Surprise! Your Facebook visibility isn’t what you thought it was.

I’ve long wanted to be able to add Facebook to the list of sources that my elmcity service queries for local event information. It was never possible before, but the recent changes to the Facebook API (and terms of service) prompted me to take another look.

At first glance, it seems doable. Here are some sample queries:,nh arbor, mi,nh

You can see what turns up for your town by swapping in your city and state. A lot of the events are public and could reasonably be included in a citywide aggregation. But then there are ones like this:

SURPRISE Lantheaume Baby Shower
1000 Market Street, Portsmouth, NH 03801

Clearly this baby shower should not appear on a citywide public calendar. Why does search find it? Let’s look at the data about this event that’s visible to the world:

{ “id”: “314667046847”,
“owner”: {
“name”: “Jesse Barnes”,
“id”: “11000551”},
“name”: “SURPRISE Lantheaume Baby Shower”,
“description”: “Baby \”Ox\” is on his or her way! Come and celebrate with the mom-to-be and her closest friends and family! Please remember to bring your decorated onesie so that we can display them for Kris. \n\nLook on this site for additional details that are still being determined. “,
“start_time”: “2010-06-26T20:00:00+0000”,
“end_time”: “2010-06-26T23:00:00+0000”,
“location”: “1000 Market Street, Portsmouth, NH 03801”,
“privacy”: “CLOSED”,
“updated_time”: “2010-04-02T15:01:10+0000”}

When you create a private event, there are three options:

Open: Anyone can see this Event and its content.

Closed: Anyone can see this Event, but its content is only shown to guests.

Secret: Only people who are invited can see this Event and its content.

Clearly Jesse should have marked this event Secret, not Closed. Until very recently, an error like that would be unlikely to result in an embarrassing information leak. But now things have changed, and people are going to start learning harsh lessons about the visibility of their Facebook stuff.

I don’t see any way to teach my service to exclude events that people marked as Closed because they thought it meant Secret. So I guess elmcity’s Facebook feature is going to have to wait until those lessons are learned.

Posted in ., .

13 thoughts on “Surprise! Your Facebook visibility isn’t what you thought it was.

  1. A better way: The tools that encourage you to create web-facing surface area should also help you evaluate its visibility.

  2. Jon,

    Just saw this (now only public or private):

    “You can also choose between two types of events: a public event, available for anyone to RSVP and attend, and a private event. Private events will only be visible to people who have been invited, and only invited people can see the event in their News Feed.”

  3. @Will Ambrosini; “How will Jesse learn her lesson without apps like elmcity exposing her mistake?”

    So wait, you’re saying the human is at fault, not the service which may have un-smart defaults, unclear visibility settings, or settings that make sense within the UI of facebook but not outside?

    Well, I guess that’s the engineer’s gut reaction.

  4. No, I’m saying this is a loosely connected system. Given there’s no central bug list and no code dictator to tell us who should “fix” their code, how is the system suppose to correct itself?

  5. Will,

    Facebook should make people opt out of privacy (i.e. defaults should be set to highest privacy level). Of course, Facebook isn’t the first company to take the “opt into privacy” route, I’ve been told the “White Pages” system forces you to “opt into privacy” which means by default your data is public. Thus, it isn’t just Facebook, how about the fact that I can Google Map all the way to the front-door of your residence?

    The more we ignore privacy, the more problems await us on this rapidly coalescing Web of Structured Linked Data :-(


  6. I’m unclear how to interpret “…elmcity’s Facebook feature is going to have to wait…”.

    Does this mean it’s been turned off and not available? Or yes, it is available, but the point is that one should understand the caveats and must explicitly turn it on via “facebook=yes” in metadata?

    Thanks for clarifying.

  7. Pingback: Facebook Tricks

Leave a Reply