May. 4, 2010

Posted by in Facebook | 61 comments

The Social Hacking Guide to Understanding Facebook Privacy

After Facebook’s sweeping announcements at the 2010 f8 conference, many people have been reexamining the content they’ve posted on Facebook and who can access that content. This process has helped raise awareness of new behaviors that affect privacy expectations, but has also caused some users to discover old issues for the first time. As with many Facebook updates, the ensuing responses have at times led to confusion and misunderstandings. In this guide, I hope to provide some clarity in understanding how privacy works on Facebook.

This guide is intended for a general audience, so I will try hard to explain ideas clearly and not get bogged down by technical details. However, I will also be focusing on the concepts behind various privacy controls, but not necessarily stepping through all available settings. If you want more on the latter, along with recommendations for those settings, I would point you to the Facebook Privacy & Security Guide maintained by Tom Eston at Social Media Security, a site where I’m also a contributor.

In case you’re not familiar with Social Hacking, it’s a blog about privacy and security issues in online social networking written by Joey Tyson (a.k.a. theharmonyguy), a security engineer at Gemini Security Solutions. Note that all opinions are those of the author and do not reflect in any way on Gemini or any other organization. Finally, note that this guide is licensed under a Creative Commons License. That means you’re welcome to share it with others for noncommercial purposes if you cite Social Hacking or theharmonyguy with a link to and under similar terms. If you want to publish a large portion of the guide on a site that includes advertising, please contact me first.

1. Facebook is Not Magic

I’ve spent countless hours over the last few years studying the technical details behind Facebook’s privacy controls and looking for ways an attacker could override them. All that investigation leads me to state that Facebook is not magic, in both a positive and a negative sense. First, while Facebook employs all sorts of technology to record your activity on the site and the information you post there, they cannot magically discover all of your secrets and post them for the world to see. The biggest form of control you have over your content on Facebook is not sharing it to begin with.

Of course, participating in Facebook often carries a variety of social pressures that may prevent from simply “not sharing,” and Facebook may record data or combine pieces of data in ways you don’t anticipate. Also, remember that your friends are humans, and even if you restrict all of your content to just your friends, they can still copy that content and post it elsewhere beyond your control. That’s the sort of social problem no technology can completely stop, and comes down to the trust you place in your friends. However, Facebook can’t hack into your e-mail account or copy your wall calendar, so if Facebook knows something about you, that knowledge probably involved you or a friend of yours.

On the flip side, no website is totally bulletproof in securing information. As someone involved in security research, I know that even “secure” websites pose risks. And yet, I routinely share my credit card number with merchants as I shop online. Is it possible that someone could hack those merchants or intercept my data and steal my credit card number? Certainly. A thief could also sneak up behind me on the street and try to grab my wallet, but that doesn’t mean I never take walks. I generally avoid walks, though, in certain neighborhoods where I don’t trust the environment. Similarly, I try to be very careful about what websites I trust with my personal information. When you post private content on Facebook or anything other social networking site, I can’t promise you that no one else will ever see that content. What you share with Facebook comes down to how much you trust Facebook with that data. This guide may help you in making such decisions, but ultimately, you have to make them.

2. Facebook Wants You to Share

Security guru Bruce Schneier gave an excellent lecture earlier this year about privacy and different generations. In the talk, he related a hypothetical story from social media researcher danah boyd about a friend who discloses information shared privately in order to gain better social standing with others. He then noted that Facebook is like that friend, gaining much revenue and market position from sharing the content you give it with other parties. As Schneier put it, we are Facebook’s product, not their customers.

You may ask, why would Facebook want to share my data? You may use Facebook simply to chat with friends that about things don’t seem of much importance to a large, high-tech company. I would give three main answers. First, the more Facebook knows about you, the more they can target the advertisements they show you. Companies buying ads want to make sure they reach an audience most likely to buy a certain product and value word-of-mouth recommendations. Right now, if I wanted to, I could buy an ad campaign on Facebook that appears for 25-year-old men who are interested in women, engaged or married, speak English, have a college degree in physics, like both Lord of the Rings and U2, and are not already members of a certain Facebook group I created. Facebook tells me that about 80 users fit that description, and estimates that at average pricing my ad would see 1-2 clicks per day. Facebook has offered this level of ad targeting for several years now.

Second, many companies are looking for data on behaviors and trends across large groups of people, and not simply for advertising opportunities. Since millions of people login to Facebook every day and share information about their interests, habits, activities, friends, and ideas, the company can build huge sets of data to answer general questions about their users.

Finally, Facebook can use your information to let other services provide a more targeted experience as well. For instance, if you list your favorite music artists on your profile, Pandora can use that list to generate an online radio station tailored to your specific tastes without requiring you to re-enter all those artists.

