July 15, 2010

Parents: Facebook's weakest link

I've had enough of this.

I hate that information is so easily accessible on Facebook. I've been able to reconstruct whole family histories on Facebook that I have no business constructing. It was cool at first, but now it's just creepy. And I wish I could actually tell people, "Look, here's the problem, and here's how to fix it," but actually doing that has earned me several blocks and other ill-will on Facebook. If that's my reward for showing them the problem, then I refuse to blow the whistle. So I'm going to do it in a general sense.

Parents are by far the weakest link - I've been able to gather more information using parents than anywhere else. Usually it's us who know the most about Facebook and have the most secure profiles. At least two friends' parents have their privacy set to "Everyone" and they have relatively uncommon names (not like Michael Yee) so I imagine it would be easy to find them.

I'm sick of it. So here's the deal: Link this post to everyone. Email it to people. Spread the word. When I come searching again, I want to run into a firewall. I want to be blocked. Here are my vectors of attack. Close them down.

Basic directory information

Facebook makes work and school information public by default. I'll use myself as an example. Before, I could put CSU Long Beach in my profile and someone could search "Michael Yee" and narrow it to "CSU Long Beach," but the school wouldn't show up in my profile. Now it does, and it will show the year unless you specifically erase it. When I look up other information, I subtract 18 years for high school and about 22-25 years for college to find birth years. Someone who lists themselves as being in Huntington Beach High School '83, for instance, will have been born in 1965 and 45 years old this year.

Solution: In Privacy Settings, turn the "See my education and work" bit to "Friends Only".

Friend lists

I use friend lists to ferry out other relatives with the same last name (two last names if the person, almost always female, uses the maiden name as a middle name). This leads back to the title of my post: the college or high school student's profile will be secure, but his/her parents' profile may not be, and I can glean information from that. If only some information is available, I just guess when the child was probably born; a range, so to speak, based on certain highly ethnocentric assumptions of when is the right time to give birth to a child.

Solution is two-fold. You can make yourself searchable to only friends. That too is the Privacy settings. Turn the "Search me on Facebook" bit to only Friends. This doesn't work all the time, because you will still show up in other friend lists; e.g. if I'm trying to look up my friend's parents or other relatives, I can just scroll down the list to find people with the same last name.

The better solution is to hide your friends list; turn the "See my friend list" bit to friends only. That still won't stop someone from looking, but at least it will prevent total strangers who have no relation to you at all from snooping your information.

What is a mutual friend?

Many, many restaurants, bars, and events now have friend profiles. They often have a lot of friends. That redefines what it really means to have "mutual friends." Are you so sure that only people two handshakes away can look at your wall? For instance, I'm friends with Walters on Washington, a Texas-based location. Now I get a ton of People I Don't Know based on that mutual friend connection. If you're friends with that establishment, and you have everything set to Mutual Friends, I will be able to see everything, even though I live nowhere near Houston.

Solution: Set everything to friends only. Theoretically, Facebook makes it easy now. Click on the "Friends Only" tab on Privacy Settings.

Photo albums

Photo albums reveal much: I once had a list of things I could guess based on looking at a profile pictures album. I can tell whether you own a DSLR, own a Mac computer (Photo Book effects, or "uploaded via iPhoto/Aperture"), what photo program you used ("uploaded via Adobe Lightroom Export Plugin"), are a model (usually with the watermarks that agencies put on), and other things. By far the best example was being sure that one of my work friend's mother was born on September 19, because she had the Disneyland birthday pin on her shirt and the picture was uploaded that day. If it was uploaded by Facebook Mobile I would be even more sure that was the day.

Facebook did a Very Bad Thing back in December when it flipped the bit to Profile Pictures to "Friends of Friends" by default. A conservative estimate is that at least 60% of the profiles I hit don't have their profile pictures secure.

Solution: Photo Privacy. Flip all the bits to Friends Only.

Likes and Interests

Facebook did yet another Very Bad Thing when it moved to linking all of your interests into real pages, something far far worse than the profile photos. It made it "Everyone" by default. Thanks, Facebook. I can't verify this, but I'm pretty sure that advertisers use information made to "Everyone" in order to send you targeted advertising. I don't know, because I haven't had ads on for a long time now. I just know that before, if you were listed as a "male" and didn't state your preference (or set it as interested in men) or relationship status, you'd get ads that say "Meet Gay Singles." And that was when I had all of my interests private.

The solution: In Privacy Settings, set Bio and favorite quotations, religious and political views, to private. I don't think this will kill everything – I can't find the prior link before.

The Wall

This is rather puzzling thing, because users whose profiles are otherwise secure have their wall open. this is a really bad thing, primarily because OpenBook scrapes such information on a real-time basis and displays it for everyone to see. You can even search, so you know whose pregnant (and make judgments if they're listed as "single"), who just graduated from high school, who hates their boss, and other things.

As of yet, I have not figured out the one setting that turns the wall off to only friends. Solution: Under Privacy Settings, set "Can see Wall posts by friends" to friends Only. Change "Posts by me" to Friends Only. That will hide most of the wall information from view, but I'm not sure if it will hide all of it.


Secure your information, please. I don't use the information maliciously, but I can imagine other people doing so. Maiden name and birthday is a given. But other information, like personal information, can give a clue as to what the answer to a security question is (e.g. "What's your favorite band?" and having only one band listed as your favorite). Make them work harder.

No comments: