Facebook timeline security & privacy: steps to keep your account & identity safe

Now that Facebook’s timeline feature is in the final stages of being rolled out to all users (including, finally, to my account), it is important that everyone understands how to use the feature and, most importantly, how to secure your identity and privacy in its new context. Timeline is quite a simple feature, introduced by Facebook with the goal of putting a timeline context behind things you post and ways you interact with the site. But now it’s even easier for people to create a complete “digital snapshot” of your recent history, for better or worse. For example, this can make it easier for prospective employers to piece together a good idea of who you are, but is that always desirable?

It depends, specifically on which items you choose to share (and with whom). For instance, if you had a racy night out last Friday, that might be the kind of thing you’d prefer to share with only a few friends, and certainly not the sprawling list of “Friends of Friends.”

In this first part of a series on securing the timeline feature on Facebook, we dive into restricting data sprawl through inadvertent interaction with the feature. One caveat though: Facebook continually updates its privacy and security settings, including the help sections for each item, so in the future, some of these screens may look different. Still, the principle of attempting to share as little as possible by default, rather than as much as possible, seems like a sound approach, privacy-wise.

Diving into Timeline

First, is timeline enabled on your account? When the timeline feature suddenly appeared on my account (automatically, against my personal preference), I was presented with a notification that it would be happening, and information about when, followed by a button showing how to get more information in the timeline help section:

Facebook timeline announcement

Then, when the date arrived, I was presented with a notification that the feature was now enabled, like this:

Facebook timeline notification

Okay, so now I have it, but what to do about it? First, on the “Learn More” page we can dig into the nuances of the service, starting with the Privacy Options link (highlighted in red below):

Facebook privacy options

When you click that link, you are taken to a landing page where you can adjust your privacy settings. Here’s the direct link in case you need it: https://www.facebook.com/help/timeline/privacy

Facebook privacy settings

First, let’s look at the options for “Who can see stories on my timeline”:

Timeline story visibility

Here you’ll have to start making decisions about what information to share, and with whom. It is worth noting that Facebook treats sharing items on your timeline very much like sharing them with other features; you choose what works for you. Typically, Facebook gives the user a couple of ways of controlling this: you can manage groups of content by setting a default to be applied to all data within that same context; or you can use their inline contextual control menus for each item to determine piece-by-piece which items get shared, and with whom.

Since it may cause problems to make your data Public by default, you’ll have to decide if you want to share your items with Friends (+ friends of anyone tagged), only you, or some custom combination where your preference can be more granular, with the ability to restrict certain people or groups (which can be handy).

Here we’ll have to start making decisions about whether to allow or protect information sharing by default. Remember, you can always increase the sharing of data, but it’s very difficult to restrict sharing once your data is sprawled out to your Friends, or their friends. Imagine taking a racy picture intended for someone you are close to and having that “accidentally” shared to the wrong group of people, and their friends, etc. It’s well nigh impossible to then try to restrict who has a copy of that photo going forward. It’s also a good idea to restrict Facebook photo uploads to things that wouldn’t cause hate and hurt if they seeped out into a wider audience. After all, there are many humorous websites featuring screenshots of allegedly private Facebook conversations and shared content, where someone in an unintended audience grabbed a screenshot and broadcast it to the wide world. Don’t let this happen to you.

Assuming you want to take a more secure approach, you may start by ratcheting down your privacy so that only you, or very select small groups of friends, may see your content. If someone legitimately gets offended that you seem to be excluding them from sharing, just add them individually to a given group. This way it’ll be easier to control your data, which over time is far better, security-wise.

It’s also good to note that you have the ability to delete items from the timeline that you may not want integrated into it.

As you can see, you can also just hide it from timeline, but then it still may appear elsewhere. If there’s a reason to hide content, there’s likely a reason to delete it altogether, unless you have compelling reasons to retain it.

Also, there are controls to hide friends’ posts from appearing on your timeline by default, which might be handy if your friends get a little carried away with sharing content you may not consider flattering, and/or that may become visible to those groups you’d rather not share with by default. (Consider that a prospective employer may agree with Aesop that “a man is known by the company he keeps” and draw conclusions about you based on the lewd iPhone snapshot that your best man put on your timeline.)

On the other hand, you can always just use the “Report the post” option if it gets too far over the line and violates Facebook’s Terms, so that may be an option to keep in the back of your mind if your friends get a little too crazy.

