Facebook Graph Search: Privacy Control You Still Don't Have
Facebook's Graph Search has certainly caused quite a stir since it was first announced two weeks ago. We wrote earlier about how Graph Search, still in beta, presents new privacy problems by making shared information discoverable when previously it was hard—if not impossible—to find at a large scale. We also put out a call to action—and even created a handy how-to guide—urging people to reassess their privacy settings.
By locking down your privacy settings, you can help prevent your information from appearing in searches run by strangers and protect your friends from showing up in results. (We've updated the how-to accordingly.) But even when you've set all your settings to "Friends" only, it turns out you can still appear in strangers' search results.
Some unwanted search results are through your associations with—and are therefore solely controlled by—your friends and family. This violates the principle of control of the Bill of Privacy Rights for social network users, and we urge Facebook to fix the problem by letting people opt out.
Actual Facebook Graph Searches
One notable blog that has been making rounds on the Internet is Tom Scott's Actual Facebook Graph Searches. Scott has compiled a number of unnerving—and in some cases, humorous—examples of Graph Searches.
A few stood out to us:
- Family members of people who live in China and like Falun Gong
- Mothers of Catholics from Italy who like Durex
- Spouses of married people who like Ashley Madison
- Mothers of Jews who like Bacon
These Graph Search results provide, as security expert Bruce Schneier has labeled, "incidental data"—data about or associated with you that other people post. The issue lies in the fact that the people who show up in such search results have no setting to control when they appear. As Facebook explained in a recent blog post, "You control who can see your friend lists, [but] your friends control who can see their friend lists."
Facebook's answer to this dilemma is for you to take it up with your friends. On Facebook's Graph Search privacy FAQ, it says, "If you're concerned about people searching for info about your friends, you can ask your friends to limit who can see their friends list as well."
This is no solution. First, you have no way of knowing your friend's settings—whether they publicly share their Likes, Friend lists, or any other of the myriad pieces of information on a Facebook profile. Second, you have no easy way of dissociating with your friends and relationships. No way, that is, except to unfriend them, and that hardly seems like the solution to this problem.
Tom Scott's Falun Gong example is a good hypothetical. Let's say you and your family live in China, and you have your sister listed under your "Relationships." You have the ability to make that relationship status as private as you'd like (e.g., visible only to friends); however, your sister could make it visible to the public. You may never know that sometime down the line she decides to publicly "Like" Falun Gong—and never have the opportunity to "ask your friends to limit who can see their friends list." The first notice that your friends' setting are too public should not be a knock on the door by the Chinese secret police.
This is a fundamental privacy issue. Before Graph Search, it would be extremely impractical to look through profile after profile to find the people who meet certain criteria—even if the information were set to public. If you tried to automate the search, you would run afoul of Facebook's anti-scraping defenses. Now that the search functionality is so easy, there is nothing you alone can do to stop it.
Fixing the Problem
So how do you fix this problem? Well, the immediately obvious solution is to allow users to opt out of Graph Search results. There is no way of telling what search queries lead to you as a result; honing in your or your friends' privacy settings becomes an exercise in futility.
And perhaps Facebook should also let you choose whose search results you show up in. Already you have fine control over individual pieces of information about you—your phone number could be visible to only your friends, but your listed websites could be made public. Why not extend this control to search results? Facebook's privacy settings already has a "Who can look me up?" section. Unfortunately the offered settings don't quite answer this question the way you think they might.
Graph Search is currently in beta, so only a small percentage of users can conduct searches. But everyone can end up in the results. We urge Facebook to address these issues before the feature is rolled out more widely.
Recent DeepLinks Posts
Sep 3, 2015
Sep 2, 2015
Sep 1, 2015
Sep 1, 2015
Aug 31, 2015
- Fair Use and Intellectual Property: Defending the Balance
- Free Speech
- Know Your Rights
- Trade Agreements and Digital Rights
- State-Sponsored Malware
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Bloggers' Rights
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Defending Digital Voices
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Encrypting the Web
- Export Controls
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2015 Copyright Review Process
- Genetic Information Privacy
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- Student and Community Organizing
- Stupid Patent of the Month
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- TPP's Copyright Trap
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- Video Games