Facebook Groups: Reducing Risks

Facebook groups are used to bring together people with a common interest for the purpose of communicating, sharing news, and collaborating on projects. Many different kinds of groups exist, and their uses range from organizing a fan fiction gathering to spreading the word about a political rally or cause. Facebook groups were not designed for secure collaboration, but as the popularity of Facebook grows, they are inevitably used by many to coordinate work that may be vulnerable to sabotage or surveillance by other, malicious Facebook users or governments.

In the early days of the social media platform, Facebook sometimes deleted large politically active Facebook groups without warning, and the company has a reputation for changing privacy settings in unclear ways. If you are discussing sensitive issues, it may be better to consider other tools or sites that make security and privacy a priority.

That may be impracticable if your audience is unwilling or unable to move from Facebook. So, if you've been tasked with creating a Facebook group for a sensitive topic or vulnerable community, or are the administrator of one, here are a few things you should consider.

Adjust your group’s privacy settings

Before creating a group, think about your purpose and goals. Are you hoping to use a group to discuss a controversial topic? Start a political movement? Who do you wish to publicize your group to? Will group members want to keep their membership confidential? From whom? These considerations will help you determine your threat model and which privacy setting is best for you.

Unlike Facebook pages, which are used to publicly represent a brand, business, organization, or public figure, groups are not always public (viewable to anyone on Facebook). When you create a group, you can choose one of three privacy settings—Public, Closed, or Secret. This chart shows who can join these groups and what people can see about them according to the privacy setting that is chosen.

Public Facebook groups are visible to anyone on Facebook, including unfriendly users or government actors. And both Public and Closed Facebook groups can be found in search. This is particularly important to keep in mind if your Facebook group is being used for a political purpose.

If you've already created a group and would like to adjust its privacy settings, all administrators of the group have the ability to change the settings. However, the privacy of groups with 5,000 members or more can only be changed to a more restrictive setting (example: Public to Closed, or Closed to Secret) to protect members of these groups from having their posts shared with audiences they didn't intend. If you decide to change your group's privacy to a more restrictive setting, you only have 24 hours to change it back before it's locked into place. No matter the size of the group, all members will receive a notification when the privacy settings are changed.

Note that malicious flagging, according to Facebook, does not result in removal of content if the content does not violate Facebook’s Community Standards; however, erroneous takedowns do still happen. Facebook might also be compelled to hand over the list of group members through a legal order.

Establish group rules

You may consider establishing other rules or guidelines for your group to encourage constructive engagement and help protect the privacy of your group members. While group rules can be difficult (or even impossible) to enforce, they help define the purpose of your group and determine what conversations are best had in the group versus elsewhere. Your members should know that in addition to any rules you’ve established within the group, they are also subject to Facebook’s Community Standards and Terms of Use. Remember that group members may blatantly disregard rules, so to determine what security solutions will work best for your group, we suggest conducting a threat modeling assessment. Check out our guide to threat modeling for more details.

Know your group’s admins and moderators

Administrators have a great deal of power over the privacy settings and membership of groups. Only a group admin can appoint other group members to be admins. Admins can change a group's settings, manage content, and control the membership of the community. There can be multiple admins per group, so it’s important to know who holds that role. An admin is different from a moderator. Moderators can manage content and membership, but can’t change group settings. Click here to learn how to remove admins or moderators from their roles.

If an admin adds someone to a Public or Closed group, contacts in that individual’s network may see, via News Feed or search, that they have been invited to or joined a group. This is important to remember in situations where a person does not want others to know they associate with your group, or it is illegal for them to do so. As such, you may want to consider setting your group privacy to “Secret.”

If the group admin allows, group members may add anyone they are friends with to the group. Users don’t get a choice when they are added to a group. That means that someone could maliciously add you to a defamatory group (“The Terrible People Who Are Plotting The Downfall of The Government Group”). You can always leave a group.

A note on Facebook’s authentic names policy, and the anonymity of administrators

Facebook does not allow the use of pseudonyms. Users can only use their “authentic identities”—the name their friends call them in everyday life and that an acceptable form of identification can show. While group admins often have good reason for wanting to protect their identities, a group admin who does use a pseudonym could be reported and subsequently suspended for violating Facebook’s authentic identity policy. If this happens and no admins remain in the group, Facebook checks whether any moderators remain in the group. If yes, all current moderators are offered the role of admin until one person accepts the role. If the group has no moderators either, all group members receive a “Make me an Admin” option or a “Suggest an Admin” option. Consider having at least one administrator use a known name: potentially someone who can safely attach his or her identity to the group.

Block unwelcome users

You may have good reason to block a group member. Maybe they are a community member who violated the group rules or an outsider who has managed to join the group. Only an admin can remove or block someone from a group. Group admins who want to ensure their group is not visible to a former member should block that user. Members who are blocked by a group’s admin can no longer see the group or any information about it. Check out this chart for more information.

Former members who have voluntarily left a group may still have access to some of its information, such as its name, description, and tags. For example, former members of a secret group can still find the group in search, see the group's description, and see the group tags.

Know what happens to content on Facebook when it is deleted

Facebook reserves the right to delete Facebook groups that violate its (extremely broad) terms of service. If this happens to your group, you could not only lose previous messages and discussions from your group members, you could also lose access to your membership list, which means that unless you have kept separate track of your members’ names, you will be unable to re-contact your supporters or community following a group deletion.

There's still a lot we don't know about the removal requests Facebook receives from governments, law enforcement, and individuals; however, we do know that such requests can often be political in nature—especially in places around the world where the right to free speech and association is not always honored.

You can also choose to deliberately delete a group. A group creator can delete a group by removing all of its members and then themselves. Deleting a group is a permanent action and it cannot be reversed. Admins can’t delete a group they didn’t create unless the creator chooses to leave the group first. Admins can, however, archive a group. Archiving a group means it won't appear in search results to non-members, and no new members can join the group. Groups can be unarchived by any admin. To learn more about the differences between archiving and deleting groups, click here.

Additional information about what happens to content on Facebook when it is deleted can be found in Facebook’s privacy policy. Even if you’ve deleted data, it may still be accessible to Facebook—particularly if a law enforcement agency has requested the data be preserved. Facebook’s Guide for Law Enforcement (current as of 01-20-2017) states, “We do not retain data for law enforcement purposes unless we receive a valid preservation request before a user has deleted that content from our service.”

With these considerations, you are now able to make an informed decision about whether a Facebook group is the appropriate tool for your needs.