Facebook’s Graph Search worries security experts

Facebook’s new Graph Search has security experts warning people who use the social network to raise their privacy settings in order to avoid embarrassment or becoming victims of cybercriminals.

Graph Search, which Facebook introduced this month and is rolling out gradually, lets people use naturally phrased queries, such as “Mexican restaurants my friends like,” and receive personalized results. The service makes a lot more useful information available to people, and it gives Facebook a new venue for selling advertising.

Unfortunately, while better search is good for Facebook and its users, it also brings more opportunities for scammers and potential embarrassment for people who are careless about their privacy settings.

Tom Scott posted on the microblogging and social networking site Tumblr queries that returned results that few people would want to be a part of. They included “married people who like prostitutes” and “current employers of people who like racism.”

He also showed how totalitarian governments could use the service to find dissidents or undesirables through queries such as “Islamic men interested in men who live in Tehran, Iran,” where homosexuality is illegal; and “family members of people who live in China and like Falun Gong,” a religious group persecuted in the communist country.

The post raised again questions of user privacy with Graph Search, which Facebook users cannot opt out of. They can reset privacy settings to prevent their “likes” and other personal information from appearing on search results.

[See related: Storify shows Facebook privacy more illusion than fact]

Facebook believes its responsibility is to provide the privacy settings, while users are responsible for using them. “You control who you share your interests and likes with on Facebook,” the company said Thursday in an emailed statement.

When joining Facebook, people trade their personal information for free use of the social network. Given that, security experts agree that people are responsible for controlling who sees that information.

However, some experts believe Facebook does not go far enough in educating users about the potential threats in keeping information public. Because Graph Search makes all that personal information easily searchable, education on its dangers should be a much higher priority for Facebook.

“Some people do not grasp the importance of Graph Search,” said Bogdon Botezatu, a senior e-threat analyst for Bitdefender. “So maybe it would be better for Facebook to actually inform people that some things will change.”

“The way they use to interact with Facebook has changed and this could have consequences they haven’t thought about yet,” Botezatu added.

A scenario not readily apparent to Facebook users is how their personal information can be used in phishing attacks. For example, a cybercriminal can do searches that reveal enough personal information, such as friends, hometown and former college, to tailor an email to make it more likely someone will click on a link to a malicious website.

The same security risk applies to corporate employees, who may unknowingly reveal too much about their work and colleagues. Rick Holland, a senior analyst for security and risk management at Forrester Research, said companies should include Graph Search in security awareness campaigns.

“Security awareness is much more effective when it has the personal hook. Some of the searches that you can run are pretty shocking, what better way to demonstrate the personal risks of using Facebook?” Holland said. “Tie Facebook and protecting your family’s privacy into a broader training session that also covers spear phishing/social engineering. Win for the employee and win for the company.”