Ping (zestyping) wrote,

The new Facebook API exposes the events that some users attend to anyone on the Internet.

To protect your privacy, mark your events "Not Attending".

Update (06:00 PDT): So far, some people have reported that their events are exposed, and some have reported that they aren't. I don't have an explanation. I've sent a note to Facebook asking them not to expose events this way.

Update (13:00 PDT): theharmonyguy commented that event lists were already exposed in the old API, as he reported in December.

Note: This post is based on my observations as an individual Facebook user, curious to know what is revealed about me through the new API. I wrote this article to help others protect their privacy, and I am also in touch with Facebook's team, who is working to fix this. Although I work for Google, this blog represents my personal views and not Google's. Thanks to everyone for your interest.

Update (23:00 PDT): The Facebook API is no longer revealing event lists for the users mentioned in this article, or any other users I've tried. Thanks to the Facebook folks for improving their stuff!

Update (May 12): Please see the new FAQ about the Facebook API Browser.

 

Yesterday, I discovered something strange while playing with Facebook's new Graph API: the API was showing a list of my events, and it seemed that anyone could get this list. Today, I spent a while checking to make sure I wasn't crazy.

I didn't opt in for this. I even tried setting all my Privacy Settings for maximum privacy. But Facebook is still exposing the list of events I've attended, and maybe your events too.

What can your event list say about you? Quite a bit. It might reveal your home address, your friends' home addresses, the names and groups of people you associate with, your hobbies, or your political or religious activities, for example.

Here's what the Facebook API publishes about Mark Zuckerberg's events:

As of last Wednesday (Thursday?), anyone on the Internet can now get this information. Using a freshly created account with no connection to you, anyone can make requests to the new Graph API and get a list of events, with dates, descriptions, and locations. Based on my experimentation, it looks like this list contains any event that (a) has a privacy setting of "Open" and (b) you have marked as "Attending" or "Maybe Attending". The content of the event itself is also available, including any comments posted on the event and the names of other people who are invited or attending. (For the housewarming party today that Mark said he was "Maybe Attending", the API provides the address of the party and the names of about 110 people who were invited.)
 

Does this affect you?

Here's how you can try this out for yourself, to see which of your events are revealed:

  1. Go to http://zesty.ca/facebook (a tool for exploring information exposed by the API).
  2. Using the search box on the right, search for your name or e-mail address.
  3. Click the link next to "id" to get to your own profile.
  4. In your "connections" box, click the link next to "events".
 

But this only shows "Open" events, which are public anyway.

That's right. But there's a big difference between publishing an event page with a list of people attending, and publishing a list of events that you attended. Before the new API, to find out which events you attended, I'd have to visit every single event page on Facebook and look for your name among the people attending.

Now, I can just ask the API what you've been doing, and it will tell me. This kind of event list is not even accessible to your friends on the Facebook website; I haven't found any page at http://facebook.com/ that lets me list a friend's events. The API provides this list to anyone, so this is newly exposed information.
 

Surely there must be a privacy setting for this.

As far as I can tell, there is no way to turn this off with your own privacy settings. As evidence, here are my privacy settings as of this moment. I chose the most restrictive setting for everything in my Privacy Settings and unchecked every checkbox in my Application Settings for the Events application.

I applied these settings hours ago, so there has been plenty of time for them to take effect. Here's a screenshot of the information exposed by the API about my own events, with the above settings in effect. Lots of event information is visible, including street addresses (which I've covered up with black bars):

None of the privacy settings seem to have made any difference. (Since taking this screenshot, I have marked myself as "Not Attending" for the events with street addresses so they will no longer appear.)
 

What can we do, then?

So far, the only way I've found to keep events from being exposed in this way is to mark them "Not Attending". If you don't want any events to show up in your event list, then here's what you can do:

  1. Log in to Facebook.
  2. Go to your Events page.
  3. Go through your entire history of events (use the arrow buttons at the bottom to flip pages).
  4. Find every event marked "Attending" or "Maybe Attending", and change it to "Not Attending".

This can be quite a tedious process, since your Events page shows every event you've ever been invited to, and you have to go through them all to find the ones marked "Attending" or "Maybe Attending". I haven't found any way to filter the Events page down to just those events.
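The rule observed above (an event is listed when it is "Open" and marked "Attending" or "Maybe Attending") can be applied to a copy of your own event history to pick out the entries worth changing. This is an added example, not part of the original post or the zesty.ca tool; the record layout, field names, RSVP labels and sample events are constructed assumptions.

```python
import json

# Constructed sample: a hypothetical export of one user's own event history.
# Field names ("privacy", "rsvp_status", "location") are assumptions for this
# example, not a format shown in the post.
SAMPLE_EVENTS = json.loads("""
[
  {"id": "1001", "name": "Housewarming", "privacy": "OPEN",
   "rsvp_status": "unsure", "location": "123 Example St, Springfield"},
  {"id": "1002", "name": "Team dinner", "privacy": "CLOSED",
   "rsvp_status": "attending", "location": "Cafe"},
  {"id": "1003", "name": "Conference", "privacy": "OPEN",
   "rsvp_status": "declined", "location": "Convention Center"},
  {"id": "1004", "name": "Rally", "privacy": "open",
   "rsvp_status": "Attending"},
  {"id": "1005", "name": "Old invite", "privacy": "OPEN"}
]
""")

# RSVP values standing for "Attending" and "Maybe Attending" (assumed labels).
EXPOSING_RSVPS = {"attending", "unsure", "maybe"}


def is_exposed(event):
    """Apply the rule observed in the post: Open event AND Attending/Maybe."""
    privacy = str(event.get("privacy", "")).strip().lower()
    rsvp = str(event.get("rsvp_status", "")).strip().lower()
    return privacy == "open" and rsvp in EXPOSING_RSVPS


def has_street_address(event):
    """Crude heuristic: a location that starts with a house number."""
    location = str(event.get("location") or "").strip()
    return bool(location) and location[0].isdigit()


def review_list(events):
    """Return events to change to "Not Attending", address-bearing ones first."""
    exposed = [e for e in events if is_exposed(e)]
    exposed.sort(key=lambda e: (not has_street_address(e), e["name"]))
    return [(e["id"], e["name"], has_street_address(e)) for e in exposed]


if __name__ == "__main__":
    for event_id, name, address in review_list(SAMPLE_EVENTS):
        flag = "STREET ADDRESS" if address else ""
        print(f"{event_id}  {name:<14} {flag}")
```

Events that never received an RSVP, were declined, or are not "Open" are left out, matching the two conditions described in the post.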
 

Am I crazy?

I'd appreciate independent confirmation of these findings. You can look at the source code of http://zesty.ca/facebook to see what it does. To make requests to the API, the program uses an access token for a Facebook account with no special access. To get this token, I created a new account with no friends and then visited the Facebook API documentation. As examples, the API documentation page provides several links with an access token customized for the current user. The program just uses one of these example tokens. Anyone can create an account and visit the documentation page; hence I believe that anyone can make these requests to the API and get these results.

  • 81 comments
I've never used any events so that is empty for me. But it does have my 2 "likes" - pages I like to see in my news feed sometime. I may have to unlike them. Thanks for the tool.
Hmm, my private info is still private. It's currently only showing the public info anyone can see; my events don't show up.
I don't believe it's showing my events. I currently have at least one open event that I'm attending, and it returns no data for my event list. The only things it returns are my name, picture, object class, time zone, id, and most recent update timestamp.
Hmm! Thanks for checking. Perhaps this is more complicated than I thought.

bostonsteamer

9 years ago

It's showing all my events. I'm cross, because my whereabouts is the main thing I want to keep private.
I can't see the events of anyone else, though, it seems.

fanlain

April 26 2010, 12:20:27 UTC 9 years ago Edited:  April 26 2010, 12:27:22 UTC

It's not showing my events though I don't remember if I've ever checked any as attending. hukuma it returns data for so I forwarded to him to see if he's ok with that. Oh just searching for his name returned all with his same name. But searching for just his email gets to just him and not much is showing. Probably b/c we don't live in the Bay area anymore so we don't get invited to events via Facebook as much?
Yes, the events I marked "Attending" or "Maybe Attending" are visible using the API tool, despite stringent privacy settings. That's bothersome!
What bothers me a lot about this is a basic safety issue as well - some % of people using Facebook are possibly living domestic violence or other issues where they would not want this kind of information public, for their own safety. And now it's like having someone who could harm you know where you'll be when. It's not even just a privacy issue but also a safety issue.

Anonymous

April 26 2010, 13:19:02 UTC 9 years ago

my events do not show (thanks to Lisa K for pointing me to your site!) but my picture seems to be public now for searches? I cannot seem to turn that off anymore. It does share all the pages i have joined that are open content though.
See also facebook.com/help/?faq=17105.
The new Instant Personalization, even if you've opted out, will still use your data if friends use the applications MicrosoftDocs, Pandora, and Yelp. Use the above link to find links to those apps, and block them.

Already did that (see the settings screenshot), and it doesn't seem to have any effect on this issue, alas.
Interesting! Thanks for the pointer. So, event lists have been exposed for a while, then, though it looks like there are some slight differences between the old API and the new API. The new API doesn't show "Closed" events, but the publication of events also can't be turned off in the Application Settings for Events.

I can't find the API Test Console; is it gone?

theharmonyguy

9 years ago

looks like mine are hidden. poking around to see what i have set to private to make it so. it's sort of tragically ironic that the settings are so obscure that zuck himself can't get them right :/
oddly, i had it set to "everyone" but still couldn't see anything. argh facebook.
Thanks for doing this, Ping. Please keep us updated on anything new you find regarding this.

I'm feeling seriously put-out by this. I had a guy who was a borderline stalker try to contact me multiple times on facebook (and of course, I never added him) and now that he can see all of this, I am considering deleting my facebook profile altogether.
Thanks for digging into this Ping. I agree with fanlain that this could be a serious personal safety problem. Not only for abusers/stalkers/etc, but also people can figure out when you're not going to be home and if you have any events where your own address is listed, then potential thieves could know when you wouldn't be home and where you live and where/when to strike. Wasn't there someone who recently scraped twitter feeds and created a site listing mentions of people who weren't at home?

Did the guardian talk to you before they wrote up their piece? It looks like they just quoted your blog.
Please Rob Me grabbed location-based tweets and Foursquare updates, though it looks like they don't anymore. Here's CNet's article about them.

Anonymous

April 26 2010, 19:29:02 UTC 9 years ago

My profile is completely friends-only, yet my profile picture shows up along with my events and other info. Unbelievable.
I believe my profile is set to maximum privacy settings. I checked every content item w/in your tool and found that 3 things are showing publicly, despite my settings:

likes, events, and notes

I don't want any of that to show up publicly, but FB's privacy settings aren't granular enough to give me control over this content.

Anonymous

April 26 2010, 21:55:51 UTC 9 years ago

I can't speculate on why, but not much is loading.

Is it possible that zesty.ca has made too many requests and is being blocked?

Anonymous

April 26 2010, 22:54:30 UTC 9 years ago

direct hits seem to be working better than going through zesty.ca

Mark Zuck.. (http://graph.facebook.com/zuck/events?access_token=2227470867|2.tWmrj81wkipd6McO5r12VQ__.3600.1272326400-744170503|PI285IpaPWSLVUtytQ6Mr5E9wTo.)

if you want to see your own, take that URL and replace "zuck" with your FB userid.

Anonymous

9 years ago

This is a HUGE security problem. Look at this guys events, it gives away everything including an address. Facebook should really look at this!

http://zesty.ca/facebook/#/5/events