Posted by theharmonyguy in Facebook | 2 comments
Facebook Knows What You Did Last Summer
Pardon the creative title. In working on accessing Facebook photo albums lately, I noticed that one of the stories on Mark Zuckerberg’s privacy settings mentioned that he’d removed his events from his profile. After finding a way to view public photo albums, I wondered if I could find a way to pull up a user’s public events. That pursuit taught me a little more about Facebook’s privacy settings, and also raised another aspect of Facebook privacy I’d not previously considered.
At first, I followed the same approach as with photos – I tried to make special requests that imitate what happens when you click on a tab in a user’s profile. Doing so brought up no event information for Mark Zuckerberg, but did for a friend of a friend. It turned out this behavior could actually be controlled by a user’s privacy settings. However, the setting may not be where you’d expect – it’s on your application settings page. Facebook treats their events module as an application, and in the settings for the Events application is a field controlling who can see the application. Setting it to “Only Friends” blocks the trick I was using if you’re not the person’s friend; I’m guessing the same setting for the Photos application would block the bookmarklet I posted.
But while Events does appear in the application settings page, it’s not your average application. I knew that the Facebook API included commands for requesting event data. I loaded up Facebook’s API Test Console, set the method to events.get, and put in a user ID.
What came up surprised me – a complete record of practically every public event that user had been invited to. Note that this was not a friend of mine. I could easily filter by whether they had RSVP’d that they were attending the event.
The list only includes “open events,” those that are publicly accessible. (Update: “Closed” events are also visible, just not “secret” events.) But the results reminded me of the controversy over Facebook’s original News Feed – while the feature didn’t expose any new data, it made it much easier to access. I’m guessing most Facebook users do not realize you can pull up a list of all the public events they’ve attended so easily.
In addition, any application that a user authorizes has access to secret events the user has been invited to, since the application operates on behalf of the user.
Seeing years of events come up when I put in my own Facebook ID was a wake-up call for me. I handle event requests routinely, but hadn’t really ever given thought to the fact that Facebook has stored all that information – and makes it accessible to others (for public events) and applications. It’s one more aspect of privacy that Facebook users may want to reconsider.
Just wondering why they don't hire you?
Wow that was super interesting to discover. I went to my application settings and then found events and photos. My events were set to everyone and photos to friends of friends. Hmm….not anymore. :) I checked a couple of other random applications and realized they are all set to various levels of security so I am changing them all to friends. I had no idea that setting existed!