Here’s how Facebook’s Open Graph search could get you in trouble

cautionHave you played with Facebook’s Open Graph search yet?

Facebook’s new search tool is now available to all American users. The rest of the world still has to request its preview here.

Your search bar is now much more prominent in the interface and you should expect it to start playing a much bigger role in how people use the site. The tool mixes a little bit of fun with a little bit of creepiness. And while it’s definitely more useful that Facebook’s old search, it could get you in some trouble.

The good news is that the search respects your privacy settings. The bad news is a lot of people don’t seem to be that careful with their privacy settings.

We tested out these searches and were shocked by how many many profiles actually came up:

Screen Shot 2013-07-09 at 5.51.30 PM

Screen Shot 2013-07-09 at 5.53.44 PM

Screen Shot 2013-07-09 at 5.55.00 PM

How do you know if you’re protected from embarrassing searches?

We’ve made it easy to check. You can use our Safe Profile Beta app and get your privacy score and recommendations now.

Or you can check manually by clicking on the lock on the upper right corner of any Facebook page for “Privacy shortcuts”.

Screen Shot 2013-07-10 at 4.41.22 PM
Click on “Who can see my stuff?” then “What do other people see on my timeline?”

You’ll see what’s available to the “Public” your “Friends” or a specific person could find as they search for you.

If you’re not happy with anything that may come up, here’s an excellent guide for locking your profile down.

Open Graph search makes the information on your “About” page as well as the privacy settings of your “Friends”, “Photos” and “Likes” more important than ever. So be sure to check out the first four sections of this guide.

And — to be extra safe — I’m going to remind you to run Safe Profile beta, again. And if you do, let us know what score you got in the comments.



[Image by Eugene Zemlyanskiy via Flickr.com]


More posts from this topic


Why Cameron hates WhatsApp so much

It’s a well-known fact that UK’s Prime Minister David Cameron doesn’t care much about peoples’ privacy. Recently he has been driving the so called Snooper’s Charter that would give authorities expanded surveillance powers, which got additional fuel from the Paris attacks. It is said that terrorists want to tear down the Western society and lifestyle. And Cameron definitively puts himself in the same camp with statements like this: “In our country, do we want to allow a means of communication between people which we cannot read? No, we must not.” David Cameron Note that he didn’t say terrorists, he said people. Kudos for the honesty. It’s a fact that terrorist blend in with the rest of the population and any attempt to weaken their security affects all of us. And it should be a no-brainer that a nation where the government can listen in on everybody is bad, at least if you have read Orwell’s Nineteen Eighty-Four. But why does WhatsApp occur over and over as an example of something that gives the snoops grey hair? It’s a mainstream instant messenger app that wasn’t built for security. There are also similar apps that focus on security and privacy, like Telegram, Signal and Wickr. Why isn’t Cameron raging about them? The answer is both simple and very significant. But it may not be obvious at fist. Internet was by default insecure and you had to use tools to fix that. The pre-Snowden era was the golden age for agencies tapping into the Internet backbone. Everything was open and unencrypted, except the really interesting stuff. Encryption itself became a signal that someone was of interest, and the authorities could use other means to find out what that person was up to. More and more encryption is being built in by default now when we, thanks to Snowden, know the real state of things. A secured connection between client and server is becoming the norm for communication services. And many services are deploying end-to-end encryption. That means that messages are secured and opened by the communicating devices, not by the servers. Stuff stored on the servers are thus also safe from snoops. So yes, people with Cameron’s mindset have a real problem here. Correctly implemented end-to-end encryption can be next to impossible to break. But there’s still one important thing that tapping the wire can reveal. That’s what communication tool you are using, and this is the important point. WhatsApp is a mainstream messenger with security. Telegram, Signal and Wickr are security messengers used by only a small group people with special needs. Traffic from both WhatsApp and Signal, for example, are encrypted. But the fact that you are using Signal is the important point. You stick out, just like encryption-users before. WhatsApp is the prime target of Cameron’s wrath mainly because it is showing us how security will be implemented in the future. We are quickly moving towards a net where security is built in. Everyone will get decent security by default and minding your security will not make you a suspect anymore. And that’s great! We all need protection in a world with escalating cyber criminality. WhatsApp is by no means a perfect security solution. The implementation of end-to-end encryption started in late 2014 and is still far from complete. The handling of metadata about users and communication is not very secure. And there are tricks the wire-snoops can use to map peoples’ network of contacts. So check it out thoroughly before you start using it for really hot stuff. But they seem to be on the path to become something unique. Among the first communication solutions that are easy to use, popular and secure by default. Apple's iMessage is another example. So easy that many are using it without knowing it, when they think they are sending SMS-messages. But iMessage’s security is unfortunately not flawless either.   Safe surfing, Micke   PS. Yes, weakening security IS a bad idea. An excellent example is the TSA luggage locks, that have a master key that *used to be* secret.   Image by Sam Azgor

November 26, 2015

POLL – Is it OK for security products to collect data from your device?

