July 15, 2010

Parents: Facebook's weakest link

I've had enough of this.

I hate that information is so easily accessible on Facebook. I've been able to reconstruct whole family histories on Facebook that I have no business constructing. It was cool at first, but now it's just creepy. And I wish I could actually tell people, "Look, here's the problem, and here's how to fix it," but actually doing that has earned me several blocks and other ill-will on Facebook. If that's my reward for showing them the problem, then I refuse to blow the whistle. So I'm going to do it in a general sense.

Parents are by far the weakest link - I've been able to gather more information using parents than anywhere else. Usually it's us who know the most about Facebook and have the most secure profiles. At least two friends' parents have their privacy set to "Everyone" and they have relatively uncommon names (not like Michael Yee) so I imagine it would be easy to find them.

I'm sick of it. So here's the deal: Link this post to everyone. Email it to people. Spread the word. When I come searching again, I want to run into a firewall. I want to be blocked. Here are my vectors of attack. Close them down.

Basic directory information

Facebook makes work and school information public by default. I'll use myself as an example. Before, I could put CSU Long Beach in my profile and someone could search "Michael Yee" and narrow it to "CSU Long Beach," but the school wouldn't show up in my profile. Now it does, and it will show the year unless you specifically erase it. When I look up other information, I subtract 18 years for high school and about 22-25 years for college to find birth years. Someone who lists themselves as being in Huntington Beach High School '83, for instance, will have been born in 1965 and will be 45 years old this year.

Solution: In Privacy Settings, turn the "See my education and work" bit to "Friends Only".

Friend lists

I use friend lists to ferret out other relatives with the same last name (two last names if the person, almost always female, uses the maiden name as a middle name). This leads back to the title of my post: the college or high school student's profile will be secure, but his/her parents' profile may not be, and I can glean information from that. If only some information is available, I just guess when the child was probably born; a range, so to speak, based on certain highly ethnocentric assumptions of when is the right time to give birth to a child.

The solution is two-fold. You can make yourself searchable to only friends. That too is in the Privacy Settings. Turn the "Search me on Facebook" bit to only Friends. This doesn't work all the time, because you will still show up in other friend lists; e.g. if I'm trying to look up my friend's parents or other relatives, I can just scroll down the list to find people with the same last name.

The better solution is to hide your friends list; turn the "See my friend list" bit to friends only. That still won't stop someone from looking, but at least it will prevent total strangers who have no relation to you at all from snooping your information.

What is a mutual friend?

Many, many restaurants, bars, and events now have friend profiles. They often have a lot of friends. That redefines what it really means to have "mutual friends." Are you so sure that only people two handshakes away can look at your wall? For instance, I'm friends with Walters on Washington, a Texas-based location. Now I get a ton of People I Don't Know based on that mutual friend connection. If you're friends with that establishment, and you have everything set to Mutual Friends, I will be able to see everything, even though I live nowhere near Houston.

Solution: Set everything to friends only. Theoretically, Facebook makes it easy now. Click on the "Friends Only" tab on Privacy Settings.

Photo albums

Photo albums reveal much: I once had a list of things I could guess based on looking at a profile pictures album. I can tell whether you own a DSLR, own a Mac computer (Photo Book effects, or "uploaded via iPhoto/Aperture"), what photo program you used ("uploaded via Adobe Lightroom Export Plugin"), are a model (usually with the watermarks that agencies put on), and other things. By far the best example was being sure that the mother of one of my work friends was born on September 19, because she had the Disneyland birthday pin on her shirt and the picture was uploaded that day. If it was uploaded by Facebook Mobile I would be even more sure that was the day.

Facebook did a Very Bad Thing back in December when it flipped the bit for Profile Pictures to "Friends of Friends" by default. A conservative estimate is that at least 60% of the profiles I hit don't have their profile pictures secure.

Solution: Photo Privacy. Flip all the bits to Friends Only.

Likes and Interests

Facebook did yet another Very Bad Thing when it moved to linking all of your interests into real pages, something far far worse than the profile photos. It made it "Everyone" by default. Thanks, Facebook. I can't verify this, but I'm pretty sure that advertisers use information made to "Everyone" in order to send you targeted advertising. I don't know, because I haven't had ads on for a long time now. I just know that before, if you were listed as a "male" and didn't state your preference (or set it as interested in men) or relationship status, you'd get ads that say "Meet Gay Singles." And that was when I had all of my interests private.

