Facebook does not care about your privacy. They aren’t alone; we pay to use all manner of application and platform with our privacy. It’s the price of free. However, I suspect many of us would be more selective with our personal information if we really knew the scope of intrusion. While options are given to users under the guise of Privacy Controls, these are not much more than wool over the eyes. To really understand what’s exposed, you have to think and act like an investigator.
The field of Open Source Intelligence (OSINT) is a passion of mine that focuses on the tools and techniques to uncover information of a target over the internet. Because it’s only peripherally related to the theme of this blog, I’ll take you through the motions using a health-related target who I honed my skills on: chiropractor B.J. Hardick.
I first learned about B.J. through a flyer distributed around town (London, Ontario):
The book is a dreadful amalgamation of dangerous and ineffective alt-med practices that goes as far as recommending chiropractic spinal manipulation as cancer treatment. The book was advertised as a sort of manual that recommends dubious techniques used by chiropractor Charles Majors who was diagnosed with multiple myeloma. Although B.J. claimed that Majors cured himself using techniques presented in the book, the tragic irony is that Majors passed away earlier this year. This is a story for another post, however.
So how does this tie in to Facebook privacy? The public presence of alt-med gurus is very different than typical medical professionals. Success is less about providing sound evidence-based care, and more about relentless promotion through social media. In many situations, such social media accounts are identified as professional extensions of practitioners’ clinical practices, which means that sharing silly memes comparing vaccines to events like the holocaust may very well be in the purview of regulatory discipline. So let’s dig in.
B.J. Hardick is evidently tied to three Facebook accounts: his personal page, his professional page, and his clinic’s page. His personal page is obviously out of scope for this investigation and his clinical page is certainly within scope. While his professional page isn’t explicitly linked to his clinical practice, he shares health and medical information and uses the title of Doctor, which is a regulated title in Canada. Hence, this page is in scope.
The simplest approach to investigations on Facebook is Facebook’s own search. It’s actually rather powerful.
A simple search reveals that the Hardick Chiropractic Centre account has directly disseminated anti-vaccine propaganda that still remains available despite recent warnings to B.J. from the College of Chiropractors of Ontario. Not impressed? Alright, let’s go deeper.
Every Facebook page or account is associated with a numerical ID. Using these IDs, we can make use of Facebook’s graph API, which opens up a vast arsenal of creeping – err – investigating possibilities. Facebook hides these IDs within the source of each page. To view the source (in Chrome), simply right click a page and select “View Source.”
Don’t fret at the incoming wall of code; all we need to do here is search for a single item. If you’re on someone’s personal profile, you want to find the value of profileid. Simply hit Ctrl+F and type in profileid. If, as in this case, you’re not on a personal page but a professional page, you’ll want to find the value of pageid, which appears as follows in this example:
This number is our ticket to the wealth of information we can extract from Facebook. You now have two options. You can learn how Facebook’s Graph API works, or you can use any number of pre-built tools to generate searches for you. Simple, but effective is graph.tips. However, Michael Bazzell’s Intel Techniques has become a household name in the OSINT world due to its comprehensive search tools. Navigate to the Facebook page and you’ll find a form for a Facebook User Number. This is where you place the pageid or profileid value. Click Populate All and you will see a plethora of options. Click Go on any of these and the website will direct you to Facebook with the appropriate search URL.
Examining the pages liked by B.J.’s professional account, we see a frightening trend:
Photos posted, liked, and commented on also portray at least a modest disregard for science and public health (even Health Canada has issued an alert regarding mammography):
Perhaps most disturbing is that B.J. likes his own posts:
What has the world come to?
As our personal and professional lives slowly become entangled in the web of social media, it’s worth taking some time to explore what is revealed about us. I encourage readers to use these tools on their own accounts. Take back your privacy.