Pretend you don’t know me. To save you some manual effort you surely won’t mind giving me permission to not only add things to your calendar, but also, you are okay with me sharing your calendar or even deleting it.
I will stop calling you Shirley if you agree that this is crazy.
But apparently some tens or hundreds of thousands of people are okay with this. They click right by this screen.
Do you really want to grant these permissions to give addevent.com to delete all my calendars? I stopped and said no.
From years of running events that have potentially / ideally would have participants from all over the world, one of the biggest challenges is time. If I just plan something that starts at 11:00am Friday, and state that, it does not help you much if you are somewhere outside of my time. I’ve used a variety of world time clocks and tools that convert to local time, and they help a lot.
I currently favor the World Time Buddy event widget that I learned about via running the Virtually Connecting web site. An idea struck me a few weeks ago I shared with others in the VC Slack who share technical stuff that what would help folks a lot is one of those buttons that make it one click thing to add an event to whatever calendar you used.
Maybe the last time I did this for a site was maybe 8-10 years ago, and recall using some JavaScript library. When I dug into the various solutions people used, nearly all of them went down to using the “free” service from Addevent.com. I decided to test it out, which means creating an account, and a little test event.
That was easy. But it sure made my worry spot itch a bit about running this through a third party service. The way these add to calendar links work, from my recollecting, is forming a specific URL that has as parameters the event date, time, and something to help the calendar figure the time differences.
And then I started getting all kinds of getting email notifications from Addevent about my “event”. Someone favorited it. Then all kinds of other reminders. I decided to refocus on a solution (still not done) not requiring a third party service. I found it interesting that there is no way I could delete my account on AddEvent. I had to email and ask for that.
Anyhow, the long winded, ranting intro gets to today. I wanted to tune into the live #el30 conversation between host Stephen Downes and Maha Bali. And look! An Add to Calendar button, that’s helpful!
And I almost added it to my Google calendar, because that would be easy, quick, and… HOLD THE EFFING BUS! Why would I grant such broad permissions to Addevent.com??
Are you seriously willing to give https://t.co/qoHEx1pGe0 these kinds of rights to your calendar simply for the convenience of not adding it manually?
Not me. I'll do the timezone math myself. This is way over-reaching.@downes this is from your #el30 site. pic.twitter.com/Sp2Po3JD8a
— Alan Levine (@cogdog) November 14, 2018
I mean the service is called ADDEVENT.com not DELETEMYCALENDARS.com
No ***ing way. I just looked at the east coast time of the event, adjusted to my local, and added it myself.
I would have tweeted to Addevent.com but … they lack twitter. So I did go their site. I first looked around for any kind of terms of use or technical specs that would say why they need access to delete all calendars I have access to.
You do find statements in their privacy notice that seem re-assuring:
We are not in the business of selling your Personal Data. We consider this vital information to be a part of our relationship with you. Therefore, we will not sell your Personal Data to third parties, including third party advertisers.
The very next sentence is vague and chilling, eh?
There are, however, certain circumstances in which we may disclose, transfer or share your Personal Data with certain third parties without further notice to you.
So, it’s “We are nice we won’t sell your data” but “we have hidden secret reasons that we will just give your data to and never tell you.”
I’m a bit new to reading terms carefully, it’s rather enlightening.
I was however, unable to find anything there that explains why they need permission to delete my calendars.
So I decided to ask them.
I will keep you posted.
I will also be vigilant and asking you, as well, to give some thought about the permissions you just give. It’s not that I think they are doing anything evil; I want transparency about their needs for these permissions.
You can say “no”.
Update: November 15, 2018
“Good news”- a response from Addvent.com:
Holy banana, thank you so much for letting me know about that issue Alan.
Looks like Google just now changed their permission scopes. It has been changed in our code and will be updated tomorrow – now it will require a lot fewer permissions. We basically only need permission to insert events.
Meanwhile, you can read more here what the permissions are used for and how we use it:
https://www.addevent.com/privacy/google-calendar
Thanks again for letting me know, much appreciated! Let me know if you have any questions. Hope you’ll have a great day!
I don’t remember seeing this link yesterday, but happy to see it today.
But I am skeptical of this statement, “Looks like Google just now changed their permission scopes.”
I find it hard to imagine the API changing to broaden access that much. But what do I know?
I found a reference to a change on Oct 31, 2018 that added more fine grained permissions, but really that would change default permissions to be broader? Here are the current permission scopes in the Calendar API v3
Google Calendar API authorization scopes- if the basic authorization is used, than it gives an app the rights "See, edit, share, and permanently delete all the calendars you can access using Google Calendar"
I’m glad AddEvent fixed this, and it’s a good reminder to always think before you grant permission.
Featured image: Pixabay image by Catkin shared into the public domain using Creative Commons CC0.
they still have the sam permission – any idea how to REMOVE their permission once granted (i intended to allow ADDEVENt access for this one entry, and then immediately revoke it but cant find it in setting etc for google calendar)
You should be able to see and revoke via https://myaccount.google.com/permissions?pli=1
came across this post because I’m managing a site that’s using addevent button without having an acct with them. https://www.addevent.com/add-to-calendar-button
I’m sure this must violate a TOS.
——
More and more I’m seeing apps/services requesting broad access to gmail/calendar. Noping out of all of them.