Facebook Graph Search tools are down: why that might not be a bad thing

Over the past few days, Facebook has taken steps to restrict third party access to a little understood feature called Graph Search.* Among other things, this feature was used by open source investigators, human rights researchers and investigative journalists to support a lot of their valuable work. Closing Graph Search access to third party tools like IntelTechniques and Graph.Tips has resulted in much uproar on Twitter, and now in media reporting, about the control platforms have over journalists’ access to tools and features. Over the past eight years, this is a pattern that has happened over and over again, with many useful tools like YomaPic, Gramfeed, Panoramio (and less useful ones like Facebook Signal) disappearing quietly due to API changes or data removal, leaving journalists and investigators frustrated and stuck with ever fewer ways to practice open source methods of investigation that had real impact.

*it’s not totally clear what Facebook has done, as they aren’t really talking about it, which is annoying and a problem, but not really what we’re discussing here.

I hear and feel the frustration, and without question Graph Search was used for extremely important work. But here I want to argue that Facebook closing developer access to Graph Search in the form it has existed for many years might actually be the right decision.

First off, what could Graph Search do? Put extremely simply, any Facebook user could use a number of freely available tools to find “public” datapoints about other Facebook users, in a way that is not easily accessible using the Facebook search interface.

Why is that useful to human rights researchers? Well, it allows us to find content that is invaluable for investigations — documenting people’s location at certain times, understanding connections between people, seeing what groups people affiliated with, and much more. There is no doubt that much of what we know about certain cases and stories would not have been discoverable if not for Graph Search. I have myself trained journalists and investigatirs around the world in how to use Graph Search for these ends.

But at a fundamental level, Graph Search investigations are based on a Facebook privacy vulnerability. Graph Search use by investigators is based on the gap between what people understand to be publicly accessible data (and by this I mean photos, videos, group memberships, friendship networks, comments, posts, likes) about themselves, and what is actually publicly accessible about themselves. Further, it exploits the gap between what Facebook users understand they can control about what is publicly accessible data, and what they don’t know they can’t control, due to Facebook’s ever changing and often flawed privacy controls.

The average Facebook user, for example, might think that if they mark their profile as private and undiscoverable, then their information would not be visible to the “public” through Graph Search, which seems a reasonable assumption. Not so! In reality, however, there may be data (photos, videos, group memberships, friendship networks, comments, posts, likes) available, either because (an inexhaustive list):

• You changed your privacy settings at some point, and as a result not everything you think is private is private. Or,
• You’re friends with someone who posts a photo with you, and their privacy settings are more open than yours. Or,
• You interacted with someone else’s content that wasn’t marked fully private.

Frankly I don’t fully understand how all the content accessible via Graph Search came to be so, and I suspect many of the investigators using it don’t either. My point is there are many ways data could unexpectedly be public.

This meant that the theoretical cartel boss who is on Facebook but keeps a very “locked down” profile might still be discoverable to a journalist (or law enforcement, or his rivals, or, well, anyone) if one of his friends at some point in time posted a photo of them together, at a point in time where their privacy settings weren’t similarly “locked down”.

That same infrastructure also means that, for example, an activist in Egypt who has a Facebook profile can similarly have their unwittingly “public” data revealed by a security officer wanting to lock them in jail, or worse. Or someone wanting to see photos of a Facebook user that had blocked them for harassment or stalking, could probably find photos of that person (posted by friends and tagged with them, let’s say), and potentially locate them via Graph Search. It is unthinkable that Graph Search tools were not also used for such purposes. One now closed Graph Search tool is called Stalkscan….

Beyond investigative value, the reason I used to train journalists and human rights activists in how to use Graph Search tools was to open their eyes as to what data was actually discoverable about them using these freely available tools — assuming as they must that they are the target of surveillance by bad intentioned actors.

The potential for misuse of Graph Search tools is at least as great as the potential for use for good.

In workshops, participants would often instantly prove the point: in one memorable case Participant A was able to quickly identify someone Participant B likely had romantic inclinations towards, because Graph Search showed them all the photos of that person Participant B had “liked”. In that context, in a conservative society in which relationships before or outside of marriage are essentially taboo, there was potential harm for both Participant B and the person they liked. This is not to say that they themselves shouldn’t have some awareness of the potentially public nature of their online interaction, but it does suggest – confirmed by Participant B in the workshop – that in the gap between what people think is public and what is actually discoverable, there is potential for real harm.

NB: To an extent, the use of this gap is true of much open source investigation methodology. I’d argue the volume of data, the depth of personal data, and the absolute ease of access mean that the potential harm here is unlike most others.

That has to matter more than our access as investigators to potentially useful information. Why? One reason, as a starter: Because in many contexts, our enemies and their resources outnumber us manifold, and these same infrastructure and tools can be used against us and our sources.

The uproar about the ending of developer access to Graph Search, much from investigators and researchers I have a tremendous amount of respect for, is thus alarming in the lack of consideration for the huge potential misuses and harms of the Graph Search tools we used. The question I would ask is simple:

There are obviously a lot of broader questions about platforms, quiet removal of access to tools, personal data, and what constitutes “public”, that I’d love to engage in at some point. But for now I just want to encourage a community I consider myself a part of to maybe think twice about the end of Graph Search access, at least in its completely unmediated form. As investigators, there are many things that would be useful to our work, but don’t exist for valid and important reasons – in this case, Graph Search access existed, but that fact does not justify its ongoing unmediated existence.

Looked at from another perspective: closing Graph Search tools might actually improve user privacy on Facebook – surely this is something that our community should laud and not condemn. Facebook just made our lives a bit harder, but they also made it a little bit harder for fascists, authoritarian regimes, organized criminals, <insert undesirable group here>, to surveil and target vulnerable citizens.

Using an ethically dubious infrastructure for good means does not a good basis for ethical practice make – as journalists and human rights researchers we have to step back and see a bigger picture that includes all the potential misuses of the tools and methods we’re developing and using.