Scott Hanselman

Facebook's privacy settings are too complex for ANYONE to use - Change these settings today

April 14, 2012. Posted in Blogging

The Friends privacy setting on status updates extends to tagged friends and their friends

My wife is quite a bit smarter than I am. She is also more educated than I am. Frankly, I'm happy she talks to me at all.

She put a photo on Facebook last week of her and a friend and was careful to double-check that the photo was set to "Friends only."

A few days later she rushed in and told me that she thought the photo was public even though it was set as Friends only.


"Because random people that I don't know are commenting on this photo! Like, who is this guy? I don't want him to see this - I don't know him! Why did they let non-friends see it?"

I looked for a minute and noticed that she had "tagged" her other friend in the photo as in this example photo below:

A photo in Facebook with 4 people "tagged"

In this photo there are four people tagged. When you tag someone they are notified that they've been tagged, and they can remove the tag, which removes it from their "photos of me" list. The photo above is totally public, but let's say it was posted by me and I tagged my three friends and marked it as "friends only."

Who can see the photo of me and my 3 friends? Who can see the photo of my wife and her friend when the photo is marked Friends?

Who sees the photo? The union of all our friends!

Answer: The union of all the friends of everyone tagged in the photo. If someone else sees the photo and tags some more people, the circle of visibility for that photo or post expands.

This may seem obvious to a software engineer or someone with a background in set theory but it's not obvious even to smart regular folks. It certainly surprised my wife although she gets it now. Here's the thing, though. Now she says she really is less likely to put photos on Facebook and certainly less likely to tag folks in photos.

Confused a little? There's more. Recently my programmer man crush and favorite Canadian Reginald Braithwaite wrote a post called "When you share personal data with Facebook friends, you're sharing your personal data with every app your friends use." Read that title again.

Remember that when you aren't paying for something (like Facebook), someone is paying. The advertisers are paying and you, your friends and all your info are the product.

Reginald points out that when you grant an application (Farmville, etc.) in Facebook access to your profile you are often granting that application access to your friends' personal information. That means that your annoying friend who is always pushing the Mob Wars invites has likely granted an application access to your information by proxy.
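The two exposure paths described above (the audience that grows with every tag, and friends' apps reading your info by proxy) can be written down as a small Python model. This is an added example, not code from the original post or from Facebook; the friend graph, the app lists and the function names are constructed for illustration, and the opt-out is assumed to block all friend-proxied access.

```python
# Simplified model of the behaviour the post describes. The people, the
# friendships and the app lists are constructed sample data.
FRIENDS = {
    "wife":   {"scott", "amy", "friend"},
    "friend": {"wife", "bob", "carl"},
    "scott":  {"wife"},
    "amy":    {"wife"},
    "bob":    {"friend", "dave"},
    "carl":   {"friend"},
    "dave":   {"bob"},
}
# Apps each person has authorised (constructed sample).
APPS = {"bob": {"Mob Wars"}, "amy": {"Farmville"}, "friend": {"Mob Wars"}}


def audience(poster, tagged=()):
    """Viewers of a 'Friends' post: the poster, everyone tagged, and the
    union of all their friend lists."""
    people = {poster, *tagged}
    viewers = set(people)
    for person in people:
        viewers |= FRIENDS.get(person, set())
    return viewers


def unintended(poster, tagged=()):
    """Viewers the poster never friended."""
    return audience(poster, tagged) - FRIENDS[poster] - {poster}


def apps_by_proxy(person, opted_out=False):
    """Apps that reach `person`'s info because a friend authorised them.
    `opted_out` models unchecking every box under 'How people bring your
    info into apps they use' (assumed here to block all such access)."""
    if opted_out:
        return set()
    apps = set()
    for friend in FRIENDS.get(person, set()):
        apps |= APPS.get(friend, set())
    return apps


if __name__ == "__main__":
    print("untagged:", sorted(unintended("wife")))
    print("one tag:", sorted(unintended("wife", ["friend"])))
    print("tag added by a viewer:", sorted(unintended("wife", ["friend", "bob"])))
    print("apps via friends:", sorted(apps_by_proxy("wife")))
```
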

UPDATE: When you are sharing something, note that you can pull down the privacy dropdown, select Custom, and make changes, then hover your mouse over the gear to get a plain-English tooltip showing the resulting visibility of this update:

The tooltip will show the resulting visibility of the post

Your Homework - and pass it on

Go log into Facebook and in the upper right corner click Privacy Settings:

Privacy settings in Facebook is in the upper right corner

Then, spend some time in these two areas of Settings: Timeline and Tagging, and Apps and Websites.

Update your Facebook privacy settings

Under tagging you can choose what happens when someone tags you, and what happens with tags that friends add to your own posts or photos. You can also control tag suggestions. You can lock this down as much as you want.

Check your Timeline and Tagging settings in Facebook

Next, click on Apps and Websites and freak out when you see how many you (or your teen) have added. You can remove them as you like. Most importantly, click on "How people bring your info into apps they use."

Review the "Apps you use" at Facebook

How much of this info do you want your friends sharing with their applications? Turn this stuff off.

Uncheck all the checkboxes at "How people bring your info into apps they use."

And finally, check out the Public Search option. Do you want Facebook and your public timeline to show up when someone Googles for you or your child? If not, turn this OFF.

Turn off your Facebook public search settings

You can also go back in time and "limit old posts." This will take posts from years ago when you didn't know this information and make them visible to friends only.

Limit the visibility of old posts

Facebook will likely try to talk you out of it. Use your judgment.


Now, for a fun over-dinner exercise try explaining this to your 14 year old and why everyone should be careful about information leakage. Seriously. At least try.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

April 14, 2012 2:43
All I want to know is how do I make it so photos I upload from my phone are friends only (it's nearly always pictures of my kids) and any links I share (regardless of where they came from...Twitter, Share on the website, status updates from anywhere, etc) are all public? That's all I care about. :-\
April 14, 2012 2:45
I got to the point where the goal posts are being moved so often by Facebook that the only rational approach for me was to delete the account. I like Facebook and the connections it allows but I find it too complex to stay up to date with all the ramifications. Once the data became open to app companies then theoretically all that information is available to everyone given any security leak. I haven't missed it to be honest. And no one else has either (no one has yet commented that I'm suddenly missing from Facebook). And after watching that video, "Don't Talk To Police" on YouTube I'm apprehensive about having any information publicly available.
April 14, 2012 3:13
I've never bothered to look into it, but if I say apps can't access any of my data, does that stop people who have a Windows Phone from automatically importing that information into my details in the people hub?

It's a pity that useless apps can ruin potentially useful features.
April 14, 2012 3:48
Where's the love, Facebook?
April 14, 2012 4:02
This is case in point why I do not and won't ever use Facebook.
April 14, 2012 6:17
And when you post it on your blog, it's really public! Can't wait for my party!!!
April 14, 2012 6:18
I treat every posting/photo on Facebook as public.
That's the intention of Zuckerberg too, but he has to deal with public resistance to that move (to share everything publicly).

In 10 more years people would stop caring that much about privacy and their photos leaking to the public eye.
April 14, 2012 6:49
Scott, I think you missed a very big option (and easy one) in the Privacy Settings, that precisely addresses the problem your wife had, about friends of tagged friends being able to see the post/picture, check it out:

April 14, 2012 6:51
oh and the same option (to not let tagged friends' friends see the post) appears in the inline selector
April 14, 2012 6:52
Dennis, no, people won't. You may always have some fresh kids joining up that don't know or yet care about privacy. Then someday they or one of their friends will get a scare like Scott's wife did. Or a parent will hear about a child getting harassed after school by some child stalker that thought the kid really wanted their attentions.

It's just a matter of how long it takes someone to realize how stupid it is to tell the entire world every detail about their personal life.
April 14, 2012 11:44
Another reason why I deleted my Facebook account long ago. Never will go back to it.
April 14, 2012 13:21
I'm with Dennis - anything I'd be unhappy about becoming public doesn't go on a wall. I don't quite treat it as public, but I definitely treat it as potentially public.
April 14, 2012 21:29
Young people are likely to understand these privacy issues at a much deeper level than we think, or than even we understand it; to them, the Facebook culture is representative of the larger cultural norm for privacy. This norm is accepted deep in their worldview, and as time goes on and these younger people become more socially influential, these attitudes will prevail.

To those who lived their entire lives fiercely defending privacy, this evolving norm rightly appears shocking, and I'm not saying it would harm younger people to understand the role privacy has historically played (primarily in constitutional protections against search and seizure rooted in both philosophy and directly in colonial tensions, as well as in various contemporary issues like LGBT rights and terrorism). But it also helps us to understand that culture shifts as needed to maintain equilibrium with the environment surrounding it (which includes the internet "environment") while permitting society to survive, if not thrive, economically.
April 15, 2012 0:11
The thing that amazed me the most in this post is that nowadays people expect privacy when posting on the Internet. You don't want anybody to see a picture? Simple, don't put it on the Internet. That's all. Real smart people understand this.
April 15, 2012 17:03
I share pictures on the internet for my family and a few close 'real' friends to see them. If that site wants to offer paid printing on those photos to offset their cost, then I am fine with that. If they want to expand who can see the photos without my explicit grant, then I am NOT fine with that.


As long as people are judged and have repercussions for certain kinds of personal life moments posted, people in any generation will want privacy. People will continue to want to post things that are personal. But there will always be some things they want to share with one group, but not another group. People have that assurance with email, texting, phone calls, etc... They expect the communication provider only sends it to the intended recipient(s). People expect their social network to do the same thing.

A provider may be required by law to share a communication with law enforcement by subpoena, and there may be occasional hacking of a communication system to intercept certain communications. But that is an inherent risk in any communication.
April 16, 2012 20:24
And when you're done, go to the upper-right hand corner of the window and select 'log out'.
April 18, 2012 2:25
I liked this article. I liked it so much that I translated it to Turkish and passed it along in my blog.

Thanks for the heads up.

Ozgur Cakmak
April 19, 2012 10:07
If you want to check it out:
May 09, 2012 14:56
I was having the same problem, few months back. Thanks to my social media genius uncle, he fixed it in no time :)


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.