Safe Facebooking

I have a Facebook account on which I have duly locked down the privacy controls (several times, it feels like). In theory, no one can get at my information unless we become Facebook friends.

In practice, I’ve discovered, it’s another story entirely. After spending the better part of ten days, recently, integrating Facebook into another website, I have new rules for how I use Facebook. I realize they sound a little tin-foil-hat-style crazy, so after the rules I’ll explain a bit about why I adopted them.

Image by CycleDog

Rule 0: I’m not closing my Facebook account. I know a few people who have gotten off Facebook entirely, recently, but Facebook is the only place I’m in touch with my cousins who live out of state, my best friends from elementary school who are scattered to the wind, and my husband’s family who live on the east coast. These people aren’t going to get on Twitter, and I do want to hear about their lives.

Rule 1: I always browse Facebook in a separate browser. If I’m doing my random web browsing in Firefox, then I open Facebook in Chrome (or less frequently, Safari). It’s not sufficient to open Facebook in a different window or a different tab of the same browser, because every window and tab shares the same cookies. It has to be a different browser. (If you only have one browser right now, you can install Firefox here, or Chrome over here.)

Rule 2: I make sure my non-Facebook browser has no residual FB cookies. I used to just leave a Facebook tab open while I browsed random web sites in other tabs, but that’s incredibly dangerous. If I am logged in to FB in that browser, any of those third-party sites could silently collect my Facebook information without notifying me. Once I decided to separate my browsing, I deleted all cookies in my non-Facebook browser. As long as I don’t log in to FB again in that browser, other sites won’t be able to access my Facebook information.

Rule 3: I never browse anywhere else in the Facebook browser. I use Chrome for Facebook, so I don’t use Chrome for anything else. Any external links I want to click on from Facebook, I open in Firefox. This can be a pain in the ass because links on FB usually redirect you through another FB page. So in FB, I right click the link, select “Copy link location”, switch to Firefox, paste the link in, edit it to remove the Facebook prefix, and then hit return to go there.

In practice, I do use Chrome for other stuff, but I log out of Facebook and clear all my cookies first. Which leads to…

Rule 4: I always log out of Facebook. They’ve hidden the log out option; it’s at the top right, the last option under “Account.” It’s not sufficient to close the Facebook window, or even to quit the browser you’re using for Facebook. In either case you leave behind a set of “logged in” FB cookies that other sites can read. I always explicitly log out of FB when I’m done.
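Rules 1 through 4 amount to one procedure: open Facebook in a browser instance with its own cookie store, unwrap outgoing links before pasting them into the everyday browser, and leave no "logged in" cookies behind afterwards. The script below is an added example (it is not from the original post) that implements that procedure with a dedicated, throw-away browser profile. The Chrome flag `--user-data-dir` and the Firefox flags `-no-remote`/`-profile` are real; the profile path, the `FB_DRY_RUN` switch, and the `facebook.com/l.php?u=...` redirect shape handled by `fb_unwrap_link` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a helper that implements
# Rules 1-4 with a dedicated, throw-away browser profile for Facebook.
# Real flags used: Chrome's --user-data-dir and Firefox's -no-remote/-profile.
# Constructed assumptions: the profile path, the FB_DRY_RUN switch, and the
# facebook.com/l.php?u=... redirect shape handled by fb_unwrap_link.

FB_PROFILE="${FB_PROFILE:-$HOME/.fb-quarantine}"
FB_URL="https://www.facebook.com/"

# run the command, or just print it when FB_DRY_RUN is set (used for testing)
run() {
    if [ -n "$FB_DRY_RUN" ]; then printf '%s\n' "$*"; else "$@" & fi
}

# Rule 1: open Facebook in a browser instance that uses ONLY the quarantine
# profile, so its cookies never touch the profile used for everything else.
fb_open() {
    [ -n "$FB_DRY_RUN" ] || mkdir -p "$FB_PROFILE"
    case "${1:-chrome}" in
        chrome)  run google-chrome --user-data-dir="$FB_PROFILE" "$FB_URL" ;;
        firefox) run firefox -no-remote -profile "$FB_PROFILE" "$FB_URL" ;;
        *)       printf 'unknown browser: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Rules 2 and 4: closing the window leaves "logged in" cookies on disk, so
# after logging out, delete the whole quarantine profile (cookies included).
fb_wipe() {
    case "$FB_PROFILE" in
        ""|/|"$HOME") printf 'refusing to delete "%s"\n' "$FB_PROFILE" >&2; return 1 ;;
    esac
    rm -rf "$FB_PROFILE"
}

# percent-decode a URL component using only POSIX sh and printf
url_decode() {
    s="$1"
    while [ -n "$s" ]; do
        case "$s" in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex="${s#%}"; hex="${hex%"${hex#??}"}"        # the two hex digits
                printf "\\$(printf '%03o' "0x$hex")"          # emit that byte
                s="${s#???}" ;;
            +*) printf ' '; s="${s#+}" ;;
            *)  printf '%s' "${s%"${s#?}"}"; s="${s#?}" ;;     # copy one char
        esac
    done
}

# Rule 3: turn a Facebook redirect link into its real destination, ready to be
# pasted into the general-purpose browser. Links that are not redirects pass
# through unchanged.
fb_unwrap_link() {
    link="$1"
    case "$link" in
        *facebook.com/l.php?*) ;;
        *) printf '%s\n' "$link"; return 0 ;;
    esac
    enc="${link#*[?&]u=}"     # everything after "?u=" or "&u="
    enc="${enc%%&*}"          # ...up to the next parameter
    url_decode "$enc"
    printf '\n'
}
```

Typical use: `fb_open firefox` to start the quarantined session, `fb_unwrap_link "$(pbpaste)"` (or `xclip -o`) to get a pasteable destination for a copied link, and `fb_wipe` after logging out. Deleting the whole profile rather than hunting for individual cookie files is deliberate: it is the only way to be sure nothing the site stored, cookies or otherwise, survives the session.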

Rule 5: There is no rule 5.

Rule 6: I never use Facebook to log in to another web site. Any web site can use Facebook as its login system, instead of (or in addition to) letting visitors create accounts. Most of these sites are not officially affiliated with Facebook. It’s convenient to use FB for this, sometimes, instead of creating yet another username and password to remember.

But it’s also dangerous. When I authorize a site to use Facebook to log me in, that site can then access my name, my email address, all the schools I went to, all my employers past and present, my interests and hobbies, my pictures, my wall, my messages, and my friends. Among other things. And the site may hold on to that data, so even if I change it or hide it in Facebook, it’ll be in their database in perpetuity. Since the site isn’t affiliated with Facebook, it’s not bound by their privacy policy, so who knows what it will do with the information? It’s way better to just set up another account with a throw-away username and password.

Feeling crazy yet?

I am. Or maybe “paranoid” is a better word. Before I started working with the Facebook API, I had no idea how much information was available to third-party web sites. Things I don’t think of as public – including my email address – are available by default.

There are, of course, terms of service that those sites have agreed to, but nobody checks or audits them. It’s trivially easy to sign up for a developer account, create a Facebook application, stick some Javascript on a site, and start collecting the data of unwary FB members who visit you.

The public/private dilemma

Honestly, most of the information I have on Facebook is public knowledge anyway, including my email address. But it doesn’t sit well with me that FB lets third-party sites access information that non-friends can’t see. What else might they decide to share someday – the links I’ve clicked on? The groups I’ve visited but not joined? The exes I’ve searched for?

By keeping Facebook quarantined, I hope to contain the fallout of any future “experience enhancements.”

And now, if you’ll excuse me, I need to go use my hat to make dinner.

8 comments to Safe Facebooking

  • Andrea

    I’ve been having some thoughts along the same lines. At the moment I use Facebook only via the dedicated Facebook app on my iPod touch.

    There is a way to use Firefox both with Facebook and with other websites: you can create different Firefox profiles. You can run several different Firefox profiles at the same time using the -no-remote flag. The MozillaZine Knowledge Base has some information about this: http://kb.mozillazine.org/Using_multiple_profiles_-_Firefox and http://kb.mozillazine.org/Opening_a_new_instance_of_Firefox_with_another_profile

  • Very intriguing, and worth thinking about, but the first step is to keep the sensitive content off of Facebook, no? Mine doesn’t have any noteworthy information about me – not even my primary e-mail address.

    My other issue is that I don’t like Facebook and I don’t like using it, but your points about maintaining contact are valid and ultimately why I keep my account. Still, to quarantine it to another browser reinforces the “need” to use Facebook by making it a more complicated process. Do you find that this process emphasizes or de-emphasizes the compulsive Facebook-check?

  • Great post, and very timely given the whole Facebook info on BitTorrent debacle.

    There’s a simple way to keep Facebook separate without having to copy and paste links into a different browser: Mozilla Prism (http://prism.mozillalabs.com/). It’s basically just site specific browser (like Fluid or Chrome “application shortcuts”) however the real bonus with Prism is that it maintains separate cookies and history. It also opens all outgoing links in your default browser. I love it!

    Joe

  • Chris

    Nice article. I have been working with Facebook applications for a while, and it may seem as you say here, but instead it looks like you cannot get the email address from the Facebook API unless you authorize the website to do that. Plus you can usually choose if you want to give just a proxy email that should die when you uninstall the app.
    Also, unless you “connect to Facebook”, the website should not even be able to find your user ID.
    Please let me know your thoughts.

  • Hi Sarah. This particular blog entry is very informative and – I believe – very important. I’m working on a project to develop a knowledge base for survivors of domestic violence. I’m going to send this link to the director of the women’s center at Wright State University in Dayton, Ohio. She’s a friend and feminist associate. Thanks for this blog. You have probably done more good by doing so than you may realize. Robert Bigelow, feminist-advocate.

  • Shouldn’t a Firefox private mode session, or the addon “CookiePie” address the issue? And, if you stick to rule 3, shouldn’t that make rule 4 redundant?

    Otherwise, some scary insights into a subject I thought I at least mostly had a grasp of.

  • Alex

    You are not paranoid! By not relinquishing the right to control over your own information, you are being responsible and active, and you should assert yourself as such! We must show the lazy, complacent, “facebook-is-a-well-intentioned-service” people that awareness and activism are the way to go, not something done only by Luddites.

    I know you call yourself paranoid as a joke, but if we are to take back our social media we must enlist the help of others, and many of them will be more than happy to call you a crazy bat and to ignore your message, especially if we as media activists are happy to call ourselves paranoid!

    Thank you for your article!

  • Gabriel Smith

    Only a moron would use Facebook in the first place.