May 20, 2010

If you’ve been watching the slow motion train wreck that is Facebook.com‘s recent effort to revamp its privacy promises, you may be wondering where to start making sense of the dizzying array of privacy options offered by the world’s largest online social network. Fortunately, developers are starting to release free new tools so that you don’t need to read a statement longer than the U.S. Constitution or earn a masters degree in Facebook privacy in order to get started.

Reclaimprivacy.org hosts an easy-to-use, open source tool that can help Facebook users very quickly determine what types of information they are sharing with the rest of the world. To use it, visit reclaimprivacy.org and drag the “bookmarklet” over into your bookmarks area. Then log in to facebook.com, and browse to your privacy settings page. Then, click the bookmark and it will run a series of Javascript commands that produce a report showing your various privacy settings, and suggest ways to strengthen weaker settings.

Software engineer Matt Pizzimenti said he got the idea for the tool while on a flight back from Michigan a few weeks ago.

“I realized as I was going through all my privacy settings that some stuff seemed to be missing, and that some had been defaulted back to ‘open’,” Pizzimenti said. “I’m pretty vigilant about my settings, but my family and friends aren’t as aware, and the navigation needed to fix all this stuff is kind of complicated.”

When I ran the bookmarklet on my Facebook account, it told me all but two of my settings were secure. It reported that “instant personalization is currently sharing personal information with non-Facebook websites,” and offered a one-click button designed to let you opt-out of instant personalization. The tool also told me that my Facebook friends can accidentally share my personal information, and included another clickable tab to sew up that privacy setting as well.ย  If you feelย  like alerting your friends to the Reclaim Privacy tool, there’s a button that allows you to do that, too.

This tool is handy in that it makes it easier for the average Facebook user to tighten up on his or her privacy settings. But it seems like it needs a bit more development to iron out the kinks. On my Mac OS X 10.6 system, for example, the tool scanned just fine but refused to fix any of the insecure settings. At first I thought maybe my installation of the Noscript add-on was blocking the changes, but the tool failed to make the changes even when I’d disabled Noscript entirely. Fortunately, clicking the links included in each privacy scanner listing brings up the relevant Facebook privacy settings page, and from there the options aren’t hard to set or undo.

On my Windows 7 system, the bookmarklet crashed the latest version of Firefox three times in row when I ran it. I’m still working out if one of my many Firefox extensions simply wasn’t playing nice with it, but I take some solace in the fact that Facebook applications are the most common causes of Firefox crashes: According to Mozilla‘s latest crash stats, Facebook and Facebook apps are the #1, #2, #4, #5, #6, #8 and #10 biggest causes of crashes in Firefox. In any case, it may not be a bad idea to save your work (and bookmark any important sites you have open) before you continue with a scan.

Have you run this scanner against your Facebook page? Sound off with your results and experience with the tool in the comments below.


35 thoughts on “ReclaimPrivacy.org: Facebook Privacy 101

  1. mrmikel

    On my 64 bit Vista machine, showed the problems, but the button didn’t fix. However, there was a link in the description line that did link to where I could fix it.

  2. Kevin

    I ran the tool on Firefox running on Ubuntu 9.10, and while there were no crashes, there were some hangs. Nothing catastrophic, but annoying.

    Using the fix-it feature only worked on one of the areas. I was fine in a couple, and one I had to manually change. As far as collating what’s being shared, it seems to work like a champ. Not surprisingly, my greatest risk was the stuff I shared with friends only being further shared with everyone in the galaxy because of THEIR sharing preference.

    1. Rick

      ‘Not surprisingly, my greatest risk was the stuff I shared with friends only being further shared with everyone in the galaxy because of THEIR sharing preference.’

      Hmm. It’s like the old adage about sleeping with half the world. Same thing actually.

  3. Chris

    On Firefox 3.6 on Mac OS X 10.6 it said all my settings were secure. Unfortunately they were not. Running it in Safari found some problems. People should test with multiple browsers on their systems.

  4. xAdmin

    Many IT Pros are deleting their Facebook accounts over these privacy issues. Many of us have simply had enough and don’t want to wade through the B.S. anymore.

    If you truly care about your privacy, you won’t place ANYTHING online! If it’s posted online, it may end up published for the world to see, regardless of any privacy settings. Why make it any easier for the world to gather your personal info? In actuality, the fact so many are so willing to post such info online speak more to the narcissistic tendencies that have become so prevalent in our society!

