I see a consistent level of posts on privacy subreddits asking if it’s possible to use Facebook while still retaining some level of privacy. So, is it possible? Yes, of course! Today I’m going to share with you how I would go about creating a Facebook account if I had to use it for whatever reason.
Now, let’s be cautious about our expectations here, because you may have to change the way that you use Facebook in order to avoid the worst of the privacy invasions. It’s still important to find alternatives to Facebook where we can and be mindful of limiting the ways in which we use this service.
Having said that, I understand that some people have a need for Facebook because they own a business, are required to use it for school, need specific groups to find housing, etc. Or, perhaps you want to eventually delete your Facebook account, but are looking for a stepping stone to slowly ease your way out of the service without immediately cutting all ties. There are many reasons why one might need to use Facebook, so let’s look at the best way to go about using the service while maintaining as much privacy as possible.
Since Facebook is such a pervasive presence on the web, I will cover both privacy tips from inside your account as well as tips for outside of your account so that you can stay off of Facebook’s radar as best as possible. Some of these tips should apply to you even if you don’t have a Facebook account.
1. DON’T Use the same Facebook Account you’ve had for a decade.
DO Make a new Facebook account and start with a clean slate.
I recommend that you delete your current Facebook account and start fresh with a new account if you intend to use Facebook for the foreseeable future. Now, with that said, don’t rush into this. First, you should request a report of the data that Facebook has on your account. This can take several days to prepare, so it’s important to be patient through this process.
Once your data is available, go ahead and download this (probably large) file. Skim through the data if you’d like to see what Facebook has associated with your account. It’s important to not make the mistake of thinking this is really everything, though. I doubt that Facebook will give you all of the “anonymized” data that it collects about you and shares with advertisers, since it’s technically not directly linked with your account.
Before you pull the plug on your old account, I would make sure your new account is up and running first. Make sure you can log in to it for at least a week, and make sure you don’t get caught in the fraud detection dragnet and have your account deleted for unnamed “terms of service violations.”
Perhaps it’s just wishful thinking to believe that Facebook won’t link the identity of the new account to your old account, but I still stand by this recommendation because, well, it can’t hurt and it’ll force you to reevaluate how you use Facebook.
2. DON’T Use Facebook with your legal name.
DO Use Facebook with a nickname or reasonable pseudonym.
When you sign up for your new Facebook account, don’t use your legal name or the same name as you had on the first account. Now, we can’t go wild here and put down anything. The best thing to use is a nickname, misspelling, or other reasonable pseudonym that would pass if Facebook ever forced you to submit an identification to verify your account.
Ideally, you won’t trigger Facebook’s fraud detection systems to require an identification. Unfortunately, Facebook and many other online services have been increasingly ramping up this invasive practice in order to counteract fraud on their sites. If it happens you will have limited options, often either to provide your ID, or lose the account.
3. DON’T Use your regular email address when creating your Facebook account.
DO Use an email address specifically created for your Facebook account only.
This is a big one that most people don’t do. I recommend that when you create your Facebook account, create a new email address that you use only for Facebook. It doesn’t really matter which service, except I would avoid any type of “burner” email services. You could use Gmail if you want to blend in more and have a reduced chance of triggering a fraud alert. Set any incoming messages to automatically forward to another email account that you check regularly.
The key point here is that we don’t want to tell anyone else but Facebook about this email address. The danger is that your friends and family members will often share their contact’s information with Facebook if it is saved in their phone. This can also happen if you give your email address to a business. They can submit that email address to Facebook Ads and both advertise to you directly and advertise to people who Facebook determines are similar to you.
Let us, as privacy-minded individuals, limit which contacts and business interactions Facebook knows about. This practice is crucial to prevent Facebook from making these links behind our backs.
4. DON’T Reuse a password on your Facebook account.
DO Make your Facebook password a new, randomly generated password that is as long as possible and stored in your password manager.
Using a password manager is one of those things that many people are hesitant to start doing, but it actually makes your life so much easier and at the same time greatly improves your security.
