12 Dec 2009 pjf   » (Journeyer)

Tightening up your Facebook privacy
I've previously discussed the new Facebook privacy system, what it means to you, and some recommendations on keeping at least some privacy. If you haven't read this post, I suggest you do so now, as I won't be repeating those recommendations here.

Since my last update, I've had a lot of feedback, and done a bit of exploring, and discovered there are some extra privacy controls that are rather hard to find! One thing that had me perplexed was how to hide which groups I was a member of. Groups are juicy stuff; they tell me a lot about your beliefs, interests, and social ties. These are things you may not wish to be broadcasting to the world. Events are the same, but even more so, since they give me an idea of where you actually are, and who you're physically interacting with. You probably want to have some control over who can see these.

Luckily, you can; the controls just aren't where you expect them to be. They're not in Privacy Settings at all; they're in Application Settings. By selecting Edit Settings you can change the privacy on your groups, events, gifts, links, notes, and photos. Note that the photos setting only controls who can see your photos tab/box/link; individual albums have their own privacy controls.

When deciding on your privacy settings, it's worth keeping two things in mind:

- Applications run with the permissions of the user that installed them.
  This means that if you allow your friends to see events, your friends' applications can also see events. The previous privacy settings actually allowed friends to see events, but you could block their applications.
- A permission of Everyone generally means it's publicly accessible.
  Facebook is making it pretty clear that Publicly Accessible Information (PAI) is available to everyone and everything, including unauthenticated users, applications, and third-party websites.

It's also worth noting that even if you set your event and group privacy to only me, it's still possible to go directly to an event or group and see the list of members, and you will show up there. What tightening your event/group privacy stops is a person or application being able to see all of your groups and events in one hit. If I'm determined to find your groups and events, I'd start by grabbing your publicly accessible list of friends, walking through their events and groups, and checking each one to see if you're a member. Your potential employers and in-laws aren't likely to go to that sort of trouble.

It also looks like I'm not the only one who's been upset that Facebook has made one's list of friends completely public information. What's amusing is their response to it. Let's look at their new privacy tools blog post, which talks about how to hide your friends. It starts off being very positive:

When you uncheck the "Show my friends on my profile" option in the Friends box on your profile, your Friend List won't appear on your profile regardless of whether people are viewing it while logged into Facebook or logged out.

That's great, isn't it? We can finally hide our list of friends, just like we used to... Except...

This information is still publicly available, however, and can be accessed by applications.

In other words, you can hide your list of friends from casual observers, but it's still considered publicly accessible information, and hence presumably can be accessed by anyone who can write, install, or employ an application to find it, as well as by "Facebook enhanced" websites.

To the average user, the effect of this change is a great way of letting them feel like their friends are private, without actually making them private.
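
The visibility rules described above (applications inherit the installing user's permissions, Everyone means publicly accessible, and a hidden friend list stays available to applications) can be modelled in a few lines. This is an added sketch, not Facebook's code or part of the original post; the `Viewer`, `Profile`, `can_list` and `audit` names, the numeric audience levels and the sample viewers are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Audience levels. "Only Me" and "Everyone" are named in the post;
# the numeric encoding is an assumption of this sketch.
ONLY_ME, FRIENDS, EVERYONE = 0, 1, 2

@dataclass
class Viewer:
    kind: str                                # "owner", "person", "anonymous" or "app"
    is_friend: bool = False                  # is this person a friend of the owner?
    installed_by: Optional["Viewer"] = None  # for an app: the installing user

@dataclass
class Profile:
    settings: dict                           # category -> audience level
    show_friends_on_profile: bool = True

def acting_as(viewer: Viewer) -> Viewer:
    """An application runs with the permissions of the user who installed it."""
    return acting_as(viewer.installed_by) if viewer.kind == "app" else viewer

def can_list(profile: Profile, category: str, viewer: Viewer) -> bool:
    """Can `viewer` fetch the owner's whole list for `category` in one hit?"""
    who = acting_as(viewer)
    if who.kind == "owner":
        return True
    if category == "friends":
        # Friend list stays publicly accessible; the checkbox only hides it
        # from people looking at the profile page, not from applications.
        return viewer.kind == "app" or profile.show_friends_on_profile
    level = profile.settings[category]
    if level == EVERYONE:                    # publicly accessible, even logged out
        return True
    return level == FRIENDS and who.is_friend

def audit(profile: Profile, category: str) -> dict:
    """Report which kinds of viewer can list `category` (constructed viewers)."""
    friend = Viewer("person", is_friend=True)
    stranger = Viewer("person")
    viewers = {
        "friend": friend,
        "friend's app": Viewer("app", installed_by=friend),
        "stranger": stranger,
        "stranger's app": Viewer("app", installed_by=stranger),
        "logged out": Viewer("anonymous"),
    }
    return {name: can_list(profile, category, v) for name, v in viewers.items()}
```

The model covers only bulk listing; as noted earlier, membership of an individual group or event remains visible on that group's or event's own member list whatever the setting.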

I want to give a special thanks to Matthew Musgrove (@mrmuskrat) for assistance in finding the group and event privacy settings. Also, Risto H. Kurppa is in the process of putting together simple instructions on how to protect one's privacy on Facebook, and is seeking contributions.

If you wish to receive e-mail when I make further posts on Facebook privacy, then join my privacy study or subscribe to the relevant Google group.