The solution: In Privacy Settings, set Bio and favorite quotations, religious and political views, to private. I don't think this will kill everything – I can't find the prior link before.

The Wall

This is a rather puzzling thing, because users whose profiles are otherwise secure have their wall open. This is a really bad thing, primarily because OpenBook scrapes such information on a real-time basis and displays it for everyone to see. You can even search, so you know who's pregnant (and make judgments if they're listed as "single"), who just graduated from high school, who hates their boss, and other things.

As of yet, I have not figured out the one setting that turns the wall off to only friends. Solution: Under Privacy Settings, set "Can see Wall posts by friends" to Friends Only. Change "Posts by me" to Friends Only. That will hide most of the wall information from view, but I'm not sure if it will hide all of it.

Afterword

Secure your information, please. I don't use the information maliciously, but I can imagine other people doing so. Maiden name and birthday is a given. But other information, like personal information, can give a clue as to what the answer to a security question is (e.g. "What's your favorite band?" and having only one band listed as your favorite). Make them work harder.

May 17, 2010

Securing your Facebook account


Thanks, Facebook.

I'm not a big fan of their new "connections" idea, which takes your previous list of interests and links them to a page.

The problem I saw was that suddenly, everyone's page information was now public knowledge. People who I knew before had completely private profiles were now disclosing their interests, likes, and tastes in music. So I refused to link my pages because I thought that they would be public to everyone. Facebook later wiped them out and changed my profile to the new profile.

Now I've figured out what just happened. In the "Friends, Tags, and Connections" part under Privacy Settings, they now have separate controls for each part of your profile. And guess what? Current City, Hometown, Education and Work, Activities, Interests, and Things I Like were turned to "Everyone" by default. Thanks, Facebook. It's high time for opt-out – set to friends by default and only opened up by others.

I encourage you to turn them to "Friends Only" and safely link your connections without fearing the loss of privacy.

February 7, 2010

Facebook: Why you should hide your friend list

When I wrote my first Facebook security posts a month ago, Facebook had decided that friend lists were to be public knowledge. Luckily, they retreated on this, and now you can hide the friend list from non-friends. Simply go to your profile page, click on the pencil, and uncheck the "show friend list to everyone" box.

The question, of course, is, why should you do this? I'm here to tell you why. Because Facebook's search functions reveal information about you that you probably don't want others to know. I'll use an example, using me.

I'm in the CSU Long Beach network, so you can tell what college I went to, but let's say I didn't have such a network. It would be easy enough to find out what college I went to – because Facebook orders the "Browse > College Friends" list by the largest number of people based on network. I have more CSU Long Beach friends than anywhere else, naturally, because I go there, so it's at the top.

Also, my network says "CSU Long Beach '10". So from that you can surmise approximately what year I was born, or at least the minimum age I must be. Even if this wasn't the case, though, I could just click on a bunch of friends and see what college network years they are. Most of my friends are '08, '09, and '10, so you could guess anywhere from a 4-5 year range what year I graduated, and again, what age range I should be.

This also applies to what high school you went to. The truth is that, even if you hide Education Info, you'll still show up under searches for that high school and graduation info. But this is about the friend lists. You can easily tell that I most likely went to Huntington Beach High School, and must have a lot of friends up in Canada (because Killarney is a secondary school in Vancouver). Actually, I only have two friends that are in the Killarney network. All "Browse" features are grouped by network, so the effect is more pronounced for people currently in school.

This applies to every kind of friend list. You can guess certain things based on the friend makeup. For instance, I have a few friends in the Los Angeles Times network, and they'll show up under Work Friends. So I have some kind of relationship to the LA Times, and I do; I intern at the LAT's smaller papers. Right now, since I'm still in college, I don't have many friends that show up under the work banner.

If you look at friends by city, you can see that I either lived in Huntington Beach, CA for a long time, I still live there now, or it was my hometown. This looks like it's based on hometown and current city information since Facebook abolished regional networks two months ago. So even if you hide the hometown from the profile, people could guess where your hometown is based on sorting friends by city.

