Facebook Quietly Changes Search Tool Used by Investigators, Abused By Companies

Late last week Facebook quietly made changes to a set of advanced features that previously allowed users to search the social network in powerful ways, such as finding all posts on Facebook by a keyword and within a certain date range, all of the people who like a certain Facebook Page and live in a particular city, or places visited by two specific users.

All of the information gathered by these search features is from users’ public profiles, but the news highlights Facebook’s recent emphasis on privacy, and comes after a series of privacy and security incidents at the company. The features have been abused to look up information on Facebook users en masse, but they are also of immense help to investigators who use them to uncover social media evidence of, for example, airstrikes in Yemen.

“Most tools are down,” Henk Van Ess, a social media research expert and member of online investigative organization Bellingcat, said in a Twitter direct message.

Do you work at Facebook? Did you used to? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

The feature is called Graph Search, and essentially required entering the right URL into a browser with some parameters such as the keyword nested within that URL. Several members of the open source intelligence (OSINT) community built tools to streamline the generation of these URLs and make the search process easier. Van Ess published public tools on his website to search for posts containing a keyword on a specific day, month, or year, as well as a date range. OSINT trainer Michael Bazzell had a slew of Facebook search tools on his site, including finding all of the photos a Facebook user had commented on. Another service called StalkScan, run by ethical hacker Inti De Ceukelaire, allowed users to streamline similar searches.

“The normal Facebook search simply does not have the same functionality: it returns far fewer results, and the smallest time-frame you can search is a month,” Nick Waters, a member of Bellingcat, wrote in a letter addressed to a Facebook employee in a personal capacity, which Waters shared with Motherboard.

But on Friday, Graph Search stopped working, according to multiple social media researchers and tool maintainers.

“StalkScan is currently unavailable due to changes made by Facebook,” an announcement on StalkScan’s website reads.

Bazzell also had a set of other issues around his website, with his webhost threatening to close his site unless he removed his tools, Bazzell said in an episode of his podcast published over the weekend.

“The same hour that everyone started reporting that Facebook Graph was broken, my site went down completely and I got suspended from my host. Could be a total coincidence; I’m not blaming you Facebook. I’m just saying: what are the odds that all that would happen at the exact same time,” he said.

Groups who use these tools to research information in the public interest have already felt some impact. On Saturday, Waters tweeted asking for help finding material to support research for a Bellingcat investigation into airstrikes in Yemen.

“Now that Graph Search has gone down, it’s become evident that it’s used by some incredibly important section[s] of society, from human rights investigators and citizens wanting to hold their countries to account, to police investigating people trafficking and sexual slavery, to emergency responders,” Waters told Motherboard in an online chat.

Van Ess also shared with Motherboard several messages he said came from people looking for tool alternatives or updates, including journalists and companies tracking corruption.

The tools have also been abused, however. Bazzell said in his podcast that although his site faces a lot of malicious attacks, the tools section is the most heavily targeted, with people using them to automate tasks.

“My online tools have always been abused,” Bazzell said in the podcast. “There are numerous companies that try to use my PHP tools to collect information en masse.”

“My Facebook PHP lookup tool was often abused by people who would submit thousands of requests a minute to translate Facebook names into ID numbers, and then use that as part of their database creation process,” he added.

A Facebook spokesperson told Motherboard in an email: “The vast majority of people on Facebook search using keywords, a factor which led us to pause some aspects of graph search and focus more on improving keyword search. We are working closely with researchers to make sure they have the tools they need to use our platform.”

A source who did not have direct knowledge of the changes but who is a current, technical Facebook employee told Motherboard there is “lots of internal and external struggle between giving access to info so people can find friends or research things (like Bellingcat), and protecting it.” Motherboard granted the source anonymity to speak more candidly about internal Facebook processes.

The change has also seemingly started a cat and mouse game between the OSINT community and Facebook, with the community finding workarounds before Facebook allegedly shuts those techniques down too.

“I patched my tools 5 times and each time, after 2 hours, the tools were crippled by FB [Facebook]. Other toolmakers experienced the same,” Van Ess said.

Van Ess said he has found a number of workarounds that still allow for the same search capability, and has now password protected his site so only vetted people can use the tools. Van Ess gave Motherboard access to verify the tools; Motherboard confirmed some of them do work, but others do not at the time of writing.

In his podcast, Bazzell said his Facebook tools were working again after updating them. Bazzell said they have some issues, and some use the mobile version of the site, “but we are getting that functionality back.” Those tools are behind Bazzell’s own members-only section, whereas they were previously public.

Bellingcat plans to publish an open letter to Facebook about the changes. At the time of writing, Bellingcat is still drafting the letter.

In March, Facebook CEO Mark Zuckerberg said the company was moving towards a new emphasis around user privacy. This announcement came after several privacy and security blunders, including the Cambridge Analytica episode. Shortly after, Facebook announced it had accidentally stored hundreds of millions of passwords in plaintext.

Disclosure: the author of this piece previously enrolled on Bellingcat’s open source intelligence course, which he paid for himself.

Update: This piece has been updated to include a statement from Facebook.
