Primordial

Facebook Beacon – Evil genius? February 22, 2008

I just got an ad in my Facebook news feed about a movie my friend Mike rented at Blockbuster. 

This seemed like a typical social application notification at first, so I assumed Mike was using the Blockbuster Facebook app. After looking more closely however, I realized the ad was from Facebook, not an app.  I found that very surprising!  That got me very interested in how Facebook managed to make the connection between Mike’s Facebook ID and his online Blockbuster account…

Beacon strikes

My starting assumption was that this was Facebook’s notorious "Beacon" advertising program in action, which turned out to be correct. 

Beacon launched in December and caused a big brew-ha-ha about privacy violations because the program sends notifications to your friends about purchases you have recently made.  MoveOn.org even got involved and applied pressure to make this an opt-in only program. Facebook eventually bowed to the pressure and created an privacy setting to let users opt-out of the advertising program.

http://www.nytimes.com/2007/11/30/technology/30face.html

The public outcry reminded me of the reaction I saw to the introduction of the Facebook news feed, which users eventually came to love.

http://www.time.com/time/nation/article/0,8599,1532225,00.html

http://www.insidefacebook.com/2007/11/21/beacon-concerns-like-news-feed-concerns-of-a-year-ago-will-fade/

When this first blew up, my assumption was that things I buy through Facebook were broadcast to my friends (for example: I follow an ad link from Facebook to buy something on Amazon, and then Facebook sends an alert to my friends).  This struck as the cost of using a service that notifies your friends about most of what you do on the service.  No biggie, quit your whining.

My understanding of Beacon turned out to be completely wrong and now that I understand the way it really works, I can only say it is absolutely genius and quite possibly evil.

The investigation (IM-style)

spike: low pri question for u when you get a sec
mike: shoot
spike: Facebook is running an ad about the fact you added 24 to your blockbuster queue
spike: What activity caused that?
mike: that’s a good question
mike: on the blockbuster side, it must be linked to the blockbuster movies by mail system
mike: netflix competitor
spike: Actually, it says you added hitman to your queue
mike: but for facebook to be linked to blockbuster.com
spike: then gave me and ad for 24
mike: it’s listing what I added?
mike: personally
spike: that’s what it says
spike: "Mike Nimer added Hitman to their queue on Blockbuster"
mike: that’s really annoying, I don’t want that data shared
mike: and I’m pretty sure I haven’t added a blockbuster facebook app
mike: to my account
spike: I’ll tell u how to disable, but I’m trying to figure out how they know
spike: do you use Blockbuster?
mike: I would imagine that I have some blockbuster app
spike: that’s what I was wondering.
mike: on my account, which pings blockbuster and gets my last video
mike: although it doesn’t work very well, I added hitman weeks ago
mike: that’s the only way it could happen, right?
spike: Check out your apps list when u get a sec to see if you have Blockbuster installed
spike: yes, somehow they have bound your Blockbuster account to your FB ID
mike: ok this is wierd, I don’t have it listed
spike: think you did in the past?
mike: no
mike: I’m pretty sure I wouldn’t of bothered to add it
spike: hmm
mike: when did it show up that I added hitman, is it a new post?
spike: crazy
spike: It showed up in my news feed.
spike: FB generally inserts 1 ad per day in there
spike: I know they had an ad service recently that they got bashed for cross advertising personal info with
mike: but for blockbuster to know about me, and know I’m linked to you
spike: this is exactly what it looks like, but I was interested in how they linked it
mike: that kind of scares me, granted blockbuster itself is harmless – but in general the idea that it can work this way
spike: They also had some kind of connection with Amazon where they could tell your friends about stuff you bought
mike: doesn’t the facebook api allow you to find your firiends
spike: yes. But this ad is clearly coming from Facebook
spike: but Blockbuster gave them the info
spike: its not app spam like you would do if it was implemented directly by the app
mike: maybe it’s some deal with facebook
mike: could the social ads be it
mike: Privacy Settings for Advertisements Facebook occasionally pairs advertisements with relevant social actions from a user’s friends to create Social Ads. Social Ads make advertisements more interesting and more tailored to you and your friends. These respect all privacy rules. You may opt out of appearing in your friends’ Social Ads below.
mike: this must be it
spike: yeah. that’s how you opt out of "Beacon"
mike: I mean it let’s me set "Appear in Social Ads for"
mike: and considering that I added hitman weeks ago, which is probably when they started doing the data mining for the ad
spike: Here is the app: http://www.facebook.com/blockbuster
mike: I’ll bet this is related
spike: click on it and see if you’re a member
mike: I’m not
spike: here’s controversy article: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9053002  
mike: I just changed my social ad option. let me know if you ever see this again
mike: if so I’m going to have to go nuts on facebook
spike: where did you find the opt out?
spike: I’m just facinated that they made the connection btwn the 2 sites
spike: I wonder if its based on your email
mike: under privacy
spike: if so, that’s just Fn awesomely evil
mike: keep that news post
mike: I think so
mike: actually I don’t think it’s email
mike: facebook, is linked to my work email
mike: and blockbuster is linked to my @yahoo email
spike: hmm.
spike: F’ me!
spike: "Facebook Beacon works through the use of a 1×1 GIF web bug on the third-party site and Facebook cookies."
spike: jeezuz those guys are smart
mike: wow
spike: http://en.wikipedia.org/wiki/Beacon_(Facebook)  
mike: that’s what it was
spike: Yeah I knew it was, but I was trying to figure out how they do it
spike: now I know. Wow
mike: that’s evil
mike: that’s a spammer trick
spike: One of the big customer advocate groups went apeshit about it when they launched it
spike: that’s where the opt-out option came from
mike: I remember that
mike: I guess you still default it on
spike: I thought they had changed it to default to opt-out
mike: that’s what the articles claim
mike: but I barely use facebook, I have the most basic account
spike: MoveOn.org fought it hard
mike: I’m glad to hear that. what I’m curious to hear more about is what the computerworld article talks about
mike: with the supreme court hearing and blockbuster
mike: this sure seems like a violation of that
mike: most companies can plead ignorance, but not blockbuster
spike: yeah
spike: Do you have a message like this in your feed? http://bits.blogs.nytimes.com/2007/11/29/the-evolution-of-facebooks-beacon/  
mike: I don’t see anything like this on facebook, checking blockbuster now
spike: should be on FB
mike: don’t see it, but found this on blockbuster
mike: http://www.blockbuster.com/help/faq/  
spike: Do you see anything about blockbuster on this link?
spike: http://www.facebook.com/privacy.php?view=unconfirmed_actions  
mike: yes
mike: and I’ve now turned everything off
spike: can you send me a screenshot of what you see
spike: I’m writing a blog post about all this
mike: it’s not that facebook does this, it is that it’s on by default
spike: agree
mike: in the words of google, that is evil

