Skip to content
Naked Security Naked Security

Facebook revamps security, privacy settings following huge data scandal

Facebook says it's going to reach into the 20 or so dusty corners where it's tucked away privacy and security settings and pull them into a centralized spot for users.

Following the Cambridge Analytica (CA) privacy train wreck that has been the past two weeks, Facebook says it’s going to reach into the 20 or so dusty corners where it’s tucked away privacy and security settings and pull them into a centralized spot for users to more easily find and edit whatever data it’s got on them.
The changes are due to arrive over the coming weeks.
It gave details in a blog post on Wednesday.
Facebook VP of policy and chief privacy officer Erin Egan credited the CA revelations for showing the company that they’ve got work to do:

Last week showed how much more work we need to do to enforce our policies and help people understand how Facebook works and the choices they have over their data. We’ve heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep people informed.

Last week, CEO Mark Zuckerberg announced a crackdown on abuse of Facebook’s platform, strengthened policies, and pledged an easier way for people to revoke apps’ ability to use their data.
The core of the data analytics personal data-gobbling scandal is, of course, how very, very easy it’s been for apps to get at that data. … And how precious little Facebook has done to police those apps. … And the near-nil steps Facebook took to verify that the data of 50 million Facebook users inappropriately shared with data analytics firm CA had in fact been deleted (it hadn’t).
Egan said in Wednesday’s post that the revamp of privacy and security controls has been in the works “for some time,” but “the events of the past several days underscore their importance.”

We’ve heard loud and clear that privacy settings and other important tools are too hard to find, and that we must do more to keep people informed.

The changes, not surprisingly, put the onus on users to delve into what data Facebook has on them. The changes don’t speak to the lack of vetting Facebook has put app developers through.
The security and privacy settings changes fall into these three buckets:

  • A simpler, centralized settings menu. Facebook redesigned the settings menu on mobile devices “from top to bottom” to make things easier to find. No more hunting through nearly 20 different screens: now, the settings will be accessible from a single place. Facebook also got rid of outdated settings to make it clear what information can and can’t be shared with apps. The new version not only regroups the controls but also adds descriptions regarding what each involves.
  • A new privacy shortcuts menu. The dashboard brings together into a central spot what Facebook considers to be the most critical controls: for example, the two-factor authentication (2FA) control; control over personal information so you can see, and delete, posts; the control for ad preferences; and the control over who’s allowed to see your posts and profile information.
  • Revised data download and edit tools. There will be a new page, Access Your Information, where you can see, and delete, what data Facebook has on you. That includes posts, reactions and comments, and whatever you’ve searched for. You’ll also be able to download specific categories of data, including photos, from a selected time range, rather than going after a single, massive file that could take hours to download.

Note what Facebook isn’t making it easier to find: the Doomsday button, as in, the sayonara, suckers, I’m out of here option of deleting your Facebook account and all its data entirely. (Want to know how? Carefully, and only after you’ve downloaded all your data. Here’s how.)


Pulling the Facebook plug will put you into good company: the #DeleteFacebook movement includes such luminaries as Elon Musk and comedian Will Ferrell, for example.
Though Egan didn’t say a peep about making it easier to delete your Facebook account, the BBC says that it “understands the firm also intends to make the link to fully delete an account more prominent.”
Post-CA damage control at Facebook also includes diminishing its cozy relationship with data analytics firms such as CA and AggregateIQ (AIQ), an analytics firm tied to CA that recently, allegedly left its code lying around, open for all to access.
As CNN reports, Facebook announced, also on Wednesday, that it’s cutting third-party data providers out of ad targeting by shutting down a tool that enables advertisers to target users with information gathered by external data brokers.
The tool is known as Product Categories. Graham Mudd, a product marketing director at the company, said in a statement that killing the tool should lead to greater privacy:

While this is common industry practice, we believe this step, winding down over the next six months, will help improve people’s privacy on Facebook.


8 Comments

The “Move Fast and Break Things” chickens have come home to roost. I kinda feel sorry for them.

Reply

I can’t see how Facebook could verify that the data had been properly deleted. Even if a facebook official scoured their computers and servers for any trace of their data, they could have a copy stashed on a DVD somewhere.
Besides, I would be very hesitant to give a facebook employee or even a trusted third party investigator full access to my servers. Even most of my own employees shouldn’t have that level of access.

Reply

I was thinking along those lines, too – but Facebook could at least have demanded an explanation of the procedure used to delete the data, an affirmation that the procedure was followed, and some evidence to support the claim.

Reply

Okay, stupid question, Lisa. Why does Sophos advise downloading my personal data from Facebook before deleting – not suspending – my Facebook account? Doesn’t that data get deleted along with my account? Or does downloading it in some way take it away from Facebook (not likely)? I’ve long had my Facebook settings on maximum security – and I’ve never downloaded the Facebook or Messenger apps (I user the regular browser site even on my phone) but just being a part of that platform makes me uneasy these days.

Reply

It’s just a precaution – we’re saying take a backup when you can because you won’t have the option later.

Reply

Are we sure that fully deleting an account will actually Delete the data on facebook’s servers?
As I understand, it never did previously as facebook said it became their property once it was posted/uploaded. The data would just be flagged as not to be published. ???

Reply

If you click on the “Here’s how” link in the article you’ll learn about the different sorts of account deletion. FYI, here is the relevant URL:
https://nakedsecurity.sophos.com/2018/03/20/facebook-fallout-what-are-your-options/
IIRC, Facebook offers “deactivate your account” (which means you can return later and your data will still be there if you change your mind) and “delete your account” (which really does zap your data).

Reply

It’s Cambridge Analytica that you should be worried about having your data. They have it, they will not give it up, and they are using it to manipulate each person they can for the political agendas of their criminal customers.

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!