Join 3,494 readers in helping fund MetaFilter (Hide)


You were poked by Big Brother.
November 19, 2007 9:27 PM   Subscribe

Over the past couple of years, Facebook has become increasingly popular, until it seemed like everyone and their grandma was joining up. A new feature, called Facebook Beacon, lets corporations join the fray. Might this be cause for concern?

Previously.
posted by Reggie Digest (49 comments total) 6 users marked this as a favorite

 
See also.
posted by Reggie Digest at 9:29 PM on November 19, 2007 [1 favorite]


If you buy a book on Amazon, a little bit of code is embedded within that site then sends the data to Facebook and informs your friends that you've bought a particular book.

I don't get it...Facebook users have to enable this cross-platform tracking ability. If you don't download the code and install the application on your Facebook profile, then your purchases, web habits, etc, can't be tracked by Facebook, right?
posted by KokuRyu at 9:33 PM on November 19, 2007


The Blog of the Office of the Privacy Commissioner of Canada also recently posted this video on the topic.

The previous sentence, incidentally, would be completely insane to a citizen of the 20th century.

The blog is dry, but does have a lot of video, and would probably be of interest to armchair online privacy enthusiasts.
posted by blacklite at 9:34 PM on November 19, 2007 [1 favorite]


Don't worry, there is still lots of stupid advertising going on inside facebook, too.
posted by patr1ck at 9:47 PM on November 19, 2007


Howto block beacon.

As I mentioned here, at least facebook has the decency to tell you that they're sharing your data. It's still not clear to me to what extent google tracks your adwords conversions in the process of deciding which ads to show you.
posted by simra at 9:59 PM on November 19, 2007


The third leg in the social-advertising stool is one of the most interesting. It's called Facebook Beacon, and it effectively tracks the online behaviour of users - those who specifically choose to take part in the service - not just within Facebook but elsewhere on the Internet as well.
posted by KokuRyu at 10:01 PM on November 19, 2007 [1 favorite]


Howto block beacon.

Uh, don't add the 'Kongregate' application?

What is the threat to privacy here?
posted by KokuRyu at 10:05 PM on November 19, 2007


I keep waiting to hear about some cool Facebook thing that will motivate me to figure out/remember my login and password.

This isn't it.
posted by rtha at 10:07 PM on November 19, 2007


I'm pretty sure Big Brother wasn't a corporation, per se.
posted by aaronetc at 10:17 PM on November 19, 2007


If you don't download the code and install the application on your Facebook profile, then your purchases, web habits, etc, can't be tracked by Facebook, right?

As far as I can tell, there's no Facebook application involved; there's only the Javascript code on the external website. (It might not be Javascript but rather server-side code, but I'm guessing the external site knows which Facebook profile to ping based on the Facebook cookie you have from a previous login.)

If you go to your Facebook privacy settings, you'll see there's no way to shut off external website interaction globally; you have to go to the external website itself to tell it not to send info to Facebook, or else visit the external website and then return to your Facebook settings and turn off data harvesting for that specific website.

This means you'll have to tell Amazon, Epicurious, and whatever other sites are involved in the data harvesting operation individually to stop sending data to Facebook. Not only is this a pain in the ass from a UI perspective, it also means you have to keep a vigilant eye on every site you visit, as well as the Facebook external site privacy settings page, to make sure no one's getting through. Or you could set up your firewall/Firefox/whatever to block all requests to the relevant Facebook Beacon pages. Or you could just never accept any cookies from Facebook. But all this is asking quite a bit more of the average user than before.

This sort of cross-domain tracking is exactly why people hated DoubleClick. Except DoubleClick's reams of data could only ever be pinned on an IP address; Facebook's system ties all that site traffic data to a rich personal profile. So even if you're like me and you've given Facebook a minimum of information, it probably still knows details like what school you went to and what your real name is.

Facebook's recent moves to becoming a more effective advertising platform, as opposed to a more effective social network site, may indeed be the final nail in the coffin. But it's far more likely Facebook will keep trucking along, its users blissfully and wilfully unaware of all the data harvesting going on in the background. Losing a couple thousand members here and there won't mean much to Facebook, and to the average user it means nothing at all if all your friends are still on it.
posted by chrominance at 10:20 PM on November 19, 2007 [11 favorites]


I get it now.
posted by KokuRyu at 10:40 PM on November 19, 2007


Yes, chrominance is right - I actually found these settings in my recent perusal of my facebook privacy settings. The page says this:
"Privacy Settings for External Websites

Show your friends what you like and what you're up to outside of Facebook. When you take actions on the sites listed below, you can choose to have those actions sent to your profile.

