Consumer Reports has found that an estimated 13 million US Facebook users don’t use, or don’t even know about, the social network’s privacy controls.
That’s not necessarily the fault of the users.
Consumer Reports – an independent, nonprofit US product-testing organization – notes that Facebook users do make some bad choices as far as protecting their privacy goes. But Facebook doesn’t make it all that easy for us, either.
From CR’s press release:
"While some privacy or security issues arise from poor choices Facebook users themselves make, other problems can stem from the ways the company collects data, how it manages and packages its privacy controls, and the fact that users' data can wind up with people or companies with whom they did not intend to share. Some users might be surprised to know that Facebook gets a report every time they visit a site with a 'Like' button, regardless of whether or not they click on that button, have a Facebook account, or are even logged in."
Those factors, taken together, have created a privacy free-for-all where users publish all manner of personal data from which can be extrapolated religious affiliation, sexual orientation, alcohol usage proclivities and more.
Based on projections from CR’s State of the Net report, which was released on Thursday, Americans during the past 12 months “liked”, updated their profiles, and posted status updates to produce these data points at these rates:
- 39.3 million identified a family member in a profile
- 20.4 million included their birth date and year in their profile
- 7.7 million “liked” a Facebook page pertaining to a religious affiliation
- 4.6 million discussed their love life on their wall
- 2.6 million discussed their recreational use of alcohol on their wall
- 2.3 million “liked” a page regarding sexual orientation
For the report, CR surveyed 2,002 members of its interactive consumer online panel who were over the age of 18 and had a home internet connection.
CR found that some people are sharing way too much, including an estimated 4.8 million who’ve potentially tipped off burglars where and when they’re going on given days and 4.7 million who’ve “liked” Facebook pages about health conditions that can be used against them by insurers.
The privacy situation’s bad even for those of us who restrict our information to be seen only by friends, given that friends using Facebook apps can allow our data to be transferred to a third party without our knowledge.
CR says that privacy-related problems caused by Facebook are on the rise: 11% of households using Facebook reported trouble on the site last year, ranging from someone using a log-in without permission to being harassed or threatened.
That percentage projects to some 7 million households – 30 percent above figures from last year’s State of the Net report.
CR acknowledged Facebook’s claims that it takes privacy and safety issues seriously, including CEO Mark Zuckerberg’s assertion that the company checks privacy access tens of billions of times every day and the company’s pledge to offer users greater access to records of their Facebook activity.
It’s all not quite enough, however. For one thing, Facebook’s privacy controls are too hairy for many people to understand.
CR references a recent study from consultants Siegel+Gale that finds that Facebook’s and Google’s privacy policies are tougher to comprehend than the typical bank credit card agreement.
Meanwhile, US online privacy laws are feeble in comparison to those of Europe, for example. In the US, scant federal rights allow us to see and control much of the information that social networks collect.
To address all these issues, CR has put out a call for a national privacy law, asked Facebook to fix what it sees as a security weakness around passwords, and put together a collection of tips to help users understand and use Facebook’s privacy tools.
The advocacy:
Better protections. Consumers Union, the advocacy arm of Consumer Reports, wants a national privacy law that holds all companies to the same privacy standards and lets consumers tell companies not to track them online. It also supports the Obama administration's effort to bring industry and privacy groups together to set clear rules for how personal data is collected and used. Additionally, Consumers Union launched a petition urging Facebook to improve privacy controls and address concerns about sharing practices. The petition is highlighted in a CU policy ad appearing in Politico which can be found at www.hearusnow.org.
What else CR wants to see fixed:
Fix password security lapse. CR notes that Facebook could fix a security lapse that permits users to set up weak passwords including some six-letter dictionary words. And it could help users avoid inadvertently sharing status updates with the public, either by alerting them more prominently when they are about to do so or by changing the default audience for posts to the user's preferred audience.
And CR’s tips for users on using privacy controls:
- Think before typing. Even if a user deletes his/her account (which takes Facebook about a month), some info can remain in Facebook's computers for up to 90 days.
- Regularly check Facebook exposure. Each month, users should check out how their page looks to others. Review individual privacy settings if necessary.
- Protect basic information. Set the audience for profile items, such as town or employer. And users should remember: Sharing info with "friends of friends" could expose them to tens of thousands.
- Know what can't be protected. Each user's name and profile picture are public. To protect one's identity, they should not use a photo, or use one that doesn't show their face.
- "UnPublic" the wall. Set the audience for all previous wall posts to just friends.
- Turn off Tag Suggest. If users would rather not have Facebook automatically recognize their face in photos, they could disable that feature in their privacy settings. The information will be deleted.
- Block apps and sites that snoop. Unless users intercede, friends can share personal information about them with apps. To block that, they should use controls to limit the info apps can see.
- Keep wall posts from friends. Users don't have to share every wall post with every friend. They can also keep certain people from viewing specific items in their profile.
