Schneier on Security
A blog covering security and security technology.
February 12, 2009
Privacy on Facebook
Posted on February 12, 2009 at 6:16 AM
• 37 Comments
"The best way to prevent embarrassing items from showing up on Facebook in the future is to not make bad judgements in your personal life."
So true. And good luck with that, kids... :-)
That was going to be my response. Honestly, I've never even looked at Facebook, but from the news it seems like if you want any privacy at all, you just don't go there.
I'm more of a LiveJournal guy anyway.
I have a fake account on Facebook, it's useful when researching.
Considering I use it as an information resource and since I value my privacy, there is no way I would put my personal information on there!
Muffin got it right. Don't use it.
@Roxanne: But we only learn to make good judgements by first making bad judgements. Telling somebody to always make good judgements is inherently flawed.
The problem with Facebook is that now all those initial bad judgements from which we learn are archived for the world to see, and it is not representative of the way it has changed us in the process.
*One of the problems with Facebook. There are plenty of others.
Unfortunately, there's no way to prevent people from seeing photos of you in someone else's profile. You can prevent them from tagging you, but not having you in the picture.
I always worried a little about Facebook privacy but didn't take the time to investigate the options so cheers for the link. The way I see it is just be careful who you invite as a friend - NEVER anyone from work :)
Those who should, would never read this advice. Those who read it didn't need it.
These things are so antisocial that it's a real travesty of language to call them social-web sites!
A few key shortcomings in FB's privacy settings:
1. lack of privacy settings for your networks
2. asymmetric read/write controls for your wall
3. lack of friend lists and exclusions for your profile
4. lack of friend lists for your basic & personal info.
5. also, in order to simply reply to a Facebook message from a non-friend, you have to give “permission to view your list of friends, as well as your Basic, Work and Education info for one month.”
It used to be that youthful indiscretions were witnessed by a few and remembered by fewer.
These sites make those indiscretions permanent and public. The audience is much wider, and many of that audience aren't the sort of people who get invited to the parties where youthful indiscretions happen. Those bitter souls judge the indiscreet harshly.
If the options are "don't be indiscreet" and "don't post" then "don't post" is the only way to go. Because nobody will give up their fun, especially after a few drinks.
Actually, using a fake last name helps to a surprisingly large degree. Neither my students nor potential employers seem to have found me, at least.
I'm going to start by guessing that "sortkatt" is your fake FB last name.
Sorry, couldn't resist,
I agree. I really disagree with some of the punishments handed out to teenagers when the only evidence was a Facebook posting or a cell phone video. We're not giving them a chance to *learn* from the same mistakes that you and I made.
Yes, they got into that fight in the restroom or smoked pot at their friend's house, but somehow we aren't giving them a chance to learn on their own. We come down on them harder than the behavior deserves.
It just doesn't seem right.
All of this is a good reason to use an alias online. Not to provide high security, but to provide plausible deniability. I'm not worried about a background investigator or national defense agency discovering my kinks and/or hobbies -- just my line manager and my co-workers.
Privacy defaults on Facebook are particularly bad. If the site defaulted to private, it would be much less populated and popular. This puts the burden of privacy management on users, many of whom don't want to have to become Facebook experts to protect themselves.
My rule is simple:
"Only put things on Facebook that you are happy to have (a) totally publicly accessible and (b) indexed by Google."
I agree with other posters - the first rule is "don't use it." There. Privacy problem solved.
Personally, being a somewhat typical geek/software engineer, I'm all for a new type of site called "Antisocial Networking". www.inyourfacebook.com anybody?
"I'm not worried about a background investigator or national defense agency discovering my kinks and/or hobbies -- just my line manager and my co-workers."
So you don't mind that every bored bureaucrat knows you like your welly boots filled with warm custard whilst wearing your gas mask and that you collect bondage Barbie dolls then?
Just so long as your co-workers don't rib you about it.
May I be one of the first to not join your not-social networking site?
I mean, this is what it should be: sign up, do nothing.
To deter employers from viewing social networking pages, employees might post on their pages legal terms of service under which employers agree to scram. This idea should not be taken as legal advice for any particular situation, just a topic for public discussion. Details: http://hack-igations.blogspot.com/2007/11/... --Ben
Sorry guys, a domain squatter/advertiser using the address
6107 MAGNOLIA AVE
grabbed that domain as of 2006 May 04
Expectations of privacy, and posting information to the internet - seems a dubious combination.
Do not post things in public and/or on the web that you want to keep private. Ever.
Then again I do not worry over-much about privacy, except when I do. My name, address, email, and phone number have been on the web since I first put up a web page in 1992. (I added a map link when maps on the web appeared.) Never been a problem.
On the flip side - you will find very little information about my kids - from me.
Pro tip: If you don't want other people to see it, don't put it on a (public) Internet website.
"Just don't post it" helps surprisingly little when all your *friends* use facebook. They take pictures, and those pictures go online and are discussed. It's probably better to be on Facebook yourself, so that you can see when they post that picture of you vomiting into the toilet and you can ask for it to be removed.
Even "Get less candid friends" isn't workable advice. A lot of pictures of me from the early 90's are showing up on Facebook these days.
I think the dangerous thing with social networking sites isn't just your own account but friends - If a bad picture is taken on a night out, can you really stop them uploading it? I have had a few pics nicked off my computer (my fault I know) and on complaining to Facebook I got no help at all despite being tagged in them.