I can’t imagine going without my password manager now that I’ve gotten used to it. I only have to remember the master password to access the database, and I never have to come up with good passwords on my own because it will randomly generate strong, long passwords that I can auto-fill or manually copy and paste into login forms.
This is what you should use for your Facebook account, a randomly generated, long (~20+ characters), password with letters, numbers, and special characters that you have never used anywhere else. With the ease that a password manager affords this task, there’s no excuse not to have high standards for your passwords anymore.
Now, you may be wondering, “Which password manager should I use? There are so many out there. How do I know which one to trust with my most sensitive data?” This is a bit outside of the scope of this article so I will give you my quick answer here.
I don’t recommend browser-based password managers. Sometimes, these can store your passwords in plain-text on your computer and generally do not have all the features I look for in a password manager, especially a random password generator.
I like Bitwarden if you need to automatically sync your passwords between devices, and KeePassXC if you’d rather your passwords were saved locally on your device. They are both free and open source, and I like and have used both clients.
5. DON’T Give Facebook your regular phone number.
DO Give Facebook a separate phone number that you use for 2FA purposes only.
What I said about email addresses also goes for phone numbers. You should expect that any phone number you share with friends, family, and sometimes businesses, will be shared with Facebook as well.
I’d like to start the push here with my blog for everyone to get multiple phone numbers on their devices. I have several phone numbers that I use for various purposes. One I use for friends and family, another I use for 2-factor-authentication. I never use my SIM card phone number for anything since that is linked to my real-life location.
So, how can you get another phone number? The easiest way is to download the MySudo app that gives you a second phone number for $1/month. Personally, I use a custom Voice-over-IP (VoIP) set-up which I will be explaining in an upcoming article.
6. DON’T Use Facebook with a public profile.
DO Follow a guide to lock down all of your Facebook privacy settings.
Unfortunately, I don’t plan on creating a guide to walk you through the privacy settings within Facebook. This is because, one, I don’t have a Facebook anymore, and two, the settings change so frequently that it would quickly become out of date anyway.
So, if you’d like someone to walk you through and explain all of the Facebook privacy settings, I recommend finding one of the many guides that already exist on the internet. Alternatively, just go to your account settings and take some time to go through all the settings available to you and lock down everything you can.
Here are some settings I recommend: Set your profile to private so that only your friends (and Facebook) can see the content. If possible, remove yourself from search results so that your profile will not show up if someone searches your name. Turn off facial recognition services that automatically tag you in photos.
7. DON’T Use Facebook in the official app on your desktop or mobile device.
DO Use Facebook while isolated in:
- a separate browser that you use just for Facebook,
- a Facebook container for Firefox, or
- an open source wrapper application like Frost for Facebook or Slim Social.
Absolutely avoid downloading any official Facebook app to your devices. If the app came preinstalled as bloatware on your phone, revoke all permissions, disable the app, and never log in to it.
This is important because the Facebook app requires elevated privileges such as recording audio through your microphone and video or photos through your camera. It also collects unique device identifiers such as your IMEI (your phone’s serial number) and can collect your contact’s information.
We also don’t want to connect to Facebook in our regular browser that we use for everything else. This is because some data can be shared between different tabs in your browser.
Thus, we must isolate Facebook as much as possible. I recommend a separate browser that you use just for Facebook, a Facebook container for Firefox (this is done via the extension multi-account containers or Facebook container), or an open source wrapper application for Android devices such as Frost for Facebook or Slim Social which are available on F-Droid. See my article on F-Droid here to learn more about this alternative app store.
8. DON’T Use Facebook from your unmasked home IP address.
DO Protect your real IP address from Facebook by using a Virtual Private Network (VPN).
If you don’t use a VPN when you connect to Facebook on your home network, you make it extremely easy for Facebook to link your identity to everything else you do on the web through your IP address.
