USEFUL TIPS FOR USING FACEBOOK, TWITTER & CO. MORE SECURELY
Web surveillance has become a huge and advanced industry. From governments and intelligence services, through companies and advertisers, to criminals and hackers, more people than your think are interested in the information you post and view on Facebook, Twitter and other so-called social networking media. Below are some tips to help you protect yourself, as much as possible, when using these platforms.
1. Don’t use your personal Facebook and Twitter account for political activity.
Why? Because if your account is monitored or hacked, not only will your personal life be exposed, but also that of your family and friends.
2. Don’t use your real name, your personal email account or picture for your political Facebook and Twitter accounts. It’s safer to use a new, separate email account that you only use for your this purpose.
Why? Because if your Facebook or Twitter account is monitored or hacked, and you are using the same personal details, including your email address, for things like banking and other things that involve sensitive information, then the damage could be much greater. If you live in a country where online activity is heavily monitored by the state, using your real name, your picture and other personal details, such as your place and date of birth, might simply be a recipe for being caught or profiled very quickly.
Note that your name, your profile an cover pictures, and your ‘networks’ on Facebook are treated as ‘public information’ accessible by anyone, so changing your privacy settings does not affect these three things.
Note also that Facebook’s Terms of Services include a policy on names, which prohibits those who join the platform from using pseudonyms. But many people do, of course. Just make sure the name you choose sounds like a real one.
IMPORTANT: It may be wise to get a whole new phone and a new phone number to use for your political Facebook, Twitter, etc., especially if you’re using smart phones to access them. Social media platforms are increasingly hassling people about their phone number and linking this to other things they do, whether for marketing or monitoring purposes. On the plus side, it is sometimes useful to provide a phone number because it helps secure and retrieve your account in case anything happens.
If you do provide a phone number, Facebook has a feature for enhanced login security called ‘Login Approval’ (in the ‘Security’ tab in ‘Account Settings’). This requires you to enter a code sent to you via a text message if Facebook did not recognise the device you (or someone else!) are using to log in. This is useful to prevent your account from being hacked. There are also other features in there, such as ‘Trusted Contacts’, to help you reclaim a hacked account or if you forget your password.
3. Use a strong password and change it every now and then. Don’t use the same password for Facebook and Twitter that you use for other things. And remember to always log out when you finish your session.
4. Use a browser (preferably Mozilla Firefox) to log into Facebook and Twitter, rather than using special FB or Twitter apps (e.g. on smart phones).
Why? Because apps save passwords and other private information; they sometimes don’t allow you to log out; and many do not seem to use a secure connection (see the next tip below). So if your phone is lost, stolen or confiscated, all this information will be potentially compromised.
Of course apps do make life easier, but you should only use them if you can be sure that their privacy and security settings are as good as your secure browsing settings.
IMPORTANT: The best way to ensure that you are browsing the web ‘privately’, i.e. without widgets and plugins sharing your data with social networking sites, is to use two separate browsers, say Chrome and Firefox, for example. Use the first one for all general web surfing (after clearing all your cookies and logging out of all social networks on this browser) and use the second only for Facebook, Twitter and other social networks (again, after clearing all cookies first). Do not use the second browser for any other web surfing. Also, on your first browser install plugins like Disconnect, which blocks all widgets from connecting to common social networking sites.
5. Always use a secure connection to connect to Facebook, Twitter, etc. (i.e. URLs that start with HTTPS rather than HTTP).
How? In your Facebook’s Security Settings, you will notice an option that allows you to enable ‘secure browsing’. By enabling it, all your activity on Facebook will be over an encrypted connection from now on. Twitter uses an encrypted connection by default.
IMPORTANT: You should definitely enable this feature if you are using Facebook on public computers, such as in libraries and internet cafés, or if you are using public wi-fi access points. Even if you are connecting from home, it’s a good idea to enable it anyway.
6. Use anonymous browsing to connect to Facebook and Twitter.
Why? Even if you have secured yourself against intruders eavesdropping on your connection, Facebook & co. may still know exactly who you are, where you are, and what you are doing on their platforms. And from experience, these companies can hardly be trusted with not sharing this information with other ‘interested parties’. (Remember when Yahoo handed over critical information on Chinese dissidents, including their IP addresses and the content of their emails, to the Chinese government, leading to their prolonged imprisonment?)
