Eagle-eyed visitors to this website may have noticed we’ve added a link to a Bristol Bookfair facebook page (on home page). In fact for sometime now a bookfair supporter has maintained a facebook page for the bookfair, but we’ve never bothered to make much of it. Like many anarchists we remain concerned about the use of facebook and the internet by the state & corporations to gather information.
However, we are only organising an open public event, the bookfair. Not an armed insurrection. So after much badgering by our supporter, we’ve agreed to link to a new facebook page, on the basis it will help publicise the bookfair, and the spread of anarchist ideas and practices. In return our supporter has writen a short guide ‘Facebook Security’, which is below. We would also recommend anarchists check out the pamphlet ‘Tech Tools For Activists’, by HacktionLab, and other resources on their site. Plus you should read the Activist Security guide. Of course, if you are ever tempted to organise anything really naughty, you’ll know you should never organise it online or by phone. Read on….
Facebook security guide for activists
Facebook is a great way to make contacts, share information, and organise events. Unfortunately the police are well aware of this and are sure to use it too, both as straight surveillance and through the creation of undercover profiles. As well as finding personal details of activists they can build up a map of our political networks and disrupt actions by spreading misinformation. By using the range of security measures that Facebook provides and limiting what personal information you make available it is possible to make surveillance harder – at least as difficult as the traditional police methods of bugging, phone-tapping, infiltration etc.
The biggest security measure you can take if you have something to hide (political activity, drug use, sexuality) is don’t use you real name on Facebook. Use at least a fake surname. If you are really concerned don’t even use your first name or a nickname but something completely made up. If you need to introduce yourself to someone you can always send them a private message or let them know offline.
Of course many of us want our real name on Facebook so that old friends can find us. In this case set up two accounts – one with your real name so people can find you and another profile that you can invite only selected people to ‘friend’. If you want to be really secure don’t make your two profiles friends of each other – at least not until you have lots of other friends.
It would also be a good idea to use different email addresses to create each account and for these to be something other than your name too. Make sure your password is hard to guess and not the same as every other site you use. Try and base your passwords upon the name of the website with some modification. For example my password rule might be ‘the name of the website but with each letter one further on in the alphabet with the numbers 1,2,3,4etc interspersed. So my password for facebook would be g1b2d3f4c5p6p7l8. If you do all your passwords like this it is relatively easy for you to remember but very hard for someone to hack you. Even if they get the password you use from one website it is hard to work out what rule you have used to generate it.
Only accept as friends people who are known to you. If they aren’t personally known to you e.g. political contacts then add them to the ‘limited profile’ contact list when you confirm the friendship request. Remember that people browsing your profile can see your friend list. To restrict this go to ‘privacy settings’ under the ‘account’ menu on the top right of the facebook page. Go into the first section ‘connecting on facebook’ and change ‘see your friend list’ to custom. Select ‘friends’ only’ and in the ‘hide this from’ box type ‘limited profile’.
Consider how much information you need to add to either of your profiles. You really do not need to put your date of birth, home-town/place of birth, current location, mobile number or name of your partner. Access to all this information can be restricted on the ‘connecting on facebook’ page mentioned above.
You can also control who sees stuff that you post on facebook. If you go to ‘privacy settings’ under the ‘account’ menu on the top right of the facebook page you can access all the privacy controls. Under ‘sharing on facebook’ select ‘friends only’ and then go to ‘customise settings’ to restrict this even further to exclude people on the ‘limited profile’ list from seeing specific bits of information.
If you are concerned about surveillance don’t use a photo of yourself as your profile picture with your real name. It is not beyond possibility that a good photo of you on a demo could be matched to a portrait photo on your facebook profile and reveal your name. If you have a fake name and your other security settings are restrictive then it won’t reveal much except that you are on facebook. It is possible to restrict who can view photos you are tagged in on the ‘sharing on facebook’ page. It is also possible to remove your name tag from any particular photo. You can see all the photos you are tagged in on your profile page under ‘photos’. Generally don’t allow tags of your real name on photos and videos.
There is scope for facebook chat to be used to get the IP address of your computer. Whether it is possible to use this IP address to target your computer with malware or trojans or to find your geographical address depends on your particular internet access and security set-up. More information on this and whether it is a significant security threat would be a great addition to this document.
Group and event security
Groups and events are one of the best things about facebook but if used incorrectly they are one of the easiest ways to allow surveillance. When an event is created tick the ‘friends can invite guests’ box but neither ‘anyone can view and rsvp (public event)’ nor ‘show the guest list on the event page’. For existing events these controls can be accessed under ‘edit event’ in the top right. For groups under ‘edit group settings’ select either ‘this group is closed’ or ‘this group is secret’.
Be careful about joining groups or events if you don’t recognise the person inviting you. There is a possibility that it will be used to gather information about who responds or to mislead people – for example messaging everyone that a demo has been cancelled. If you are running groups or events create a profile specifically to do this and make people aware off-line that this is a profile they can trust. This will also protect individuals being targeted as ringleaders.
If you feel people are not being tight enough on security politely point this out to them and either explain the issues or point them to this document or similar. If you think someone is behaving suspiciously don’t be scared to share this information with others in a discrete way.
Most of the procedures discussed here are also described on the facebook ‘privacy settings’ page under ‘learn more’ in the bottom right of the screen. The main things they don’t mention are the use of fake names on profiles and the use of the ‘limited profile’ list to restrict access of some friends to personal information.
If you have anything to add to this document please edit it and re-circulate. You can contact the author via bristolanarchistbookfair [at] riseup.net
Stay safe but stay active
Pdf of this article: facebook-security