While there are other ways a Facebook tracker can identify you on the web, your IP address is a primary data point that Facebook can use to link unrelated activity back to your Facebook account even if you are not logged in. Using a trustworthy VPN is the best way to prevent this. I like and personally use Proton VPN. Although I pay for the service, they do have a free tier that works pretty well.
Be aware, though, that increasingly services are blocking VPN usage. They assume that VPN usage equals criminal and you increase your risk of triggering fraud detection systems by using one. The only other option if you run into this problem is to use a public WiFi network with an https connection when you need to access Facebook.
9. DON’T Share your contact list with Facebook.
DO Manually search for whatever friends you wish to add.
I’ve mentioned a couple of times now that you should assume your contacts are sharing your contact information with Facebook. Don’t make the same mistake. I consider it rude when someone shares my contact information with another party without asking first. Don’t be rude to your friends and family members.
The better way to go about this, even though it’s slightly less convenient, is to manually search for the friends you wish to add on Facebook. This keeps you in control. This way, you get to decide exactly which contacts you want Facebook to know about and exclude ones that you’d rather keep to yourself.
Also, by manually searching for your friends, you don’t give Facebook a dossier of every phone number, email address, and home address of everyone you’ve ever met. If more and more of us stop sharing our contact data with Facebook, their power to map out social circles and create “shadow” profiles for people who don’t have Facebook accounts would drastically decrease.
10. DON’T Create any posts, share any images, or interact with posts.
DO Use Facebook strictly as a “fly on the wall.”
I realize this advice may be unrealistic for some of my readers, especially if you use Facebook for your business. You can break this rule, but I encourage you to be very mindful about what you do post on Facebook. Here are some privacy tips on how to post on Facebook safely
Be extra cautious about posting any personal information to Facebook. I recommend that you should never post, comment, or message, anything revealing your political or religious views, medical conditions, or location, especially the location or pictures of your home. Remember that anything you share with Facebook is permanent, it cannot be taken back. Also, please don’t post anything about your vacation plans, since you may be broadcasting this information to criminals that could be looking for the best time to invade your home. At the very least, wait until after you get home.
If you really need to post an image, remember to remove the EXIF metadata on the photos before posting. This metadata could reveal the location where the photo was taken or your device model. Please be mindful of the faces and people in your photos, since Facebook is notoriously scraped for facial recognition data. If there are other people in your photos, always get permission from those people before posting the photo online; it’s the respectful thing to do.
You may not think this data is very interesting, especially if you view yourself as a boring, law abiding citizen, however this data is very valuable to insurance companies, hiring managers, facial recognition companies, contact tracers, political groups, data brokers, and the list goes on. It does not matter who you are, if you are a living, breathing person, your data will be used against you and to manipulate you.
11. DON’T Use Facebook Messenger.
DO Take the conversation to another platform if someone sends you a message.
Anything you type into Facebook Messenger can also be used to profile you. Your other friends might not see the conversation, but Facebook certainly still does. Anything you wouldn’t post on your feed, think twice about putting into Facebook Messenger. The internet is permanent.
If someone does message you through Facebook, it’s best to direct the conversation to another platform, ideally a private one such as Signal. This doesn’t mean that you have to have a big privacy discussion with this person, you could simply say something like, “Hey, I don’t check Facebook Messenger very often, could we have this conversation over text instead? I would appreciate that so I can get back to you sooner.”
If this person really wants to talk to you, they will more than likely accept your request. People like to be helpful. Not everyone will want to switch, however, and you should be respectful if someone doesn’t want to switch because they don’t have enough storage space for another app on their phone, for example. Find a solution that works for both of you.
If someone really insists on remaining on Facebook Messenger, you don’t have to talk to them about personal topics. If someone asks you something personal, you could simply say “You know, I can’t talk about that over Facebook. Maybe we can have this discussion in person the next time I see you.” They might call you paranoid, but it might also spark an understanding and reflection on their own use of the platform. The best way to influence people on issues like this is to lead by example.
12. DON’T Mindlessly browse Facebook when you are bored.
DO Identify the reasons why you need Facebook and limit your use to only those activities.
