It has happened so many times before: Facebook introduces a new feature they say everyone will love. But instead, people get up in arms over what seems to be Facebook’s newest step towards a society without privacy. As usual, the truth lies somewhere in between. Even though Facebook’s privacy settings are regarded by many as terribly confusing, it is possible to hide about 95% of your information from the public. Also, what do Facebook-enabled sites and apps know about you?

Restricting access to your profile

What you can hide

Here’s a comparison of my private and public profile:

(Image: Private profile)

(Image: Public profile)

I’ve been able to hide just about everything except my picture, name, gender and some of the pages I’ve liked. So how do you make your profile more private? There’s an easy way and there’s an effective way that requires more effort.

The quick-and-dirty option: hide yourself from Facebook’s search results

(Image: Facebook's privacy settings for search)

If you don’t want to plough through all your privacy settings to hide your information from everyone, you can choose to hide yourself from Facebook’s search function here. Your profile will not show up in search engines, nor will anyone be able to find you except friends of friends. This has its drawbacks.

First of all, because of the weird way Facebook’s privacy settings work, friends of friends may still be able to view parts of your profile. That still leaves a lot of people you don’t know with access to your profile. Secondly, if you pull out of Facebook’s search results, there’s no way for new friends to add you (friends of friends aside).

The better and harder way: setting all privacy settings to “Friends only”

(Image: Your privacy settings)

I would have liked to see a feature that makes every piece of information private in one fell swoop. Sadly, it’s not that easy. Some say Facebook is making this hard on purpose so that they can make more revenue off public data; others think they don’t know any better. So here’s what you need to do: go to your privacy settings (Account > Privacy Settings) and set everything to “Friends only”.

But wait, it gets more complicated. If you cannot see Friends, Tags and Connections as shown above, you have to go to your profile, activate the Info tab and click Edit. Facebook will then migrate your profile page to a newer version. All of the things you check on this page will be publicly visible at first, but you can change this later.

(Image: Migrating to the new profile page)

Once you’ve done that, you can start adjusting your privacy settings. Under Personal Information and Posts, you can hide most of your profile information. You can also configure the default privacy setting for future status updates, photos and videos. Note that this doesn’t affect content you’ve already posted, so you’ll have to change the privacy setting on these items manually. Under Contact Information, you can hide things like your e-mail addresses and mobile phone number.

On the Friends, Tags and Connections page, you’ll be able to hide information about your friends list, family, school, workplace, pages you like (music/movies/books/television only) and relationship status. Finally, Applications and Websites contains some important privacy settings concerning Facebook-enabled apps and sites from third parties and Instant Personalization, which we’ll get to in just a moment.

Facebook apps and Facebook Connect

You’ve probably tried Farmville at some point, right? Maybe you’ve used your Facebook account to log in to another site. In both cases, some of your Facebook information is shared with those third parties. Here are a couple of interesting tidbits about your privacy on Facebook-enabled websites and apps:

What you share when visiting applications and websites
From Facebook’s help section (source)
When you visit a Facebook-enhanced application or website, it may access any information you have made visible to Everyone as well as your publicly available information. This includes your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages. The application will request your permission to access any additional information it needs.

Storing and Using Data You Receive From Us
From Facebook’s developer policies (source)
By “basic account information” we mean: user ID, name, email, gender, birthday, current city, profile picture URL, and the user IDs of the user’s friends who have also connected with your application. (…)

Users give you their basic account information when they connect with your application. For all other data, you must obtain explicit consent from the user who provided the data to us before using it for any purpose other than displaying it back to the user.

Extended permissions
From Facebook’s developer policies (source)
Starting June 1, 2010, all applications will be able to access only a user’s public data unless the user grants your application the extended permissions it needs.

(Image: Facebook's new data request window)
(Image credit: Facebook)

Long story short: things are a little vague at the moment, but starting June 1st 2010, apps and sites can only access basic information about you after you’ve given them permission. Additionally, if the app or site wants additional privileges, you’ll get another request window (as shown above).

This sounds like a fair policy to me, so I’m not too worried about privacy in Facebook-enabled apps and sites. As long as you carefully examine every Facebook data request window before giving permission and consider whether you want to share that information with this company, you should be safe.

There’s one thing you should look into though. Information about you is being shared with an app even if only one of your friends uses it, unless you explicitly put that app on your blacklist. Alternatively, you can limit the information that is being shared to your name, picture, gender and publicly available information on this page.

Verdict: use with caution

The universal Like button

A few weeks ago, Facebook introduced a universal Like button that any website can embed onto their pages. This is one of the so-called social plugins that Facebook has released. Does this have consequences for our privacy?

What personal information is shared with sites that use social plugins? (source)
None of your information (…) is shared with external sites you visit with a plugin. (…) They do not receive or interact with the information that is contained or transmitted there.

Can websites that use social plugins publish information about me? (source)
No information is published if you do not interact with social plugins. If you click “Like” or make a comment using a social plugin, your activity will be published on Facebook and shown to your Facebook friends who see an Activity Feed or Recommendations plugin on the same site. The things you like will be displayed publicly on your profile.

(Image: The result of a Like)

In summary, when you click the Like button on an external site, a link to that page will appear on your Facebook profile as shown above. No information is shared with the external site.

Verdict: safe

Instant Personalization

(Image: Instant Personalization)
(Image credit: Facebook)

Instant Personalization is a new, controversial Facebook feature that immediately shares some of your public Facebook data with partner sites when you visit them. Unlike with Facebook Connect, you do not have to log in before this data is shared. Although only public information about you is being shared, many people don’t like the fact that these sites know their name from the moment they arrive. Here’s Facebook’s take on this feature.

How does instant personalization work on websites participating in the pilot program? (source)
We have established a small pilot program with an exclusive set of partners – currently yelp.com, Microsoft Docs.com, and pandora.com to offer a personalized experience as soon as you visit. These partners have been given access to public information on Facebook (e.g., names, friend lists and interests and likes) to personalize your experience.

When you first visit any of these three partner sites while logged into Facebook, you’ll see a blue bar appear at the top of the site letting you know that your experience is being personalized. You can choose to learn more, remove the personalized experience or click “x” to remove the bar. If you don’t want your experience personalized on these limited number of sites, you can opt out by clicking here. You can also navigate there by going to ‘Account’ -> ‘Privacy settings’ -> ‘Applications and Websites’ -> ‘Instant Personalization Pilot Program’.

The worst part is that this feature is enabled by default, although it looks like Facebook may have changed its stance by the time you read this. I’d recommend checking if this feature is turned off on your account here. If you do decide you want a certain site to get access to your basic profile information from Facebook, there’s always Facebook Connect.

Verdict: worrisome