Facebook Graph API's multiple privacy options

Facebook and privacy. These two words can't live without the mention of controversy and concern in the same article. Over the past few years the developers (and I assume multiple solicitors & product managers in the background) have tried to do their best to help users understand the privacy settings of Facebook. I remember when there were about 50 checkboxes to control everything and it was quite a mind-numbing process to go through all the individual settings and select the appropriate ones only - this has now changed into a much more simplified interface which is really simple, robust and yet, still allows you great control over your privacy settings.

I'm currently working on a Facebook application using the Facebook Graph API. I'm not going to get into the details of why and how I'm developing this particular application (that will be discussed in a later post); instead, I'm going to discuss something that has struck me while working with the Graph API: how much there is to learn about the multiple levels of privacy settings when dealing with Facebook App development (or just your own profile's privacy), regardless of the previously discussed attempts to make privacy settings and control easier to understand. Don't get me wrong, I know that there have been a number of controversies over the "Graph search" and how it invades privacy; however, it all boils down to one thing - the awareness of the user. Apparently everything is on Facebook, all you need to do is look, but some people may not know how much information they are really sharing and may not find the right place for the right privacy setting.

The big question is, what can the Graph API access?
Generally speaking, a call to the Graph API requires an Authorisation Token, but I'm not going to discuss the exact mechanisms of that at this time; let's only talk about what exactly is available to a developer who is creating a Facebook App. Well, the answer is strange - everything and nothing. It really depends on the user's privacy setting - and before you start getting into an argument with me that it depends on the permissions requested at login, yes, you're right, but now we are talking about an application that is only used by one person - the developer.

So what exactly do I mean by 'everything and nothing'? By default, Facebook allows you to retrieve the 'Basic' information set about a user - that is, information available without providing an access token. The information consists of:

  • id - Facebook ID of the user
  • name - Full name of the Facebook user
  • first_name - First name of the user
  • middle_name - Middle name of the user
  • last_name - Last name of the user
  • gender - Gender of the user
  • locale - A string containing the ISO language code and ISO country code of the user (e.g. en_GB)
  • username - The user's chosen Facebook username
  • link - A link to the user's Facebook profile

On top of this, everything else requires an access token and a permission - so, for example, to retrieve the birthday of the user (provided that the user has added it to his profile) we need to submit the so-called "user_birthday" permission and, in theory, the Graph API should return us an array including the birthday of the user - correct? No, it's not, at least not entirely. There's another level of filtering.

Essentially, users, on top of their own profile's privacy, can also control the information that third-party apps can access from their profile, as well as what the apps that other people are using can access. This last bit is really important - it did give me a bit of a headache, and it wasn't really straightforward to me why my API calls returned different things for different users even though both users' information is displayed on their profile. To be more specific, consider users with ID 1 and 2. Both of them are added as friends and both of them have the birthday added to their profile; however, two separate API calls produce different result sets:

    // A lot of code was removed from here!
    $this->_facebook->api("/1"); // case 1 - returns an array of information about User 1
    $this->_facebook->api("/2"); // case 2 - returns an array of information about User 2

Case 1 returns something similar to:

    [id] => 1
    [name] => User Name
    [first_name] => User
    [last_name] => Name
    [link] => http://www.facebook.com/username
    [username] => username
    [birthday] => 01/01/1975
    //further keys

Whereas case 2 returns the following:

    [id] => 2
    [name] => Another Username
    [first_name] => Another
    [last_name] => Username
    [link] => http://www.facebook.com/anotherusername
    [username] => anotherusername
    //further keys

Strange, isn't it? You'd expect to see the [birthday] key in the second case as well, especially if the 'user_birthday' permission is used. This is where the "App Others Use" (the official name) privacy setting comes into play:


Should a user decide to uncheck the birthday field, the only way you can get hold of this information is if the user is actually using your app. Has this "feature" been publicised? Are Facebook users actually aware of this setting? It certainly tells me that Facebook is taking the privacy concerns seriously and trying to address them, but users who are not aware of these (somewhat) hidden settings may reveal more than they would like to. The above dataset seems to be the 'default' one, so if you don't change it, out-of-the-box, you are sharing all that information.
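The three layers described in this post (basic fields, permission, and the "apps others use" setting), written out as a small PHP model. This is an added example, not Facebook's implementation and not code from the application discussed; the function `visibleFields`, its parameters and the sample profiles are assumptions made for illustration.

```php
<?php
// Model of the filtering layers described in this post (added illustration,
// not Facebook's implementation). All names below are hypothetical.

// Layer 1: the 'Basic' set listed above.
const BASIC_FIELDS = ['id', 'name', 'first_name', 'middle_name', 'last_name',
                      'gender', 'locale', 'username', 'link'];

// Layer 2: field => permission. Only the pair named in the post is included.
const FIELD_PERMISSION = ['birthday' => 'user_birthday'];

/**
 * @param array $profile          everything the subject stored on their profile
 * @param array $granted          permissions attached to the app's access token
 * @param bool  $subjectUsesApp   true if the subject authorised the app themselves
 * @param array $othersAppsFields fields the subject left ticked for apps used by others
 */
function visibleFields(array $profile, array $granted, bool $subjectUsesApp, array $othersAppsFields): array
{
    $out = [];
    foreach ($profile as $field => $value) {
        if (in_array($field, BASIC_FIELDS, true)) {
            $out[$field] = $value;   // basic info is always returned
            continue;
        }
        $needed = FIELD_PERMISSION[$field] ?? null;
        if ($needed === null || !in_array($needed, $granted, true)) {
            continue;                // unmapped field or permission not granted
        }
        // Layer 3: data reached through a friend is subject to the friend's own setting.
        if (!$subjectUsesApp && !in_array($field, $othersAppsFields, true)) {
            continue;
        }
        $out[$field] = $value;
    }
    return $out;
}

// Constructed sample data mirroring users 1 and 2 from the post.
$user1 = ['id' => '1', 'name' => 'User Name', 'username' => 'username', 'birthday' => '01/01/1975'];
$user2 = ['id' => '2', 'name' => 'Another Username', 'username' => 'anotherusername', 'birthday' => '02/02/1980'];

$granted = ['user_birthday'];
$case1 = visibleFields($user1, $granted, false, ['birthday']); // birthday left ticked
$case2 = visibleFields($user2, $granted, false, []);           // birthday unticked
var_dump(array_key_exists('birthday', $case1), array_key_exists('birthday', $case2));

// A granted permission does not guarantee the key: always treat it as optional.
echo $case2['birthday'] ?? 'birthday withheld by user setting', PHP_EOL;
```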
