Ping (zestyping) wrote,

The new Facebook API exposes the events that some users attend to anyone on the Internet.

To protect your privacy, mark your events "Not Attending".

Update (06:00 PDT): So far, some people have reported that their events are exposed, and some have reported that they aren't. I don't have an explanation. I've sent a note to Facebook asking them not to expose events this way.

Update (13:00 PDT): theharmonyguy commented that event lists were already exposed in the old API, as he reported in December.

Note: This post is based on my observations as an individual Facebook user, curious to know what is revealed about me through the new API. I wrote this article to help others protect their privacy, and I am also in touch with Facebook's team, who is working to fix this. Although I work for Google, this blog represents my personal views and not Google's. Thanks to everyone for your interest.

Update (23:00 PDT): The Facebook API is no longer revealing event lists for the users mentioned in this article, or any other users I've tried. Thanks to the Facebook folks for improving their stuff!

Update (May 12): Please see the new FAQ about the Facebook API Browser.


Yesterday, I discovered something strange while playing with Facebook's new Graph API: the API was showing a list of my events, and it seemed that anyone could get this list. Today, I spent a while checking to make sure I wasn't crazy.

I didn't opt in for this. I even tried setting all my Privacy Settings for maximum privacy. But Facebook is still exposing the list of events I've attended, and maybe your events too.

What can your event list say about you? Quite a bit. It might reveal your home address, your friends' home addresses, the names and groups of people you associate with, your hobbies, or your political or religious activities, for example.

Here's what the Facebook API publishes about Mark Zuckerberg's events:


A trip down memory lane here: I filed a similar bug back in *2007*.

Our app republished your FB events. Contrary to documentation, FB would not filter out "secret" events even if asked to. Since we couldn't tell your public events from your non-public events, we had to disable that part of the app.

We filed bugs, but the resolution was that this was a documentation bug. (!!!) I can't find it, but it was a really low numbered bug at the time, like less than 500.

Here's a public announcement I made at the time.

They've iterated many times on the basic technology since then, and it seems that there are at least some ways to fix the problem now (there were none back then). But, it seems to me to be part of FB's general failure to think through privacy implications (or, more disturbingly, to think through, and then to shrug off.)
I cannot reproduce this bug. I have all sorts of events and don't see any of them through the API. Can events be treated/configured differently? I have never created an event myself.

Interesting hack. I wish Facebook itself would provide me this kind of access to my data, preferably using RSS feeds.
I'm not seeing your events anymore or the test person's. Do you think they fixed it? Maybe the head of facebook didn't like his stuff exposed. I am still seeing yours and my likes.
Yes, it looks like they changed it some time yesterday evening. (I made an update at the top of the post but I guess it's hard to see among the other updates).


April 27 2010, 14:23:57 UTC 10 years ago

Can't view my events or yours (Only thing public for mine is likes, and I'm SURE those likes are cause of the new "Profile Connections" feature, and not only have I opted out of the "Instant Personalization" thing, I blocked ALL 3 applications from grabbing info about me.)

I miss the 2006 version of Facebook, where the only annoying nags were pokes.
What about random photo albums of those users that had kept the old FB settings?

... and pasting this line into the address bar of a selected profile with old FB settings:

That trick was controlled by two factors: 1) the privacy setting for the Photos application being set to "Everyone," and 2) the privacy setting for individual albums being set to "Everyone." Since both of those settings were defaults, it pulled up photos for many users.

But the code has been making the rounds, and lately seems to have been really spreading. Tonight it appears that Facebook has blocked the trick.

By the way, the first version of the trick was also posted back in December.
Great tool and public service, though I realize you're still experimenting with the reliability of results. Most of my data shows empty (as it should), but a lot of links say that the data failed to load.

Does loading failure indicate that the data is indeed private or that there's a bug somewhere?
Same thing happening to me, although my picture shows up. Just want to know what it means when your tool says the data isn't loading.
I don't think they've completely fixed it. It won't list my events, but if I go to a specific one it lists me as having attended...

API Graph


April 28 2010, 10:18:43 UTC 10 years ago

Are we allowed to type other people's names into this? Or is that frowned upon?

Data empty


April 28 2010, 11:29:59 UTC 10 years ago

When I tried to search my name, I didn't even show up. I guess that must mean I'm safe. I was able to find my sisters, so I know the tool can't just be down.
I would pay for a monitoring service that would tell me when anything new is exposed by the API. Is anyone doing that or thinking about it?
Back in November, I signed up for Facebook's BETA test of the ability to hide statuses from or show statuses to custom groups or friends. It seems when I did that, it made ALL of my previous statuses and links public. Now I'm trying to go through and delete them all. I wonder if your tool could link directly to the item in question on facebook so that we could go through the list from your site and delete that way, rather than having to deal with FB's cumbersome way to find old data.

Thanks a MILLION for your work!




April 28 2010, 19:55:29 UTC 10 years ago

In January I made my privacy settings far more restrictive than they previously had been. Before the new year, basically everything was public including status updates.

When I check my acct using this tool, I can see all status updates entered while anyone on FB could see my profile, even though they are no longer visible publicly on FB user interface to 'non-friends'. Even DELETED status updates still appear.

So it looks like users who've chosen to restrict privacy settings are out of luck with regards to some information entered prior to restricting. Which doesn't mirror the user experience on the front end of the application...
My profile on Facebook was locked down and I am only able to see a few of my things. Then again almost everything on my profile is friends only. If you make your profile friends only then you won't have a problem.

not nice


April 29 2010, 06:10:58 UTC 10 years ago

If you're denying what people before you have been saying, you should explain how they are wrong.
Since facebook IDs are numeric, scanning facebook should be trivial. Beyond the scanning, does this work regardless of age?