This article originally appeared on Motherboard.
When my parents first joined Facebook to stalk me, I thought the social network was going to become uncool and fade away like Myspace, Friendster, and the other social networks that came and went before it.
Boy, I was wrong. Since then, we’ve found out that Russian spies have used it to influence American elections, that a shady British marketing firm harvested the personal data of 50 million Americans to target voters with political ads, that Facebook researchers devised an experiment to see if they could make us depressed, and the UN has claimed it played a role in genocide.
We don't blame anyone for wanting out of the platform completely. In fact, my colleague Daniel Oberhaus quit, and wrote a guide on how do it if you want to do the same. But we also understand if that many people want or have to stay on Facebook to do their job or stay in touch with their family. And, after all, quitting Facebook is the ultimate first world privilege. For millions of people around the world, Facebook is the internet.
So this is our guide for using Facebook as safely as possible.
Of course, none of these measures would’ve helped in 2014, if one of your friends took the quiz app that harvested the data of more than 50 million people. Again, you can’t really stop all collection. In fact, even if you leave Facebook (or have never been part of the social network), the company is still gathering data on you and building a shadow profile in case you ever join.
Special thanks to Runa Sandvik, the senior director of information security at The New York Times, and one of Motherboard Humans of The Year last year, for starting this discussion on Twitter that led to this guide.
LOCK DOWN YOUR PRIVACY SETTINGS
Facebook’s entire existence is predicated on tracking and collecting information about you. If that concept makes you feel creeped out, than perhaps you should quit it. But if you are willing to trade that off for using a free service to connect with friends, there’s still some steps you can take to limit your exposure.
Review how much information you’ve given up. Go to our profile, see how much you have revealed about yourself, and remove it if you feel uncomfortable sharing that information. Think of birthdate, hometown, cities you’ve lived in, etc. Remember that this only stops future collections, apps that already got your data can still keep it and use it.
Check who can access that information. Facebook is designed so that some of your friends, and in some cases, friends of friends, can see some of your data.
Toggle and modify these settings depending on how much you want to share. Read carefully, there’s all kinds of important things here, such as how much information friends of your friends can see. You can also limit the availability of old posts, which were created when these more specific settings didn’t even exist. You can make it so only specific people can post on your timeline. And you can set it so that everytime someones tags you in a post you can review that and remove the tag before it goes up.
More importantly, encourage your friends and family to do the same. Think of it as herd privacy. If you lock it down but your brother has all of it exposed, you may be exposed too.
Use as few apps as possible. As we’ve learned with the Cambridge Analytica story, third-party apps are a great way for sketchy companies to collect your Facebook data. Avoid all apps if possible. But if you really have to, only use trusted apps (this is easier said than done but perhaps only apps you already use on your phone, or apps whose developers are established and well-know). Review the information these apps can access, and if it seems like it’s too much, avoid them.
Delete old stuff. Facebook is a goldmine of information from your past that you may want to scrap from the internet. Not just for advertisers, but even creeps, stalkers, or people who may want to dox you. Go to Activity Log and take a look around. You can filter by “Likes and Reactions” and by year. Then, you can either delete those Likes, or turn them private.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
KEEP YOUR FACEBOOK ACCOUNT SECURE
To avoid getting your Facebook account hacked, the generic advice we give in the Motherboard Guide To Not Getting Hacked applies. Here’s a refresher.
Choose a strong password. Use your password manager (like LastPass or 1Password) to create it, and make it remember it so you don’t have to.
Set up two-factor authentication. A strong password is not enough if hackers can trick you into giving it up. So better put extra security in your account by enabling two-factor authentication. To do that on Facebook, go to Settings, then click on Security and Login, and turn it on.
We strongly advise against choosing SMS as the second factor. Criminals are increasingly targeting people’s SIM cards and phone numbers, taking them over, to hack into people’s accounts. So, please disable text message (SMS) for two-factor and use the Code Generator, or, even better, a physical security key such as a YubiKey. (Note that you can turn on two-factor without giving your phone number at all if you turn on Code Generator and Security Key.)
Turn on Login Alerts. If you turn on this feature, when someone logs into your Facebook account, you will get notified, and can do something about it.
Review Authorized Logins. Facebook allows some third-party apps (such as Tinder) to log in without you inputting your password or second factor. This is very convenient, but can be abused. Review what apps have this superpower and revoke it if something seems off.
Be careful with Facebook’s security emails. Your Facebook account may be on lockdown and really hard to hack, but if someone takes over the email account associated with it, they may leverage that to get in. Check if Facebook has sent your email any security related messages to see if there’s anything suspicious, or anything you didn’t initiate (such as a password reset email).
Enable GPG for extra paranoia. This is an extra step that’s by no means necessary. But if you’re worried about people getting in through your email, this is a good way to mitigate that risk. If you set up your PGP or GPG public key with Facebook, then the company will only send you encrypted emails. In that case, even if someone is inside your email inbox and tries to reset your password, they won’t be able to because the email Facebook sends you will be scrambled.
KNOW THE LIMITS
If you do all this, please keep in mind that Facebook still will know * a lot * about you. And these are just basic steps to limit that collection a little bit (Facebook itself has a similar guide for journalists that can apply to everyone). But that’s the tradeoff you have to be willing to make to be on the platform.
This post has been updated to add the paragraph "Delete old stuff."