Facebook's Biggest Privacy Threat May Be You

There have been numerous stories circulating about how Facebook and other social media websites invade our privacy, selling our personal information to advertisers who in turn target us in our own personal spaces online. But the truth is, many privacy risks lie much closer to home. In fact, two of the biggest live in your home—you and your spouse.

A new investigation by Consumer Reports into data collection and privacy on Facebook, conducted last January as part of the magazine's annual State of the Net Survey––the results of which are now published in CR's June issue—concludes that many of us are undermining our own privacy in the digital realm by revealing too much information about ourselves and not using the security options Facebook offers.

Among CR's key findings are that only 37 percent of Facebook users have used the site's privacy tools to control how much of their personal information is visible to apps, leaving this information available for any friend's app to surreptitiously access and share. And perhaps more risky, CR found, many millions of Facebook users have openly and actively revealed personal information about themselves during the past 12 months:

• 39.3 million identified a family member in a profile
• 20.4 million included their birth dates and years in their profiles
• 7.7 million "Like" a Facebook page pertaining to a religious affiliation
• 4.8 million have posted about where they plan to be on a certain date
• 4.7 million "Like" a Facebook page about health conditions or treatments
• 4.6 million discussed their love lives on their walls
• 2.6 million discussed their use of alcohol on their walls
• 2.3 million "Like" a Facebook page regarding sexual orientation

The consequences are real, CR says, citing its finding that seven million households had trouble with Facebook last year––ranging from someone using a login without permission to threats or harassment––an increase of 30 percent from 2010.

Of course, all of these numbers pale in comparison to the population of Facebook users, which is now more than 900 million users worldwide and more than 150 million in the U.S. And even utilizing Facebook's privacy settings won't eliminate the risks posed by the company's business practices alone, CR concedes. The magazine points out, for example, that Facebook is informed each time someone visits a page with a "Like" button, whether or not the individual clicks on that button, is logged in, or even has a Facebook account.

Also on the flip side, CR concedes that Facebook has declared its allegiance to users' privacy, and the magazine quotes a Facebook spokesperson as saying, "We have a dedicated team that reviews apps using a risk-based approach to ensure we address the biggest risks, rather than just doing a cursory review at the time an app is first launched."

Still, Consumers Union, the advocacy arm of Consumer Reports, is pushing the U.S. government for a national online privacy law that sets uniform privacy standards for all companies and allows consumers to choose not to be tracked online. This is in addition to CU's efforts to push for clear national rules about how personal data is collected and used online, and in addition to a petition aimed particularly at Facebook, calling for improved privacy controls and information sharing practices.

Those efforts aside, though, there are measures Facebook users can take right away to boost their privacy on the site. Here are the nine offered by CR in its June issue, which arrives on newsstands on May 8:

• Think before typing. Even if a user deletes his/her account (which takes Facebook about a month), some info can remain in Facebook’s computers for up to 90 days.
• Regularly check Facebook exposure. Each month, users should check out how their page looks to others. Review individual privacy settings if necessary.
• Protect basic information. Set the audience for profile items, such as town or employer. And users should remember: Sharing info with “friends of friends” could expose them to tens of thousands.
• Know what can’t be protected. Each user’s name and profile picture are public. To protect one’s identity, they should not use a photo, or use one that doesn’t show their face.
• “unPublic” the wall. Set the audience for all previous wall posts to just friends.
• Turn off Tag Suggest. If users would rather not have Facebook automatically recognize their face in photos, they could disable that feature in their privacy settings. The information will be deleted.
• Block apps and sites that snoop. Unless users intercede, friends can share personal information about them with apps. To block that, they should use controls to limit the info apps can see.
• Keep wall posts from friends. Users don’t have to share every wall post with every friend. They can also keep certain people from viewing specific items in their profile.
• When all else fails, deactivate. When a user deactivates their account, Facebook retains their profile data but the account is made temporarily inaccessible. Deleting an account, on the other hand, makes it inaccessible forever.

(There's no need to wait until next week to read about CR's Facebook investigation in the printed magazine, however. All the details are also freely available right now at Consumer Reports Online.)