I have a Facebook account on which I have duly locked down the privacy controls (several times, it feels like). In theory, no one can get at my information unless we become Facebook friends.
In practice, I’ve discovered, it’s another story entirely. After spending the better part of ten days, recently, integrating Facebook into another website, I have new rules for how I use Facebook. I realize they sound a little tin-foil-hat-style crazy, so after the rules I’ll explain a bit about why I adopted them.
Rule 0: I’m not closing my Facebook account. I know a few people who have gotten off Facebook entirely, recently, but Facebook is the only place I’m in touch with my cousins who live out of state, my best friends from elementary school who are scattered to the wind, and my husband’s family who live on the east coast. These people aren’t going to get on Twitter, and I do want to hear about their lives.
Rule 1: I always browse Facebook in a separate browser. If I’m doing my random web browsing in Firefox, then I open Facebook in Chrome (or less frequently, Safari). It’s not sufficient to open Facebook in a different window of the same browser, or a different tab of the same browser. It has to be a different browser. (If you only have one browser right now, you can install Firefox here, or Chrome over here.)
Rule 2: I make sure my non-Facebook browser has no residual FB cookies. I used to just leave a Facebook tab open while I browsed random web sites in other tabs, but that’s incredibly dangerous. If I am logged in to FB, any of those third-party sites could be silently collecting my Facebook information without notifying me. Once I decided to separate my browsing, I deleted all cookies in my non-Facebook browser. As long as I don’t log in to FB again in that browser, other sites won’t be able to access my Facebook information.
Rule 3: I never browse anywhere else in the Facebook browser. I use Chrome for Facebook, so I don’t use Chrome for anything else. Any external links I want to click on from Facebook, I open in Firefox. This can be a pain in the ass because links on FB usually redirect you through another FB page. So in FB, I right click the link, select “Copy link location”, switch to Firefox, paste the link in, edit it to remove the Facebook prefix, and then hit return to go there.
In practice, I do use Chrome for other stuff, but I log out of Facebook and clear all my cookies first. Which leads to…
Rule 4: I always log out of Facebook. They’ve hidden the logout option; it’s at the top right, the last option under “Account.” It’s not sufficient to close the Facebook window, or even to quit the browser you’re using for Facebook. In either case you leave behind a set of “logged in” FB cookies that other sites can read. I always explicitly log out of FB when I’m done.
Rule 5: There is no rule 5.
Rule 6: I never use Facebook to log in to another web site. Any web site can use Facebook as its login system, instead of (or in addition to) letting visitors create accounts. Most of these sites are not officially affiliated with Facebook. It’s convenient to use FB for this, sometimes, instead of creating yet another username and password to remember.
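The manual clean-up in Rule 3 (copy the link, strip the Facebook prefix, open it elsewhere) can be done by a small function. This is an added example, not code from the original post. It assumes the redirect wrapper has the form `https://l.facebook.com/l.php?u=<encoded target>`, which the post does not spell out; `unwrapFacebookLink` and the sample links in the comments are hypothetical and constructed.

```javascript
// Added example: recover the real destination from a copied Facebook link
// without ever loading the Facebook redirect page.
// Assumption: wrapper form is https://<sub>.facebook.com/l.php?u=<target>&h=<token>
const FB_HOST = /(^|\.)facebook\.com$/i;   // facebook.com and its subdomains only
const TRACKING_PARAMS = ["fbclid"];        // click id Facebook appends to outbound targets

function parseOrNull(text) {
  try {
    return new URL(text);
  } catch {
    return null;                           // not an absolute URL
  }
}

function unwrapFacebookLink(copiedLink) {
  let url = parseOrNull(copiedLink);
  if (url === null) return null;

  // Unwrap only when the link really points at Facebook's redirect endpoint.
  // A look-alike host such as l.facebook.com.example.net is left untouched.
  if (FB_HOST.test(url.hostname) && url.pathname === "/l.php") {
    const target = url.searchParams.get("u");   // searchParams decodes it once
    url = target ? parseOrNull(target) : null;
    if (url === null) return null;
  }

  // Never hand back javascript:, data:, file: or similar to paste into a browser.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;

  // Drop the tracking id so the destination site cannot tie the visit to a click on FB.
  for (const name of TRACKING_PARAMS) {
    if (url.searchParams.has(name)) url.searchParams.delete(name);
  }
  return url.toString();
}

// Constructed sample input (the h= token is made up):
//   https://l.facebook.com/l.php?u=https%3A%2F%2Fexample.org%2Fpost%3Fid%3D7%26fbclid%3DABC123&h=AT0constructed
// The function returns https://example.org/post?id=7 for it.
```

A `null` result means the link should not be opened as-is: either it was not a URL, the wrapper carried no target, or the target was not plain http(s).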
Feeling crazy yet?
I am. Or maybe “paranoid” is a better word. Before I started working with the Facebook API, I had no idea how much information was available to third-party web sites. Things I don’t think of as public – including my email address – are available by default.
The public/private dilemma
Honestly, most of the information I have on Facebook is public knowledge anyway, including my email address. But it doesn’t sit well with me that FB lets third-party sites access information that non-friends can’t see. What else might they decide to share someday – the links I’ve clicked on? The groups I’ve visited but not joined? The exes I’ve searched for?
By keeping Facebook quarantined, I hope to contain the fallout of any future “experience enhancements.”
And now, if you’ll excuse me, I need to go use my hat to make dinner.