    Personally, I absolutely refuse to participate in sharing ANY private information, even on sites such as LinkedIn. Call me a Luddite! But, I’m a happy camper! ๐Ÿ™‚

    1. Kevin

      My facebook presence wasn’t so expansive or friends network so extensive, that I had any qualms about just deleting my account altogether. When the media reports that Facebook takes their user’s privacy seriously, I may give them a 2nd chance.

    2. Blair

      @xAdmin — Dude, you just shared private information on this site! ๐Ÿ™‚

      (Presumably Brian is a bit more trustworthy than a faceless corporation.)

  5. Gin

    Running Firefox 3.6.3 w/NoScript enabled. It scans everything but hangs on two:

    1. scanning personal information…
    2, scanning friends, tags, and connections information…

    Waiting doesn’t yield results. Everything else reported “secure.” Wish it would scan everything, though.

    1. wiredog

      Get the same thing, FF 3.6.3 on Windows Server 2008. Not using NoScript, am using AdBlock.

  6. JM

    Tried it, and it was nice to see that my information are shared as I have intended them to be. No problems/crashes whatsoever. I shared them to my friends too ๐Ÿ™‚

  7. Kevin

    I deactivated my Facebook account. Enough is enough.

  8. TheGeezer

    I have no problem with facebook privacy. I don’t use it and don’t intend to.

  9. Morris

    I’d had enough of their ‘privacy’ bs, and deactivated my FB account several weeks ago.

    It’s not worth the risk in my opinion.

  10. QQ

    I knew Facebook’s judgment days will come, this ‘evil interface’ and ‘gone rogue on privacy’ soup have been cooking for months, maybe years.

    When I first took a look at facebook, It was crystal clear to me that this is a blackhat gold mine, with lots of gold, it was like Craigslist just much better!

    All top security site/blogs are crushing facebook now, which is really cool since most people consider computer security as bunch of geek BS and are sure that canadian pharmacy is for real and that facebook has no financial interest in screwing them.

    TBH I don’t hate facebook, it is just too exploitable and naive to exist, but it was interesting to see how it came along.
    If Facebook somehow survives this press storm relating the Facebook name with so many negative things, they really should get a nobel prize.

    1. Rick

      ‘they really should get a nobel prize’

      Yeah. And no one more deserving than Zuck? A prize in what field?

  11. Well

    On the latest firefox, the reclaim privacy bookmarklet on win7 x64 shows them all as (correctly) secure, but for two, ‘scanning friends, tags, and connections information…’ and ‘scanning personal information…’ which hang on scanning.

  12. tummdrumm

    Worked well in Opera 10.53. A great app; passing it along to friends.

    I actually find FB to be an easy way to keep up with what my many far-flung pals are up to, but can’t stand the way they’re always messing with what worked well enough initially. A classic case of “if it ain’t broke, let’s fix it”.

    1. Rick

      You could use electronic mail too. Or any number of other applications.

      1. xAdmin

        Or that old thing called a telephone! ๐Ÿ™‚

  13. zorchmont

    Facebook has the same problem as all free services do. They’re not there to serve the end-user, they’re there to serve the people generating income, namely advertisers. Google is the same way.

    The problem with Facebook attempts is that they’re trying (perhaps half-heartedly) to try to assauge the concerns of people who are vocal about wanting privacy, but doing it in a way to minimize the amounts of data that are marked as unavailable for Facebook to use for its own purposes. Given the combination of a wide array of settings and options (and narrow scope of each option), and defaulting everything to maximum “open”, they’re lowering the frequency with wich people will try to lock down anything, much less everything. In the end, although they may allow something close to a full lockdown, it’s reluctant on their part, because that takes away data (and metadata) that they can profit from, by selling to advertisers.

    Users that have locked-down, opted-out data is, to them, cost without corresponding benefit.

    Ultimately, Facebook’s (and again, this applies to nearly all free services) interest in privacy extends only far enough to keep the critics sufficiently quiet that it’s not causing PR problems for them. In the end, they want all the data to be as open as possible.

    1. Rick

      They represent a total bait and switch. They got people in by offering privacy. The only reason they got VC is because the investors knew this would change. All the FB people are doing is eroding privacy but trying to keep a smokescreen. That they would sell everyone out was inevitable. And obvious.