Of course, you can review the content and then decide as well, on a case-by-case basis. Here’s a screenshot of the context menu for the timeline on an item:

It’s good to know what to look for when you’re trying to control the sprawl of your data, so keep an eye out for these context menus and you’ll have a finer degree of control.

Who can see what’s on your Timeline?

Next we look at who can see details about you on your timeline, like your hometown, birthday, or other details:

Again, you can either set these directly, or use context menus on your profile to control what information appears on your timeline, using the audience selector. It’s nice that only your friends are allowed to post on your timeline, averting a potential privacy mess if the audience were wider, especially if you don’t pay much attention to how many friends your friends are collecting on their lists.

Also, note you can turn on the “Timeline Review” feature. Let’s say you want to review items BEFORE they get posted to your timeline. Here’s where you might enable that:

It’s nice that you get a Pending Post notification, so you’ll know when there’s content awaiting approval. Also, it’s a good idea to check your activity log periodically to note changes. Haven’t looked at yours lately? Here’s what the Activity Log is all about:

Activity log

It’s a good way to take a quick look at content from the time you set up your account to the present. It’s tough to keep up with all the content day-to-day, so this might be a quick way to roll back the years and see if there are things you’ve missed, all in one place. Here you might want to dive in and change sharing of one or more items that have reached a wider audience than you planned, and/or at least KNOW what got shared and when.

Some European Facebook users have requested a full log from Facebook of all their content and been provided with a substantial number of records, sometimes hundreds of pages in length, burned onto a CD and shipped to them. Getting all that data is harder for North American Facebook users, but you can submit a request for what Facebook does make readily available here. It may be a good idea to take a peek at what content they show on your profile, and adjust accordingly.

In our next Facebook security and privacy post we will look at reviewing our timeline from other people’s perspective, using a tool called “View As”. Until then, we hope this post will help with tuning your timeline settings to your liking.

Timeline View As

You access the View As tool via the gear wheel icon below your cover photo, as described in this help screen:

Notice the context menu for this as well. Here, we find a way to take a look at how things might appear to a friend, coworker, or whomever. This is a nice sanity check to see if all your content has the viewing audience you would prefer, in other words, yet another way to make sure you have the right audience for your content.

Past items on Timeline

Next we look at how past items are displayed. We are told:

Notice that items in the past have been essentially frozen in the context they were when originally posted. It’s still worth using the “View As” feature to double-check and see if everything is as you expect from other people’s point-of-view: better safe than sorry.

All past items visibility

If you decide you want to restrict all your past items to only friends, there’s a way to do that:

So you could ratchet down items that you no longer want to be publicly visible, items that you should consider reviewing anyway. If, however, you have a mix of content, some of which you want shared with a wider audience, note that using this feature is irreversible, so ratchet down wisely. On the other hand, you can review your past items and set their context individually. Still, if you want a quick way to restrict visibility, this tool will help you keep things much more private.

Who can see your friends?

If you want to restrict who can see your list of friends, there are tips on how to do that:

Here, it’s a good idea to think about restricting visibility into your list of Friends, especially if you have Friends who really aren’t interested in sharing their friend preferences widely. Here, the adage that “you are known by the company you keep” can turn into a valuable tool for those trying to evaluate you in terms of whom you know, for better or worse. Regardless of viewers’ intentions, in terms of privacy, less is more, so you might want to restrict this.

Block people from posting on your timeline

Suppose you have certain circles of friends that you don’t fully trust to resist posting unsavory items on your timeline. Here’s how you control that:

By setting this feature to “No One”, you severely restrict the ability of less-than-honorable would-be posters to upset your timeline. Note also the ability to restrict them from seeing your posts at all:

This is a still further way of restricting their visibility, which may apply, depending on your situation.

Timeline wrap-up

As you can see, understanding the context of your timeline can seem a bit daunting. But remember, having your private information accidentally creep out onto the Internet can often mean you won’t get it back, which is much tougher to live with, so it may pay to take the time to set your Timeline sharing as you would like it. And remember, if you really want privacy, either ratchet down some of the settings as described above, or better yet, don’t post things you don’t want to be visible in the first place. There are many examples of people losing jobs and opportunities, or messing up relationships in significant ways, by missing a setting or two on Facebook content sharing, so don’t let it happen to you; it’s much more painful and tough to fix after the fact.

Cameron Camp
Security Researcher