Please note that these settings only affect notifications on Facebook. You will still be notified on affiliate websites when they send stories to Facebook. You will be able to decline individual stories at that time.

No sites have tried sending stories to your profile"
posted by jacalata at 10:56 PM on November 19, 2007


Of course, I just realised that the probable reason for 'no sites' yet having sent stuff to my profile is that I have javascript blocked everywhere by default, and they use javascript for this.
posted by jacalata at 11:00 PM on November 19, 2007


jacalata: thanks

I just checked out "Privacy Setting for External Websites"...

It's funny how Facebook calls it "settings", because users are unable to change anything. Unless Facebook is setting up infrastructure for Windows Live Spaces or something.
posted by KokuRyu at 11:02 PM on November 19, 2007


This means you'll have to tell Amazon, Epicurious, and whatever other sites are involved in the data harvesting operation individually to stop sending data to Facebook. Not only is this a pain in the ass from a UI perspective, it also means you have to keep a vigilant eye on every site you visit

Except for the part where the external website outside of Facebook will alert you as it attempts to send a story to your news feed, prompting you to opt-out if you wish to do so.
posted by Lleyam at 11:34 PM on November 19, 2007


I saw this a couple months ago, and I wondered if it wasn't a little paranoid:

Does what happens in the Facebook stay in the Facebook?

Now I'm not so sure.
posted by Locative at 11:43 PM on November 19, 2007


Except for the part where the external website outside of Facebook will alert you as it attempts to send a story to your news feed, prompting you to opt-out if you wish to do so.

It may not be sent to your feed, but Facebook still gets the information.

Also, on one of the blogs a person mentioned having information sent automatically, without them ever being asked.
posted by Locative at 11:46 PM on November 19, 2007


*registers facefook.com*
posted by stavrosthewonderchicken at 1:20 AM on November 20, 2007


you'll see there's no way to shut off external website interaction globally

How irritating.
posted by grouse at 1:25 AM on November 20, 2007


Why the surprise? We all knew back in 1995 that the free lunch was going to end. We just didn't know how good the vendors would be at hiding the payments.
posted by lodurr at 4:08 AM on November 20, 2007 [1 favorite]


After reading all the links, particularly the first one, it seems that in order to have your purchases and activity at external sites get sent to Facebook, you have to friend/fan/whatever the profile for the external company (i.e. Amazon) or in some way become a "fan" of a brand. So by not becoming a fan of a brand, wouldn't that mean they wouldn't track your purchases?

A likely scenario:
Shauna, who enjoys Revlon products, indicates she’s a fan of the brand and becomes a Fan-Sumer. Marketers at Revlon can then purchase SocialAds, which will then display on Shauna’s newsfeed or on ads on her profile. If Shauna purchases Revlon makeup from Amazon, her newsfeed could indicate an eCommerce links recommending it to her 100 trusted friends, resulting in further sales.


I don't use Facebook, so maybe I am not understanding how this "fan" business works.
posted by Orb at 4:22 AM on November 20, 2007


In theory, couldn't you block all this from happening by using a throwaway email address for your Facebook account registration?
posted by HeroZero at 4:30 AM on November 20, 2007


Orb, are you being facetious (which would be thoroughly appropriate in this context), technical, or general?

I don't use Facebook so at a technical level I can't say how their implementation of it works, but in general the "fansumer" concept is the idea that you get users to do a crucial part of your marketing for you.

It's the Hot New Thing (these past several years) in online marketing. See "Church of the Customer" for one approach to the ideology of it, and it permeates basically everything Seth Godin says in public. It's also at the heart of all the talk about "voice" in the Cluetrain Manifesto, which should have been a clue from the beginning that the whole thing was a kind of self-deluding fraud.

I find it simultaneously fascinating and creepy, myself. The idea is that people will be more likely to accept a promotional message from another person than they will from a corporation. People like Seth Godin and Jackie Huba focus relenelessly on the positive possibilities; this story just hints at the negative potential.
posted by lodurr at 5:35 AM on November 20, 2007


As far as I can tell, there's no Facebook application involved; there's only the Javascript code on the external website. (It might not be Javascript but rather server-side code, but I'm guessing the external site knows which Facebook profile to ping based on the Facebook cookie you have from a previous login.)

