Facebook Graph API's multiple privacy options
This article was published 13 years ago. Some information may be outdated or no longer applicable.
Facebook and privacy. You can’t mention those two words without controversy and concern following close behind.
Over the past few years, the developers (and I assume multiple solicitors and product managers in the background) have tried to simplify the privacy settings. I remember when there were about 50 checkboxes to control everything, and it was a mind-numbing process to go through each one. That’s now been replaced with a much simpler interface that still gives you proper control.
I’m building a Facebook application using the Facebook Graph API. I won’t get into the details of the application itself (that’ll be a later post). Instead, I want to talk about something that struck me while working with the Graph API: there are multiple layers of privacy settings when dealing with Facebook App development, and they’re not always obvious. I know there’s been controversy over “Graph search” and how it invades privacy, but it all comes down to one thing: user awareness. Everything is on Facebook if you know where to look. Some people don’t realise how much they’re sharing, and they can’t always find the right setting to change it.
The big question is, what can the Graph API access?
Generally speaking, a call to the Graph API requires an Authorisation Token. I’m not going into the exact mechanics of that here. Let’s just talk about what’s available to a developer building a Facebook App. The answer is strange: everything and nothing. It depends on the user’s privacy settings. (And yes, before you jump in, it also depends on the permissions requested at login. But right now we’re talking about an app used by one person: the developer.)
So what do I mean by ‘everything and nothing’? By default, Facebook lets you retrieve a user’s ‘Basic’ information set, available without providing an access token:
- id - Facebook ID of the user
- name - Full name of the Facebook user
- first_name - First name of the user
- middle_name - Middle name of the user
- last_name - Last name of the user
- gender - Gender of the user
- locale - A string containing the ISO language code and ISO country code of the user (e.g. en_GB)
- username - The user's chosen Facebook username
- link - A link to the user's Facebook profile
Beyond that, everything requires an access token and a permission. To retrieve a user’s birthday (assuming they’ve added it to their profile), you submit the “user_birthday” permission. In theory, the Graph API should return an array including the birthday. Correct? Not entirely. There’s another layer of filtering.
On top of their own profile’s privacy, users can also control what third-party apps can access from their profile. And they can control what the apps that other people use can access about them. That last bit gave me a proper headache. I couldn’t work out why my API calls returned different data for different users, even though both users had the same information visible on their profiles. Consider users with IDs 1 and 2. Both are friends. Both have birthdays on their profiles. But two separate API calls produce different results:
<?php
// A lot of code was removed from here!
$this->_facebook->api("/1"); // case 1 - returns an array of information about User 1
$this->_facebook->api("/2"); // case 2 - returns an array of information about User 2
?>
Case 1 returns something like:
Array
(
    [id] => 1
    [name] => User Name
    [first_name] => User
    [last_name] => Name
    [link] => http://www.facebook.com/username
    [username] => username
    [birthday] => 01/01/1975
    //further keys
)
Whereas case 2 returns:
Array
(
    [id] => 2
    [name] => Another Username
    [first_name] => Another
    [last_name] => Username
    [link] => http://www.facebook.com/anotherusername
    [username] => anotherusername
    //further keys
)
Strange, right? You’d expect to see the [birthday] key in the second case too, especially with the ‘user_birthday’ permission in place. This is where the “Apps Others Use” privacy setting kicks in.
If a user unchecks the birthday field there, the only way to get that information is if the user is actively using your app. Has this “feature” been publicised? Are Facebook users actually aware of this setting? It tells me Facebook is taking privacy concerns seriously, but users who don’t know about these (somewhat) hidden settings may be sharing more than they’d like. The dataset above appears to be the default, so if you don’t change it, you’re sharing all of that out of the box.
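A defensive way to consume these responses, shown as an added example that is not code from the original post: it sorts the fields an app wants into returned, withheld and not permitted, so a missing `birthday` is handled as "no data" rather than as an error. The names `GATED_FIELDS` and `classifyFields` and the two sample arrays are constructed for illustration; only the `user_birthday` permission and the field names come from the article.

```php
<?php
// Added example: GATED_FIELDS and classifyFields() are hypothetical names.

// Field => permission it needs. Only user_birthday comes from the article.
const GATED_FIELDS = ['birthday' => 'user_birthday'];

/**
 * Sort the fields an app wants into three buckets:
 *   returned      - present in the response
 *   not_permitted - absent, and the app never held the required permission
 *   withheld      - absent with nothing left for the app to request: the
 *                   profile field is empty or the user's privacy settings
 *                   (e.g. "Apps Others Use") filtered it out. The response
 *                   cannot tell the two apart, so treat both as "no data".
 */
function classifyFields(array $response, array $wanted, array $granted): array
{
    $report = ['returned' => [], 'withheld' => [], 'not_permitted' => []];
    foreach ($wanted as $field) {
        $permission = GATED_FIELDS[$field] ?? null;
        if (array_key_exists($field, $response)) {
            $report['returned'][] = $field;
        } elseif ($permission !== null && !in_array($permission, $granted, true)) {
            $report['not_permitted'][] = $field;
        } else {
            $report['withheld'][] = $field;
        }
    }
    return $report;
}

// Constructed responses, shaped like the article's case 1 and case 2.
$case1 = ['id' => '1', 'name' => 'User Name', 'username' => 'username',
          'birthday' => '01/01/1975'];
$case2 = ['id' => '2', 'name' => 'Another Username', 'username' => 'anotherusername'];

$wanted  = ['name', 'username', 'birthday'];
$granted = ['user_birthday']; // permissions the app holds

foreach ([$case1, $case2] as $user) {
    $report = classifyFields($user, $wanted, $granted);
    printf("user %s: returned=[%s] withheld=[%s] not_permitted=[%s]\n",
        $user['id'],
        implode(',', $report['returned']),
        implode(',', $report['withheld']),
        implode(',', $report['not_permitted']));

    // Never index a gated field directly; default to null when it is absent.
    $birthday = $user['birthday'] ?? null;
}
```

Logging the `withheld` bucket per request makes it clear when a privacy setting, not a bug, is the reason two users with the same visible profile produce different arrays.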