[+] Wayc0de's Blog[+]


Facebook's ticker privacy scare, and what you should do about it

Amongst the recent new changes to appear on Facebook, there is a "ticker" (a rolling real time list of what your friends are doing).

Not everyone has received it yet, because it's on a staggered rollout, but millions have already seen it.
You'll find it on the right hand side of your Facebook page, in the collapsible chat bar.

It's smashing if you want to keep fully up-to-date with your friends' activity, but there is a problem with it.


The ticker makes it very simple for you to eavesdrop when one of your Facebook friends says something to someone you've never heard of - and even see what the stranger originally wrote too.


Testing shows that your privacy settings are working the same as they did before, providing you used them in the first place.

The appalling enforced eavesdropping in the ticker (your friend said something to someone you've never heard of) is the result of the lax or non-existent settings of your friends, so here's the deal.

What happens is this:

1. You have "friends of friends" or "public" as the privacy setting for your posts.
2. One of your Facebook friends comments on your post, or clicks "Like".
3. As well as all the people commenting on the thread seeing what has been posted (this much is normal), Facebook also tells all *their* friends what was said.
4. Your friend's settings *cannot* stop this from happening; only *your* settings can protect your friends' privacy in this instance.

The ticker has just made it much easier to eavesdrop on what were probably intended to be more private conversations.

So, do this - and make your friends do it too:
* Stop using the "Friends of friends" setting. This is what is broadcasting so widely.
* If you use the "Public" setting, explain that you are doing so. Then people can decide if they want *all* of their friends to be informed of their comments.
* "Limit" all previous posts you have made via the privacy settings (unless you had "friends only" or specific lists already) - this will change everything to "friends" only and will stop people you deleted but did not block, people who sent you friend requests that you ignored, and friends of friends from seeing your activity (yes they can, if you are not on "Friends" or lists).
* Use lists to decide who you want to see things (use the privacy controls in the top right of your posts).

* Encourage your friends to restrict their setting to "friends" or custom lists too. This is the important bit.
* Inform strangers or the connecting friend when strangers show up in your feed. It is their settings that made them show up. This will illustrate to them why they also need to change their settings.

It is not just your settings that control what goes in your Facebook newsfeed and appears on your friends' tickers. Anyone's posts which have privacy set to more than "Friends" will go to all the friends of all the commenters. This is a fact! We've tested it!

Still baffled?  Don't worry.  The problem is complicated to explain, but the solution is simple.  If you want to stop strangers from seeing everything you do, you and your friends need to change your privacy settings to "Friends" or custom lists.  That's it.

The hard part is getting your friends to do it.

If you find your friends aren't understanding the issue, forget about explaining the details and "copy and paste" this to your status:

"If you don't want your actions broadcast to everyone via the ticker/News Feed please set your privacy to "Friends" and ask your friends to do the same.  Pass it on."

What *not* to tell your Facebook friends
Now, there is also a piece of advice being circulated which reads like this:
"Please do me a favor and move your mouse over my name here, wait for the box to load and then move your mouse over the "Subscribe" link. Then uncheck the "Comments and Likes". I would really rather that my comments on friends and families posts not be made public, thank You! Then re-post this if you don't want your every single move posted on the right side in the "Ticker Box" for everyone to see!"
This appears to be the most commonly suggested solution on Facebook, and it's rubbish! It still doesn't stop *your* posts being broadcast. It's an illusion. This option stops you seeing when other people have broadcast a message to a wide audience. It does *not* stop your actions being broadcast by your friends!

You have to do this for every single one of your friends. Time consuming *and* it does not solve the problem - it just stops you from seeing it.

Please don't spread this advice, as it is confusing people and stopping the real problem from being fixed.
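
The rule in the four steps above, and the reason the "Subscribe" advice does not help, as a simplified model. This is an example added here, not code from the original article or from Facebook; the names, the friend graph and the function names are all constructed.

```python
# Constructed friend graph: "you" own the post, "alice" comments on it.
FRIENDS = {
    "you":   {"alice", "bob"},
    "alice": {"you", "bob", "carol", "dave"},
    "bob":   {"you", "alice"},
    "carol": {"alice"},   # stranger to "you"
    "dave":  {"alice"},   # stranger to "you"
}

def can_see_post(viewer, owner, audience, custom=frozenset()):
    """Visibility is decided by the post owner's setting alone."""
    if viewer == owner or audience == "public":
        return True
    if audience == "custom":
        return viewer in custom
    if viewer in FRIENDS[owner]:
        return True
    if audience == "friends_of_friends":
        return any(viewer in FRIENDS[f] for f in FRIENDS[owner])
    return False

def ticker_recipients(owner, audience, commenter, custom=frozenset()):
    """Friends of the commenter who are shown the comment."""
    return {f for f in FRIENDS[commenter]
            if f != owner and can_see_post(f, owner, audience, custom)}

def strangers_reached(owner, audience, commenter, custom=frozenset()):
    """Recipients who are not friends of the post owner."""
    return ticker_recipients(owner, audience, commenter, custom) - FRIENDS[owner]

def shows_in_ticker(viewer, unsubscribed, owner, audience, commenter):
    """Unchecking "Comments and Likes" is a filter on the viewer's side only."""
    return (viewer in ticker_recipients(owner, audience, commenter)
            and commenter not in unsubscribed)

if __name__ == "__main__":
    for setting in ("public", "friends_of_friends", "friends"):
        print(setting, sorted(strangers_reached("you", setting, "alice")))
    # carol unsubscribes from alice's comments; dave did not, so he still sees them
    print(shows_in_ticker("carol", {"alice"}, "you", "friends_of_friends", "alice"))
    print(shows_in_ticker("dave", set(), "you", "friends_of_friends", "alice"))
```

Nothing the commenter ("alice") can set appears as an input to `can_see_post`; only the owner's audience changes who is reached.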

How to tell if a post will broadcast to all your friends:
Under each post (on the right) there is an icon which will tell you who it was shared with:
The globe icon means that the post is going to be public.
That means, if you comment your friends will be shown the comment immediately and that everyone on Facebook (except those people you have specifically blocked) can see it.
The icon showing two heads means that the post is shared with friends only.

It should be safe to comment, with no threat of exposure to strangers via the ticker/news feed.

A gear icon can actually mean one of two things - either Custom or Friends of Friends. You will have to hover your mouse over the icon to see which.

Custom means that the post will be safe to comment on with no leakage to strangers via the ticker/news feed.

Friends of Friends, however, can be considered unsafe - as all your friends and all of their friends will be shown the comment immediately via the ticker/news feed.
You can check your own posts easily that way if you want to make sure that your settings are right.

And don't forget - next time you leave a comment on someone else's Facebook post, don't say something that you may later regret.

nb : nakedsecurity.sophos
