Staying Safe on Social Networking Sites
Millions of people have accounts on Facebook*, MySpace*, LinkedIn*, and other social
networking sites. While these are convenient ways to keep up with
friends and business associates, there are several serious concerns:
- The more information you share, the easier it is for crooks
to steal your identity, plant viruses on your computer, stalk you or
your children, etc. Read Identity Theft and How to Avoid It for more information. The section on spear phishing
is particularly relevant. If you like a particular band, for
example, someone could send you a link to a site that claims to have
information about the band but that in fact will infect you with
viruses, spyware, etc. There are infinitely more possibilities.
- Once you share information with someone else, you lose the
ability to control what happens with that information. Anyone who
sees it can do whatever they want with it, now or at any point in the future.
- It is well known that many employers
search social networking sites for information about applicants.
While this could benefit you (if your pages are well organized, show
civic responsibility, display creativity, etc.), there may be things
that you would rather potential employers not see.
- Law enforcement also uses social networking sites. Watch CIA Facebook for a humorous look at where this could go :)
Tips are provided below to reduce the chances of trouble. They
are separated into General Tips (applicable to all social networking
sites) and tips specifically for Facebook.
*The name of each site is a registered trademark of the respective site.
General Tips for All Social Networking Sites (mostly from "Social Insecurity", Consumer Reports, June 2010):
- Use a strong password
to keep crooks from getting information that you intended for friends
only and to keep them from pretending to be you and going after your
friends. The usual recommendation is at least eight characters
with upper and lower case letters and numbers mixed in. Include
special characters (#, $, etc.) if the site allows it. Do not
use ordinary words or information that someone could find out about
you, such as birthday, middle name, pet's name, or address. One
way to make good passwords that you can remember is to use letters from
a nonsense phrase with numbers thrown in. Example: IL2bac43 for “I Love 2 buy antique clocks”
with an added random number. Obviously, this is more secure if you do not love to buy antique clocks!
- Avoid using the same password on multiple sites. It is especially
dangerous to use the same password for social networking and shopping
sites as you use for banking. A hacker who gets your password
at one site can then get into everything!
- Post no more than the month and day of your birth, NEVER your
full birthday (which is useful for ID theft). This also means
that you shouldn't post your age, since your birth year could then be
deduced. If a site requires you to enter your birthday, it is safest to put in a fictitious birthday.
- Never post anything that you wouldn't want law enforcement, a
current or potential employer, or the whole country to see on the
evening news, now or in the future! Remember, once someone else
sees it, you lose control!
- Use privacy controls. In most cases, you want everything limited to viewing by your friends and no one else. Specific setting recommendations for Facebook are provided below.
- Be aware that sites can always change
the default privacy options. This means that something you
limited access to can become available to everyone without your
knowledge or consent.
- When setting privacy controls, be sure to block search results other than from friends. Otherwise anyone can find your information.
- Do not post a child's name by a picture or as a caption to a
picture. Having a name and picture is useful to potential
pedophiles, kidnappers, etc.
- Do not include your full address, children's schools, or children's ages (same reason as previous item).
- Never post the fact that you are currently away from home or will be in the
future. Anyone who sees that will know that your home is an easy
target. If you want to tell people about your trip, do so when it is over.
- Never let children (or others who lack knowledge about Internet
security) use a social network site without supervision. It's too
easy to make a mistake.
- Beware of emergency requests for funds from a friend's account. The friend's account may have been taken over by someone else!
- In fact, be wary of any message that encourages you to do
something. Such messages should be treated with the same caution
as an e-mail from an unknown sender. Just because the message
appears to be from a friend doesn't mean it is! A link could be
to an infected web site, and an "update" could install malware.
- Be very cautious about using apps (applications) available from the site or suggested by others. Many malware programs populate these sites, including many that will readily collect your login information.
- Watch out for "compact" URLs (web addresses). For example, bit.ly/16StNc
leads to the Consumer Reports home page. While they are convenient for
saving space in Twitter posts and other short messages, criminals often
use them to redirect the user to malicious sites.
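The password tips at the top of this list can be turned into a quick self-check. The following Python is an added example, not part of the original page: the function names, the tiny `ORDINARY_WORDS` list and the sample inputs are constructed for illustration. It builds a password from a nonsense phrase as described above and reports which of the tips a candidate password breaks.

```python
import re
import secrets

# Constructed sample of "ordinary words"; a real check would use a full dictionary.
ORDINARY_WORDS = {"password", "welcome", "dragon", "monkey", "sunshine"}


def mnemonic_password(phrase, digits=2):
    """Build a password the way the tip describes: the first character of
    each word in a nonsense phrase, followed by random digits."""
    initials = "".join(word[0] for word in phrase.split())
    suffix = "".join(secrets.choice("0123456789") for _ in range(digits))
    return initials + suffix


def password_problems(password, personal_info=(), used_elsewhere=()):
    """Return the list of tips the password violates (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    lowered = password.lower()
    # Strip digits and symbols so "Sunshine2010!" is still seen as "sunshine".
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if letters_only in ORDINARY_WORDS:
        problems.append("ordinary word")
    for item in personal_info:
        # Compare without spaces or punctuation: "03/14/1975" matches "03141975".
        needle = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(needle) >= 3 and needle in re.sub(r"[^a-z0-9]", "", lowered):
            problems.append("contains personal information: " + item)
    if password in used_elsewhere:
        problems.append("already used on another site")
    return problems
```

Run the check on your own computer rather than typing a real password into a web page that offers to test it.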
Facebook Tips+
The fact that Facebook is extremely popular makes it an excellent way
to stay in touch with your friends. That also makes Facebook
users extremely attractive targets for crooks! Disclaimer:
Facebook occasionally changes its privacy options and defaults.
For thorough analysis of the currently-available options, use Facebook Help
and/or go through each and every option under the Account Menu (a
drop-down arrow near the top right of the screen while in
Facebook). Unfortunately, finding information in Facebook Help
can be somewhat like looking for a needle in a haystack. The
following tips should help; each has both a direct link to
relevant information and key words to use when searching Facebook
Help. Check both to get the most information:
- Your name, profile picture, gender, network, username, and user ID are always available to everyone (details,
or search "data use policy"). If you don't want to share that
information with everyone in the world, you shouldn't use
Facebook!
And, anyone who knows your username or ID (essentially everyone on
Facebook) can see your public information as well as anything else
you've let them see.
- One thing you never want to show is your full birthday (which would increase the risk of
identity theft). To limit how much, if any, of your birthday shows,
click Edit Profile (under your name near the top of the screen) and
edit the section under Basic Information (details,
or search "hide birthday"). Be advised that Facebook threatens to
disable your account if you use a false birthday, but it is not clear
if or how they would be able to verify it.
- While you are in Edit Profile, click Contact Information and
check the settings for who can see your e-mail address and any other
information you choose to add (usually Friends or at most Friends of
Friends).
- When others (usually friends) share information about you, they can also choose to make it public (search "information you choose to make public"). Keep this in mind every time you post something.
- The above item implies that you should be careful who you accept
as "friends"! It is best to stick with people you know personally.
- When you post something (including Status updates), choose the audience (Public, Friends, etc.) carefully.
It's also a good idea to set a "default" audience, which will apply in
cases where there isn't a separate selection. To set that, click
the Account Menu, then Privacy Settings, then choose the desired
Default Privacy (details, or search "control your default privacy"). The "custom" option allows you to be more specific than the general settings.
- In the following options, the most secure is "only me" if
available; next would be "only friends"; next would be "friends of
friends":
- You can limit who can look up your profile by name or contact
information. Click Account Menu, Privacy Settings, How you
Connect (details, or search "search privacy settings").
- If you allow "everyone" to look up your profile (which is obviously more dangerous
than limiting to "friends" or "friends of friends"), you may wish to
ensure that "public search" is disabled. If it isn't, anyone
can see a preview of your Facebook page by searching for you in Google
and other search engines. Click the Account menu, then Privacy
Settings, then Apps and Websites, Public Search (search "public search" for details).
- You can limit who can add you as a friend and who can send you friend requests. See http://www.facebook.com/help/friends/requests
(or search "friends") for details, including how to delete friend requests that you made to
others or that others made to you. To delete someone who is currently
a friend, go to that person's profile (timeline), hover over the
Friends box at the top of their profile (timeline), and click Unfriend (details, or search "unfriend").
- You can limit who can send you Facebook messages. Click the Account
menu, then Privacy Settings, then How You Connect, and change
settings (details, or search "who can send you facebook messages").
- You can limit who can post on your wall and who can see those
posts. It is very important that posting be limited to people you
trust! Click the Account menu, then Privacy Settings, then How You Connect, and change
settings (details, or search "who can post to my wall").
- Facebook uses "tags" that allow users to link themselves and
others to photos, comments, videos, and status updates. Details
are provided on the page http://www.facebook.com/about/tagging
. Unfortunately, you can be tagged in something that you would
have preferred to be private, and you can be tagged even if you were
not actually in the activity! To control how tagging works, click
Account Menu, Privacy Settings, How Tags Work, Change Settings.
You would normally want to:
- Turn on profile review of posts friends tag you into. You can't control
where others tag you, but at least this lets you control what goes on
your profile.
- Turn on tag review of tags that friends want to add to your posts (same logic as previous item).
- Limit visibility of posts you're tagged in.
- Turn off tag suggestions from uploaded photos. If you don't do this, you may be tagged when you merely look like someone in a photo.
- Turn off the ability of friends to check you into places.
- Facebook-sponsored apps and websites are notorious for accessing
every detail of your profile, so use them only if you don't care about
your privacy. There are some options for what information is
shared, but you may find it difficult to achieve any meaningful level
of control. For maximum privacy, click Account Menu, Privacy Settings, Apps and Websites, and turn off all apps (details, or search "how does privacy work for apps").
- Facebook advertisements can use your name or other information unless you prevent them from doing so. For
maximum privacy, click Account Menu, Account Settings, Facebook
Ads. Click each of the two "Edit ___ ad settings" and change to
"no one", then click Save.
- If you post something and later want to limit who can see
it, click Account Menu, Privacy Settings, Limit the Audience for Past
Posts (details,
or search "limit old posts"). Use with care, since a change here
cannot be undone with one click (a warning is given by Facebook).
- If you are receiving undesired invitations from a person or just
want to block that person from seeing your information, click Account
Menu, Privacy Settings, Manage Block Lists (details, or search "manage block lists").
- Click Account Menu, Account Settings, Security to access the following settings:
- Set a security question, which is recommended (details, or search "security questions").
- Turn on login notifications (you can get a text or e-mail when
your Facebook account is accessed from a device not previously used,
which is recommended) (details, or search "login notifications").
- Check to see if you are logged in from a device or location you
have not approved. If you are, your account may have been
hacked! To solve that and various other problems, go to the Take Action page.
- This menu also has a setting for "secure browsing", i.e.,
encrypting information sent between you and Facebook. Since
anything you send to Facebook is potentially viewable by others, this
would seem to be of little value.
- Use the option to logout (from the Account Menu). Although
Facebook allows you to leave your login open (on multiple devices if
you like), anyone who accessed a logged-in device would have complete
control over your account. That's obviously a bad thing.
- If you lose control of the situation or just want to stop fooling with it, you can quickly deactivate your account: click
the Account Menu, then Account Settings, then Security (search
"deactivate" for details). It might be a good idea to first
change your password to reduce the likelihood that someone simply
re-activates your account. To change your password, click
the Account Menu, then Account Settings, then edit your password (search "change password" for details).
+Thanks to MGT 472 Group 1 from fall 2011 for preparing most of these tips.
Some also came from "Your Facebook Privacy Toolkit", PC Magazine, January 2011.
Source information directly from Facebook is included with links in the tips.
Send comments and corrections concerning this page to:
wfisher@sfasu.edu
Last updated March 24, 2012