Password recovery questions: who already knows your mother’s maiden name?

We’ve all been there- you go to log into a website and realize that you just can’t remember your password. And it’s not like you can easily guess it, because you probably used a strong password rather than something insecure like your dog’s name (right?). So you click that little link that says “forgot password” and start the process of getting back into your account.

The website developers made a choice at that point, and it affects your security. They might send a password reset link to your email address and let you reset it there. Hopefully they don’t send you your current password in the email itself; that just means they’re not protecting it right. It’s a bit better if they send you a temporary password that expires after a set period of time. But in many cases, they’ll prompt you to reset your password by verifying your identity and answering password recovery questions.

In the early days of social media, there was a game making the rounds. It said that your “adult entertainer” name was your first pet’s name and the street you grew up on. If I had played it, I would have been Alex Sunset, which honestly has a nice ring to it (I’ll explain in a bit why I don’t mind telling you that). But do those pieces sound familiar? “Pet’s name” and “Street you grew up on” were at the time (and in too many cases, still are) some of the most popular password recovery questions. By giving hackers and identity thieves that information, you’ve already made their job a lot easier.

Fast forward to today, we’re living in the information age. Back in the 1800s when telegraph banking became a thing, most people didn’t know another person’s mother’s maiden name unless they were a part of the family or at least from the area. So when they came up with security standards, it seemed like a good question to ask someone who was asking for their money to be transferred to a different area. Yes, “mother’s maiden name” as a security question is really that old. But today, websites collect that information for you and make it very easy to find. The other answers might be found on your Facebook page or other “people search” websites.

Fortunately, many websites have realized this and changed up their questions to ones that can’t be easily found. They’re more opinions and personality traits than searchable facts, things like “what’s your favorite vacation spot” or “who was your favorite teacher in high school?” Sure, someone following you on social media might also know the answers to those questions, but the idea is that only you would know all of them. Well, maybe you and someone who lives in your home or grew up with you. That’s the biggest flaw in even these “second generation” security questions- they assume that only you would know about your memories and opinions, and that’s clearly not always the case.

There’s no delicate way to put this, so I’ll just say it: it’s okay to lie. Or maybe I’ll put it another way- it’s perfectly fine to use answers that you’d remember but someone else might not think to use. If your favorite vacation spot is New York City, make a habit of naming your LEAST favorite vacation spot instead. Instead of naming your favorite food, name your favorite drink. Be consistent, be unpredictable, be secure. There’s another benefit to doing it this way- most sites will alert you if someone tries to reset your password. You get an alert but your password remains intact.

So feel free to use my first pet’s name and the street I grew up on to reset my passwords, because I don’t.

(Just want to mention, another option is to use a password manager to store your very secure passwords. That’s another topic on its own, but if you’re going to use one make sure you’re able to protect the primary password, since it controls access to the rest of them!)

Set your own PACE

In some professions, communication is important. In the military and public services, for example, they use what’s called a PACE plan to make sure they always have a way to send a critical message when time’s a factor. And you can, too.

PACE stands for Primary, Alternate, Contingency, and Emergency. In other words, it’s a way to make sure there’s multiple ways to reach someone or communicate even if something goes wrong and the primary method isn’t an option. Broken down, it looks kind of like this:

Primary is the way you routinely talk to someone. It’s the one that makes the most sense to use and is often the most convenient. For example, many of us will be using our phone to call, text, or DM someone we want to talk to. If it’s what you normally use to talk, that’s probably going to be your primary method.

Alternate is what you use if the primary method isn’t available. If you drop your phone in the bathtub and have to wait for the bag of rice to work its magic, what would you do to reach out to someone you want to talk to? Maybe then you’d use your computer or a tablet- that’s your alternate method.

Contingency is what you use if neither the primary nor the alternate method is an option. This is often something that’s a bit less convenient, but will still do the trick. This could be a neighbor’s phone, sending someone with a message, or another way to get information across.

Emergency is when you or someone else needs help right now, and there might not even be time to send a message privately or securely. Consider how the military communicates- in most cases, they’re using encrypted radios or some other way that hides what they’re saying. But if there’s an emergency, sending out a message “in the clear” can make sure everyone gets it and can respond quickly. You hope to never need to use an emergency method of contact, but deciding what it might be ahead of time is important.

Another benefit of setting up your PACE plan now is that you have time to think about safety and security for the methods you choose. If your phone is your primary method of communicating with your support system, of course you want to make sure your phone is protected and private. But if your computer is your alternate communication method, you should probably make sure it is too- just in case you need to use it.

So set your own PACE. What that means is up to you.

The Aldrich Ames mailbox

Sending a signal, just like in the movies

Have you ever watched one of those exciting, edge-of-your-seat spy movies? Or maybe an equally exciting documentary about the life of a real-life spy? In both cases, there’s one scene in particular they tend to get exactly right.

At a certain point, the spy needs to signal to his or her handler that they need to speak. Or maybe that they have information. Or maybe that there’s trouble. Whatever it is, they use a pre-arranged signal to send that important message. Sometimes, it’s a piece of tape on a window. In the real-world case of Aldrich Ames, the CIA double-agent would leave small chalk marks on a specific mailbox. The important part is that the spy and their contact both knew what the messages meant and what to look for, and their adversary didn’t.

While you’re (hopefully!) not a spy, you might someday have a need to send secret messages in a way that won’t alert an abusive partner. With the advent of social media, this is a lot easier to do than it was before, but traditional options can still be useful. For example, leaving the window blinds open at a 45 degree angle could mean “please check on me.” Posting a specific picture on Instagram might mean “my phone is being monitored.” Using a specific phrase on Facebook could be saying “call 911.”

If you choose to set up a clandestine communication method like this, keep the following important principles in mind:

1. Set up the signals and what they mean ahead of time with someone you trust. Make sure they understand what each signal indicates and what they need to do.

2. Make sure the signal doesn’t stand out or raise suspicion. In the previous examples, if you never change the way the window blinds are oriented, doing it to send a signal would be seen as out of character.

3. Make sure the signal is unique and stands out, but isn’t likely to be accidentally used (or thought to be used).

4. Establish how often your ally should be checking for a signal, if applicable. Is it enough for them to drive by your house once a week to see if the houseplant in the window has moved? Should they be looking at your Twitter feed regularly?

Even if you feel you can safely reach out to your support system or call for help if you need it, it’s helpful to set up an alternate way to communicate with others just in case you need it. Setting up signals ahead of time and making sure they’re not too obvious to someone not “in the know” can help you do so safely.

Happy Thanksgiving

Thanksgiving means many things to me. It’s a day to gather with friends and family to enjoy one another’s company. It’s a day that my daughter and I put together grandma’s famous fruit salad for everyone to enjoy (and she eats the cherries as fast as I can cut them!). It’s also a day when I like to stop and think about the many things for which I’m grateful and how my life has been enriched by others.

If you’re reading this, know that I’m thankful for you.

When I founded Operation Safe Escape in 2016 (at the time using the awful name of “Project Safe Escape,” what a mistake that was!), I dreamed that we could help a few dozen people feel safe and start a life they had only dreamed of. If I let my mind wander, I could imagine helping 100 people. 100 people! The effects would be felt for generations if we could help break the cycle of abuse for so many.

Over 3,000 successful escapes later, Operation Safe Escape is still going strong. It’s more than I had ever hoped for and I’m thankful every single day for it. I’m thankful for the volunteers that give their time to help people they’ll probably never meet. I’m thankful for our partners, who have donated goods and services that we can make available to survivors. I’m thankful for people like you, who support us in so many ways. Many of the people reading this message have literally saved lives in one way or another. It’s truly remarkable.

Whether today is Thanksgiving for you, or if it’s Thursday, I hope you have much to be thankful for. I hope this upcoming year is even better than the last.

Best wishes,
Chris
Director, Operation Safe Escape

The Safe Connections Act Passes Congress, Pending Presidential Signature

Cell phones have changed the way we work, play, and communicate with one another. They can be used to talk to loved ones anywhere in the world, do schoolwork, play games, and so much more. In fact, for many of us, it’s hard to imagine life without one.

323.6 million Americans own cell phones, most having “smart phone” capability. Unfortunately, statistically speaking, up to 6.3 million of those people have been, are currently, or someday will be in an abusive relationship. In many of those cases, the abuser has control over the survivor’s phone plan- even after a breakup. That may allow the abuser to access their phone records, see who they’ve been speaking to, shut off the service at will, and prevent the survivor from moving the device to their own (more private) plan.

In January 2021, Senators Brian Schatz, Deb Fischer, Richard Blumenthal, Rick Scott, and Jacky Rosen sponsored Senate Bill 120, The Safe Connections Act. This bill requires mobile service providers to separate the survivor’s phone line, as well as their children or others in their care, from the abuser’s line whenever technically possible. Furthermore, the providers are not allowed by law to charge fees for this service.

The bill also requires providers to complete the separation within two days of making the request, allow remote methods to make the request, protect the survivor’s confidentiality, and provide information to the public about the service so people know it’s an option.

Happily, this bill has since passed both chambers of Congress and is waiting for the President’s signature to become law. Operation Safe Escape agrees with the Electronic Frontier Foundation, who says:

“We would have preferred a bill that did not require survivors to provide paperwork to “prove” their abuse. For many survivors, providing paperwork about their abuse from a third party is burdensome and traumatic, especially when it is required at the very moment when they are trying to free themselves from their abusers. However, this bill is a critical step in the right direction, and it is encouraging that Congress so overwhelmingly agreed.”

But, it’s a start and a huge victory for survivors of domestic violence and their advocates.

View details on the bill here.

Protecting your passwords

You’ve probably heard it before: “never write down your passwords. Use unique passwords for each website and memorize them.”

It’s great advice, but it’s not always easy. In 2022, the average person has between 70 and 80 passwords they need to keep track of! This can sometimes lead to people using easily-guessed passwords (like their birthday or pet names, things like that) or reusing passwords for multiple sites (if one site is hacked and the passwords stolen, hackers can see if the passwords work for other websites, too).

Fortunately, you have options for protecting your passwords and accounts. Here’s a few:

1. Use a password manager. A password manager is an app for your phone or computer that can securely store encrypted passwords so you don’t have to remember all of them. All you have to do is remember your password for the password manager, which you should make as strong as possible. This means you can use very strong and unique passwords for each website without having to remember each one.

2. Write them down. I know, right? You always hear it- don’t write down your passwords. But this is where you need to decide which is safer for you. Remember that your online accounts can be attacked by anyone with an internet connection, but gaining access to a notebook or password sheet requires access to wherever it is placed. If you feel you can protect a sheet of paper and know you need to use strong and unique passwords, this might be an option.

3. Write them down, but know the secret. If you feel like writing down your password (and securing it) is an option for you, you can add an extra layer of security by changing the password from the actual one. For example, anyone looking at the password sheet wouldn’t know that you actually added an extra letter to the end. Or that you added 2 to all of the numbers in your password. By changing it, you can not only protect your accounts but you can also get an alert if someone tries to use it.

Whichever you choose, you should always turn on two-factor authentication. Two-factor authentication (2FA) requires an additional measure to prove your identity prior to logging in. Sometimes, this can be an app, or it can even be a hardware token that must be present in order to log in. Using 2FA means that even if someone knows your username and password, they still can’t log in without you knowing.

Whatever password solution you choose, we recommend changing all your passwords at the same time if possible. This prevents anyone from leveraging their access to undo the work you’re doing to protect your accounts. And don’t forget to choose the option “log me out of other locations” whenever possible! If someone is in your account without permission, this will kick them out and make sure they can’t log in again.

Period Tracker Apps and Safety

After the recent Supreme Court ruling overturning Roe vs Wade, many of you are rightfully concerned about your rights, your health, and your safety. One of the ways this has manifested is mistrust of many period tracker apps when you can’t control your data or ensure it’s being properly safeguarded- the worry being that the data will be given or sold to states that are adding criminal penalties for abortions, other losses of pregnancy, and other forms of health care. Many users have started uninstalling their period tracker apps out of concern, particularly those in such states.

Today, Operation Safe Escape began development of a period tracker app that we will make available for free for Android and iOS. There will be no ads or monetization of any kind. Additionally, the following privacy features are intended to keep users safe and able to make health decisions without compromising their safety or sense of safety:

  • The app will not access the internet for any reason
  • The only data collected by the app will be what the user enters and what is necessary for the app to function on the device. None of this data will ever be sold, shared, or given away. Since even we can’t access it, we couldn’t anyway
  • The information will exist only on the user’s device, not the cloud
  • All data will be encrypted
  • All data on the app will be in control of the user, and the app will allow a quick wipe of the data
  • There will be a space for safety resources and links

Critically, the app will be open source to allow the community (and the users themselves) to know exactly what the app is doing and how their data is being stored. There should be nothing to hide. We will be looking for other ways to protect users from other threats, such as cases where an abusive partner may get access to the device.

More information will be provided as development continues. If you have any input or ideas, please feel free to reach out at [email protected]

Reproduction and body autonomy are common targets of abusers. Reproductive coercion is a form of abuse where the abuser forces the victim to get pregnant or terminate a pregnancy against their will. According to the National Coalition Against Domestic Violence, 25% of domestic violence survivors have experienced this form of abuse. Reproductive health is directly related to domestic violence, and Operation Safe Escape stands against all forms of abuse.

June 28, 2022 update:

The question was asked, why create a new tool versus supporting existing open source projects? That’s a great question.

Historically, we’ve tried both creating our own tools and requesting changes / updates to existing open source ones. We admire and appreciate the open-source maintainers; they keep the world running. But we have to consider and include our primary mission in everything that we do. In this case, that means ensuring that the users impacted by domestic violence and stalking have their concerns and needs quickly addressed. This is something we want to do to help everyone, but survivors of abuse sometimes have different needs. Our perception of risk doesn’t stop with any government, although this is certainly a concern. We’re not only concerned about government overreach and weaponization of the courts, we’re also concerned about the abuser trying to control the individual’s fundamental reproductive rights. By developing our own tool, change control and approval is less of a concern. For example, including information and resources on reproductive coercion might seem important to us, but might not be a change that’s accepted on another team’s app (not assuming, just an example). Another issue is that abusers adapt quicker than the government does, so the ability to very quickly add new features, information, and tools can make a major difference for a specific set of users.

Removing Unwanted Network Devices from your Wifi

In some cases, an abusive partner may add new devices to a wireless network in order to monitor and harass their victim. For example, cameras, microphones, smart home devices, and more are relatively easy to conceal and may be used to listen in on conversations.

When the bad actor (that is, whoever is trying to cause harm) has previously had access to the wireless network, it may be possible that they added those devices to the wireless network to remotely access and receive information. This article will discuss how to identify and remove any unauthorized wireless devices from your wireless network.

If possible, you should look for connected devices any time you’re concerned that your conversations may be being monitored. At the very least, you should follow this process when the abusive partner leaves the home permanently- especially if they had access to the network.

Option 1: Using your router’s browser or web interface

(Please note: logging into the router as administrator will leave a record in the device logs. It will show that the administrator account has logged in, but won’t show who was using it.)

If you’re not familiar, your router is the device, most often provided by your service provider, that connects you to the internet. It’s normally a black or silver box with network jacks on the back, status lights on the front, and it might have an antenna or two on it. If you’re having trouble identifying it, you can always call up your service provider or do an internet search for “[internet provider] router models” (without the quotes).

The router has a web interface that you can access through the browser in order to make configuration changes. The instructions for doing this would have been provided in the documentation that came with the router, but you can also look online if you know the model number. In many cases, the information is on a sticker that can be found on the back or bottom of the router.

You’ll need the device’s IP address to connect to it. Type that number into the browser’s address bar, where you would normally type in a website address. This will take you to the web interface login screen. The username and password, if it hasn’t been changed, will be found in the documentation provided with the router. If it’s been changed or if you don’t know that information, contact your ISP and they’ll help you recover the information. You might also find the default login information online by searching “default login” and your router model number.

The specific location for this information may vary depending on the model and brand of router, but it will generally be under a link, tab, or button called “attached devices,” “connected devices,” or “DHCP clients.” You’ll probably find this on the wifi configuration page or on the status page. This may also be on the main screen for some devices.

  • On many D-Link brand routers, this can be found by clicking Status, then Wireless.
  • On many Linksys routers, you’ll find this option under Status > Local Network > DHCP Clients Table.

The list can be confusing at first, but it will show you what devices are connected to the network. Note that if you’re only looking at the “DHCP” devices, you might not see everything. Make sure to look at anything that shows connected devices. If you’re not sure, refer to the device documentation or contact your ISP.

Looking at this list will give you an idea of what devices are connected to your network. Look for anything unusual or that you don’t recognize. If you see a hostname that looks suspicious, search the web for the recognizable parts of the name to try to get an idea of what it might be.

An example interface showing connected devices. Courtesy how-to-geek.

Note that you are likely to see things you don’t recognize, and in many cases that’s normal. Your phones and computers aren’t the only things you’d expect to find here; you’re also likely to find your home security system, video game consoles, authorized smart home devices, televisions, and more.

This is a good basic step to take, but it’s not foolproof. Device names can be changed or faked to look legitimate. If possible, additional steps should be taken to make sure you know exactly what’s on your network.

Option 2: Change the WiFi Key

Hopefully, you’re using the strongest encryption available on your device, which may be WPA3 if available. Otherwise, WPA2 should be an option. If neither option is available, contact your ISP for a new router because your current one is likely obsolete and needs to be upgraded or replaced. The type of encryption can be checked on the password settings page.

The good news is once you change your password, it will kick all devices off the network until they’re updated with the correct password. This will effectively remove any unauthorized devices from the network and is a good way to ensure only devices you know about and approve are connected. This step should be done as soon as possible, especially since your wireless signal can often reach outside the home.

Refer to your system documentation for any wireless devices that will need to be reauthorized, such as smart TVs, cell phones, home surveillance systems, etc.

Consider reviewing the router configuration page after each device you add, so you’ll recognize it when you check up later.
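One way to keep that record and compare it against what the router shows later, as an added example that is not part of the original article. The device lists, addresses, column names, and function names below are all constructed for illustration; real routers label and export these tables differently. It matches devices by hardware (MAC) address rather than by name, because names can be faked, and it merges every list the router offers, because the DHCP list alone can miss devices.

```python
import csv
import io

# Constructed sample data: a record you wrote down after adding each device,
# and two lists copied from a router's admin pages today.
BASELINE_CSV = """mac,label
3C:5A:B4:10:22:01,Living room TV
A4:83:E7:9B:00:12,My laptop
F0:18:98:44:AC:7E,Game console
"""

DHCP_CLIENTS_CSV = """hostname,mac,ip
LivingRoom-TV,3c:5a:b4:10:22:01,192.168.1.20
my-laptop,A4-83-E7-9B-00-12,192.168.1.21
LivingRoom-TV,00:1E:C0:5D:11:9A,192.168.1.37
"""

WIRELESS_CLIENTS_CSV = """hostname,mac,ip
my-laptop,a4:83:e7:9b:00:12,192.168.1.21
,DA:31:7C:02:5F:66,192.168.1.50
"""


def normalize_mac(raw):
    """Return a MAC as six uppercase hex pairs joined by colons."""
    digits = "".join(ch for ch in raw if ch in "0123456789abcdefABCDEF").upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_randomized(mac):
    """True when the 'locally administered' bit is set, as it is on the
    private (randomized) addresses many phones and laptops use."""
    return bool(int(mac[:2], 16) & 0x02)


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def review(baseline_csv, *client_lists):
    """Compare today's router lists with the recorded baseline.

    Returns (findings, missing): devices seen today that are not in the
    baseline, and baseline labels that were not seen today.
    """
    known = {normalize_mac(r["mac"]): r["label"] for r in load_rows(baseline_csv)}

    # Merge every list; the same device may appear in more than one.
    seen = {}
    for text in client_lists:
        for row in load_rows(text):
            mac = normalize_mac(row["mac"])
            entry = seen.setdefault(mac, {"hostname": "", "ip": row["ip"]})
            entry["hostname"] = entry["hostname"] or row["hostname"]

    # Names currently used by devices we recognise by address.
    known_names = {
        info["hostname"].lower()
        for mac, info in seen.items()
        if mac in known and info["hostname"]
    }

    findings = []
    for mac, info in sorted(seen.items()):
        if mac in known:
            continue
        notes = []
        if info["hostname"] and info["hostname"].lower() in known_names:
            notes.append("name copies a known device")
        if is_randomized(mac):
            notes.append("randomized address, may be a phone you own")
        if not info["hostname"]:
            notes.append("no hostname reported")
        findings.append({"mac": mac, "hostname": info["hostname"],
                         "ip": info["ip"], "notes": notes})

    missing = sorted(label for mac, label in known.items() if mac not in seen)
    return findings, missing


if __name__ == "__main__":
    findings, missing = review(BASELINE_CSV, DHCP_CLIENTS_CSV, WIRELESS_CLIENTS_CSV)
    for f in findings:
        name = f["hostname"] or "(no name)"
        print(f"UNRECOGNIZED {f['mac']} {name} {f['ip']}: {'; '.join(f['notes'])}")
    for label in missing:
        print(f"not seen today: {label}")
```

A device flagged only as a randomized address is often your own phone using its private Wi-Fi address setting, so check your devices' network settings before treating it as unauthorized.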

Option 3: Ask Your Service Provider for Help

If you’re not comfortable or are having trouble logging into the router, contact your service provider and explain to them that you’re concerned about unauthorized devices and unauthorized access. They also have an interest in making sure that no one can use your network without your permission, so they will be able to assist you. They may send out a technician that will help confirm your settings and identify any rogue devices.

Option 4: Reset Your Router

This is the most secure option, because it will restore your router to a known-good configuration and remove any rogue devices.

If you’re not able to access your router’s web interface, you can reset it to the default settings. This will re-enable the default passwords as well, which will be noted in the device documentation, affixed to the router itself, or may be found online.

The process for each device may vary, and can be found in the device documentation or online. In most cases, there’s a small hole on the back of the router that says “reset.” Unplug the device. A small pin or paperclip can be used to press the button inside the hole; hold it down for 30 seconds, then remove the pin. Plug in the device again, and it should be reset to its default configuration.

Note that any custom configurations or passwords, including for WiFi access, will be removed and will have to be re-added.

A Whole New You: Name Changes and Identity Updates for Survivors of Domestic Violence

Leaving an abusive relationship is the start of a new life. And, sometimes, that new life comes with a new identity in order to remain safe. This article will discuss two important elements of establishing a new identity: the name change and obtaining a new social security number.

Name Change

A court-ordered name change is obtained by petitioning the court in the county in which you reside. This is generally approved, unless the court believes that the name change is intended to defraud creditors. If everything is in order, the court will issue an order authorizing you to start using the requested name.

Paradoxically, many jurisdictions require a public notification, generally in a newspaper, of the name change. The purpose is to ensure creditors are aware of the name change and have the opportunity to pursue the debts against the new name. However, requiring publication of a name change can also alert a stalker or abusive ex-partner to the new identity.

It’s important to understand the laws in your state when pursuing a legal name change. Whenever possible, seek legal aid or qualified legal assistance if there’s any concern about your safety or legal options.

18 states allow sealed name changes for victims of crime, to include survivors of domestic violence when there is a reasonable concern for safety. Those states are:

  • Arizona [Ariz. Rev. Stat. Ann. §§ 12-601]
  • California [Cal. Civ. Proc. Code §§1275-1279.6]
  • Georgia [GA Code § 19-12-1 (2020)]
  • Minnesota, only for applicants in a witness and victim protection program [Minn. Stat. Ann. §§ 259.10-259.13]
  • Missouri [Mo. Ann. Stat. § 527.290]
  • Montana [Mont. Code Ann. §§ 27-31-201]
  • Nevada [NV Rev Stat § 41.280 (2020)]
  • New Mexico [NM Stat § 40-8-2 (2020)]
  • New York [New York Civil Rights Law section 64-a(2)]
  • Ohio [Ohio Rev. Code Ann. § 2717.11 (2021)]
  • Oklahoma [12 OK Stat § 12-1633 (2020)]
  • Oregon, for participants in the state Address Confidentiality Program [ORS 192.826]
  • Pennsylvania [54 Pa. Cons. Stat. Ann. §§ 701-705]
  • South Dakota [S.D. Codified Laws §§ 21-37-5.2]
  • Virginia [Va. Code Ann. § 8.01-217]
  • Washington [Wash. Rev. Code Ann. § 4.24.130]
  • Wisconsin [Wis. Stat. Ann. § 985.07]
  • Wyoming [Wyo. Stat. Ann. §§ 1-25-103]

These states will, when certain conditions are met, seal all records of the name change.

28 states either don’t require publication of name changes or allow waiver of the publication requirement. However, these states do not currently have a mechanism for sealing name changes even when a risk exists.

  • Alabama
  • Alaska
  • Arkansas
  • Colorado
  • Connecticut
  • DC
  • Florida
  • Illinois
  • Iowa
  • Kansas (in Kansas, there is no requirement unless directed by the court)
  • Kentucky
  • Louisiana
  • Maine
  • Maryland
  • Massachusetts
  • Michigan
  • Mississippi
  • New Hampshire (in New Hampshire, there is no requirement unless directed by the court)
  • New Jersey
  • North Carolina
  • North Dakota
  • Oregon
  • South Carolina
  • Tennessee
  • Texas
  • Utah
  • Vermont
  • West Virginia

There are only five states that will not waive publication requirements and do not seal name change records:

  • Delaware
  • Idaho
  • Indiana
  • Nebraska
  • Rhode Island (varies by location)

If there is a safety or security concern, it may be worth exploring other options after establishing (even temporary) residency in a different state.

Social Security Number

Another important piece of staying safe and secure after a name change is changing your social security number, if you meet the requirements to get a new number. This will help prevent a stalker or former partner from potentially running a credit report and obtaining potentially sensitive information about your location.

Until relatively recently, the Social Security Administration (SSA) would not issue a new number unless there was evidence that the number itself had been misused. Fortunately, this is no longer necessary in cases of harassment or abuse.

From the SSA fact sheet (https://www.ssa.gov/pressoffice/domestic_fact.html): “The SSA joins with other Federal agencies to provide greater assistance to victims of domestic violence. Some victims seeking to elude their abuser and reduce the risk of further violence choose to establish a new identity.”

Applications for a new social security number must be made in person at any social security office. Bring evidence of your age, identity (to include both old and new names), and citizenship status. If new numbers are being requested for your children, bring court documentation showing that you have custody. The SSA will require evidence documenting the harassment or abuse. From the fact sheet: “The Social Security Administration will assist you in obtaining any additional corroborating evidence, if needed. The best evidence comes from third parties, such as police, medical facilities or doctors and describes the nature and extent of the domestic violence. Other evidence might include court restraining orders, letters from shelters, letters from family members, friends, counselors, or others with knowledge of the domestic violence.”

Address Confidentiality Program

All states have some form of Address Confidentiality Program (ACP), although the specifics will vary from one state to another. These programs provide a state-owned mailing address that is separate from your physical address, allowing you to use that address for things such as utilities, voter registration, driver’s licenses, and more. Any mail you receive at that address will be forwarded to your address of choice, but the forwarding information is not available to the public.

This is, of course, most helpful after you’ve already moved. Using a confidential address will help prevent your address from showing up in online “people searches” and being otherwise discoverable.

Your local courthouse, advocate, or attorney can help you figure out what options are available to you.

Conclusion

Increasingly, federal, state, and local governments recognize the challenges faced by survivors of domestic violence and other crimes. By understanding the laws in your area, you can take steps to keep yourself safe and start your new life.

Protecting your Facebook Account (and your Privacy!)

Facebook, as we know it today, started in 2004 as TheFacebook, a directory of students at Harvard University. Almost immediately it, and its founder Mark Zuckerberg, were embroiled in controversy about privacy, security, and integrity. These controversies continue today, with concerns about user tracking, data handling, and privacy in general. This guide will discuss the options you have to protect your information.

This guide is current as of Jan 27, 2022.

[Image: The original login page for what is now Facebook]

There’s a saying that goes, “if you’re not paying for a service, you’re not the customer. You’re the product.” It doesn’t cost anything to create an account, which means that the company must make its money elsewhere. And they do. Last year, Facebook made $29 billion, mostly from selling ads. And those ads are often targeted to you using data Facebook collects.

Have you ever had a conversation with a friend, only to later find Facebook suggesting, in your feed, a product one of you mentioned? Maybe you’ve searched for a solution to some problem you’re facing, only to find ads that seem to address what you were looking for? This is called “targeted ads” and it can range from annoying to dangerous. For example, an LGBTQ+ teen may not feel comfortable or safe coming out to their family, but targeted ads may raise questions they’re not ready to answer. Similarly, transgender individuals have been forced to answer difficult questions when Facebook recommended their private account to friends and family.

You have a right to privacy and security.

To access Facebook’s settings, click the arrow in the upper-right corner of the screen. This will allow you to set your privacy and security controls.

[Image: Accessing Facebook settings]

1. Prevent Facebook from using your information for targeted ads

Click “Privacy Shortcuts,” which will take you to the Privacy and Security page. Scroll down until you see “Your Facebook Information.” Here, you can see what Facebook knows about you and what data they collect. Click “View or clear your off-Facebook activity.”

This is how Facebook describes “off-Facebook activity”:

Off-Facebook activity includes information that businesses and organizations share with us about your interactions with them. Interactions are things like visiting their website or logging into their app with Facebook. Off-Facebook activity does not include customer lists that businesses use to show a unique group of customers relevant ads.

How did Facebook receive your activity?

When you visit a website or use an app, these businesses or organizations can share information about your activity with us by using our business tools. We use this activity to personalize your experience, such as showing you relevant ads. We also require that businesses and organizations provide notice to people before using our business tools.

The phrase “clear history” is a little bit misleading in this context. This option doesn’t actually clear your history, but it does disassociate the data from your account and prevents targeted ads. You can also see which sites are sharing information about you with Facebook.

To further restrict Facebook’s ability to display targeted ads:

  1. Go to settings
  2. Select “Ads”
  3. Select “Ad settings”
  4. Select “Data about your activity from partners”
  5. Toggle it off
  6. Select “Ads shown off of Facebook”
  7. Toggle it off
  8. Select “Social interactions”
  9. Toggle it off

2. Turn off location tracking

iPhone:

  1. Go to settings
  2. Select “Privacy”
  3. Select “Location Services”
  4. Tap on “Facebook”
  5. Select “while using the app” or, if you don’t need Facebook to track your location, “Never”

Android:

  1. Go to settings
  2. Select “Location”
  3. Select “App location permissions”
  4. Tap on “Facebook”
  5. Select “Allow only while using the app” or “deny”

3. Limit information Facebook shares with its partners

Many websites allow you to log in with your Facebook account, rather than creating a new account for that site. While easy and convenient, it also allows Facebook to collect additional information about you, and allows the site to collect some information from your Facebook account. This can include your name, email address, photo, and other public information.

To view which sites are currently collecting information about you:

  1. Go to settings and privacy
  2. Select “Settings”
  3. Select “Apps and Websites”
  4. Click “See More”

Here, you’ll be able to see which sites are connected and sharing information. Click “remove” to disconnect the site.

4. Use two-factor authentication

As in… always use two-factor authentication. Whenever you can.

Two-factor authentication requires a second form of validation when logging into an account. You’re probably familiar with the concept, such as when you’re trying to log into your bank and you have to confirm that it’s really you through the app or by typing in a code that you receive via text message. The benefit of this is that even if someone were to guess or steal your password, your account will still be safe as long as your second authenticator is in your control. This also serves as a way to detect if someone is trying to break into your account.

Two of the most common methods of two-factor authentication are text messages and an authenticator app, either one provided by the service or a dedicated app such as Google Authenticator or Authy. While both are better than a username and password alone, an app-based solution is preferred over text messages, which are less secure.

To enable two-factor authentication on your Facebook account:

  1. Go to settings
  2. Select “Security and Login”
  3. Select “Set Up Two-Factor Authentication”
  4. Click “Get Started”

5. Make sure only people that you want to find you, can find you

The default Facebook privacy settings make it very easy to find your account in the search bar, or even in search engines like Google. To change this:

  1. Go to settings
  2. Select “Privacy”
  3. Find “Do you want search engines outside of Facebook to link to your profile?”
  4. Select “Edit”
  5. Unselect the checkbox

On the same page, you can change how people find you within Facebook:

  1. Select “Who can look you up using the phone number you provided?”
  2. Change to “Only me”
  3. Select “Who can look you up using the email address you provided?”
  4. Change to “Only me”

6. Limit who is able to see your content

You can limit who’s able to see your content, such as your profile, photos, videos, and updates. This should be restricted as much as possible to ensure only people you trust can see your content.

  1. Go to settings
  2. Select “Settings and Privacy”
  3. Select “See more privacy settings”
  4. Select “Privacy”
  5. Select “Who can see your future posts?”
  6. Edit as desired
  7. Select “Limit the audience for old posts on your timeline”
  8. Edit as desired

7. Conduct a privacy and security checkup

Facebook also offers a privacy and security checkup, which shows you who can see your posts, who’s able to message you, and more. This should be done every couple of months, or more often if possible. This is because Facebook occasionally changes its security and privacy settings, which may impact your account without your knowledge.

This is a good way to catch anything that you may have overlooked, and it displays your sharing settings, privacy options, and security information.

8. Remember that what you put on Facebook may be re-shared, regardless of your privacy settings

No matter how secure you make your account, you can’t control the actions of other people. So be careful what you post, since it can be shared with people outside your trusted circle. For example, if you talk about your upcoming vacation, one of your Facebook contacts may, often without intending to cause harm, mention it to someone you don’t want to know about it. So be careful what you post online, regardless of which platform you’re using.

Facebook, like other social networking sites, can be a great way to stay in touch with friends and family, and a powerful tool for finding and giving support. However, as with any online service, there is some risk involved. By taking advantage of the security and privacy options that Facebook offers, and by being careful about what you post, you can minimize the risk and get back to enjoying time with your friends online.
