Facebook Screen

The End of OSINT for Facebook?

Edward Ajaeb


The worlds of open source intelligence analysts and online investigators were rocked recently when Facebook abruptly killed its beloved Graph Search capabilities. While the vast majority of everyday Facebook users and the general public may not have noticed this change, it is nonetheless a major setback for investigators, journalists, security professionals, and other online and social media intelligence practitioners.

What is – or was – Facebook Graph Search?

Facebook Graph Search was unveiled in 2013 as a way for Facebook users to find information about their network of friends using a natural-language search. For example, a user could type “My friends who live in Houston” in the Facebook search bar and see a list of their friends who indicated that their current city of residence was Houston. Similarly, a user could use Graph Search to find Facebook users beyond their own network of friends. For example, a user might search “People who like The Beatles and live in Seattle” to see a list of users who like the Facebook Page for “The Beatles” and indicate “Seattle” as the current city on their Facebook profile.

Of course, these searches would only retrieve public information and data that other Facebook users chose to openly share on their respective profiles. It was not exposing information that was meant to be secret or circumventing any privacy or security settings. It was simply an open source search technique that allowed finding people and information on Facebook simpler.

Investigators and intelligence analysts used Facebook Graph Search somewhat differently than the average Facebook user. Instead of searching for friends or people based on hobbies, investigators would use Graph Search to locate public information about a person or entity beyond what was immediately available on the target’s Facebook profile. In other words, investigators would use specialized search techniques that were made possible by Graph Search to find posts, pictures, tagged content, and other information available on a user across Facebook.

For example, an investigator might use Graph Search to locate “photos commented on” by a particular user. An analyst might use Graph Search to find public posts that a particular user liked, commented on, or interacted with. Fraud specialists could use it to find posts and photos a user was tagged in. Journalists might use it to find who worked at a particular company or attended a certain university.

While this might seem invasive to the average Facebook user, it bears repeating that anyone performing these search techniques would uncover only publicly available information. This isn’t hacking. This isn’t breaching privacy settings. Facebook Graph Search functioned within the native Facebook platform to show users only the posts, pictures, and other content marked as “public,” unless the person doing the search was already “friends” with their target, in which case they could see content set to “friends only.”

Facebook giveth and Facebook taketh away

Facebook Like Thumbs

Facebook’s abrupt move in killing Graph Search without warning or discussion signals its haphazard commitment to enhance privacy for its users. Certainly, open source tools such as Facebook Graph Search can be, and sometimes are, abused by malicious actors. But these tools were incredibly helpful and often life-saving for investigators, intelligence analysts, and human rights advocates. The ability to search for publicly available information on Facebook using a set of simple yet powerful techniques has stopped fraud, solved crimes, exposed corruption and abuseuncovered human trafficking, and undoubtedly saved lives and prevented catastrophic events from happening. It’s rather perplexing that Facebook makes attempts to become more “private” by removing the ability to see information that was already public in the first place.

In an email to Motherboard, a Facebook spokesperson stated that “[t]he vast majority of people on Facebook search using keywords, a factor which led us to pause some aspects of graph search and focus more on improving keyword search. We are working closely with researchers to make sure they have the tools they need to use our platform.” (Thanks for the heads up, Facebook.)

Facebook’s move has sent shockwaves through the OSINT and investigative communities. Open source intelligence trainer and investigative expert Michael Bazzell said in his podcast that this was “one of the most devastating weeks towards online investigations that I have seen in my 20 year career.” He predicts that the future of open source intelligence and online investigations is going to get more difficult now that tools and shortcuts such as Facebook’s Graph Search are disappearing. However, Bazzell says that the internet is still the top source of intelligence and information, and that knowing advanced investigative methodologies and the underlying infrastructure of online platforms will serve investigators better than quick shortcuts and free tools. The true value, Bazzell says, is the ability to turn online information into actionable intelligence.

What now?

The silver lining to all of this is that open source intelligence experts and online investigators are already coming up with new tools and techniques to replace or supplement Facebook Graph Search. Some of Facebook Graph Search’s functionality still remains; it’s just now a little trickier to perform the searches. Rather than plain URL manipulation to find people, posts, and pictures, it now requires a bit more technical know-how.

Thankfully, several OSINT experts and software developers have already launched some tools that replicate some of the old Graph Search capabilities. GitHub user “sowdust” has developed a free shortcut tool for finding information on people, posts, photos, pages, places, and more.

SourceCon also described a technique that still uses the native Facebook search function, similar to Graph Search, but with more limited capabilities. Searching, for example, “Engineer Boeing Seattle” and clicking on the “People” tab in the search results will uncover a long list of Facebook users meeting these three search criteria. While this isn’t quite as intuitive as Graph Search, it’s a small ray of hope.

The bottom line is that this isn’t the first time, nor will it be the last, that Facebook changes its functions and limits how users – including investigators – can use its platform. Facebook Graph Search was a convenient way to find publicly available information scattered across Facebook. In its absence, the OSINT and investigative communities will adapt and find new ways of leveraging online resources and social media to gather actionable intelligence. Most importantly, understanding the methodologies and framework for open source intelligence collection will outlast any one specific tool or technique.

Author’s Note: Facebook’s move to disable Graph Search functionality highlights the risks associated with over-reliance on one single social media platform to collect intelligence for investigations. Much like a stock portfolio, intelligence sources and investigative techniques must be diversified. Nighthawk Strategies founder and president Edward J. Ajaeb will be presenting at the upcoming Global Security Exchange (GSX) Conference on the topic of “Online and Social Media Investigations: Go Beyond the Big Sites.” This session will provide an overview of some additional social networking sites, mobile apps, and online applications that provide hidden value to investigators. Join us at the GSX Conference in Chicago, IL, September 8-12, 2019.