A few weeks ago Facebook announced the removal of a “Search” setting. That’s their marketing term for a privacy setting. The setting in question allowed a user to prevent his or her Facebook profile from being discovered via Facebook’s search function.
Now before you go look for it, you should know that most of us lost the setting in December 2012. At the time Facebook announced it as part of several “Better Controls for Managing Your Content.” One of these better controls included a notice that anyone not currently using this older setting lost it. However, those who had enabled the setting were allowed to keep it for a while. In other words, the ability was first taken from those not using it, and now stripped from those who were. (It sounds like there’s a political analogy in there somewhere…)
According to Michael Richter, Facebook’s Chief Privacy Officer, the setting was removed because it didn’t do enough. People could still access those non-searchable pages by clicking the user’s name on another page, a comment, a mutual friend’s Timeline, or even through the Graph Search. And of course Google would still link to the page. Richter pointed out that instead of preventing access to the Timeline, people should set more granular privacy settings on the content they share. But that argument assumes that this was the only privacy setting that people enabled. From my personal experience, people who enabled specific privacy settings like this often enabled many if not most of the others as well.
Richter also pointed out that this “setting also made Facebook’s search feature feel broken” when a user wouldn’t show up in the search results even though you know they have an account. Personally I think that this was the bigger motivation for Facebook as their business model depends on people finding each other and interacting.
So what does this mean for you? If you had been using this setting, it means tough luck. Now your page will be much more easily discoverable. Of course if your friends or acquaintances used the setting, it might mean they can no longer hide from you. It also will be much easier to find information about people that you meet or target as part of a social engineering engagement. If you’ve got kids with Facebook accounts, now might be a good time to review those privacy settings with them.
The important lesson here is that over time, information leaks out. When you post information on the internet, especially on a free service like Facebook, you should always assume that it will become public knowledge. Facebook has gotten much better about offering privacy controls, but it’s still a company that profits off of people sharing information. Whether it’s an intentional change like this, or an unintentional action or security breach, your data will eventually be made accessible. If you’re not okay with that, then think twice about posting it.
Nathan Sweaney is a Senior Security Consultant for Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at email@example.com or visit the Secure Ideas – Professionally Evil site for services provided.