Having found myself roped into assisting as co-administrator a couple of Facebook groups with security/privacy issues, I thought I should, perhaps, share what little I know about defending your group against scam and spam posts and comments by tightening up group settings.

Caveat: I’ve never really wanted to spend a lot of time administering Facebook groups – in fact I’ve only created one myself that is still active, and I’ll tell you why later – and I haven’t made a lifetime study of the subject. Not even Facebook’s lifetime, let alone my own, which at present is many times longer than Facebook’s. It’s possible, therefore, that I’m not always accurate in my assumptions, and also that an assumption that was accurate when I wrote this was rendered false by changes made by Facebook the day after. But I’ll be as painstakingly accurate as I can. As usual.

Facebook tends to assume that your main ambition and purpose in life is to grow your group at all costs, and preferably devote several hours a day to that task. In fact, there are two main types of groups: private and public.

https://www.facebook.com/help/220336891328465/

Private Groups

A private group is one where only members of the group can see posted content and who are the admins. Furthermore, a private group can be hidden (secret) so that (hopefully) no one can see the group unless they’re already members, or are invited to join. This gives the administrator(s) something close to absolute control over who posts and what is posted, and is particularly appropriate for groups where sensitive information is exchanged. The more tightly controlled the group is, the harder it is for fake profiles to join.

That said, it’s a good idea to remember that Facebook sees everything (or can if it wants to), and is not always scrupulous when it comes to maintaining your privacy: even if/when that’s the company’s intention, it can make mistakes, and its policies and algorithms are generally opaque.

https://www.facebook.com/help/220336891328465/

The trade-off with a private group is that if you’re intending to grow your group, it’s harder for someone who might be interested and an appropriate potential member to happen across it and apply to join.

If you’re attracted by the privacy advantages of a private group and are considering making your public group private, bear in mind that once you’ve gone that route, you can’t revert it to a public group, because that constitutes a breach of the group members’ privacy.

https://www.facebook.com/help/286027304749263?helpref=faq_content

Formerly, this restriction only applied to groups with over 5,000 members, but now applies wholesale.

I don’t administer any private groups, so I shan’t risk any hostages to fortune by considering their privacy settings in detail. It’s worth noting, though, that while even Facebook’s own help pages sometimes contradict each other, it does seem as though there are other restrictions on large (5,000+) groups, such as how often and how many privacy changes can be made.

If this page – https://www.facebook.com/help/214260548594688/ – is still accurate, the settings you can change include enforcing membership approval by an admin or moderator for each subscription request. You can also require the requester to answer one or more questions and base your decision on whether or how the question(s) is or are answered.

Public Groups

Fortunately, since I was first pressganged into helping administer a group, some of the privacy settings formerly unique (as far as I know) to private groups are now available to public groups. While the enforced changes caused some confusion and consternation at first, they seem to me to be an improvement, on the whole. (Gosh, am I saying something positive about Facebook???) Since public groups are, by definition, easier to find, join and share than closed or secret groups, even the most open-by-intent group needs to think about its privacy settings if it’s to avoid some of the unpleasant spam/scam material that may be posted to a group if settings allow. Such material includes, but is certainly not limited to the following, more often than not posted from fake or cloned profiles:

• Sympathy scams like the posts described here: https://chainmailcheck.wordpress.com/2023/05/13/abusing-communities/
• Pornographic images, often masquerading as videos, that may attract group members to unhealthy links. These may be intended to trick you into giving away sensitive information, but they may also be intended to upload malware to your device.
• Fake news about dead or disabled celebrities, again leading to dangerous links.
• Posts about alleged offers by retailers such as supermarkets giving away coupons or even cash.
• Recommendations for product links that are at best irrelevant, possibly malicious.

And much more, but I’m not making a special effort to track all these: the above examples are just items that have crossed my radar recently.

When I actually created a group – at any rate, one that is still active – it was in order to replace a page that was becoming increasingly frustrating to administer due to changes introduced by Meta that were overcomplicated, bug-ridden, and based on the assumption that I was running it as a commercial enterprise and constantly needed reminding to take actions that would increase my visibility and non-existent profits (usually by paying Meta for a service I didn’t want). Fortunately, I discovered that I could maintain some visibility (in fact, a public group is required to be visible, not secret) and still get most of the control I wanted. Sorry, but if you want more information on maintaining the security and privacy of Facebook pages, you’ll have to look elsewhere. (Life’s too short: well, mine is probably going to be, and there are other things I want to write about.)

Here’s a selection of the most relevant settings.

• Participant Approval – if this is off, anyone on Facebook can post or comment, and group members can join chats. (One of the issues I’ve seen kill a group recently was fake profiles posting porn/scam links to chats linked to the group.) If it’s on, however, members and visitors must be approved to post or comment, and only (approved) members can participate in chats.
• You can also allow both profiles and pages to contribute, or else just profiles. Since some scams are driven by pages masquerading as profiles (only an admin can post to a page, so it’s difficult to flag a scam actually posted on the page), there’s something to be said for not allowing pages. But profiles can, of course, be fake.
• You can ask up to three questions and invite anyone requesting approval as a member or visitor to answer them: if they don’t answer or answer inappropriately, you can decline to approve them, if Participant Approval is on.
• You can choose whether or not to allow anonymous posts and edits. My guess is that this will be more desirable in some groups than others: sometimes it’s fair to be reluctant to be identified, but sometimes that privilege can be abused.
• You can require an administrator or moderator to approve all posts. Clearly, this could be a lot of work in a popular group, but allows control of obviously malicious posts.
• You can set it so that potential spam posts and comments are held for your approval as an admin.
• You can set it so that edits to posts must be approved: this helps to address cases where an approved post is edited maliciously by changing a link from something innocuous to something harmful.
• You can set it so only admins and moderators create chats, or you can set it so that approved members can also create chats.
• You can allow or disallow whether events, tag events, polls or GIFs can be posted.

NB: the more relaxed your settings, the more you’ll need to set your notifications so that you get to see everything incoming and remove as necessary. Irritating if you happen to have a life outside Facebook, but there it is.

Note also that you can also notify Facebook in many cases for them to run a review: however, if their algorithms are not up-to-scratch (impossible, do I hear you say?) you may find that the thing pops up again and you get a message telling you that the post or comment didn’t contravene their community standards. Sigh…

David Harley
Reluctant FB Group Administrator

*** This is a Security Bloggers Network syndicated blog from Check Chain Mail and Hoaxes authored by David Harley. Read the original post at: https://chainmailcheck.wordpress.com/2023/12/23/group-therapy-security-and-privacy-in-facebook-groups/