Many people ask, “If I never post on Facebook, but just read posts from other people, are there still privacy concerns?” The answer is, unfortunately, yes. Facebook keeps track of which posts you stop to read, which posts you click on, and which posts you interact with. Even if you never posted anything on Facebook, but just browsed your feed occasionally, Facebook still has the capability of learning about your interests, and will categorize you based on this information.
However, the good news is that their ability to accurately profile you is reduced. The more you use Facebook, the better their ability to profile you is. This is why I recommend that you limit your use of Facebook as much as possible, and work to eliminate it eventually, if possible.
Identify the specific reasons why you need Facebook, and limit your use to those activities only. Do you need Facebook as a school requirement? Do you need Facebook for your business? Do you need Facebook to talk to that one friend that refuses to switch platforms? Identify those reasons and don’t fall into Facebook’s additive trap.
13. DON’T Use a browser without any privacy protections.
DO Use a browser set up with ad-blocking and script blocking to block Facebook tracking throughout the web.
If you really want to keep your data away from Facebook, you’ve got to understand the ways in which Facebook invisibly tracks us in the background even when we’re not on their website. If you’ve never heard of this before it may sound a bit scary, so let’s break down how this tracking happens and what we can do to prevent it.
Anytime you see a website with a Facebook share or like button, this functions because the site has embedded code written by Facebook into their page. This code let’s Facebook see some data about each user that visits the page, regardless of whether or not the user clicks on the button.
A Facebook “Pixel” works similarly but serves to give advertisers analytics information on their users to better target ads. For example, a website owner with a Pixel embedded on their website could re-target anyone who adds a product to their cart but doesn’t check out. As opposed to the share button, this code is truly invisible to the end user without special tools.
This type of tracking is typically called “fingerprinting,” since they take data such as your IP address, your browser version, your operating system, etc. to create a unique “fingerprint” of data points. These data points can then be matched up to a number of other interactions with the same fingerprint to ultimately identify you as an individual.
The best way to prevent this type of tracking is to use an ad blocker that blocks Javascript. I will soon be publishing a full guide on how to do this with uBlock Origin, from the initial set up to everyday use, so check back soon.
14. DON’T Use your Facebook account to log in to other, unrelated services.
DO Make new accounts by providing unique usernames and passwords.
When creating a new online account, you’ve probably seen the buttons that say “Login with Facebook” or “Login with Google.” While it’s slightly more convenient to not have to come up with a new password and remember it later on, the tradeoff is not worth it in the slightest.
The way I see it, these login features try to solve a problem that is much better solved by simply using a good password manager. With a password manager I can use the random password generator to easily come up with a strong, unique password and I never have to remember it because I can copy/paste or auto-fill my login details every time I need them.
Taking it a step further, I can also use an email alias service like Anon Addy or Simple Login to have unique email addresses for all my accounts. These are then also recorded in my password manager.
You might be concerned that both of these solutions result in a single point of failure. With the password manager, if someone got access to this and found out my master password, it’s game over for my accounts. The same is true with the Facebook login, plus one of the biggest advertisement companies in the world now knows exactly which other websites I use as well as how often I use them.
I’ll explain in more detail why I’m not very concerned about the single point of failure of a password manager and ways that you can improve its security in an upcoming article.
15. DON’T Rely on Facebook for everything.
DO Try to begin finding replacements for functions on Facebook that you find useful and work towards eventually deleting your account.
The sad truth is that Facebook is just too aggressive in harvesting user data and tracking you across the web that it just isn’t possible to use the service 100% privately. You’re going to have to make some tradeoffs and decide what matters to you based on your own threat model.
If you’d like to be free from Facebook’s dragnet but just aren’t quite ready to make the plunge and fully cut ties, here’s my advice: Practice some or all of the steps above, but work towards finding replacements for Facebook and prepare to eventually delete your account. It doesn’t have to happen all at once, but the less you rely on Facebook, the less power you give them.