I don't think that's how it works at all, cross-domain cookies have been disabled in browsers for years, and it's really difficult to have a two-way conversation between two websites in javascript, precisely to prevent this sort of thing. If that was how it worked, it wouldn't work in any browser since like IE4.

I had assumed it involved the user entering their facebook information on the interested site, probably using log-on widget.
posted by delmoi at 6:56 AM on November 20, 2007


delmoi: I haven't looked at the details, but I know that it's easy to insert tracking code into a page that punches data out to a third party site. That's how Google Analytics works. No cookies, just real time JavaScript.

So you could do it by essentially writing the cookie to a remote server. The methods of matching that I'm thinking of are a bit fuzzy (IP within a session), but they'd be good enough for this.

Not saying that's how they do it -- they most likely have a much better way than I can think of -- just saying that it doesn't sound implausible to me, since (even) I can imagine a way to do it.
posted by lodurr at 7:05 AM on November 20, 2007


I don't use Facebook so at a technical level I can't say how their implementation of it works, but in general the "fansumer" concept is the idea that you get users to do a crucial part of your marketing for you.

Right, but people generally only do that with products they love, and they only do it to people they think would love the products. What facebook is trying to do is force people to do this, or do this by default if they're lazy. And that is just going to annoy the hell out of people. Even though it's not visually distracting, it's far more annoying then even those "push the button to win the sumo contest and a free iPod" ads on myspace. and the Facebook newsfeed is full of crap now, crap that you can't even turn off. Let me see...

Okay, it's not too bad today, except for all the notices that one of my friends turned a bunch of people into "vampires" *rolls eyes*
posted by delmoi at 7:05 AM on November 20, 2007


What facebook is trying to do is force people to do this, or do this by default if they're lazy. And that is just going to annoy the hell out of people.

I agree with the first point, disagree with the second.

Basically, I think I'm more cynical about people's apathy level than you are.
posted by lodurr at 7:06 AM on November 20, 2007


delmoi: I haven't looked at the details, but I know that it's easy to insert tracking code into a page that punches data out to a third party site. That's how Google Analytics works. No cookies, just real time JavaScript.

Right, but basically two "DOMs" can't communicate with each other. Your website can communicate with the facebook server (using xmlhttprequest, for example), but if you do that, the facebook server will not see it's own cookies. Once that data comes back, it could use javascript to look at the cookies on the current site, if it's eval'd. But the current site's cookies are not that interesting, right?

Or, you could try opening facebook in an iframe. But, you'll be stymied again because even though the user can the facebook page, you can't get any data out of it, not through the DOM and not through javascript. I think Iframe's get cookies, but I'm not actually sure.

So you can do something like a log-on box, where the user enters their information, and then you redirect the whole page to a new URL with that information, but doing cross-page communication is difficult, due to all the security features. They're great for users, but it does make a lot of cool ideas impossible, or annoyingly difficult for developers.

But yeah, Google Analytics does not track you across sites.
posted by delmoi at 7:18 AM on November 20, 2007


So Facebook still sucks. Word.
posted by chunking express at 7:25 AM on November 20, 2007


When someone says "such and such web 2.0 site is worth $20 Billion" how do you think they come up with that number? How the hell else to you expect them to make money? A tip jar? This isn't a surprise and it's just going to get "worse".

I joined facebook (after much goading) with full knowledge that stuff like this will be introduced. Eventually facebook will get too annoying or unhip (or both) and everyone will move on.
posted by ODiV at 7:48 AM on November 20, 2007


Well, I don't know whether they've all introduced it yet, but I just switched off all my normal privacy settings in firefox and spent half an hour browsing the partner sites they list where I am a member, and none of them have tried anything. It looks like my outrage (and my attempts at figuring out how it might work) will have to wait a while.
posted by jacalata at 8:19 AM on November 20, 2007


The lack of a global opt-out is the same problem that's causing all the zombie superpoke spam on Facebook. Every week some asshole Javascript hack comes up with a stupid new viral Facebook application. And Facebook lets this new app spam my email until I go back to their site and disable that specific new application. It's terrible.
posted by Nelson at 8:37 AM on November 20, 2007


But will corporations play Scrabble with me?
posted by aught at 8:52 AM on November 20, 2007


I am not being facetious. I asked a question: how can Facebook know what a Facebook member is doing on Amazon, unless there's some way for Facebook and Amazon to link the two accounts ... which, according to the link in my comment, happens when someone decides to become a "fan" of a company or product through that company's profile page at Facebook. Like here we have "contacts" and their activity shows on the sidebar of the front page, at Livejournal they have "friends" and their activity shows on your Friends Page, and at Facebook they apparently have "fans" and their activity, be it uploading photos or whatever, shows up on your profile page (or somewhere you can see it easily anyway).