  14. Mike

    Running this gives absolute access of your Facebook account to the developers. I haven’t run this program and don’t intend to, why would I give that away? It could do anything!

    This is going to be the new wave of phishing, I can see it now. It’s irresponsible of the makers to claim this is somehow “secure” when that’s nonsense.

    1. BrianKrebs Post author

      @Mike — You’re right: This code could do anything, as could any javascript that got active in your browser if you were on a domain like Facebook.

      However, this specific code is open source, and you can review the code itself at reclaimprivacy.org. If it did something untoward or hostile to your account, it’s unlikely that would go unnoticed by the security/developer community.

  15. Gannon

    The only thing you can do when somebody claims:

    — Secret, but perfect software (Google, Street View)
    — Open, but flawed software (Apple, Video Codec)

    is argue with them. You can’t, under any rationale, trust them.

    Now Facebook has a horse in the race with … (wait for it) … Secret, but flawed software

    Just a word of advice: Bet the Trifecta.

  16. Rick

    Henry Blodget (remember him?) seems to think this is all cool. Makes one wonder if he’s trying to keep a stock afloat again…

  17. John N.

    It’ll be interesting to see if Facebook decides to treat this program the way they treated Power Ventures and its Power.com service. (See http://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventures,_Inc.)

    On one hand, they have a precedent to try to maintain, on the other it would look really bad for them to sue someone attempting to help people understand Facebook’s privacy features right now.

  18. Rootkits through the air

    Facebook should be renamed Facepalm.

    The image conjured up of the Facebook community is like that of a swimming pool which is never cleaned, everyone urinating and defecating in the same water they wade in, merrily conversing with one another while their lives quickly ebb away.

    Another way to look at it is a tar pit, one fool jumps in and pretends to party but discovers something isn’t quite right about the situation while another fool jumps in to join him, the process continuing with each new registration.

    With more and more private docments going online without our approval, often hosted or connected to compromised systems running arcane versions of Windows or recent versions of Windows well rooted with intentional back doors or unintentional trojans/rootkits, data spills must be loved by governments, it’s an easy way for them to obtain the information since they must investigate the spills which usually means data pull from suspected machines.

    Whether or not you use Facebook does not matter, your personal data is being compiled and put online at an alarming rate and unless you’re living in the jungle and communing with people who all remain off the grid, at some point your data is or will be spilled, hackers or no hackers.

    No rootkit in the machine at a software level, how about blackbox hardware components? How many systems are “owned” by government(s) by satcom? How much do you really know about the limitations of hardware? Do you know how easily your PCI cards and network cards can be owned?

    Have you researched your computer’s cables and shielding? Are your network or computer(s) shielded at all? When you dig deep enough through research, you’ll discover, as I have, our computers are much more powerful and vulnerable to attacks from space and other vectors outside of our buildings than most can ever imagine.

    Privacy is dead in the world of electricity.

  19. Gringo Guy

    I rarely use FB, but there is always one friend or another who only communicates that way. The privacy settings were obscure when I started, and they are far worse now.

    After struggling and guessing, I finally created a second FB user, so now I can login and confirm what others are actually seeing.

  20. Dweep777

    I’ve worked in IT for 25 years and have watched the ‘social networking’ phenomenon with interest. Had a FB account for about 15 minutes which is how long it took to realise the lack-of-privacy implications of having that account. Leave my personal data online forever, so that anyone with half a brain can have full “mining rights” to it ? No thanks.

    The premise that anything at all could be on line in the public Internet space, and at the same time be private, secure and remain your sole property, is kind of…well…a contradiction of terms. The longer you think about it, the more absurd such a premise becomes.

    The long line of corporations queueing up to put their data “in the cloud” is totally ridiculous for way too many reasons to list here – not the least of them being the “cloud” terminology. Equally amazing is the panic of corporations to RECLAIM their online data after a couple of national governments flicked the “kill switch” … good luck with that one. Do you think you reclaimed all of it, or could there still be a copy of it floating around out there in “the cloud” somewhere ?

    Call me old school, but I prefer sending good old email (I don’t leave it online) & blogs, making phone calls, meeting people face to face (i.e. actually in person), and so on. If I want person “A” or “Z” to know what I’m doing, I prefer to tell them myself …

Comments are closed.