How to protect your Facebook privacy, as new search system is rolled out

It’s time to review how well you have been protecting your privacy on Facebook.

Why? Because Facebook is beginning to roll out the new version of its search engine.

First announced by Mark Zuckerberg in January, Graph Search makes it easier for people to find content that has been shared on the social network through the use of natural language and filters.

The upshot is that if you have ever shared something on Facebook, it’s easily searchable by anyone you have given permission to view it. (Or, in some cases, by anyone whose permission to view it you have forgotten to remove.)


To demonstrate what Graph Search can do, Facebook offers the example of searching for restaurants that your friends have visited:

[Image: Restaurants]

Clearly it would have been much more laborious in the past to check out each of your friends’ Facebook profiles and trawl through their past restaurant trips.

The good news is that Graph Search doesn’t make anything you have shared on Facebook any more public than it was before.

The bad news, though, is that it does provide a much easier way to dig up information that might otherwise have been overlooked or hard for others to dig out of your Facebook history.

The Actual Facebook Graph Searches blog demonstrates the power of Graph Search quite well, with a series of example searches that may make you realise the potential dangers and embarrassments.

For instance, here are married people who like prostitutes:

[Image: like-prostitutes]

One likes to think that most of the people who said they “Like” prostitutes were saying it as a joke. But can you guarantee that your employer or a potential new romantic partner would find it as amusing?

Here’s another example. Single women who live nearby who like men and list “Getting drunk!” as one of their interests:

[Image: like-men-drunk]

Again, that’s something you might only want to share with a controlled audience – if anyone.

After a string of PR disasters involving its users’ privacy, Facebook is keen to be seen to be responsible. They made the following short video to explain how users can control who they share their information with:

[youtube=http://www.youtube.com/watch?v=PjcXZeL_3IQ&rel=0&w=550]

Although some will no doubt delight in Facebook’s new Graph Search ability, I am also confident that there will be plenty of people who will be embarrassed or disturbed about how easy it has become to learn information about them.


Tips for better Facebook privacy

In light of Facebook making it easier for people to find out information about what you like, where you have been, and so forth, here are my tips for better protecting your privacy on the social network.

1. Make sure you are restricting who can see your Facebook updates

Every time you post a status update on your Facebook page, you have the ability to control who can see it (or search for it later).

[Image: Status update privacy setting]

If you make it “Public” then that actually means you have made the status update not only viewable by *everybody* on Facebook, but also everyone *not* on Facebook as well – including search engines which may archive the content. In short, you’ve opened Pandora’s box and even if you change your mind later and delete the post, or make it private, you can never be confident that the message isn’t lurking somewhere else out there.

“Public” may be fine for companies and brands, but is rarely appropriate for the personal Facebook pages of individuals.

The “Custom” option is probably a more sensible choice, as it allows you to choose specific people or lists of friends. “Custom” also allows you to explicitly say who you *don’t* want to share the update with.

[Image: Custom privacy]

However, be very careful not to choose “Friends of Friends” unless you realise the possible consequences.

It may be that you have been very careful about who you have befriended on Facebook, but can you be confident that your Facebook friends have shown similar levels of caution?

2. Lock down who can see your future and past posts

You should also use Facebook’s privacy settings to adjust who can view your future posts, take the opportunity to review past Facebook posts you have made, and limit the audience for past posts that may have been accidentally shared with “Friends of Friends” or “Public”:

[Image: Facebook privacy settings]

Handily, Facebook provides users with the option to review all of the posts and things that they have previously been tagged in. You should use the opportunity to untag yourself from places and photographs that you do not feel comfortable sharing with the masses. You’re learning about the benefits of online privacy, and won’t be so free-and-easy in future.

Additionally, you should block search engines from being able to link to your timeline, and may wish to limit who can look you up using your email address or phone number.

3. Control your Facebook timeline and where you are tagged

Facebook provides additional privacy settings which you should spend time checking to better protect yourself online.

For instance, if a friend tags you in a status update or photograph you can review that post *before* it appears in your timeline. Note: that doesn’t stop the update or photo appearing elsewhere on Facebook (you have to laboriously ask your Facebook friend to remove the photo or post in its entirety if you don’t like it), but you can at least prevent it from appearing on your page.

[Image: More Facebook privacy settings]

The last option on this page is one of the most controversial.

Who sees tag suggestions when photos that look like you are uploaded?

This option is connected to Facebook’s controversial facial recognition feature. As your Facebook friends upload photo albums, Facebook can try to determine if any of the pictures look like you. And if they find what they believe to be a match, they may well urge one of your Facebook friends to tag it with your name.

As you can see from my screenshot, the “feature” isn’t currently available to me. But if you have the option, I would recommend that you disable this if you value your privacy.

4. Stop your friends’ Facebook apps from accessing *your* private information

Many Facebook users aren’t aware that – unless you have locked down your privacy settings correctly – the apps, games and websites that your *friends* use can also access your personal details, photos and updates.

Facebook argues that allowing other people to share your info with third-party apps makes the “experience better and more social”.

And, with depressing predictability, Facebook leaves options like this enabled by default.

[Image: Weak Facebook app privacy]

In my view, it’s indefensible for Facebook to take this stance, so go to your Facebook Application settings and follow my recommendation to deselect every tickbox in the section:

[Image: Facebook app settings]

At the same time, it wouldn’t do any harm for you to review on the same settings page what apps you have given access to your account, and – for instance – adjust settings if you are uncomfortable with them posting publicly on your behalf. If you have no need for an app, or believe that it could be malicious, you should revoke its access to your account entirely.

5. Stop posting private stuff on Facebook

Here’s the simplest advice of all.

Facebook is going to find it a lot harder (although not impossible) to expose your personal and private information to others if you never share it with the social network in the first place.

So, if you have something that you wouldn’t feel comfortable sharing with your boss, or with your loved ones, or with a jealous ex-partner or potential identity thief, then don’t post it on Facebook.


Facebook is in the habit of introducing new features which can impact users’ privacy, making it users’ responsibility to manage their own security and turn unwanted features off. The best defence is to keep yourself informed of changes that Facebook makes, and keep yourself clued up about new security and privacy risks.

If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.




Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