The example I snipped from the article was weak, so maybe this explains it better:

Since social ads only work if a member has indicated they are a fan, brands will be working to earn and buy fans to accept them as members. Expect a lot of noise to be generated from this activity as brands run campaigns to encourage members to add them as fans through discussion boards, banner ads, and special offers.

It seems to me a person would have to go to a profile page on Facebook that is established for, say, Revlon, and decide to become a (Facebook) "fan", which would then allow them to essentially use you as an advertisement, so not declaring to the world you love Coca Cola and Revlon by networking your profile at Facebook with the profile of said companies should keep your purchasing habits and whatnot from being used as ads ... or no?
posted by Orb at 8:56 AM on November 20, 2007


...or no?

I think the whole 'fansumer' thing is not directly related to the integrated tracking of buying and browsing behavior. The "social ad", in other words, is a particular implementation and it has extra stuff that wraps around it.
posted by lodurr at 9:05 AM on November 20, 2007


delmoi: But yeah, Google Analytics does not track you across sites.

But it sorta could, if they wanted it to, and I would be kind of surprised if they didn't for some purposes on a limited basis. Direct tracking -- no, can't do that. But you could track inferentially. That would be good enough for this kind of application. Not good enough for the NSA, obviously, but good enough for Revlon.
posted by lodurr at 9:07 AM on November 20, 2007


Eventually facebook will get too annoying or unhip (or both) and everyone will move on.

Let's call it the Myspace Rule: Once a site is popular enough, it will attract spammers who will dramatically increase the annoyingness of a site.
posted by drezdn at 9:19 AM on November 20, 2007 [1 favorite]


Well, I don't know whether they've all introduced it yet, but I just switched off all my normal privacy settings in firefox and spent half an hour browsing the partner sites they list where I am a member

They have.

I am not being facetious. I asked a question: how can Facebook know what a Facebook member is doing on Amazon, unless there's some way for Facebook and Amazon to link the two accounts

You have to link the accounts yourself by giving Amazon your face book information, and/or vise versa. You can probably do that through facebook by clicking on a special link, but none of this can happen without you being involved.
posted by delmoi at 9:28 AM on November 20, 2007 [1 favorite]


But it sorta could, if they wanted it to, and I would be kind of surprised if they didn't for some purposes on a limited basis.

Right, they can track based on IP address, but that wouldn't work at all for facebook, I think people would be pretty upset if facebook started announcing to all your friends that the guy who's unprotected access point you're using is into Furry Lolicon.

Let's call it the Myspace Rule: Once a site is popular enough, it will attract spammers who will dramatically increase the annoyingness of a site.

But it's not even "spammers" it's facebook itself whoring out it's userbase. They need to set things up so that people can filter their notifications soon because it's really becoming obnoxious.
posted by delmoi at 9:33 AM on November 20, 2007


To slightly change the rule: Once a site gets popular enough, it will be made far more annoying by people trying to make money off of it.
posted by drezdn at 9:39 AM on November 20, 2007


Serious question, delmoi: What do you use Facebook for? What do you get from it?

I used to update my Yahoo profiles back in the day. I knew people who looked at them. I kept up a HotWired profile page for a while. May still have a scrape of it somewhere. (I'm a packrat.) I actually do have a MySpace ID that I never use, I have LinkedIn contacts I never look at -- I don't think I'm on Facebook, but I could be wrong, I sign up to a lot of random shit with throwaway email addresses just to see what it's like. But I don't do any of it because I want to "communicate" with people. If there's stuff I want people to know about me I put it on my web-based resume or on my blog, and even then, I tend to be surprised if someone gives a crap.

Adam Greenfield (elsewhere than MeFi, haven't seen his handle 'round here in a while), who is far, far more web 2.0 on his days off than I'm ever likely to be flat-out, recently had some observations on the topic, particularly w.r.t. the falloff in quantity and quality of flickr sets and the decreasing length and depth of blog posts.