Note that I’m simply describing realities here, not commenting on whether they’re useful or creepy. Some people find Facebook’s targeted advertising disturbing, some people see it as a way to see relevant ads for products they may find of interest. But my main point is simply that Facebook has a vested interest in you sharing information about yourself and your life. They do provide some degree of control over what happens to the information your share, but ultimately, they benefit most from you sharing the most.

3. Some Content is Always Public

Some parts of your Facebook profile are always considered “publicly available information” (also called PAI) by Facebook, and ultimately, you don’t have control over whether another person or application can see that information. In practice, it may be difficult for others to find such data or Facebook may even prompt them for certain authorization first. But regardless of any settings or appearances, you should always remember that Facebook does not consider the data private and it may be shared via other channels you’re not aware of.

As of May 2010, the following content in your Facebook profile is always PAI: your name, your profile picture, and your connections. The “connections” part currently includes your friends, your family, your relationships, your current city or hometown, your education history, your work history, your activites, your interests, the music you like, the movies you like, the books you like, the TV shows you like, and any page that has a Facebook “Like” button you’ve clicked.

4. Focus on Settings Close to Content

While Facebook’s myriad privacy settings can provide great flexibility over certain bits of data, they can also cause great confusion. But generally, the most important setting for any piece of content is the one closest to that content. In other words, while you may come across privacy settings in many corners of Facebook, you’ll often find one right next to an individual bit of information, and that’s usually the one you should worry about most for that particular data.

For instance, when you post a status update or link on your profile, you’ll see a little padlock icon next to the “Share” button. That padlock sets who can access the status or link. When you create a photo album or edit its properties, you’ll find a “Privacy” box, and that box indicates who can access the photos in that album.

Are there exceptions to this rule? Yes, and I describe some major ones in the next few sections. But for a starting point, those little padlocks that sit right alongside your statuses, links, albums, and so on are the biggest controls you have over who can see your content. As a general rule, the more complicated settings you may come across will not override these individual settings if a person tries to load your content via the Facebook website.

Facebook does provide other privacy settings that control the visibility of certain content on your profile, including the public information I described before, but that’s not the same as access. I’ve posted several tricks in the past that demonstrated how people could still load content that seemed to be hidden but still had individual, padlock controls marked as “Everyone.” Such a setting really does mean everyone, and Facebook treats the content as part of the publicly available information described before. Rely most on the padlocks to control who sees what.

The most important exceptions to this advice involve how applications access your data. Facebook distinguishes between what people can access browsing the Facebook site as usual and what applications or websites can access by communicating with Facebook through other technical methods, and so far I’ve only covered the former case.

5. Applications Act on Your Behalf

A few years ago, Facebook added some ways for people to write their own code that made use of Facebook data. Originally these were just applications added to Facebook, such as the quizzes or games you still often see on the site. But more recently, Facebook has added methods for other websites to interface with user information as well. How much data all of these applications could access depended on users “authorizing” them.

I think the best way to understand the access applications have is to treat them as ambassadors or liaisons between you and Facebook. You generally establish this setup when you authorize the application, which happens whenever you click to allow access for applications inside of Facebook (such as those games and quizzes) and “login” or “connect” your Facebook on other websites. An authorized application then has much the same access to data that you do, and may post to your Facebook as if you were posting.

Until recently, this meant your applications could access profile information, photos, links, notes, etc. even if they were set to “Friends Only.” Now, Facebook is in the process of shifting applications to a setup where they have to ask for all the levels of access they want. Of course, you don’t get to choose those levels of access, and an application may not work if you don’t approve them all. You also can’t place blanket restrictions on every application you might use.

Another aspect to application access comes into play when a friend uses one and you don’t. While you don’t have much control over data access for applications you use, Facebook does allow you to set across the board whether your friends’ applications can see your data as your friends would, if you haven’t used the applications as well.

One of the most recent changes to Facebook involves certain the company authorizing certain sites automatically, a feature called “instant personalization.” These sites (currently, Pandora, and Yelp) then have automatic access to your publicly available information when you visit them. Applications within Facebook have had this sort of access for a while on most visits. Facebook gives a setting to block the behavior for the three external websites, but they may still receive some of your data when friends use them – an aspect controlled by the settings described above.

Facebook does give you the power to block specific applications, including external websites such as, Pandora, and Yelp. When you block an application, it will won’t be able to tell you exist – your friends won’t even see your name in the context of that application.

6. Applications are Not Facebook

When you use an application, such as a quiz or a game on Facebook, you are interacting with code written by someone not part of Facebook. (The company does treat a few specific features as “applications,” such as Photos or Notes, but these are generally marked as such and cannot be removed.) Most of the content you generate within that application, such as your result on a quiz or your score in a game, is stored by the application outside of Facebook. Ultimately, who accesses that information and how long it stays online are up to the people who wrote the application, not Facebook.

