Dec. 19, 2009

Posted by theharmonyguy in Facebook | 2 comments

Facebook Knows What You Did Last Summer

Pardon the creative title. In working on accessing Facebook photo albums lately, I noticed that one of the stories on Mark Zuckerberg’s privacy settings mentioned that he’d removed his events from his profile. After finding a way to view public photo albums, I wondered if I could find a way to pull up a user’s public events. That pursuit taught me a little more about Facebook’s privacy settings, and also raised another aspect of Facebook privacy I’d not previously considered.

At first, I followed the same approach as with photos – I tried to make special requests that imitate what happens when you click on a tab in a user’s profile. Doing so brought up no event information for Mark Zuckerberg, but did for a friend of a friend. It turned out this behavior could actually be controlled by a user’s privacy settings. However, the setting may not be where you’d expect – it’s on your application settings page. Facebook treats their events module as an application, and in the settings for the Events application is a field controlling who can see the application. Setting it to “Only Friends” blocks the trick I was using if you’re not the person’s friend; I’m guessing the same setting for the Photos application would block the bookmarklet I posted.

But while Events does appear in the application settings page, it’s not your average application. I knew that the Facebook API included commands for requesting event data. I loaded up Facebook’s API Test Console, set the method to events.get, and put in a user ID.

What came up surprised me – a complete record of practically every public event that user had been invited to. Note that this was not a friend of mine. I could easily filter by whether they had RSVP’d that they were attending the event.

The list only includes “open events,” those that are publicly accessible. (Update: “Closed” events are also visible, just not “secret” events.) But the results reminded me of the controversy over Facebook’s original News Feed – while the feature didn’t expose any new data, it made it much easier to access. I’m guessing most Facebook users do not realize you can pull up a list of all the public events they’ve attended so easily.

Also, any application that a user authorizes has access to the secret events that user has been invited to, since the application operates on behalf of the user.
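The gap described above is two access paths to the same data making different authorization decisions. The following is an added example, not code from the original post or from Facebook: a constructed model in which every name is hypothetical, assuming (as the post implies) that the API path filters only on event privacy and does not consult the Events application setting.

```python
from dataclasses import dataclass, field

# Constructed model of the two access paths described in the post.
# All names are hypothetical; this is not Facebook's code or API.
RELATION_RANK = {"stranger": 0, "friend_of_friend": 1, "friend": 2, "self": 3}
# Minimum relation required by each value of the Events application setting.
SETTING_MIN = {"everyone": "stranger",
               "friends_of_friends": "friend_of_friend",
               "only_friends": "friend"}

@dataclass(frozen=True)
class Event:
    name: str
    privacy: str  # "open", "closed" or "secret"

@dataclass
class Profile:
    events_setting: str  # who can see the Events application
    invited: list = field(default_factory=list)

def setting_allows(profile, relation):
    needed = SETTING_MIN[profile.events_setting]
    return RELATION_RANK[relation] >= RELATION_RANK[needed]

def visible_by_event_privacy(profile, relation):
    # Secret events go only to the user (or an app acting as the user).
    return [e.name for e in profile.invited
            if relation == "self" or e.privacy != "secret"]

def profile_tab_events(profile, relation):
    """Profile-tab path: honours the Events application setting."""
    if not setting_allows(profile, relation):
        return []
    return visible_by_event_privacy(profile, relation)

def api_events_observed(profile, relation):
    """API path as assumed from the post: event privacy only."""
    return visible_by_event_privacy(profile, relation)

def api_events_consistent(profile, relation):
    """API path sharing the profile tab's authorization decision."""
    return profile_tab_events(profile, relation)

# Constructed sample data.
SAMPLE = Profile("only_friends", [Event("Conference", "open"),
                                  Event("Reunion", "closed"),
                                  Event("Surprise party", "secret")])

if __name__ == "__main__":
    for path in (profile_tab_events, api_events_observed, api_events_consistent):
        print(path.__name__, path(SAMPLE, "stranger"), path(SAMPLE, "friend"))
```

Routing every read path through one shared authorization function, as `api_events_consistent` does, is what keeps a setting like “Only Friends” meaning the same thing regardless of how the data is requested.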

Seeing years of events come up when I put in my own Facebook ID was a wake-up call for me. I handle event requests routinely, but hadn’t really ever given thought to the fact that Facebook has stored all that information – and makes it accessible to others (for public events) and applications. It’s one more aspect of privacy that Facebook users may want to reconsider.

  1. just wondering why they don't hire u?

  2. Wow that was super interesting to discover. I went to my application settings and then found events and photos. My events were set to everyone and photos to friends of friends. Hmm….not anymore. :) I checked a couple of other random applications and realized they are all set to various levels of security so I am changing them all to friends. I had no idea that setting existed!