Maybe it really is all a fad, or a succession of fads, cranky-old-man as that sounds.
posted by lodurr at 9:46 AM on November 20, 2007


Thank you, delmoi. That's what I was trying to figure out without having to sign up for Facebook: that the user has to do the linking of various accounts.
posted by Orb at 10:52 AM on November 20, 2007


First off, Amazon's not on the list of Project Beacon partners.

Second, it has nothing to do with being a facebook-fan of a brand or store. Everyone drop that line of thought right now. It's not an opt-in program; it's an opt-out program.

Third, the Facebook help page for this topic says the notifications only work if you're logged into Facebook at the same time you're on the external site. If you don't want to be bothered by these notifications, don't leave yourself logged into Facebook 24/7.

How are they cross-referencing? By having the external sites load some JavaScript (including this) from Facebook servers so that Facebook can grab one of its own cookies and figure out who you are. Not that tricky. From a brief look, it appears the script is using the referring URI to associate the user with a transaction -- there must be something non-Javascripty on the back end that lets the external site share the details of the transaction. (Although the JavaScript is being generated by a PHP file, so I suppose they could include the transaction ID in a query string -- we all know how much PHP programmers love their URI parameters.) They'll probably sync in batches, so expect a time delay between the external site's prompt and the story actually appearing at Facebook.

I'm saying "appears" and "probably" a lot, because I haven't run into a Beacon box yet. The only "partner" site I use with any frequency is ebay, and they don't seem to be online with Beacon yet.
posted by faster than a speeding bulette at 11:19 AM on November 20, 2007


Let's call it the Myspace Rule: Once a site is popular enough, it will attract spammers who will dramatically increase the annoyingness of a site.

Nobody goes to Myspace anymore; it's too crowded.
posted by ODiV at 2:20 PM on November 20, 2007


Serious question, delmoi: What do you use Facebook for? What do you get from it?

One reason is the ability to "keep in touch" with acquaintances, or friends that I don't talk to as much as I should. I have some old friends from high school that I lost touch with, but as long as everyone has a face book profile, I don't have to worry about it.

And, uh, that's pretty much it, and if I meet someone new I can get their face book details, rather then keep their number in my phone, their email in by address book, etc, which can get lost.

Sending emails through face book is more "fun" (I guess) then SMTP mail, and it's interesting to see what's going on with people via their news feeds. And sending pokes or "super pokes" can be fun too. A lot of the utility of the site comes from the fact that everyone I know is on the site as well, if they weren't, it would be pretty dull.
posted by delmoi at 3:05 PM on November 20, 2007 [1 favorite]


You didn't seem like what I had in my mind as a "facebook type"; I guess my visualization was not well-examined. Nothing earthshattering, but that's the point: You're using it for ordinary things. So, thanks.
posted by lodurr at 5:48 AM on November 21, 2007


For the consideration of searchers: noticing delmoi's comment after mine a couple of days later (yes I looked at how many people favorite my posts, I know you do it too, shut up), I thought maybe he had a point. I turned up a couple of ways to get around cross-domain cookie access if the two sites trust each other (as is the case with Facebook and the external sites), but maybe you'd rather know how it all actually works.

In essence, your profile is tied to your website action via a dynamically-created iframe on the external site, which loads a Facebook page and sends a GET query string containing the ID of the external site. The external website doesn't have access to your Facebook cookie, but Facebook itself does, which is how we get around the whole cross-domain issue. Facebook now has the ID of the site you've just visited (as well as the action you've just taken) and the identity of the person who just visited the site (i.e. you). Beacon does not rely on Facebook Pages for any functionality whatsoever and is not an explicit opt-in service.
posted by chrominance at 1:08 AM on November 30, 2007 [1 favorite]


Another one of those heel-of-hand-to-the-forehead solutions. Obvious once it's stated. And clear that you could easily stop the whole thing with Adblock.
posted by lodurr at 2:55 AM on November 30, 2007


Also for the records:
Deconstructing Facebook Beacon Javascript
Beacon now requires an explicit opt-in

What a stupid mistake Facebook made.
posted by Nelson at 8:28 AM on November 30, 2007


« Older Scientific esthetics- Made With Molecules. Some c...  |  Facing an unprecedented series... Newer »


This thread has been archived and is closed to new comments