In your Facebook’s Security Settings, you will notice, for example, that Facebook knows (and records) the geographical location from where you are logged in, based on your IP address, along with information about the device you are using to access your account (your web browser and operating system). You can see this in ‘Active Sessions’, the last field in the ‘Security Settings’ tab. If you download a copy of your Facebook data (which you should do regularly), you will find a log of all the locations from which you accessed your Facebook account. You can prevent Facebook from knowing this by using private or anonymous browsing.
NOTE: The ‘Active Sessions’ feature is actually useful to check if anyone else has accessed your account. If you are not using Tor (as described in the above-mentioned anonymous browsing tip), you can check this field regularly to see if there have been any unusual locations or devices used to access your account that do not match yours (that probably means your account may have been hacked!). In this case, change your Facebook password and security questions immediately and notify all your Facebook contacts who may be at risk.
Whilst in there, delete all the previous sessions and enable ‘Login Notifications’, which notifies you, either by email or text message, whenever your account is accessed.
IMPORTANT: Note that if you use Tor or certain VPNs, Facebook may block you from your account because they may think it’s someone else trying to hack your account. If you really want to use them, it is recommended that you provide a phone number or other information to verify that it is you who is logging in.
7. Limit who can access your information on Facebook, Twitter, etc.
Why? Because privacy is security. Attitudes such as “But I don’t have anything to hide” ignore the fact that social networking platforms such as Facebook and Twitter are owned by massive private companies that make their money mainly by collecting information about users and selling it on to advertisers and God knows who. They also don’t really have any other guiding principles, so when a government or intelligence service cracks down on dissidents or targets someone using such platforms, these companies will often cave in and ‘collaborate’ in order to protect their commercial interests.
How? In your Facebook’s ‘Privacy Settings’: Set ‘Who can see my stuff’ to ‘Friends’; Limit the audience for your old posts; Set ‘Who can contact me’ to ‘Friends of friends’; Choose ‘Strict filtering’ for your messages; Set ‘Who can look me up?’ to ‘Friends’; and Turn off the option allowing search engines to link to your Timeline.
In the ‘Timeline and Tagging’ tab : Set ‘Who can add things to my timeline?’ and ‘Who can see things on my timeline?’ to ‘Friends’; Enable the ‘Review posts friends tag you in before they appear on your timeline?’ option; and View how your Timeline looks to the public and to your friends.
In the ‘Followers’ tab, set ‘Who Can Follow Me?’ to ‘Friends’ or ‘Friends of friends’, unless you want to enable other people (‘Everyone’) to follow your public posts (News Feed).
In the ‘Apps’ tab, turn the platform off completely. This will prevent apps from storing and using your Facebook information and activity. If the platform is turned on, make sure you untick all the things that other apps and sites use but you don’t want them to, and disable ‘Instant Personalization’ (this collects a lot of information of your Facebook activity).
In the ‘Ads’ tab, set the ‘Third Party Sites’ and ‘Ads and Friends’ sharing options to ‘No one’. This will prevent your Facebook information and activity from being used in ‘targeted advertising’.
IMPORTANT: An important setting that is often overlooked (and is annoyingly hidden away in a confusing place!) is limiting who can see your Friends and Following lists. To change this, go to your Timeline (by clicking on your name in the top bar), then click on the ‘Friends’ link at the top of your friends box. Click the Edit button in the top corner (looks like a pencil) and select ‘Edit privacy’. Here, set all three options (who can see your friends list, the people and lists you follow, and people who follow you) to ‘Only me’.
Finally, go to your Timeline again (by clicking on your name in the top bar) and click on the ‘Update Info’ link on the cover photo. Set all the sharing options (by clicking the editing pencil button) of each section there to ‘Me only’, or to ‘Friends’ if you know and trust everyone on your friends list and want to share this information with them. But remember, if a friend’s FB account gets hacked, then the information that you thought was not public but only shared with friends might be compromised. The important thing is not to set any of these options to ‘Public’, especially the ‘Likes’ section, and to not display your personal details, such as your email address and date of birth, on your timeline. And obviously do not enter your real or complete address.
If you don’t want the photos you upload to Facebook to be publicly accessible, you have to change their visibility settings separately. Go to your Timesline, then click on the ‘Photos’ link under your cover picture. Click on the edit pencil icon and select ‘See Photos hidden from Timeline’. In there, you can change the visibility setting for each album or picture you have uploaded. It’s recommended to set them all to ‘Friends’, especially your personal/profile pictures.
Twitter has similar – though less complicated and confusing – privacy settings to the ones discussed above.
Remember: even if no one else but yourself can see your Facebook or Twitter information, Facebook and Twitter themselves still have access to it. You should not assume that they would never share it with governments and intelligence services if asked for it. History proves the opposite.
