
Saturday, June 11, 2011

Facebook Security 3 - Facial Recognition

SPECIAL NOTE TO SARAH CONNOR, THIS IS ESPECIALLY URGENT.








Once again Facebook has created a cool-feature-with-creepy-implications, and once again FB has decided to activate it for everyone without telling us about it or making it easy to choose not to participate. I'm talking about Facial Recognition, an upgrade to FB's capabilities that allows it to identify your face from the crowd of millions of pictures uploaded every day. As I understand it, FB is compiling a database of pictures linked to names and the ability to recognize faces. This might make tagging people in pictures a little easier, but it could also mean a stranger could tag you (I think so far FB doesn't currently allow that, but their M.O. is to enable features without warning and by default, so . . .) in a picture you didn't even know was taken. Sketchier than the auto-tagging feature is the fact that FB has started compiling this information (your face matched to your name) at all, without much warning and certainly without asking. Even Google, which is first-and-foremost a search engine, thinks this is too invasive. One creepy implication of this kind of database is that a stranger could take your picture and then use it to find your name and then everything the internet knows about you. Might be cute in a movie but IRL ("in real life") we might not want to go there. 


Solutions:
1. Opt out of auto-tagging:
 Go to Account (in the upper right-hand corner of the screen)

 Select Privacy Settings from the drop-down menu
 Click "Customize Settings"
 Under "Things others share" there is a section called "Suggest photos of me to friends"; click "Edit Settings" to the right.
 Click on the box that says "Enabled" and toggle it to "Disabled."


2. Ask Facebook to pretty please stop compiling photo identification data on you.


This is the part that should help prevent strangers from identifying you by photo.


While signed in to Facebook, click this link. It will open a page in the Help Center from which you can message the Facebook Photos Team. The pre-written text is "Please remove all photo summary information associated with my account that could be used to make photo suggestions." and I would leave that to avoid confusion. Send it. You will receive no confirmation that they have obeyed, however.

Saturday, June 4, 2011

Facebook Security 2 - Privacy Settings




Today I will write about Facebook's Platform for third party apps (applications made for Facebook but not by Facebook), why they're a major vulnerability for your account, and how and why to turn the Platform off and secure your account. While the Account Settings adjustments I recommended yesterday should all be easy calls (and I think FB should make them mandatory instead of opt-in), this involves a genuine trade-off: massively improved security and reduced risk of hijacking, but also the loss of those third party apps.

The Problem
Third party apps are dangerous for three main reasons that I am aware of:
1. You're trusting your account's safety to more people. FB is already unreliable, and now you're depending on FB and who knows who else to protect access to your account. 
2. Yesterday I begged you to enable Secure Browsing (HTTPS) for Facebook, and you did it! But most apps don't permit Secure Browsing and force you to revert to HTTP. This is like using a condom with your partner but sleeping around without protection. 
3. With Platform enabled (as it is by default) you can pile up applications without realizing it. A couple of people I've helped regain control of their accounts have had piles of Apps enabled that they didn't recognize and never used. Every one of those is a vulnerability, I'd wager especially those that are sneaky about getting themselves attached to your account.

The Solution (if you can live without Mafia Wars)

1. In the upper right-hand corner select Account
2. From the drop-down menu select Privacy Settings
3. In the lower left-hand corner pick Apps and Websites: Edit your settings
4. Apps you use will list the applications that have permission to access your account and therefore potentially provide access to hijackers and identity thieves. Any there you don't recognize? That's what I'm talking about.
5. Deactivate them individually. (Even if you want to keep some, deactivate the ones you don't use.)
6. Click "Turn off all platform apps."


Ta-da! Your FB profile is now much more secure, and the inability to access Farmville might also make a more productive citizen of you. I've had the Platform turned off for a couple of days now and since I didn't really use the apps nothing has changed. The core FB experience (statuses, pictures, wall postings, groups) remains the same.

Tomorrow I'll write about securing Gmail. If you use a different email service, I strongly suggest looking up security protocols because they're all under attack.

Friday, June 3, 2011

Facebook Security 1 - Account Settings





Problem
FB accounts are being steadily hijacked this year. At this rate, FB will soon be like MySpace: hijacked or false accounts run by computer programs ("bots") sending crap ("spam") to each other with no human users left on board. For years Facebook was the cleaner, safer alternative, but now it is going downhill too. The main line of defense for your account is your password, but clearly that is no longer nearly good enough. A friend whose account I helped recover this week had a Hebrew password and some bot either guessed or stole it. The bots are either stealing our passwords from somewhere, guessing them somehow, or forcing entry by some back door.


To save itself, and especially to encourage people to trust it as a marketplace (do not do this - never ever ever give Facebook your credit card) Facebook should immediately make several changes to the way it handles your account. Instead, FB has chosen to leave accounts vulnerable by default and allow you to choose ("opt-into") more secure settings.

Solution


In the upper right-hand corner, go to Account, then Account Settings.


Scroll down to Account Security and click it. 


Here we will activate three security protocols that will make it much harder to hijack our accounts or steal our information.


1. Secure Browsing (https)


Activate this to tell FB to use HTTPS rather than HTTP whenever possible. This encrypts data being transferred between your computer and Facebook's server and will make it harder to hack. The core FB experience of pictures and statuses and wall posts and messages will not be affected but will be much more secure. Certain FB Apps (all those games and third-party features) won't work on HTTPS and will ask you to switch to unsecured HTTP to use them. I recommend you stop using those (tomorrow we will talk about disabling them completely), but if you do switch at least you'll be protected some of the time. 


This is especially important if you go online on public wifi networks, for example at a coffee shop, library or school.


2. Login Notifications

Selecting either "Send me an email" or "Send me a text message" will cause Facebook to notify you when a new computer logs into your account. If you've done the logging in, of course, you will ignore the message. If you haven't, you'll know your account has been violated. Once you've signed in once from every computer you use Facebook on, you should stop getting notifications. If you're a student who frequently logs in from public computers this might get annoying.



3. Login Approvals


This is part of the new "Two Factor Authorization" trend that is taking hold now that passwords provide insufficient security. You'll need to give FB your cellphone number, which I did not like doing, and from now on when a new computer is logged into your account the person logging in (hopefully you) will have to use a code that FB will send to your phone via text message as well as the password. Just as the password requirement is no longer a sufficient lock on your account, knowing it will no longer be a sufficient key. This sounds more complicated than it is in practice because you only have to set it up once per computer. I've been using it for weeks and it doesn't change my daily experience at all.

I really don't like giving FB my phone number and I hope they'll give an option to use email instead soon. But Two Factor Authorization is absolutely key to make sure that some guy in Russia or some kid in Ontario can't get into your account even if they steal your password (which sooner or later they will).
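A simplified model of how Login Notifications and Login Approvals fit together, as an added example that is not part of the original post and not Facebook's code. The `Account` class, the device names, the password and the in-memory stand-in for the text message are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Account:
    """Toy model of login notifications and login approvals (constructed)."""

    def __init__(self, password):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self.approved_devices = set()  # computers that already passed the code step
        self.pending_codes = {}        # device -> code "texted" to the owner's phone
        self.notifications = []        # alerts the owner would get by email or text

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password, device, code=None):
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return "denied"
        if device in self.approved_devices:
            return "ok"  # known computer: the password alone is enough
        expected = self.pending_codes.pop(device, None)  # each code is single-use
        if code and expected and hmac.compare_digest(code, expected):
            self.approved_devices.add(device)
            self.notifications.append(f"new computer logged in: {device}")
            return "ok"
        # Unrecognized computer: text a fresh code and alert the owner.
        self.pending_codes[device] = f"{secrets.randbelow(10**6):06d}"
        self.notifications.append(f"login attempt from unrecognized computer: {device}")
        return "code_required"


def demo():
    acct = Account("constructed-password")
    results = [
        acct.login("wrong-guess", "thief-pc"),                      # bad password
        acct.login("constructed-password", "thief-pc"),             # stolen password only
        acct.login("constructed-password", "thief-pc", "badcode"),  # guessed code
        acct.login("constructed-password", "home-laptop"),          # owner, first visit
    ]
    sms = acct.pending_codes["home-laptop"]  # stands in for reading the text message
    results.append(acct.login("constructed-password", "home-laptop", sms))
    results.append(acct.login("constructed-password", "home-laptop"))  # no code needed
    return results, acct.notifications


if __name__ == "__main__":
    print(demo())
```

The stolen password never gets past `code_required` on the unrecognized computer, while the owner enters a code once and is not asked again on that machine.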