To protect your privacy, mark your events "Not Attending".

Update (06:00 PDT): So far, some people have reported that their events are exposed, and some have reported that they aren't. I don't have an explanation. I've sent a note to Facebook asking them not to expose events this way.

Update (13:00 PDT): theharmonyguy commented that event lists were already exposed in the old API, as he reported in December.

Note: This post is based on my observations as an individual Facebook user, curious to know what is revealed about me through the new API. I wrote this article to help others protect their privacy, and I am also in touch with Facebook's team, who is working to fix this. Although I work for Google, this blog represents my personal views and not Google's. Thanks to everyone for your interest.

Update (23:00 PDT): The Facebook API is no longer revealing event lists for the users mentioned in this article, or any other users I've tried. Thanks to the Facebook folks for improving their stuff!

Update (May 12): Please see the new FAQ about the Facebook API Browser.

Yesterday, I discovered something strange while playing with Facebook's new Graph API: the API was showing a list of my events, and it seemed that anyone could get this list. Today, I spent a while checking to make sure I wasn't crazy.

I didn't opt in for this. I even tried setting all my Privacy Settings for maximum privacy. But Facebook is still exposing the list of events I've attended, and maybe your events too.

What can your event list say about you? Quite a bit. It might reveal your home address, your friends' home addresses, the names and groups of people you associate with, your hobbies, or your political or religious activities, for example.

Here's what the Facebook API publishes about Mark Zuckerberg's events:

As of last Wednesday (Thursday?), anyone on the Internet can now get this information. Using a freshly created account with no connection to you, anyone can make requests to the new Graph API and get a list of events, with dates, descriptions, and locations. Based on my experimentation, it looks like this list contains any event that (a) has a privacy setting of "Open" and (b) you have marked as "Attending" or "Maybe Attending". The content of the event itself is also available, including any comments posted on the event and the names of other people who are invited or attending. (For the housewarming party today that Mark said he was "Maybe Attending", the API provides the address of the party and the names of about 110 people who were invited.)



Does this affect you?

Here's how you can try this out for yourself, to see which of your events are revealed:

Go to http://zesty.ca/facebook (a tool for exploring information exposed by the API). Using the search box on the right, search for your name or e-mail address. Click the link next to "id" to get to your own profile. In your "connections" box, click the link next to "events".

But this only shows "Open" events, which are public anyway.

That's right. But there's a big difference between publishing an event page with a list of people attending, and publishing a list of events that you attended. Before the new API, to find out which events you attended, I'd have to visit every single event page on Facebook and look for your name among the people attending.

Now, I can just ask the API what you've been doing, and it will tell me. This kind of event list is not even accessible to your friends on the Facebook website; I haven't found any page at http://facebook.com/ that lets me list a friend's events. The API provides this list to anyone, so this is newly exposed information.



Surely there must be a privacy setting for this.

As far as I can tell, there is no way to turn this off with your own privacy settings. As evidence, here are my privacy settings as of this moment. I chose the most restrictive setting for everything in my Privacy Settings and unchecked every checkbox in my Application Settings for the Events application.

I applied these settings hours ago, so there has been plenty of time for them to take effect. Here's a screenshot of the information exposed by the API about my own events, with the above settings in effect. Lots of event information is visible, including street addresses (which I've covered up with black bars):

None of the privacy settings seem to have made any difference. (Since taking this screenshot, I have marked myself as "Not Attending" for the events with street addresses so they will no longer appear.)



What can we do, then?

So far, the only way I've found to keep events from being exposed in this way is to mark them "Not Attending". If you don't want any events to show up in your event list, then here's what you can do:

Log in to Facebook. Go to your Events page. Go through your entire history of events (use the arrow buttons at the bottom to flip pages). Find every event marked "Attending" or "Maybe Attending", and change it to "Not Attending".

This can be quite a tedious process, since your Events page shows every event you've ever been invited to, and you have to go through them all to find the ones marked "Attending" or "Maybe Attending". I haven't found any way to filter the Events page down to just those events.



Am I crazy?

I'd appreciate independent confirmation of these findings. You can look at the source code of http://zesty.ca/facebook to see what it does. To make requests to the API, the program uses an access token for a Facebook account with no special access. To get this token, I created a new account with no friends and then visited the Facebook API documentation. As examples, the API documentation page provides several links with an access token customized for the current user. The program just uses one of these example tokens. Anyone can create an account and visit the documentation page; hence I believe that anyone can make these requests to the API and get these results.