
Who Does Facebook Think You Are Searching For? - jkeesh
http://thekeesh.com/2011/08/who-does-facebook-think-you-are-searching-for/
======
kmavm
Hi, my name is Keith Adams, and I worked on Facebook's typeahead. The system
has evolved a bit since we launched, but I talked about first_degree.php in
the tech talk we did about the typeahead back-end last year:

<https://www.facebook.com/video/video.php?v=432864835468>

Briefly, first_degree.php returns objects you're directly connected to in the
graph, and if there's space a few machine-generated guesses at other good
results. We preload these as soon as you focus the "Search" box at the top of
the page, in the hopes of having some decent results to show when you start
typing. The index field does, as the article inferred, represent our best
guess at a ranking function on these first degree objects. The inputs to this
ranking function explicitly _do not_ include other users' behavior on the
site. I talked a bit about our ranking function in this quora question:

<http://www.quora.com/How-does-the-new-Facebook-search-engine-know-what-Im-thinking/answer/Keith-Adams>

_Edit_: To clarify what a lot of people seem to be wondering, visiting
someone's profile does not affect the search results of anyone but yourself.

~~~
AmericanOP
Keith, I would like a feature to clear my facebook search history/profile view
history. I consider it a privacy issue.

The knowledge that anyone who stumbles across my logged-in profile can see who
I'm interested in by experimenting in my friend search bar has a chilling
effect on the profiles I view. Google and most browsers have a 'clear search
history' feature- it would be nice if facebook had the same.

~~~
reso
That's not a privacy issue, it's a security issue. If you can't be bothered to
log out your account on shared computers, people are going to get access to
your account, and a malicious person will be able to do anything they please.
Search type-aheads are the smallest of your problems.

~~~
greendestiny
Being able to uncover what profiles have been viewed is a significant problem
for a lot of people. And they aren't worried about malicious users - they are
worried about their partners/parents/children seeing which profiles they've
viewed. Who looks at what profile is one of the most sensitive pieces of
information facebook has, and I'm a little surprised that they do this.

~~~
davedx
I'd be more worried about people accessing my Internet banking or my email
than who I look at on Facebook. Log out of your bloody accounts before you
leave your PC!

~~~
greendestiny
Just to be clear - I don't think people are especially worried about strangers
seeing which profiles they've viewed (it would be quite unlikely it would be
meaningful) - they are worried about the people they trust seeing which
profiles they've viewed.

Facebook doesn't show which profiles you've viewed explicitly for a good
reason - I think they were just hoping that this would be obfuscated enough
not to get much notice.

~~~
CWuestefeld
_they are worried about the people they trust seeing which profiles they've
viewed_

In other words, you don't trust the people you trust. Perhaps you need to
rethink your behavior, based on your revelation that you don't actually trust
them.

~~~
Helianthus
this is the old "you don't have anything to hide" mantra dressed up in more
personal terms. people aren't perfect and they have the right to distrust
their closest friends if they want to.

~~~
CWuestefeld
Of course they do. That's why modern operating systems have security.

It just doesn't make sense to insist that both (a) I want to leave everything
unlocked and open; and (b) I don't want anyone to be able to see what's there.

You've got every right to protect your privacy from prying eyes. But if you
want to do so, _do it_.

------
modeless
Boy, this would be a great way to hijack Facebook accounts. Just convince a
bunch of people to run your bookmarklet on their Facebook profile.

~~~
kmavm
Indeed, it is not wise to run third-party bookmarklets while logged into
Facebook. This one may be benign, but the next one may not be. If you want to
see the JSON we're talking about, just load

<https://www.facebook.com/ajax/typeahead/search/first_degree.php?__a=1&filter=user&viewer=***userid***&token=&stale_ok=0>

with '***userid***' replaced with your numeric Facebook account ID.

~~~
danger
For mine to display scores, I had to remove the "[0]" after "filter":
<https://www.facebook.com/ajax/typeahead/search/first_degree.php?__a=1&filter=user&viewer=***userid***&token=&stale_ok=0>

With the "filter[0]" in the url, all scores came back as 0 for me.

~~~
kmavm
Thanks, edited accordingly.

------
impendia
Out of my top ten, seven are women I have had a crush on at some point. Seems
they are on to something...

~~~
manojlds
Not them, you :)

------
bilalhusain
Those who don't want to run the script can visit the facebook first_degree
page[1], search for "path" in the output. Note that you need to replace your
facebook id in the link which can be obtained via graph api [2].

[1] <http://www.facebook.com/ajax/typeahead/search/first_degree.php?__a=1&filter[0]=user&viewer={your_facebook_id}>

[2] <http://graph.facebook.com/{your_vanity_name}>

------
jefft22
Would it be possible for somebody to create a virus that would grab this file
and publish it to people's profiles? I think I'd crawl into a hole and die if
my ex girlfriend discovered how highly she ranked...

~~~
enjo
My wife is ranked really rather low... bad news.

~~~
coryl
Not necessarily, if you see each other everyday there's no real need to
interact through Facebook.

------
mrspeaker
This is pretty funny in the ajax code:

    success: function(result) {
        alert('Please try again.');
    },
    error: function(data) {
        var text = data.responseText;
        // ... processes the data here...
    }

Why is success error and error success?

~~~
albertsun
I think because the request is asking for content type JSON but the Facebook
response comes back as javascript with a for (;;); at the beginning. The
content types don't match so jQuery invokes the error callback.
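
An added illustration of the behaviour described above (not code from the bookmarklet or from Facebook): the `for (;;);` prefix is a guard that keeps the response from being usable if another site pulls it in as a script, and it is also why a strict JSON parse fails. The sample response is constructed, using the `payload.entries`, `text`, `index` and `path` names mentioned elsewhere in this thread; the function names are hypothetical.

```javascript
// Added example. SAMPLE_RESPONSE is constructed sample data, not real output.
const GUARD = 'for (;;);';

const SAMPLE_RESPONSE = GUARD + JSON.stringify({
  payload: {
    entries: [
      { text: 'Alice Example', index: -2.1, path: '/alice.example' },
      { text: 'Bob Example', index: 0.94, path: '/bob.example' },
      { text: 'Zoë Example', index: -0.3, path: '/zoe.example' },
    ],
  },
});

// What a strict JSON consumer does with the raw body: parsing throws,
// so a client that asked for JSON ends up on its error path.
function strictParseFails(body) {
  try {
    JSON.parse(body);
    return false;
  } catch (err) {
    return err instanceof SyntaxError;
  }
}

// Remove the guard only when it is the exact leading token, then parse.
// A body without the guard is rejected instead of being "cleaned up"
// with a global search-and-replace.
function parseGuarded(body) {
  const trimmed = body.trimStart();
  if (!trimmed.startsWith(GUARD)) {
    throw new Error('guard prefix missing: unexpected response');
  }
  return JSON.parse(trimmed.slice(GUARD.length));
}

// Rank entries the way the thread reads them: lowest index first,
// displayed as a negated score.
function rankedEntries(body) {
  return parseGuarded(body).payload.entries
    .map((e) => ({ name: e.text, score: -e.index }))
    .sort((a, b) => b.score - a.score);
}

console.log(strictParseFails(SAMPLE_RESPONSE));
console.log(rankedEntries(SAMPLE_RESPONSE));
```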

------
pclark
Looked at mine. First thought: whoa, I hope no one else _ever sees this_

Facebook you scary.

~~~
tuhin
My list is all random. The first entry is my girlfriend, the next though is a
random girl from college whose profile I have hardly visited more than say 4-5
times ever on Facebook. Same for others down the list.

So is it something where people are apparently assuming that it is onto
something because they can see those 2 names they do not want anyone to know
about among the 10 being in the top or is the result for everyone actually
correct?

In the case of the latter how is it so random for me? I have Michael Arrington
on the top 15 and I swear I do not stalk his profile.

~~~
bauserdotcom
Facebook's reps haven't said the list is based _just_ on profiles you view,
they said it's based on "people you interact with" -- there may be other stuff
in there, like messaging activity, or commenting, or liking. Even if you don't
go directly to Arrington's profile, you can be interacting with him in the
newsfeed.

------
46284
My roommate is infatuated with this girl he's known since HS. I just ran it on
his laptop and she's at -68. Everybody else is above -4.

Can anybody beat that?

------
seagaia
1. This is very cool 2. This is very scary. Someone hacking me then posting
the top 10? Social disaster

~~~
jrockway
Why? I don't use Facebook, but visiting people's profiles on social sites
doesn't mean much on the other ones. Most of the people I look at on Twitter
or Google+ have done something so brazenly spammish that I have to go to their
profile to find the "report spam" link or whatever. These people aren't my
friends, they're just people that spam me that I want to go away.

Hardly a social disaster.

~~~
seagaia
Well, imagine if you will you were stalking some person you kind of know but
not very well, or someone who is an ex-whatever, etc...and that info gets out,
and they know. It could spell disaster. Sure, it's entirely the person's fault
for stalking in the first place, but the internet enables that so...

------
AdamTReineke
Here's how the top 209 people in the list rank for me (the whole list was too
long for me to bother cleaning up at 1:30am). 22 people had rankings of less
than zero. <http://i.imgur.com/WqcKF.png>

~~~
user24
Here's a graph of my entire list, annotated with "I don't know this person"
and "This person is invited to my wedding".

<http://i.imgur.com/zd2Ts.png>

Top ten:

1) best man

2) random person who lives in my apartment block who I stalked once to get
their mail to them

3) Wife-to-be

4) Her sister

5) Good friend of mine from Uni

6) Me

7) Place my wife-to-be volunteers at

8) Another friend from uni

9) Wife-to-be's best friend

10) Someone I know online but not IRL.

------
kirillzubovsky
Tried browsing through the javascript to see if you're screwing with me
somehow ... got too lazy 1/3 way through and decided to trust that as a member
of HN community you wouldn't (probably a terrible idea). But yea, the script
works ... all too well.

~~~
jonah
You can always just use the inspector in your browser to view the original
JSON and run it through JSLINT to make it readable. No external script needed.
;)

~~~
kirillzubovsky
Yea, I ended up doing it afterward, to take a deeper look into the data. tnx!

------
fecaldog
I might be one of the few here who has a facebook account with 0 friends and
never really use it. So the results are very interesting as they contain
people who I know but do not interact with. Some of them must be from profile
searches I have performed but I cannot explain the others. I am inclined to
believe they must be incorporating 'other users behavior on the site'.

------
mleonhard
If you have folks with non-ASCII names, here's a Python three-liner to convert
the output of first_degree.php to a text file:

    import json
    # Strip the leading "for (;;);" guard, parse the JSON, write "name score" lines.
    with open("first_degree.php.txt", "w", encoding="utf-8") as f:
        for e in json.loads(open("first_degree.php.json", encoding="utf-8").read().replace("for (;;);", "", 1))["payload"]["entries"]:
            f.write("%s %r\n" % (e["text"], -e["index"]))

------
markmccraw
I'm curious whether these numbers factor in people who are looking for
you/interacting with your profile. My list has some people I don't recognize
as well as people who I definitely have not clicked anything of recently, which
is why it might.

~~~
markmccraw
Well I changed my privacy settings to visible to all, made a dummy account and
click raped my profile and my dummy account didn't show up. I'll add the
accounts as friends and then make note of the number, then do clicking from
the dummy and see if it changes. There could be some privacy implications
behind the initial coolness of this.

Also, if you make an account and do nothing your value for yourself is
0.939565, which I guess is some sort of baseline of 0 interaction? Although I
don't understand how they are modeling your interaction with yourself, tbh.

~~~
markmccraw
It seems like there is a lag time between clicking stuff and the value
changing, because I'm not getting my dummy to show up at all.

------
follownicholas
I'm not a frequent Facebook user but I log in at least once a day. The first
person on my list is a girl I am dating who is about a -2. I am the second
person on my list also at about -2. About 30 more people have a negative
number. The remaining people (about 500) are all a positive number. I don't
even know who many of the people are at the bottom of my list.

It is interesting to note however that my brother is a frequent Facebook user
and his first person on his list ranks at about a -26, and EVERY SINGLE person
in his graph is assigned a negative number. Despite this, he still doesn't
know who a lot of the people are on the bottom of his list.

Other things I noticed:

- Some people that I barely even know but just became friends with are ranking
highly on my list. I imagine this is because I probably viewed a bunch of
their pictures after being friends, combined with the fact that I don't often
view profiles of people I am friends with.

- Some of my more recently added friends have the same exact value.

I wonder how much information could be extracted about the algorithm by
creating a dummy community of people and connecting them together, then
recording the results. I imagine much of the algorithm could be reverse
engineered by this if anybody were up to the task. I will probably work on it
if nobody else does and publish my findings.

EDIT: Explained what I was trying to say better, fixed grammar.

------
NnamdiJr
I think it's a bit funny that with a score of -0.3 I am #2 on my own list (#1
being a girl whose profile I check out a bit too often), I'm stalking myself??

That said, I've always thought it was strange how FB comes up with the people
not only in search but also the ten friends list on the left in profiles, the
chat list on the right, and 'people you may know'. I've done a few tests w/
friends regarding the topic, and pretty much what everyone here has guessed
seems to be true. There's a very good chance FB factors in people who are
looking for you/interacting with your profile (unreciprocated), but of course
they won't admit that..

I don't think it's such a big deal in either case. The top Chinese Facebook-
like SNS site, <http://renren.com/>, shows everyone the most recent 9 visitors
on a page, and it's often used (by would-be stalkers) as a way to overtly show
interest "hey, i'm checking you out" kinda deal, or for couples to let each
other know they are attentive. Otherwise, it's just friends keeping tabs on
each other. I'll admit, at first I was weirded out by it, but now it seems
almost normal.

I'm probably way out of the norm here, but I honestly wouldn't mind having
this in FB.

~~~
pharrington
Pretty much exactly what I was going to say about this (I'm #3 on my list). I
just posted the article and my top 10 on my wall, tagging everyone in it.
Curious as to what the non HN crowd thinks.

~~~
bauserdotcom
Great. You're probably going to be Ground Zero for next week's version of the
"run this program to see who looks at your profile" rumor, and the week-after-
next's bogus virus warning about running the script.

------
erikb
That is really strange to me. Maybe I don't stalk enough or something, but
often when I look up a friend (someone who is actually in my friend list and I
communicate often with) it seems to be impossible for Facebook to find this
guy and I have to go directly to the friendlist search to get this person's
profile. Always (or so often that I don't remember the exceptions, which is in
usability terms "always") when I use the normal search bar I get people I
don't know, have not even indirect relations with or be in any way interested
in. Sometimes the names don't even consist of the words I was putting in the
search bar. That's why I really wonder why people can think of facebook's
people search as something cool or "stealable".

------
svsaraf
As some have mentioned, doing a couple of tests with dummy accounts seems to
indicate that a friend visiting your page can influence your first_degree.php,
which would explain why there are a few people who you never stalk who happen
to be on your list.

~~~
follownicholas
That's a possibility. The post that Keith Adams made however refutes this, but
it is still possible that he is wrong/mistaken or that the first_degree.php
was changed after he left Facebook.

~~~
svsaraf
I should have been more clear. Keith seems to indicate that views from other
users don't affect your first_degree.php. I disagree, here was my process:

I built a dummy account in incognito that is friends with my regularly
used profile (A) and a profile owned by a friend of mine (B). All friend
requests were made from A & B TO the dummy. I then checked the
first_degree.php of the dummy, as expected, me and my friend were first.
Perhaps not surprisingly, the next people on the list were the intersection of
A & B 's friend lists.

Now I logged back in to A, knowing that B wasn't searching for the dummy, and
searched for the dummy a few times a day for a couple days (I learned about
first_degree a couple weeks ago).

Checking the dummy's first_degree showed that friends past A & B had more of
A's friends.

My guess is that Keith is right in general. I might not be able to move myself
up the ladder of the dummy, but I can change the Facebook Social Graph by
changing my viewing behavior. The machine generated list uses that graph to
determine first_degree. Even if it's indirect, it means first_degree can be
influenced by searches of others. Or I'm wrong!

------
jkeesh
Thanks for all the comments and feedback on the bookmarklet. Glad it was
entertaining. As mentioned by other commenters, the popularity of something
like this does raise many interesting security issues.

------
chad_oliver
Facebook rape (posting embarrassing statements when using a friend's account)
is common. What happens when facebook rape becomes "post who your friend has a
crush on"?

------
sakopov
Not knowing much about facebook API, tried plugging in somebody else's profile
ID instead of "Env.User". Thank God it came back with "not authorized."

------
oe
The bookmarklet doesn't work if you have secure browsing (https) enabled on
Facebook. As you should.

------
nabaraj
Time to run this script on my crush's profile to see if I am on her top of
list or not.

~~~
javert
Doesn't work unless you are logged in as that person. (I tried, just to make
sure.)

~~~
follownicholas
That's why you have to hack into their account first :-) (kidding)

------
PurplePanda
Is Facebook censoring this? I tried to post the link to the thekeesh.com page
to a friend's 'wall' and everything in my comment after and including the link
was elided. Or maybe Facebook post entries are always that broken.

~~~
bauserdotcom
I don't think they're censoring it -- The HTML on this page makes heavy use of
the TABLE and SPAN elements for formatting. That seems to be something that
makes it difficult for Facebook's link-grabber to read pages. I've encountered
the same problem posting links to other sites with idiosyncratic HTML.

------
DarkMeld
I just noticed how incredibly fast Facebook search is

~~~
melvinmt
It's not that fast, Facebook actually starts the search query from the second
letter (about 174 ms), before that, it uses the prefetched cache of first
degree friends and apps.

------
ristretto
Facebook excels at making sensational frontpages with pretty vanilla
technology.

------
sebastianavina
that's a damn bad design. I stared at my laptop for a while to a bunch of
hats?

~~~
jeffool
I get why the parent was downvoted; it's not relevant to the topic. That said,
when you open a page and all you see is the header and the article title? I
think it's perfectly valid to comment on the design, or lack thereof, of the
page.

Seriously, the article was a worthwhile read, but I don't see how you can NOT
comment on the design.

~~~
hussong
Maybe it's the image requests that just made the server fall over.

------
bryanh
Luckily as I read this (and my significant other read it over my shoulder) all
my top matches are close male friends and my brother (and her).

Seriously though, this is a bit on the creepy side Facebook.