What's the point of all this? Hide your friend list, please. It provides a wealth of information that you don't want people to necessarily know about.

January 2, 2010

LBSU women win Big West season opener

Long Beach State player Ally Wade (22) attempts to pass the ball around UC Riverside player Brittany Waddell (15). The Long Beach State women's basketball team beat UC Riverside, 55-46, at the Walter Pyramid, to open up Big West play. See "Late run keys conference-opening win for LBSU women" by Andrea C. Quezada at Daily49er.com.

For my part, today's game showed the danger of photographing at the baseline. In the first half, a ball bounced out of bounds and almost hit me because I was too busy taking photographs. In the second half, Ashley Bookman stepped over me a few times after running out of bounds to try to rescue a ball. Later, after a steal and a LBSU player threw the ball downcourt, Melanie Lisnock ran to the left of me as she ran out of bounds after having missed the ball. If she had been running slightly more to the left she would have hit me.

December 19, 2009

The New Facebook: Why Friends-of-Friends is a Bad Idea

In Facebook's new privacy settings, regional networks were dismantled completely. However, in its place, the "friends of friends" setting has become immensely popular. This is a very dangerous proposition and I urge you to restrict your privacy to friends only. There are far too many people that can see your profile and it may even affect your ability to get a job.

How many "friends of friends" will have access?

Friends of friends is much more dangerous than the regional network. Let's take the highly conservative count of 200 friends. Let's say each of them has, on average, 200 friends. Multiply that and a potential 40,000 non-friends could have access to your profile and photos. This is highly conservative, because in my friend count list, 12 of the top 20 have more than 1,000 friends each, and many others have anywhere from 400-900 friends. Heck, one of my friends has 1,950 friends.

Places, location, and event "friends"

Before the advent of Facebook Pages, a friend profile was a common way to get the word out about your product or location. I've gotten friendship requests from the "Port of Long Beach" or "PRSSA Long Beach." This can be dangerous, because they can be the mutual friend link that would otherwise not exist. For example, CSULB ASI has 1,200 friends. If I became friends with CSULB ASI, I potentially have access to more than 1,200 people's photo albums, notes, etc. if they chose to set friends-of-friends privacy.

Pages do not have this problem. They're much better because you don't have to disclose as much private information as a friend link would (and it's a pain to set limited profile). This is probably why they've become far more popular than these friend profiles. I don't recommend severing ties with these profiles, just set everything to friends-only to avoid this problem.

Networking

If you're networking well, there's a really good chance that a potential employer can see your profile if you have friends-of-friends access. For example, I'm friends with the adviser at the Daily 49er and the CSULB photojournalism teacher. Both used to work at the Orange County Register and the photo teacher used to work at the Associated Press. When I sent the name of the Associated Press internship coordinator to the photo teacher for a recommendation letter, she came back to me and said, "Hey, I used to work with that coordinator." So if that coordinator had a Facebook and I had friends-of-friends privacy, she could potentially see my photos, notes, etc. which is a really bad thing.

And what could she see? Well, by default (and Facebook is really stupid), the profile photos album is accessible to friends of friends. As I stated in my prior post, if you have less-than-work-safe poses (such as holding beer containers uploaded before your 21st birthday), this could look bad. Photo album access can also be compromising, especially those of parties. I also believe that notes access is Everyone by default. Now that it shows up in profile search, employers could see potentially embarrassing "25 random things about me" notes or other things.

The point is that you shouldn't take the risk. Any potential employer's evaluation of you should purely be based on what you submit – the resume, cover letter, and the interview process. They should not have the access to make assumptions about your social life, relationship status, or other things not pertaining to the job description. Legally, they can't ask such questions. But I don't believe there's anything illegal if they happen to find that information on their own if your friends-of-friends privacy setting grants them that access.

December 13, 2009

New Facebook Privacy: Taking Control

Facebook has recently rolled out a new series of privacy controls. After some review, I've concluded that they're much leakier than before and the new defaults are worse than the original. Here's a summary of what's changed and how to restore the privacy that Facebook has stripped.

