Safer Facebook

Posted by SaferMobile on Aug 09, 2011
Author: Melissa Loudon
Abstract:

Facebook has more than 500 million users, half of which access the site through their mobile phone. Being able to communicate your message to an audience this large is exceptionally valuable. At the same time, your activities on the site generate very detailed information about you and your networks. If you are concerned about surveillance, this information can put you at risk. This how-to explains what those risks are and how to use Facebook on your mobile device more securely. 

Facebook has more than 500 million users, half of which access the site through their mobile phones. Being able to communicate your message to an audience this large is exceptionally valuable. At the same time, your activities on the site generate very detailed information about you and your networks. If you are concerned about surveillance, this information can put you at risk.

Assess Your Facebook Mobile Risks

Like Twitter, Facebook is a way to get your messages to a potentially large audience. It is not a secure method of communication for sensitive information.

This article offers advice about how to mitigate risks when using Facebook as a dissemination and organizing tool. In particular, we consider the following risks:

  • The risk that your public activities on Facebook reveal compromising information about you or your networks - for example, revealing the identity of supporters or identifying people who were present at a particular event.
  • The risk of your private information being revealed to a third party without your consent.
  • The risk that your account details (username and password) are discovered, and that someone may impersonate you.
  • The risk of your account being deleted or suspended.
  • The risk that Facebook is blocked or becomes inaccessible.

In general, you should only use Facebook to share information that you consider public. Public information can be freely distributed by you, your organization, and your supporters, without any risk to individuals or organizational operations. In communicating public information, you can send and receive this information without taking any precautions.

How to Access Facebook via Mobile Device

There are a number of ways to access Facebook on your mobile phone. Using your mobile phone introduces specific risks that you should consider.

  • Facebook Mobile Texts lets you update your feed and receive updates from others via text message (SMS).
  • Facebook Apps are available for many smartphones, and some other phones.
  • On phones with a web browser, you can access Facebook’s mobile site, https://m.Facebook.com.
  • On phones with email, you can upload photos taken on your phone by sending an email to your personal Facebook email address.
  • On phones with MMS and on networks that support this feature, you can upload photos by sending an MMS to a predefined number.

Each of these has different associated risks, and different options for mitigating action.

Access method: Facebook Mobile Texts (SMS)
Risks:
  • Your Mobile Network Operator (MNO) sees all information sent by SMS in plain text, and can read or filter it.
  • Text messages are stored by your MNO, and can be accessed by others through (for example) a legal request.
Mitigating actions:
  • Don’t use Facebook Mobile Texts for sensitive communication.
  • Turn off receiving updates by text so that you don’t receive sensitive messages from friends by text.

Access method: Facebook Apps (including the new Facebook Everywhere app)
Risks:
  • Many apps do not communicate securely with Facebook.
  • Your communications could be eavesdropped.
  • An attacker could impersonate you.
Mitigating actions:
  • Use your phone’s web browser to access Facebook’s secure site instead of an app.
  • Avoid using Facebook apps on open WiFi networks.

Access method: https://m.Facebook.com through your phone’s web browser
Risks:
  • Your browser may not allow secure connections.
Mitigating actions:
  • Make sure you have a recent web browser installed.
  • At all times while on Facebook’s secure site, you should see a lock icon and a web address that starts with https://.

Access method: Email uploads
Risks:
  • Someone may find out your email upload address and upload spam.
  • Your mobile email client may not communicate securely, leaving your image vulnerable to interception.
Mitigating actions:
  • Keep a close watch on your news feed.
  • Use a secure (ideally web-based) email client.

Access method: MMS uploads
Risks:
  • MMS, like SMS, is not encrypted and can be intercepted by your MNO.
Mitigating actions:
  • Use email uploads where possible, or Bluetooth the image to a friend who can.

Facebook Security Tips

Because Facebook pages and feeds are highly public, it is important to prevent unauthorized access to your account. Here are a few ways to protect against another person gaining your log-in information and impersonating you.


1. Keep your account details safe

Use a strong password. A strong password is one that is:

  • Not a single dictionary word. Consider using a short phrase.
  • Not easily guessed by someone with access to your personal details - for example, don’t use your name, the name of a family member, your birth date, address, or hometown.
  • Ideally, a mix of letters and numbers.
  • Not re-used for other accounts on different websites.

Because keeping your password safe depends on having many different passwords for different websites, you may want to consider using a small application called a password store or password safe. You should also ensure that your email address is up to date so that if you forget your password, you are able to use Facebook’s password reset functionality.
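The four criteria above can be turned into a check you run before choosing a password. This is an added example, not part of the SaferMobile article: the word list, the personal details and the "other site" password records are constructed inline, and other-site passwords are compared as salted hashes, the way a password safe would store them, so the plain-text passwords never have to sit side by side.

```python
"""Check a candidate password against the strong-password criteria listed above."""
import hashlib
import re

# Constructed stand-in for a real dictionary; a real check would load a full word list.
DICTIONARY = {"password", "welcome", "freedom", "liberty", "facebook", "sunshine"}


def _tokens(value):
    """Split a personal detail into lowercase words and digit runs, plus all digits joined
    (so a birth date like 1985-03-12 also yields 19850312)."""
    tokens = re.findall(r"[a-z0-9]+", value.lower())
    digits = "".join(re.findall(r"\d+", value))
    if digits:
        tokens.append(digits)
    return tokens


def hash_for_store(password, salt):
    """Salted hash of a password, as a password safe might keep for another website."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000).hex()


def store_for_other_site(password, salt):
    """Constructed record for a password used on another site: (salt, hash)."""
    return salt, hash_for_store(password, salt)


def password_problems(password, personal_details, other_site_passwords):
    """Return the list of criteria the password fails (empty list means it passes).

    personal_details: {"name": ..., "birth date": ..., "hometown": ...} etc.
    other_site_passwords: {site: (salt, hash)} records from a password safe.
    """
    problems = []
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)

    # 1. Not a single dictionary word (sticking digits onto a word does not help).
    if letters_only in DICTIONARY:
        problems.append("single dictionary word")

    # 2. Not guessable from personal details: flag any detail token of 3+ characters
    #    that appears inside the password.
    for label, value in personal_details.items():
        if any(len(t) >= 3 and t in lowered for t in _tokens(value)):
            problems.append(f"contains personal detail ({label})")

    # 3. Ideally contains both letters and numbers.
    if not (re.search(r"[a-z]", lowered) and re.search(r"\d", password)):
        problems.append("no mix of letters and numbers")

    # 4. Not re-used on other websites: compare against each site's salted hash.
    for site, (salt, digest) in other_site_passwords.items():
        if hash_for_store(password, salt) == digest:
            problems.append(f"reused from {site}")

    return problems


if __name__ == "__main__":
    # Constructed sample details; the name is the article author's, the rest is made up.
    details = {"name": "Melissa Loudon", "birth date": "1985-03-12", "hometown": "Cape Town"}
    other = {"webmail": store_for_other_site("Tr0ub4dor&3", "s4lt")}
    for candidate in ["welcome1", "Loudon1985", "correct horse battery", "Tr0ub4dor&3"]:
        print(candidate, "->", password_problems(candidate, details, other) or "ok")
```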

Facebook also provides three other optional features that can help to protect your account.

  • Log-in notifications warn you every time your account is accessed from a new device (both computers and phones).
  • Log-in Approvals take things a step further by requiring you to enter a code sent to your mobile phone every time you access the site from a new device.
  • In the US, Facebook users can send a text message to a predefined number to request a one-time password. Users then receive a text with a password that is valid for 20 minutes (if your phone number isn’t registered to your Facebook account, there is an extra email confirmation step). A one-time password is useful if you are accessing your account from a public computer - for example, in an Internet cafe - and are concerned that data you enter may be recorded. A word of warning, though: once you register your mobile number to your Facebook account, anyone who gets hold of your phone can request a one-time password, so make sure to keep track of all the devices linked to your Facebook account.

Finally, remember to log out - particularly when accessing Facebook from someone else’s phone or computer. If you forget, you can end active sessions from your Account Settings page, which will display all devices on which a Facebook session is open as well as their approximate locations. This is a good section to check periodically anyway, as it can help you to identify possible unauthorised access to your account.

If you suspect someone else is accessing your Facebook account, change your password immediately. Go through your Facebook Account Settings and make sure you have enabled the above security features. Then, review security precautions for all the devices you use to access your Facebook account - both computers and phones - and take additional steps if necessary.


2. Instead of using a mobile app, access Facebook’s mobile site (https://m.Facebook.com) over HTTPS

Many Facebook mobile apps send data in plain text rather than over a secure connection. Unless you are sure that the app you are using communicates over HTTPS, it is better to use your mobile browser to access Facebook’s secure mobile site.

  • Your phone’s web browser needs to support HTTPS. Avoid older browsers, particularly Opera Mini Basic 3 and below.
  • All your communication with Facebook should display a lock icon to indicate secure browsing, and a web address starting with https:// rather than http://.
  • Set “Always Use HTTPS” in your account settings, but be aware that this setting is not applied when browsing from a phone! You may also notice that some applications warn you that you cannot access them using HTTPS. If you use such applications, be aware that they may turn the Always Use HTTPS setting off - you will need to go back into your account settings and turn it back on every time.

As with any sensitive online activity, be particularly careful to use only HTTPS when connected to an open WiFi network.
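One way to find out whether an app really talks to Facebook over HTTPS is to route the phone through a proxy you control and audit the request log. The script below is an added example, not from the article: the log format (one request per line, tagged with the app that sent it) and the app package names are constructed, and only requests to facebook.com hosts are counted, so look-alike hosts are ignored rather than mistaken for Facebook.

```python
"""Audit a device traffic log for Facebook requests that were sent without HTTPS."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log format: "<timestamp> app=<package> <METHOD> <url>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+app=(?P<app>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def is_facebook_host(host):
    """True only for facebook.com itself or a subdomain of it, never for look-alikes."""
    host = host.lower().rstrip(".")
    return host == "facebook.com" or host.endswith(".facebook.com")


def audit_facebook_traffic(lines):
    """Return {app: {"secure": count, "plaintext": [urls]}} for Facebook traffic only."""
    report = defaultdict(lambda: {"secure": 0, "plaintext": []})
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip unparseable lines rather than guess at them
        parts = urlsplit(match["url"])
        if not is_facebook_host(parts.hostname or ""):
            continue
        entry = report[match["app"]]
        if parts.scheme == "https":
            entry["secure"] += 1
        else:
            entry["plaintext"].append(match["url"])
    return dict(report)


def apps_leaking_plaintext(report):
    """Apps that sent at least one Facebook request in the clear."""
    return sorted(app for app, entry in report.items() if entry["plaintext"])


# Constructed sample log; package names and URLs are made up for illustration.
SAMPLE_LOG = [
    "2011-08-09T10:12:03 app=com.example.fbclient GET http://api.facebook.com/restserver.php",
    "2011-08-09T10:12:05 app=com.example.fbclient GET http://m.facebook.com/home.php",
    "2011-08-09T10:13:40 app=browser GET https://m.facebook.com/home.php",
    "2011-08-09T10:14:02 app=browser GET https://m.facebook.com/messages/",
    "2011-08-09T10:15:11 app=com.example.weather GET http://weather.example.net/today",
    "2011-08-09T10:15:30 app=com.example.lookalike GET http://facebook.com.example.net/login",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    audit = audit_facebook_traffic(SAMPLE_LOG)
    for app in apps_leaking_plaintext(audit):
        print(f"{app}: {len(audit[app]['plaintext'])} Facebook request(s) sent over plain HTTP")
```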


3. Be aware of what information your use of Facebook reveals - to your friends, to your mobile network operator, and to Facebook itself

Facebook has a complicated and frequently changing system of privacy settings. In response to criticism, they now provide comprehensive privacy resources. However, if you are working in sensitive environments, be sure to understand Facebook’s privacy settings, and know what parts of your profile other people can see.

  • As a starting point, read about Facebook’s privacy controls. Be skeptical, however - remember that it is usually in Facebook’s interest to encourage you to share as much of your personal information as possible, as widely as possible. More cautious Facebook privacy guides are available from the EFF and Movements.org.
  • Next, go through your account settings and make sure you share only the information you want to.
  • Finally, check how your profile looks to different groups of people. Ask a friend to let you look at your profile from their account. Have them defriend you, and check again. Search for your name on Google and see if your Facebook profile is listed, and if so, with what information. See what is still visible on your profile when you aren’t logged in to Facebook.

Besides people, Facebook Applications also have access to your data. When you add an application, you will be told what data it uses. Unless you are sure you trust the application, do not add it.


4. Facebook can decide or be forced to hand over information about your account to third parties

  • Regardless of your privacy settings, everything you do on Facebook is recorded and stored. Facebook may choose to hand over this information to law enforcement agencies. For more information, see the EFF’s survey of disclosures to law enforcement.
  • You may also be asked by law enforcement agencies to provide your Facebook account details, and detained until you do so - as recently reported at an Iranian border control.
  • With this in mind, try to avoid using a frequently updated personal profile for your online activism. If you have a personal profile, limit the information you post, and consider using a separate profile for online activism.


5. Be particularly careful about sharing photos and video, and location information

Facebook makes it very easy to accidentally share too much. This is particularly dangerous if you or your supporters want to stay anonymous.

  • Be aware of who will see your posts before posting anything that reveals your location - wall posts, status, photo and video content and captions, check-ins.
  • When you upload photos or video, avoid tagging people in any situation that could make them a target for unwanted attention.
  • Even if you don’t tag someone in a photo or video, be aware that face recognition software may be able to identify anyone whose face is clearly shown.
  • Check your privacy settings for each album, and make sure to restrict who can view or tag your photos if necessary.
  • Consider other image sharing services - Flickr or Picasa, for example - if you need greater anonymity.
  • When uploading images from your mobile phone, know the privacy settings on your ‘mobile uploads’ album.


6. Always have a backup plan

Facebook can be blocked, or experience extended downtimes.

Activists in several countries have reported that access to Facebook has been blocked or throttled at crucial times. To avoid losing contact with supporters, we suggest:

  • Download your profile information regularly (Download Your Information under Account Settings).
  • Encourage supporters who connect with you on Facebook to also sign up to an email or SMS list hosted outside of Facebook - for example, on your organization’s website.
  • Make arrangements with a trusted contact in a different country to post your updates if you cannot. This should be someone you could contact by phone or by email.


7. Contacting Facebook about security issues

  • Facebook does not have a support email address. Instead, access the Facebook Help Center and follow the links to report a security problem.
  • The Facebook Help Center has sections on privacy and security.
  • If you need to report security, harassment or other issues, see this page for instructions.
  • For tips on protecting against spam and other routine security threats, see the Facebook Security page.
