture"), what photo program you used ("uploaded via Adobe Lightroom Export Plugin"), are a model (usually with the watermarks that agencies put on), and other things. By far the best example was being sure that one of my work friend's mother was born on September 19, because she had the Disneyland birthday pin on her shirt and the picture was uploaded that day. If it was uploaded by Facebook Mobile I would be even more sure that was the day.

Facebook did a Very Bad Thing back in December when it flipped the bit to Profile Pictures to "Friends of Friends" by default. A conservative estimate is that at least 60% of the profiles I hit don't have their profile pictures secure.

Solution: Photo Privacy. Flip all the bits to Friends Only.

Likes and Interests

Facebook did yet another Very Bad Thing when it moved to linking all of your interests into real pages, something far far worse than the profile photos. It made it "Everyone" by default. Thanks, Facebook. I can't verify this, but I'm pretty sure that advertisers use information made to "Everyone" in order to send you targeted advertising. I don't know, because I haven't had ads on for a long time now. I just know that before, if you were listed as a "male" and didn't state your preference (or set it as interested in men) or relationship status, you'd get ads that say "Meet Gay Singles." And that was when I had all of my interests private.

The solution: In Privacy Settings, set Bio and favorite quotations, religious and political views, to private. I don't think this will kill everything – I can't find the prior link before.

The Wall

This is rather puzzling thing, because users whose profiles are otherwise secure have their wall open. this is a really bad thing, primarily because OpenBook scrapes such information on a real-time basis and displays it for everyone to see. You can even search, so you know whose pregnant (and make judgments if they're listed as "single"), who just graduated from high school, who hates their boss, and other things.

As of yet, I have not figured out the one setting that turns the wall off to only friends. Solution: Under Privacy Settings, set "Can see Wall posts by friends" to friends Only. Change "Posts by me" to Friends Only. That will hide most of the wall information from view, but I'm not sure if it will hide all of it.


Secure your information, please. I don't use the information maliciously, but I can imagine other people doing so. Maiden name and birthday is a given. But other information, like personal information, can give a clue as to what the answer to a security question is (e.g. "What's your favorite band?" and having only one band listed as your favorite). Make them work harder.