Pretend you don’t know me. To save you some manual effort you surely won’t mind giving me permission to not only add things to your calendar, but also, you are okay with me sharing your calendar or even deleting it.

I will stop calling you Shirley if you agree that this is crazy.

But apparently some tens or hundreds of thousands of people are okay with this. They click right by this screen.

Do you really want to grant these permissions to give addevent.com to delete all my calendars? I stopped and said no.

From years of running events that have potentially / ideally would have participants from all over the world, one of the biggest challenges is time. If I just plan something that starts at 11:00am Friday, and state that, it does not help you much if you are somewhere outside of my time. I’ve used a variety of world time clocks and tools that convert to local time, and they help a lot.

I currently favor the World Time Buddy event widget that I learned about via running the Virtually Connecting web site. An idea struck me a few weeks ago I shared with others in the VC Slack who share technical stuff that what would help folks a lot is one of those buttons that make it one click thing to add an event to whatever calendar you used.

Maybe the last time I did this for a site was maybe 8-10 years ago, and recall using some JavaScript library. When I dug into the various solutions people used, nearly all of them went down to using the “free” service from Addevent.com. I decided to test it out, which means creating an account, and a little test event.

That was easy. But it sure made my worry spot itch a bit about running this through a third party service. The way these add to calendar links work, from my recollecting, is forming a specific URL that has as parameters the event date, time, and something to help the calendar figure the time differences.

And then I started getting all kinds of getting email notifications from Addevent about my “event”. Someone favorited it. Then all kinds of other reminders. I decided to refocus on a solution (still not done) not requiring a third party service. I found it interesting that there is no way I could delete my account on AddEvent. I had to email and ask for that.

Anyhow, the long winded, ranting intro gets to today. I wanted to tune into the live #el30 conversation between host Stephen Downes and Maha Bali. And look! An Add to Calendar button, that’s helpful!

Event page with an Add to Calendar button, arrow points to the options that appear- "Apple, Google, Outlook, Yahoo"

And I almost added it to my Google calendar, because that would be easy, quick, and… HOLD THE EFFING BUS! Why would I grant such broad permissions to Addevent.com??

I mean the service is called ADDEVENT.com not DELETEMYCALENDARS.com

No ***ing way. I just looked at the east coast time of the event, adjusted to my local, and added it myself.

I would have tweeted to Addevent.com but … they lack twitter. So I did go their site. I first looked around for any kind of terms of use or technical specs that would say why they need access to delete all calendars I have access to.

You do find statements in their privacy notice that seem re-assuring:

We are not in the business of selling your Personal Data. We consider this vital information to be a part of our relationship with you. Therefore, we will not sell your Personal Data to third parties, including third party advertisers.

The very next sentence is vague and chilling, eh?

There are, however, certain circumstances in which we may disclose, transfer or share your Personal Data with certain third parties without further notice to you.

So, it’s “We are nice we won’t sell your data” but “we have hidden secret reasons that we will just give your data to and never tell you.”

I’m a bit new to reading terms carefully, it’s rather enlightening.

I was however, unable to find anything there that explains why they need permission to delete my calendars.

So I decided to ask them.

Screenshot of my email message asking the reasons for such broad permissions to my calendar

I will keep you posted.

I will also be vigilant and asking you, as well, to give some thought about the permissions you just give. It’s not that I think they are doing anything evil; I want transparency about their needs for these permissions.

You can say “no”.


Update: November 15, 2018

“Good news”- a response from Addvent.com:

Holy banana, thank you so much for letting me know about that issue Alan.

Looks like Google just now changed their permission scopes. It has been changed in our code and will be updated tomorrow – now it will require a lot fewer permissions. We basically only need permission to insert events.

Meanwhile, you can read more here what the permissions are used for and how we use it:

https://www.addevent.com/privacy/google-calendar

Thanks again for letting me know, much appreciated! Let me know if you have any questions. Hope you’ll have a great day!

I don’t remember seeing this link yesterday, but happy to see it today.

But I am skeptical of this statement, “Looks like Google just now changed their permission scopes.”

I find it hard to imagine the API changing to broaden access that much. But what do I know?

I found a reference to a change on Oct 31, 2018 that added more fine grained permissions, but really that would change default permissions to be broader? Here are the current permission scopes in the Calendar API v3

Google Calendar API authorization scopes- if the basic authorization is used, than it gives an app the rights "See, edit, share, and permanently delete all the calendars you can access using Google Calendar"

I’m glad AddEvent fixed this, and it’s a good reminder to always think before you grant permission.


Featured image: Pixabay image by Catkin shared into the public domain using Creative Commons CC0.

If this kind of stuff has any value, please support me monthly on Patreon or a one time PayPal kibble toss
Profile Picture for Alan Levine aka CogDog
An early 90s builder of the web and blogging Alan Levine barks at CogDogBlog.com on web storytelling (#ds106 #4life), photography, bending WordPress, and serendipity in the infinite internet river. He thinks it's weird to write about himself in the third person.

Leave a Reply

Your email address will not be published. Required fields are marked *