What Does Facebook Tell Third Parties?

A Programming Exercise from Teaching Privacy (Module 5: Sharing Releases Control)

Part 1: Gather Your Tools and Your Keys

Install the Libraries

First install the urllib3, Requests, and Facebook SDK Python libraries if you don’t already have them on your computer. You will need these libraries to extract data from the Facebook API.

The easiest way to do this is using pip. Open your terminal and type the following separate commands into the command line:

pip install urllib3
pip install requests
pip install facebook-sdk

For more on getting and using pip, check out the documentation or the w3schools.com tutorial.

Set Up API Access and Get Token

To use the Facebook Graph API, you first need to grant yourself permission. For this, you must get an access token:

  1. Open your browser and log in to your Facebook account. If you don’t have a Facebook account or don’t want to use it for this exercise, you will need to create a new one.
  2. Go to https://developers.facebook.com, declare yourself a developer, and register a new app. For detailed instructions, see https://developers.facebook.com/docs/apps.
  3. Go into the Facebook Graph API Explorer Tool.
  4. In the top right-hand corner, click the ‘Get Token’ button and then the ‘Get User Access Token’ button.
  5. Select a subset of permissions you want to grant from the menu that appears, then click ‘Get Access Token’. The generated access token will be displayed in the long box at the top of the screen. (It will expire after about two hours.)
  6. Copy the access token into another private document, or just keep the tab open so you can use it in future steps.

Initialize Your App

Open up your preferred source code editor (such as Sublime Text or Atom) and make a new .py file for your app.

Start with the following initialization commands. Replace your-access-token-number-here with the access token number you got in the previous step.

import urllib3
import requests
import facebook
token = 'your-access-token-number-here'
graph = facebook.GraphAPI(access_token=token, version = 2.7)

Part 2: Extract Facebook Data on Kai Peroc

In this part of the exercise, you will extract data about a character named Kai Peroc.

Objectify Kai

Each user or page on Facebook has a unique ID number, which you will need to get information via the API. You can use this ID number to create a Python object for the person, from which you can query their personal information.

The ID number for Kai Peroc is 431395783688716. Create an object for Kai using the following command:

kai = graph.request("431395783688716")

Find Some Information

Look at the “Fields” and “Edges” categories in the Facebook Graph API documentation to figure out what fields or edges you want to extract for Kai. Add calls to the code you started writing above. You can print the results to the console or a file.

For example, you can access all the pages Kai likes using the following command:

likes = graph.get_object(id = "431395783688716", fields = "likes")

Hint: Keep in mind that many of the objects returned are dictionaries, so you will need to index them using the appropriate syntax. If you have not used dictionaries before, you can check out these videos: www.youtube.com/watch?v=daefaLgNkw0 or www.youtube.com/watch?v=XCcpzWs-CI4

For this part of the exercise, make sure you extract at least Kai’s liked pages, birthday, cover photo, photo albums, and timeline posts (or, in other words, xyr feed).

Part 3 — Bonus Exercise: Extract Facebook Data about Yourself

With Basic Permissions

Now that you’ve seen how much information you can extract about a random person, let’s see how much you can extract about yourself!

Go back to the Graph API Explorer Tool, grant yourself whatever permissions you’d normally grant a random app, and generate an access token.

Referring back to Facebook Graph API documentation, experiment with what information you can extract: family relationships, likes, friends….

Hint: Instead of using your user ID in the graph.request query (as we did in Kai’s case), you can simply use the me command.

Add Some Permissions

Now go back one more time to the Facebook Graph API Explorer Tool and generate a new access token, this time granting yourself more permissions.

Experiment with what new information you can extract about yourself with these additional granted permissions.

Part 4: Brainstorm and Reflect

Think about the information you were able to gather about Kai Peroc.

  • What did you learn about Kai from the data you gathered? What kind of data was available?
  • Using that data, what inferences can you draw about xyr demographics, what kind of person xe is, what xe’s interested in?
  • What kinds of apps might have access to this data? What are the limitations on who can get it?
  • How do you think those apps might use that information?
  • If they gathered information on many users at once, how could they use that aggregated information?
  • If Kai could remember xyr password, do you think there’s things xe would like to change/delete/undo? How would that affect apps’ access to that data?
  • Besides apps, who else might use Kai’s data that xe wasn’t expecting when xe originally decided to post something/friend someone/like something?
  • If you were Kai’s friend, would you trust xyr judgment about what apps xe allowed to access data about xyr Friend connections?

If you did the bonus exercise, think over the information you were able to gather about yourself by requesting access as a third-party app.

  • If you have Facebook, do you know what third parties have access to your data that isn’t set to be “Public”?
  • Prior to this exercise, what information did you think they had access to? Have your ideas about that changed?
  • When you experimented with granting your app more permissions, were you surprised by which data actually became viewable? Were there any surprises about what you weren’t able to view?