In your “Application Settings” on Facebook, you will find many specific settings that relate to individual applications, including whether they can be seen on your profile. These control the ways an application interfaces with Facebook, such as the boxes on your profile or whether it can publish links on your wall, but you put your trust in the application to provide privacy and security beyond these aspects. I’ve found many applications that allow an attacker to access information you might think would only appear on your profile. Also, an insecure application could be hijacked to access Facebook data you’ve authorized it to see.

7. You Have to Live Your Life

Anyone who reads my blog or Twitter feed will realize that I care greatly about privacy issues with Facebook, and I spend a great deal of time understanding the controls available to Facebook users. But when people ask me for recommendations on Facebook, I often include a closing bit of advice: You still have to your life. Think before you post, know what your settings do, try to stay current with changes and understand where your data goes. But don’t get paranoid or spend more time adjusting your Facebook than actually communicating with your real-life friends.

Facebook is only one tool for keeping up with people. If using Facebook becomes too much of a chore, maybe you should find another tool. But whether you use Facebook or not, don’t let all the news reports and check-boxes cause you to lose sight of the big picture. Focus on living a life worth sharing before you worry about what you share on Facebook.

  1. mmmkay says:

    “Anyone who reads my blog or Twitter feed will realize that I care greatly about privacy issues with Facebook”

    Yes but I still can’t figure out why. It’s such a small issue to be almost nonexistent in today’s Orwellian society.

    What exactly are people, with their HUNDREDS of “friends” putting on there that is so devasting? Nothing! but this makes them feel important. It’s something to get excited about it like effects them but it doesn’t. No one is interested in your cruise ship vacation photos. The free email address you used to sign up with??? It’s like people who vote for a party and when they win an election, imagine that they’re somehow sharing in the power. It’s a gross fallacy born out of ego.

    “and I spend a great deal of time understanding the controls available to Facebook users”

    You do but that isn’t the full story for users. It’s the backend and agreements with third parties we aren’t privy to where the real violations occur.

    Facebook will do what they want. They pay lipservice to any ‘outrage’ with some beautiful PR on their blog then go ahead with exactly what they planned to. Nothing new there, it’s how corporations behave. Don’t like it, don’t use it. The site is a huge timesink anyways.

  2. Perttrepi says:

    Great Post! I think you did a great job explaining the technical aspects of what facebook is doing behind our backs in a way everyone can understand! Great job!

  3. @major: Yes, I did see that story and posted info about it on my Twitter. Thanks for the tip, though.

  4. Hello
    It doesn’t have much to do with this post but deals with facebook and I also didn’t know where to post this: the 6 friends or 9 friends that are displayed on your profile are they really random? Because sometimes some people are showing up over and over again when I refresh the page. There are also people who are active on facebook but never show up on my friends’ display (they are still in my friend’s list though). I wanted to know if it has to do with friends who visited my profile.
    Thank you!

  5. @Moski: As far as I know they’re random, but you’d really have to ask Facebook. I doubt they have anything to do with who visits your profile, as Facebook takes a strong stance against being able to track profile visitors.

  6. @theharmonyguy: it’s just because i’ve noticed I almost always appear in some of my friend’s display and it happens that I visit their profile several times a day. But I’ll ask Facebook… hope they will reply though.

  7. Dupeable says:

    Security guru Bruce Schneier gave an excellent lecture earlier this year about privacy and different generations.
    Check out this video, too!

    Considering the Sociology of Facebook:
    Harvard Research on Collegiate Social Networking
    Professor Jason Kaufman on his analysis of profiles [video; 49min 46sec]
    Last updated: February 03, 2009

    “But the data is already public!”:
    On the ethics of research in Facebook – Michael Zimmer
    Last modified: 2009-08-04


  1. Tweets that mention The Social Hacking Guide to Understanding Facebook Privacy | Social Hacking -- - [...] This post was mentioned on Twitter by Social Hacking, greychampion, Julia Jacobs, SocialMediaSecurity, F-Secure UK and others. F-Secure UK ...
  2. Tweets that mention The Social Hacking Guide to Understanding Facebook Privacy | Social Hacking -- - [...] This post was mentioned on Twitter by rggoldie. rggoldie said: another good post about Facebook privacy from theharmonyguy ...
  3. Dave's Blog » Blog Archive » Facebook and Me - [...] rant) are either incredibly naive or very dimwitted, if they woke up today and realised that Facebook was not ...
  4. Security Through Obscurity and Privacy in Practice | Social Hacking - [...] with boyd that we can’t expect users to become paranoid sysadmins. The final point of my own guide to ...

Leave a Reply