By default, Facebook assumes that when you sign up, you want to share a certain amount of data, establish connections and be found by others.

Claudiu Popa

This makes some sense, since it is after all a social network and it didn’t get to be the world’s largest such community by encouraging users to be paranoid about their online activities.

But over the years, Facebook has demonstrated that their definition of privacy, perception of security and their own priorities have changed significantly.

As such, many people now prefer to manage their own accounts and control their information in a specific way: by deciding what gets shared and what doesn’t on an individual basis, rather than by accepting Facebook’s arbitrary defaults, which err on the side of openness.

To make matters worse, Facebook’s application platform allows developers to access information on users and their friends in ways that are both direct and indirect (i.e. by aggregating data), leaving people to wonder exactly how risky it is to use Facebook when daily headlines describe increasing numbers of data breaches perpetrated on the system by morally corrupt individuals.

So I’ve taken it upon myself to create a security guide to Facebook that is unlike others in two significant ways, described below.

One of the reasons it’s a tad bit complicated to create such a guide is that Facebook’s pages are not consistent in their layout and appearance, so settings that you and I would think belong together are often found in poorly lit back alleys of the system, where you might not stumble upon them until your personal page is already indexed by search engines or accessed by Facebook apps. Facebook is also prone to making periodic changes to its privacy and security settings, either without enough prior warning to users or only after complaints from the public or government agencies.

Before you proceed to use the guide, please take note of the following:

First, it is a hardening guide and not a set of tips for increasing your privacy. It aims to set all of the system’s security and privacy settings to their most secure (and least open) position, so that you can then activate individual settings one at a time when you are good and ready to take advantage of them.

Second, the file is available as a spreadsheet, allowing users to modify it to their heart’s content, build upon it, or just save it as a point-in-time snapshot of their settings. This is useful because as we all know, Facebook makes periodic changes to their functionality, privacy settings, security configuration and defaults, so it makes good sense to refer to this document and regain some comfort that you’re doing what you can to protect your data, while still partaking in the social networking phenomenon.

While I appreciate all comments and feedback, the reason for this format is for you to make this a living document and to customize it according to your own preferences. That said, it is entirely possible – given the convoluted nature of Facebook’s configuration options – that a feature, setting or entire section is missing from this guide, so I certainly appreciate all additions and contributions.

Click on the image below to access the Facebook security and privacy hardening guide (FHG v.1.0):

For more information, visit the page entitled “Controlling How You Share”

About the author:
Claudiu Popa, CISSP, PMP, CISA, CIPP is an information security/privacy consultant and CEO of Informatica Corporation. A published author and media resource, Claudiu passionately discusses privacy issues, security breaches, governance and all matters of risk management. Write to or simply contribute your comments to this blog. Follow him on or connect with him on
  • This article is very helpful. People should be aware of the privacy risks that Facebook creates. Everyone has probably heard of the “” website. It aggregated information from Twitter and Facebook. However, it filtered out all information except that relevant to whether the user was on vacation. If the user was on vacation, the information was placed on the website. There have been some reports of burglaries due to this data aggregation.

    Although this website has subsequently shut down, there are still privacy concerns in other realms. Managers and lawyers love to find information about people using social networks. In fact, it’s smart for them to do so. Inasmuch as there is some social networking etiquette, from a business standpoint it seems that if the user is dumb enough to keep her settings private then she should face the repercussions.

    While it is important for users to remember that they are creating a “public” image when posting on social networks, it is also interesting to see this from the perspective of lawyers and businessmen. Actually, has an article written from this perspective (the article is scheduled to post September 28, 2010 at 6am). Perhaps if you read that article you will feel even more compelled to share this article with your friends. You really are making yourself a target by posting all of your personal information on Facebook and Twitter.

    I hope this article stays current because Facebook’s Opt-Out plan makes all users stay on top of their privacy. Great article!

  • Indeed, we’re looking to keep the FHG (currently in v.1.0) current and look forward to everyone’s suggestions over time.