We have a dilemma, and maybe you want to help us. I have written a lot about privacy and the trust relationship between users and software vendors. Users must trust the vendor to not misuse data that the software handles, but they have very poor abilities to base that trust on any facts. The vendor’s reputation is usually the most tangible thing available. Vendors can be split into two camps based on their business model. The providers of “free” services, like Facebook and Google, must collect comprehensive data about the users to be able to run targeted marketing. The other camp, where we at F-Secure are, sells products that you pay money for. This camp does not have the need to profile users, so the privacy-threats should be smaller. But is that the whole picture? No, not really. Vendors of paid products do not have the need to profile users for marketing. But there is still a lot of data on customers’ devices that may be relevant. The devices’ technical configuration is of course relevant when prioritizing maintenance. And knowing what features actually are used helps plan future releases. And we in the security field have additional interests. The prevalence of both clean and malicious files is important, as well as patterns related to malicious attacks. Just to name a few things. One of our primary goals is to guard your privacy. But we could on the other hand benefit from data on your device. Or to be precise, you could benefit from letting us use that data as it contributes to better protection overall. So that’s our dilemma. How to utilize this data in a way that won’t put your privacy in jeopardy? And how to maintain trust? How to convince you that data we collect really is used to improve your protection? Our policy for this is outlined here, and the anti-malware product’s data transfer is documented in detail in this document. In short, we only upload data necessary to produce the service, we focus on technical data and won’t take personal data, we use hashing of the data when feasible and we anonymize data so we can’t tell whom it came from. The trend is clearly towards lighter devices that rely more on cloud services. Our answer to that is Security Cloud. It enables devices to off-load tasks to the cloud and benefit from data collected from the whole community. But to keep up with the threats we must develop Security Cloud constantly. And that also means that we will need more info about what happens on your device. That’s why I would like to check what your opinion about data upload is. How do you feel about Security Cloud using data from your device to improve the overall security for all users? Do you trust us when we say that we apply strict rules to the data upload to guard your privacy?   [polldaddy poll=9196371]   Safe surfing, Micke   Image by balticservers.com  

November 24, 2015

A temporary profile picture but permanent app permissions

We are all sad about what’s happened in Paris last Friday. It’s said that the terrorist attacks have changed the world. That is no doubt true, and one aspect of that is how social media becomes more important in situations like this. Facebook has deployed two functions that help people deal with this kind of crisis. The Safety Check feature collects info about people in the area of a disaster, and if they are safe or not. This feature was initially created for natural disasters. Facebook received criticism for using it in Paris but not for the Beirut bombings a day earlier. It turned out that their explanation is quite good. Beirut made them think if the feature should be used for terror attacks as well, and they were ready to change the policy when Paris happened. The other feature lets you use a temporary profile picture with some appropriate overlay, the tricolor in this case. This is a nice and easy way to show sympathy. And it became popular very quickly, at least among my friends. The downside is however that it seemed so popular that those without a tricolor were sticking out. Some people started asking them why they aren’t supporting the victims in Paris? The whole thing has lost part of its meaning when it goes that far. We can’t know anymore who genuinely supports France and who changed the picture because of the social pressure. I changed my picture too. And it was interesting to see how the feature was implemented. The Facebook app for iOS 9 launched a wizard that let me make a picture with the tricolor overlay. Either by snapping a new selfie or using one of my previous profile pictures. I guess the latter is what most people want to do. But Facebook’s wizard requires permissions to use the camera and refuses to start until the user has given that permission. Even if you just want to modify an existing picture. Even more spooky. The wizard also asked for permission to use the microphone when I first run it. That is, needless to say, totally unnecessary when creating a profile picture. And Facebook has been accused of misusing audio data. It’s doubtful if they really do, but the only sure thing is that they don’t if you deny Facebook microphone access. But that was probably a temporary glitch, I was not able to reproduce the mic request when resetting everything and running the wizard again. Your new profile picture may be temporary, but any rights you grant the Facebook app are permanent. I’m not saying that this is a sinister plot to get more data about you, it may be just sloppy programming. But it is anyway an excellent reminder about how important the app permissions are. We should learn to become more critical when granting, or denying, rights like this. This is the case for any app, but especially Facebook as its whole business model is based on scooping up data about us users. Time for an app permission check. On your iOS device, go to Settings and Privacy. Here you can see the categories of info that an app can request. Go through them and think critically about if a certain app really needs its permissions to provide value to you. Check Facebook's camera and microphone permissions if you have used the temporary profile picture feature. And one last thing. Make it a habit to check the privacy settings now and then.   [caption id="attachment_8637" align="aligncenter" width="169"] This is how far you get unless you agree to grant Facebook camera access.[/caption]   [caption id="attachment_8638" align="aligncenter" width="169"] The Settings, Privacy page. Under each category you find the apps that have requested access, and can select if the request is granted or denied.[/caption]     Safe surfing, Micke   PS. The temporary profile picture function is BTW simpler in Facebook's web interface. You just see your current profile picture with the overlay. You can pan and zoom before saving. I like that approach much more.   Photo by Markus Nikander and iPhone screen captures    

November 16, 2015