Recent security and privacy-related revelations about Facebook should concern every Facebook user. Here is what you need to know - and how to protect yourself:
1. Facebook may be revealing to strangers who you are and where you have been, including places you would rather nobody knew you had visited, and may be identifying you to people whom you do not want to be able to recognize you.
As reported by Kashmir Hill, Facebook has apparently been using the location of people's smartphones to make friend suggestions, suggesting that people "friend" others who have used the Facebook app in the same places. While this might seem like a valuable feature - if you cannot remember the name of someone you met at a party or networking event, for example, having Facebook suggest him or her as a friend might be wonderful - it can have terrible consequences as well. Should people who sat in the same waiting room at a doctor's office really be suggested to one another? How many people have met others at parties whom they are literally afraid to meet again? Should criminals who were arrested and brought to police stations be presented with the arresting officers' Facebook profiles? And how many people who live in environments where publicly "coming out" as gay can, unfortunately, have severely negative consequences wish to have Facebook de facto share the fact that they attend private events within the gay community? There are countless other examples.
The risk of unintentional disclosure of information via social media is not new; in a patent filing made back in 2012 - for a patent that was, ironically, issued just days before Hill's article - I wrote that "Information that can be extrapolated from what the user may think are innocuous postings, settings, or other aspects of social media can be seriously damaging to the user." In fact, the danger of information extrapolated from social media wreaking all sorts of havoc was one of the reasons that I founded SecureMySocial, which today provides technology that prevents all sorts of information leaks from harming people and businesses.
According to Hill's article, Facebook has "flip-flopped" on whether it actually uses people's physical proximity to make friend suggestions. There is, however, anecdotal (if unverifiable) evidence that, at least in the past, it has done so.
As such, what should you do to prevent Facebook from providing "too much information" about you via the suggested friends feature?
Until Facebook clearly guarantees that it will not use your location for such a purpose, I strongly suggest turning off Facebook's access to your location data. That can be done in the Location Settings for your smartphone or mobile device (the per-app location permissions in iOS or Android). Keep in mind that this removes only the most precise signal: Facebook can still learn roughly where you are from your IP address, from check-ins, and from location data embedded in photos you upload, so do not treat the setting as a guarantee of anonymity.
2. As has been reported in several venues, links sent in Facebook "private messages" (i.e., Facebook Messenger sessions) may be visible to other, unauthorized users. This is a serious problem for several reasons:
A. People treat private messages as private and may share links that they do not want anyone other than the intended recipient(s) to know they are sharing.
B. Some links inherently contain confidential information. Do people asking a trusted friend or relative about abortion providers, or for advice about an illness or a troubled child, really want the world to know what they are seeking advice about? In some cases the information in question might even be protected by confidentiality agreements, privacy laws, or compliance regulations.
C. Some links are the equivalent of passwords. Links to non-public files on file-sharing services (e.g., Dropbox) often embed an access credential in the URL itself so that recipients do not have to register in order to open the shared file; whoever holds the link holds the access, and the link looks no different from an innocuous one. Unauthorized parties obtaining such links could access information, photos, and videos to which they are not supposed to have access, and over which the user has an expectation of privacy and security.
I should note that the vulnerability in question allegedly allows registered Facebook Developers to access other people's private messages via special types of queries; it does not allow typical Facebook users to see the messages. It is also true that if Facebook discovered a Developer abusing Developer access to retrieve such messages, it would likely (at least eventually) terminate that person's Developer membership. While such limitations are good news that reduces the scope of the problem, the risk is still serious for the reasons mentioned above.
How to best protect yourself?
Don't send links via social media private messages that would cause you serious harm if it became publicly known that you were sending them. In fact, it is best not to send confidential information of any sort via social media private messages: besides the risks discussed above, there is the risk of disclosure if as-yet-unknown and unpatched vulnerabilities at the social media provider are exploited, and the risk that conditioning yourself to share such information via social media platforms leads you to accidentally post confidential information publicly rather than in a private message. Sound unlikely? Consider that the CFO of Twitter seems to have made precisely such a mistake.
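The "links as passwords" problem in point C above is mechanical enough to check for before you hit send. The following is an added example, not code from the original article or from SecureMySocial: a small Python scanner that pulls URLs out of an outgoing message and flags the ones that look like they carry access rights with them, i.e. share links on file-hosting services, URLs with signature or token query parameters (the pattern used by AWS presigned URLs and Azure SAS tokens), credentials in the URL's userinfo part, and long random-looking path segments. The host list, parameter names, length threshold and sample messages are constructed assumptions chosen for illustration, not an exhaustive catalogue.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumption: hosts and path prefixes known to hand out "capability" links,
# where possessing the URL alone grants access to a non-public file.
CAPABILITY_PATH_PREFIXES = {
    "www.dropbox.com": ("/s/", "/scl/fi/"),
    "dropbox.com": ("/s/", "/scl/fi/"),
    "drive.google.com": ("/file/d/", "/open"),
    "docs.google.com": ("/document/d/", "/spreadsheets/d/", "/presentation/d/"),
    "1drv.ms": ("/",),
}

# Assumption: query parameter names that typically carry a bearer secret or a
# signature over the request (generic tokens, AWS presigned URLs, Azure SAS).
SECRET_QUERY_PARAMS = {
    "token", "access_token", "auth", "key", "apikey", "api_key",
    "sig", "signature", "x-amz-signature", "x-amz-credential",
}

URL_RE = re.compile(r"https?://[^\s<>]+")

# A path segment of 20+ URL-safe characters mixing letters and digits looks
# like a machine-generated share identifier rather than a human-chosen slug.
OPAQUE_SEGMENT_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*[0-9])[A-Za-z0-9_-]{20,}$")


def extract_urls(text):
    """Return every http(s) URL found in free text."""
    return URL_RE.findall(text)


def classify_url(url):
    """Return the list of reasons a URL looks like it embeds access rights.
    An empty list means no heuristic fired."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    if parsed.username or parsed.password:
        reasons.append("credentials in URL userinfo")

    for prefix in CAPABILITY_PATH_PREFIXES.get(host, ()):
        if parsed.path.startswith(prefix):
            reasons.append(f"share link on {host}")
            break

    params = {k.lower() for k in parse_qs(parsed.query, keep_blank_values=True)}
    hits = sorted(params & SECRET_QUERY_PARAMS)
    if hits:
        reasons.append("secret-bearing query parameters: " + ", ".join(hits))

    if any(OPAQUE_SEGMENT_RE.match(seg) for seg in parsed.path.split("/")):
        reasons.append("opaque token-like path segment")

    return reasons


def flag_sensitive_links(message):
    """Scan an outgoing message; return {url: [reasons]} for every link that
    would grant access to whoever ends up reading the message."""
    findings = {}
    for url in extract_urls(message):
        reasons = classify_url(url)
        if reasons:
            findings[url] = reasons
    return findings


# Constructed sample messages; none of these links or secrets is real.
SAMPLES = {
    "dropbox": "here are the photos https://www.dropbox.com/s/a1b2c3d4e5f6g7h/family.zip?dl=0 thx",
    "presigned": "report: https://bucket.s3.amazonaws.com/q3.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=deadbeef",
    "public": "see https://en.wikipedia.org/wiki/Social_media and https://example.com/about",
    "userinfo": "login here https://alice:hunter2@files.example.net/share/x",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:10s} -> {flag_sensitive_links(msg)}")
```

The check is deliberately conservative in one direction: it can only say "this link looks like it carries access," never "this link is safe," because a plain-looking URL on an unlisted host may still be a capability link. Used as a pre-send prompt ("are you sure you want to paste this into a chat?"), false positives are cheap and false negatives are the cost of an incomplete host list, which is why the lists above should be treated as a starting point rather than a standard.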
3. Your "private" posts and comments might be seen by many people who you do not realize can see them.
People often share information with permissions set to "friends only," expecting that only their Facebook friends will ever see the posts, or comment on friends' posts thinking that only their friends (or perhaps friends of their friends) will see the comments. Such privacy expectations are often simply wrong. Besides the obvious risk that someone could screenshot a post and share it with anyone as an image, various settings can allow far more people to see a post than the author intends. If your posts are set to "friends of friends" (as many people's are), the universe of people who may see them is much larger than you probably think. Comments you make on a friend's post are fully public if your friend's settings allow that post to be seen by anybody, and posts and comments in Facebook groups may be seen by people who were not members of the group when you posted if they are added later. There are many other examples; the basic point is that many people do not fully grasp the true extent to which their posts may be seen. While that is not Facebook's fault from a technical perspective, it is still an important issue of which users must be aware.
How to address this risk?
Check the audience setting every time you post, assume that comments on other people's posts are public, and assume that all posts to groups may ultimately become public. Keep in mind that as Facebook adds features, new privacy concerns will emerge and the relevant permissions will likely become increasingly complex. Better yet, if information truly must stay private, simply don't post it on social media.