- When all else fails, deactivate. When a user deactivates their account, Facebook retains their profile data but the account is made temporarily inaccessible. Deleting an account, on the other hand, makes it inaccessible forever.
If you use Facebook, and want to be kept up-to-date on the latest privacy and security issues affecting the site, make sure to join the Sophos page on Facebook, where over 170,000 people regularly share information.
All well and good posting these stats, but where is any help to anyone reading the post? I'm a student in the field, and I know damn well people who know little about computers and the internet will look at this and go "OMG, EVERYONE KNOWS WHAT I'M DOING AND I CANT PROTECT MYSELF!"…
Why can't you post a quick tutorial? For example, instead of suggesting making an insane password which nobody can crack, but is so insane you can't remember yourself, I see no mention of 'Login Approvals'. As a one time set-up it's easy enough to do (Account Settings -> Security -> Login Approvals). Every time I log in from a device I've not set as a registered device (it asks you if you want to save the device after you input the code) I receive a text message containing a 6-digit code. I put this code into the box which is open on Facebook. Assuming the code is correct, it asks you to name the device you log in from (EG: Home-Desktop, Laptop, Phone) and save the device, or if you're on a public computer, don't save. After you've finished with Facebook, whether you log out or not, the next time someone opens Facebook, they will be unable to continue to your Facebook page.
So to simplify: you visit www.facebook.com -> Input email and password -> Input code received in text message -> Choose to save this device as 'Registered to log into your account' -> Surf Facebook to your heart's content -> Log off from browsing session -> Someone else tries to log in and you will receive a text asking for the code, they don't get in and your Facebook info is safe.
I understand this isn't specifically to do with 'Privacy Controls' however it will fix the 'Password Security Lapse'.
Matthew
Interestingly, this is one of the few account security related posts on Naked Security that doesn't link to http://nakedsecurity.sophos.com/2010/02/03/choose…
The idea here is that for a password to be truly strong, it must also be memorable.
I also use login approvals as well. It prevents unauthorized access. Another layer of security is to use a complex password. Never use passwords such as “password”, a name, or anything that can be found in a dictionary. A complex password is at least 8 characters long and consists of letters (both upper and lowercase), numbers, and symbols. The more complex and longer it is, the harder and longer it will take to crack it. Another option you want to enable is secure browsing. This uses https or SSL (Secure Socket Layer). You’ll know if you're using https when you see a lock icon in your browser.
From Consumer Reports: “we surveyed 2,002 online households, including 1,340 that are active on Facebook, for our annual State of the Net report. We then projected those data to estimate national totals.”
National projections from a sample set of 1,340 households?!?
From the same article: “We focus on Facebook because it is the world’s largest social network, with 800-million-plus users”
Actually — it has 900 million users. If they can't even get that right… it suggests big problems with the methodologies used.
#junk science
Last time I checked, 900mil would fall into 800+mil by definition. Also this is how studies are generally done. You survey a sample of the population and extrapolate from there. Most of the surveys I see are of 1,000 people / house-holds so this used almost double that.
Consumer Reports' methodologies of extrapolation cause it to conclude that "28 percent shared all, or almost all, of their wall posts with an audience wider than just their friends."
Yet, social media trend tracking companies that attempt to follow ALL public FB postings find a significantly lower percentage of unique public profiles.
Consumer Reports is speculating and is peddling junk science.
That said — once Facebook does its IPO and is a public company, shareholders should demand that FB just publish the damn stats — and kill all this stupid speculation once and for all.
There is an infinite amount of photos with inspirational quotes or jokes circulating on Facebook. (Beautiful sunsets and cute kittens…) To my horror, I discovered that if I comment, share, or like, it is added to the thousands on the planet who did the same. And the worst, every person’s profile is open to every other stranger on those lists.
This week someone asked to tag herself on one of my photos. We have no friends in common and I couldn’t even send her a message, though her page was wide open to me. Now I’m in the time-consuming “deleting” process, praying it really does delete my name on these lists.
And why can’t we secure our photos from being copied?
If you wanted privacy you wouldn't even be using Facebook… Honestly! Why would you use it if you didn't want people to know about the things you post. DUH!
I've actually got an answer for this one: some people use it because they want to know what OTHER people post. Some also use it so they can get store discounts. And then they get hooked, and share information because all their friends are doing it and they don't want to be seen as antisocial.
13 million unaware…13 million of how many? 900? Makes 1.5%. Either that’s an underestimation, or really better than expected.
13 million *American* Facebook users. So, it's not fair to compare it with Facebook's 800 or 900 million *global* users.
But yes, I'd agree. I would expect the number to be larger. In my experience people are mostly pretty clueless about Facebook's privacy settings.
A good reason not to use your real name 😉
If not using a picture of you protects your identity, do they advocate wearing a mask when in public as well?