Do you know how much of your Facebook activity is viewable by strangers?
A self-described “ethical hacker” in Belgium released a website, provocatively called Stalkscan, that answers that question — and shows just how powerful Facebook’s search tool is if you know how to use it.
The site, released in Dutch and English, allows users to plug in a profile and perform granular searches. Let’s say the profile is mine. Stalkscan can search for photos of me at age 22, events attended by me in 2016, comments I’ve left on videos, photos of single people I’ve liked, political parties liked by members of my family who are female, and more.
“It doesn’t really contradict your security settings,” the site’s creator, Inti De Ceukelaire, told me in a Twitter DM. “It’s just a tool that shows that much of your Facebook activity is public without most people even knowing.” In other words, if you’re like most users, more of your information is publicly viewable than you realize.
De Ceukelaire works for a public broadcasting company, but he also hunts software bugs in his spare time. When I asked why he didn’t submit this issue to Facebook directly, he told me it’s not a bug. “It’s a feature,” he said. “Many people don’t know about it. I think it’s a bit concerning / misleading. That’s why I made a website.”
Just to recap, these are a few of the things that are public on Facebook that you may not be thinking about:
Likes are public.
Public events you mark as “going” or “interested” are public.
Comments you made on other people’s posts may be public, depending on their security settings.
Photos others have taken of you may be public, depending on their security settings.
Metadata around items that are public, such as your age in a photo, is public.
All of this public information can be combined in ways you might not expect.
Everything Stalkscan does can be done on Facebook if you know how to structure the complicated query required. For example, a search for posts Mark Zuckerberg has liked from people in his city turns up a link that looks like this: https://www.facebook.com/search/30/users-age/stories/intersect/4/current-cities/residents-near/present/stories/intersect/4/stories-liked/intersect.
This is based on Facebook’s Graph Search, a feature that was introduced in 2013. Graph Search enables Facebook users to look for things like “friends who like Star Wars and Harry Potter” or “who are single men in San Francisco and are from India.”
“Graph Search aims to make the information people have already shared with each other more useful and in a way that is completely personal and respects privacy settings,” Facebook wrote in 2013. However, Graph Search was quickly criticized for its potential for abuse by phishing scammers, stalkers, and even oppressive governments.
Facebook removed some of the original search patterns, dumbing down the tool, but it is still very powerful. “In some ways, privacy has become impossible on Facebook,” wrote Thomas Fox-Brewster at Forbes. “Over the last few years, Mark Zuckerberg's firm has been quietly making it impossible to create a truly private profile.”
Stalkscan itself isn’t super intuitive, and you have to be logged in for the links it generates to work at all. However, it’s still much easier for a nontechnical person to parse than Graph Search.
For malicious actors, this tool — and to a lesser extent, Facebook’s Graph Search — is a gift. I asked De Ceukelaire whether releasing Stalkscan made him part of the problem. He pointed to the fact that police use Graph Search this way, and suggested that “the tool needs to be a bit creepy” in order to increase public awareness.
“I’m not the only one that knows about it. It makes me the transparent one,” he said. “I think people should be informed about what other people can find about them.”
Facebook users can review their privacy settings using its Privacy Checkup tool, but it may not reveal the extent to which information is public in the way Stalkscan does.
“Like most services, we offer a search feature, but search on Facebook is built with privacy in mind,” a Facebook spokesperson told The Outline in an email. “This website merely redirects to Facebook's existing search result page. As with any search on Facebook, you can only see content that people have chosen to share with you.” Facebook noted that it offers a variety of tools to help people control who sees their information, including the ability to select an audience for every post and a feature that limits visibility of past posts to only your friends.