Facebook Graph Search

Security Must-Do’s For Facebook Graph Search

Facebook finally pulled the covers off its much-anticipated (or dreaded) Graph Search feature on Monday, after about six months in beta. The new search feature greatly expands the kinds of information Facebook users can access about other users of the social network, making it easy to cross-reference data stored in Facebook profiles. For example, users can easily call up a list of their “friends who live in Boston” and like the show “Arrested Development.” Fun!

But, as has been noted, Graph Search is also a social engineer’s dream, because it lays bare lots of information – data – that Facebook users shared casually, and without a thought of how it might be used in combination with other data they shared. For example, researchers have shown that they can use knowledge of a Facebook user’s “Likes” to “automatically and accurately predict a range of highly sensitive personal attributes including: your age and gender, your sexual orientation, ethnicity, religious and political views.”

And, in May a security researcher released a new module for Recon-ng, an open source “web reconnaissance framework,” that allows anyone with a Facebook Developer account to use Graph Search and Recon-ng’s features to harvest phone numbers associated with Facebook user accounts.

Facebook officially launched its Graph Search feature, raising privacy concerns.

It’s probably too late to undo all the revealing interactions you’ve had with the world’s most populous social network. So what’s a privacy-conscious user to do? Here are some security must-do’s now that Facebook’s Graph Search is a reality:

Check out your Activity Log

Put simply: Graph Search collects information on what you do on Facebook, excluding only what you explicitly tell it to overlook. That’s why the first thing you should do to get a sense of what Graph Search might “find out” about you is to visit your activity log and see what’s there. Click on the Lock icon in the upper right corner, click the Who Can See My Stuff option, then click the Use Activity Log link that’s provided. It will bring you to your Facebook activity log. Depending on how frequent a Facebook user you are, this may have reams of entries, or just a handful. Using the settings provided, you can determine whether each item appears on your timeline and who in your Facebook network can view it. The process for controlling individual items can be time consuming, but it’s the best way to spot potential landmines in your social graph.

Hide your info

Graph Search can’t reveal information about you that you want to keep private on Facebook. But its power is really in assembling a pretty good (or amusing) profile of you based on the seemingly innocuous data and “likes” that you do share. The moral: stretch your privacy umbrella. Start by looking at what strangers can see about you on Facebook.

There are a bunch of ways to do this. But start by clicking that “lock” icon in the upper right-hand corner. Next, click the See More Settings option to view the full privacy dashboard. The meat of what you need to limit the spread of your private information is in the left-hand column under the Privacy and Timeline and Tagging settings. That’s where you can set the default audience for new wall posts, determining whether they’re visible to everyone (“Public”), your “Friends,” or “Friends of Friends.” Generally, the more restrictive you are, the less information will be exposed to Graph Search queries.

Hide your friends

One of Graph Search’s most powerful features for a potential attacker is its ability to crawl your social graph – that is, your network of friends. Of course, that’s useful for you, but multiplied across Facebook’s 900 million strong user base, it’s a privacy nightmare. Specifically: you have no control over your friends’ privacy settings, as the Electronic Frontier Foundation has noted. To the extent that you appear on their wall posts or in photos that they control, that information is searchable by Graph Search.

The least you can do is control public access to your social graph, so you don’t unwittingly expose friends to Graph Search’s prying eyes. From your Facebook profile page, click Friends, then click the Edit button (the pencil icon). Then select the Edit Privacy option to restrict access to your Friend list.

Hide your Photos

Photographs often get overlooked, because they’re managed separately from your wall posts, and because it’s easy to forget what photos we’ve been tagged in over the years. Alas, Graph Search makes it all too easy to search for photos of just about any Facebook user. To see what photos you appear in, just type “Photos of Me” into the Graph Search field. You’ll see both the photos you’ve shared and those other users have shared. For the photos that you uploaded, go to your Facebook profile page, click Photos and then click Albums. For each photo album, you can change the audience. Make sure your albums aren’t visible to the public or other equally expansive groups of users (Friends of your 900 Friends, etc.). For photos that you didn’t post, your options are more limited. You can remove the photo from your timeline. More pointedly, you can ask to be untagged from the photo and/or ask the Facebook user to take the photo down – but that’s at their discretion, and merely removing a photo from your timeline won’t make it invisible to Graph Search.

Ok. Ok. There’s no real “manual” for Graph Search. But Facebook does have some pages devoted to Graph Search’s proper use and steps for protecting the privacy of your information. It’s worth your while to familiarize yourself with what Facebook has to say about their own feature. Check it out here.

Good luck!