Broadly, I recommend that all information be restricted to Friends Only unless there is a compelling reason not to. Opening the information to My Networks is just asking for trouble. In the CSU Long Beach network alone there are 18,000 people. For instance, I want people to go to my website, so I have it visible, and my email address is also listed on my Zenfolio, so there's no reason to have it restricted on Facebook.

More information is now easily accessible:

Before, your settings could be "Everyone" for notes, emails, and photo albums, but it took a lot of work to actually find the information. For instance, to find notes, I would grab the ID number after the notes.php?id= and this trick didn’t work for people who had picked out usernames. Now, the "Notes" tab shows up in the profile search. To fix this, go to Application Settings and set Notes privacy settings to Friends Only.

Email addresses are by default set to "Everyone." Before, the only practical purpose was if you already had someone’s email you wanted to find, like an old friend. The CSULB database attaches email addresses to names, which was useful for common name people; i.e. if there were two persons named Michael Yee in the CSU Long Beach network, but you knew my email was myee3csulb.edu (CSULB search), you could figure out which one was me (if my email was open, which it isn't; I also lost the password, so contact me at my Gmail). Now it's shown in the profile search, meaning that more people can see your email address. Go to Privacy Settings and set email access to Friends Only. Only your friends or close associates should know your email address, unless it's a business email.

The profile photo album is also now visible to everyone by default. You have to dig into the photo album settings to restrict it further. Since the profile picture is one of the most prominent features of one's profile, having Everyone access by default is a problem. People often have pictures of their significant others, poses that are more personal than professional, and other things. Non-friends should not be able to see your profile pictures by default. To fix this, go to Photos Privacy, scroll to the bottom and set privacy of the Profile photo album to "Friends Only".

Photo albums also show up in searches now as well. You should go through your photo albums and restrict certain ones (parties, indecent albums, etc.) to Friends Only.

Friend lists are weird now. Before, you could set it so certain lists or non-friends could not see the friend list. Now, it's either ON for everyone or OFF for everyone. You have to turn the friend list on by default, which you can do by clicking the pencil icon in the friend list in the profile.

Searching gives away more information

Your ability to block non-friends from seeing your friend list, the "Add as Friend" button, and profile picture is gone. This is really bad. I can confirm that at least 3-4 people who previously had their profile pictures hidden, hidden lists, and the Add as Friend button now have all three visible. You can still restrict people from poking you or messaging you. In addition, Facebook will show the groups you've joined and the pages you're a fan of. Facebook considers all of that information to be publicly available (according to their Privacy Settings FAQ) and there is no current way to hide them, except for removing your membership in all pages.

Facebook's defaults are terrible

Facebook revokes your searchable status – it reverts to everyone – and you have to switch it back to "Friends Only" so non-friends can't find you. However, as of this writing, restricting access to "Friends Only" doesn't work; my mom has that setting enabled but I can still see her under other accounts. Good job, Facebook. Way to make being invisible harder. Also, "Add as Friend" now shows up. I know one person who has accepted the new privacy settings that somehow has disabled the Add as Friend button (incidentally, the same person has also banned me), so there might be an option to disable that, but the 2-3 others who previously had it disabled now feature the "Add as Friend" button.

Facebook privacy has become considerably harder now. Check your settings, because the New Facebook is worse than the old one. Just like how the Old Facebook layout was a lot better than the new one.

June 8, 2009

House of Blue Leaves photo book



The fourth book, The House of Blue Leaves, is out. It tells the story of the cast and crew of The House of Blue Leaves production, which was put on by the Huntington Beach High School Academy of the Performing Arts on March 13-14, 2009 at the Rose Center Theatre in Westminster, California.

I covered The House of Blue Leaves for my advanced photojournalism class (see below post for details). The 2,000+ pictures naturally lent themselves to...a book. But it took a long time. I stopped on March 21 and didn't begin again until late May. It does not feature the hallmarks of my other books: the lack of biographies or pictures of the cast members. It contains my photographs and text only.

It is my first project released in the Blurb.com 10x8 format. Most notably, the 10x8 format allowed me to print full-bleed images that the square 7x7 format wouldn't. It is also my first book about a theater production, spanning the smallest time frame of all prior projects – two weeks, instead of a semester or a full year.