Guess a few people have been burnt as I have seen a few posts on this topic recently:
Online Networking has reached epidemic proportions. I’m on Facebook for social networking, LinkedIn for business networking, and Sparkbliss for romantic networking. There are things I like and things I don’t, but what matters most to me is privacy.
With Facebook, the proposition is join or seem aloof. Given its pervasive nature, forget about your privacy. When my friend Calvin asked if he should join Facebook, I put it this way “it depends if you want to fill up your inbox and then allocate the time to respond.” I added “expect everyone you have ever known from childhood to today to want to be friends and then ask you to join this, vote on this, attend this, play this, and so on.” He was deterred for now, but will succumb. Personally, I avoid being sucked into its online vortex. My approach is to log in about once a week, blindly accept friend invites from anybody and ignore everything else.
LinkedIn offers an extremely productive tool for professional networking; it makes sense for anybody in any kind of business. I use my profile as a virtual public resume; I knowingly relinquish my privacy. However, I manage my account and maintain its content with great discretion. Instead of universally accepting every connection request, I qualify each one. The site offers powerful internal search capabilities and externally your profile is easily found by Google. The downside being savvy sales people will use this vast database to find you and sell you.
While Sparkbliss is similar, it is focused upon romantic recommendations through your private network. You control who sees your personal information; trusted friends and family screen for eligibility and make introductions. It is unique by its architecture, which places priority upon personal security and privacy. For example, a Sparkbliss profile cannot be searched on the site internally or found externally by Google. This is an excellent alternative for people such as teachers who would rather avoid disclosing personal information on the public Internet.
While Facebook and LinkedIn pay lip-service to increasing default security and privacy settings, stricter measures would only stunt site growth. Don’t expect policies to change any time soon. Unfortunately, most users surrender control of their personal information without knowledge or consideration. Today, it is incumbent upon the individual to protect themselves.
I think these comments are saying more about the commentators than anything else. Talk to a few teenagers and you'll probably get a very different opinion.
Two quotes from teenagers from a NYT article on the subject late 07/early 08 (sorry, lost the citation and am probably misquoting slightly) that stuck in my mind:
"my mom warns me about privacy on Facebook in the same way she warns me not to go to New York because I'll get mugged", and "so the worst that can happen is that someone down the line sees an old photo of me? I'd better make sure it's a great photo". Privacy is not dead, it's just that gossip has been automated.
Because Facebook, like many successful technologies, is simply automating something that already exists and is used enthusiastically: gossip. I choose not to make an ar*e of myself in public because I don't want the public to see me looking like an ar*e. I choose my friends in such a way that if I do get drunk and pass out on a toilet, I know I can trust them not to take photos and show them to the world.
If you make a fool of yourself in public and have friends that want to shame you, they'll do it. Without Facebook, they'd just do it by email or verbally. At least this way you get to see who is gossiping about you.
Stop shooting the messenger.
I'm on Facebook, hoping to hear from school friends or acquaintances from many years past. The younger ones from my immediate family are also there. The only photos of me were taken at a wedding when I was all dressed up - nothing to be ashamed of there. My other photos are equally benign. I'm finding it interesting and not very time-consuming but I'm trying to limit my friends and connections. All in all, I'm finding it rather fun.
There is a huge generational difference in attitudes toward this kind of thing. I'm not quite an old timer, but most of my contemporaries live by e-mail; we will grudgingly use IM if someone we know insists on it. Social networking, though, we tend to view with contempt.
People just 5 years younger are obsessed with documenting and posting every detail of their lives. You go out for drinks with people you barely know and they insist on taking group photos with their cell phones and posting them.
They also seem much more willing to do business "in the cloud" with Google apps and the like. When asked how they feel about entrusting their documents to a third party, many seem never to have given it the least bit of thought.
In a previous job, some kids working for a major IT outsourcer casually mentioned that they would be using a free online file storage web service to share documents - some of them quite sensitive infrastructure diagrams - about our company with their overseas colleagues. He was surprised that I took objection to this plan.
Obviously enough, not using fb is the best thing to do privacy-wise. But will we have the option not to go there, in the years to come?
I have two major issues here:
- Teenagers don't appear to worry about fb, but do they realize how the Internet remembers everything and that it is absolutely different from any previous social experience?
- Second, what is the level of assurance (or control) the user has on the material he/she puts on fb? Is there any wiping mechanism?
These days new attacks are already taking advantage of personal information, some of which is retrieved from social network sites like facebook. If the account is hacked/breached from one of these social network sites, the impersonator can damage the (personal and professional) reputation by modifying the profile or changing/inserting the contents or comments.
"Unfortunately, there's no way to prevent people from seeing photos of you in someone else's profile. You can prevent them from tagging you, but not having you in the picture."
That's pretty much true of any website.
For those of us who are naive FB users and don't have time to research its subtleties ourselves this is an excellent article.
"gossip has been automated"
You guys are the BEST source of tshirt quotes!
To me the reason to limit information on the cloud boils down to the fact that most sites allow password changes to be controlled by q/a of that information.
An example is Sarah Palin's email getting stolen by someone who answered the questions in Yahoo using info from Wikipedia.
For the rest of us that could have been our bank account with information from FB.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.