Exploiting competitor information via the Facebook API

Interesting day at Facebook’s London Mobile Hack yesterday. Disclosure: I skipped the hack part, which was scheduled for 5pm to 9.30pm. But I attended a full day of lectures before I snuck off. So I hope I can wear the t-shirt without shame.

At one point I asked Simon Cross (who built the Graph Explorer) about the relationship between:

  • the custom actions you can create, make available for users to perform, record inside Facebook on the users’ Graph, and make available for publication to your users’ TimeLines, Tickers and Newsfeeds (subject to Facebook’s algorithmic discretion, and subject to the user having granted your app the requisite write permissions)


  • the fine-grained activity permissions that users grant to applications, which you can inspect (and troubleshoot) via Graph Explorer

I wasn’t really sure why I was asking the question – I just had a nagging feeling I was missing something. I didn’t understand how custom actions, which are extensible, were related to activity permissions, which were (presumably but not necessarily) defined in the same way (but not necessarily set to the same value) for every app.

In retrospect I was just confused. My thinking now is that there is no necessary relationship. The custom actions which are graph extensions occur as a combination of app design, Facebook approval, then, at run time, are instantiated and populated via user agency occurring via the app. These custom user actions don’t necessarily have any link to the FB app action permission schema, although they of course might have a link if the app action involved actually involves, at a more abstract level, any of the types of actions which occur in the permission schema. Ok well that’s sorted then. Maybe. Unless I’m actually wrong here, which of course I might be. In which case tell me.

Setting aside for the moment whatever ontological muddles I might have gotten into, the answer I got from Simon was, I think, much more interesting than the question I asked. What he said was that subject to the appropriate permissions having been granted by the user, it was possible for an app to read data stored in the user’s graph by other apps. He explained that this was because Facebook viewed all data as the user’s data, and it was, therefore, for the user to decide who could view it.

Here’s an example which I just fished out of the docset:

“If the user has granted your app with the user_games_activity permission then this api will give you scores for all apps for that user. Otherwise it will give you scores only for your app.” (source: https://developers.facebook.com/docs/reference/api/user/#friends accessed 13.34 GMT 6 March 2012)

This has a variety of interesting potential uses, which I am sure you are busy thinking about right this minute.

Of course – what’s sauce for the goose is sauce for the gander. If the user has granted permission, you can see the trail other apps have left, but other apps will be able to see what YOU have salted away in the graph, too.
