The new Facebook timeline: The danger of putting it all in one place

For the moment, pretend I’m someone with bad motives. Maybe I’m a stalker, a burglar, or an identity thief. Perhaps an ex-spouse or an aggrieved former business partner. I could even be a sexual predator with an eye on one of your kids.

Or maybe I’m basically an OK person with legitimate motives. Perhaps a prospective employer or a bill collector. So I look at your Facebook profile and see that you’re out of town. That can be useful if I’m a burglar, but it’s not so scary otherwise. But now let’s assume I can scroll through your past messages all in one place. Yep, there it is. Two years ago, you were organizing a group to ride to Tuscaloosa and gave out your phone number. So I’ll just take that phone number and punch it into a reverse phone lookup to see what I can find:

Bingo.

Of course, most of us have learned not to put our phone numbers in public Facebook posts. But there’s a big difference between “I don’t do that” and “I’ve never done that.” Back when you were an innocent Facebook newbie and trusted the system, you probably did. The way things are in the current world (currently 9/25/11), it doesn’t matter much. “I don’t do that” probably keeps you safe.

After all, as things are now, even you couldn’t find most of what you’ve posted over the years, let alone your average snoop. But in a few weeks, when Facebook implements the new timeline on your profile (you won’t have a choice, by the way), it’ll be easy to find that and other clues that can be used to steal your identity or worse.

When that happens, the only thing that will keep you safe is, “I’ve never done or revealed that.”

But maybe I’m not a thief. Maybe I’m just a nosy neighbor wondering about your health or your drug habits. Nearly everybody already posts his or her birthday, which just happens to be the information many pharmacies use to verify the identity of the person calling about a refill. Now, if I have your address already, I can probably guess pretty quickly where you get your prescriptions filled. But by scanning over your newly assembled “scrapbook” (to use Mark Zuckerberg’s word for it), I can probably pinpoint it. Then it’s just a matter of making a simple call to the pharmacy. “Hi, this is Helen Whomever. I need to see if I have any Zocor refills left. No? I’d have sworn that was the one I was taking. What was it, anyway?” With just some low-level social engineering, I can probably find out a great deal about your health and medication habits, as well as who your doctor is.

Our hundreds and thousands of messages, photos and status updates often paint a frighteningly complete picture when you bring them all into one place. For many of us, it’ll be pretty easy to pinpoint where somebody banks, drinks, dines, works and sends their kids to school.

Of course, we’re assured that we’ll have a great deal of control over what gets “shared,” but details at this point are pretty sketchy. In his presentation at F8, Zuckerberg described a simple “sliding bar” to control how much you “share,” but most of us haven’t seen it yet. In the past, Facebook’s broader controls have been woefully inadequate, and truly locking down your information has taken a good bit of work. I have to think that will be the case this time.

To be fair, we’ll have to wait until the full rollout to see just how much control we really have, and how well the controls work. I didn’t consider it a good sign that immediately after the very minor changes earlier in the week, my status updates had defaulted to “public,” even though I had a custom setup with certain groups excluded. If Facebook holds true to form, the initial “default” will be far too loose for my taste.

For the time being, I’ve deleted some photo albums and set most others to “me only.” I’m keeping my Facebook account open, but I’m keeping a close eye on the changes. Leaving is a pretty extreme move. It should be possible to get rid of the bath water and keep the baby. Let’s hope so, anyway.

 