8. Liking and following pages:
The list of pages you are affiliated with on Facebook (by ‘liking’ them) is considered public information and is normally accessible to anyone, including people you are not friends with, advertisers and so on. But you can at least hide this information away so that it is not readily available to curious intruders.
Why? In countries where political repression and online surveillance are a big issue, being affiliated with a dissident Facebook page may put you at risk, or at least highlight you as a potential target.
How? The privacy and visibility settings of your public profile include settings for your ‘Likes’. Go to your Timeline (by clicking on your name in the top bar) and click on the ‘Update Info’ link on the cover photo. Click on the edit pencil icon in the top-right corner of the page and select ‘Manage Sections’. In the pop-up window, you can untick ‘Likes’, ‘Events’, ‘Groups’ and any other section that you do not want to show on your public profile page. For the sections that you do choose to show, you can change their privacy settings (who can view this type of information) by clicking the edit button for that section on your profile page and editing the ‘privacy settings’, as explained in the previous tip. For example, you can show your personal and family details only to your ‘close friends’, or hide it from certain friends that you can specify, or you can choose to make the information visible to ‘Only Me’, which is always the safest option.
To double-check what information others can see about you, click the ‘Preview my profile’ link to see what your profile looks like to your Facebook friends, the public and so on. There are also websites, such as Reclaim Privacy, that provide independent and open tools for scanning your Facebook privacy settings.
9. Think carefully before you post, like or share anything, especially about who should or shouldn’t see it.
How? You can now change the sharing or audience option on each individual Facebook post from a drop-down menu provided within the ‘Update Status’ box. When in doubt, use the ‘Preview my profile’ link on any privacy setting page to check how your information appears to others. The ‘Protected my Tweets’ feature in Twitter provides a similar – though not individualised – option. If enabled, your tweets will only be visible to your approved Twitter followers.
Likewise, think carefully about who you allow to become a ‘friend’ or a ‘follower’, because once you’ve accepted someone’s friendship request, they can access any information you’d set as viewable by your friends. Of course you can always remove friends and block people, but it’s better to be careful from the beginning.
10. Make sure you know and understand what information Facebook, Twitter, etc. collect on you when you use them. You can do this by reading their privacy policies, as well as online privacy and security guides like this one.
11. Logging in and out: Always remember to double-check that the web address (URL) you are using to log into Facebook, Twitter, etc. is the correct one (https://www.facebook.com, https://twitter.com), just in case you had been directed to a fake login page through a link (this is called ‘phishing’). And check there is an S or a lock sign at the beginning of the address bar (i.e. you are on an encrypted connection).
When you finish, always remember to log or sign out, rather than just closing the page or the web browser. If you want to be ultra sure that no one else can use your Facebook or Twitter account, you can deactivate your whole account each time you are finished with your session, then reactivate it next time you log in. You can do this from the ‘Security Settings’ page in Facebook, and in the general ‘Account Settings’ page in Twitter. Deactivation does not delete your account; it just removes your profile and the content associated it from Facebook or Twitter.
12. Prepare yourself for a world without Facebook and Twitter!
Your Facebook posts and Tweets, your contacts and everything else you do whilst using these platforms is stored on their servers, not yours. So if your account gets hacked one day, or is suspended for violating their terms and conditions, then you will find yourself having lost all that information. Well, unless you’ve backed it up!
How? In Facebook, on the ‘General Account Settings’ page, you can ‘download a copy of your Facebook data’. It’s recommended to do that on a regular basis. Similarly in Twitter, on the general account settings page, you can ‘request your Twitter archive’, which includes all your Tweets. There are also independent sites and programmes, such as SocialSafe and ArchiveBook, that do this.
More importantly, perhaps, you should not be totally dependent on these platforms in everything you do. Be prepared for a day when Facebook and Twitter are blocked, or simply the internet is cut off altogether. Would you stop doing political activism then or do you have alternative plans in place?
– ‘How to Protect Your Private Information on Facebook’: http://www.wikihow.com/Protect-Your-Private-Information-on-Facebook
– ‘Facebook Security Best Practices’: http://www.sophos.com/en-us/security-news-trends/best-practices/facebook.aspx
– ‘How to organize on Facebook securely’: http://www.movements.org/how-to/entry/organize-on-facebook-securely/
– ‘Facebook Privacy Toolbox’: https://socialsourcecommons.org/toolbox/show/2176
– Also check Facebook’s and Twitter’s own ‘safety tools’, e.g. https://www.facebook.com/safety/tools/