So, what’s it all mean?

It turns out that cookies set by Facebook are being used by other sites that you visit to link your activity on the site back to your Facebook account.  Facebook then uses that activity information to send ads to your friends.

Dave McClure gives a good rundown of the total experience (though I think the experience has changed a bit since his post).

http://500hats.typepad.com/500blogs/2007/11/facebook-beacon.html

I’ve been involved in Web application programming a long time and I’ve always mocked the folks who disable browser cookies by calling them cookie-freaks because I felt the good of stateful web applications greatly outweighed the evils. This is the first time I’ve really encountered a use of those cookies that really made me feel like I’m being watched. I now feel a bit oblivious, because it turns out this cookie-sniffing technique has probably been used by big portals like Microsoft, Google, Yahoo for a long time to help optimize ads they serve you.

I have to admit, I love a good hack, and this one is awesome.  Now I just have to let it sink in to see how I really feel about all this and if there are other good ways to use this technique.

Is it evil? Where’s Darwin when you need him?

I’m not convinced this kind of tracking and advertising is evil, but I do think this is the kind of thing people should get to opt-in to instead.

It turns out Facebook already has a great opt-in mechanism that makes sense for this, its called Facebook applications, and when you add them to your profile, its because you are interested in sharing information about the services the application provides with your friends. Facebook even provides a huge warning dialog when you add applications that lets you know that you are letting the application have access to your friends and your personal information. And *everyone* on Facebook is well aware that these apps send notifications about your activity to your friends.

I actually like the idea of implicitly sharing some of my outside Facebook activity.  Some of the sites I visit say a lot about me, and I want my Facebook profile page to be a reflection of me and my interests.  For instance, I like to have the music I’m addicted to on my profile page, so I created an app to broadcast songs I’m playing on my Zune.  And since I’m a movie buff, I’d like to have a Netflix application on my profile that shows the movies I’ve recently rated so my friends can see what I thought of them.  Hell, I’d also like to put my Amazon wishlist on my profile so folks can know about things I’m interested in buying.

However, its important to realize that just because I use a service, that doesn’t mean its a good reflection of who I am, so I don’t think Facebook should just inject that info into my profile. 

This comes back to the original problem. If Mike thought that his movie rentals were a good reflection of his personality and wanted to share info about movies he is renting, he should have added the Blockbuster application to his profile and then Blockbuster could link his account to facebook and inject ads and notifications into his news feed.  If he finds these notifications are annoying or too personal, then he can remove the application. This forces Blockbuster to make their application and the notifications they serve appealing to FB users.  If the app is flexible enough to make its content/notifications/ads a good reflection of Mike’s personality, then he’ll keep it, otherwise he’ll uninstall it.

Opt-in for good apps/ads, opt-out for bad ones – Darwin at its best. Beautiful.

What should FB do?

Installed applications already have the ability to track users and send activity notifications to friends, which can include ads. This is basically the same thing that Beacon does.  The advantage of Beacon is that advertisers can get around the problem of making their applications interesting enough to get users to install their applications by paying Facebook for the privilege of injecting application-like notifications into the user’s activity stream without consent.

This seems backwards. What Facebook needs right now is great applications that keep users engaged.  The fact is, most of these partners probably have activity streams that users would actually like to share with their friends.  Facebook should be helping these partners create compelling applications, and then they should help promote these apps so they get installed by lots of users (with consent). Facebook should then move its Beacon program to be an advertising service offered to FB applications.   This means Facebook would need to find a way to make the use of the Beacon system a value-add for application developers (versus what applications can do on their own with notifications).  I’m not exactly sure what that value-add is, but based on what I’ve seen over the last year these FB guys are super-smart, and will figure something out.

What can you do to protect your privacy?

So I’m definitely a little creeped out by the way this Beacon thing works, and don’t really like the idea of notifications about my activity on the Web being broadcast to friends without my consent.  There are a number of things you can do if you want to protect yourself from this:

You can opt out of showing up in social ads on Facebook here:
http://www.facebook.com/privacy.php?view=platform&tab=ads

You can opt out of showing your Facebook friends what you are up to on external sites here:

http://www.facebook.com/privacy.php?view=unconfirmed_actions

[Note: this doesn’t necessarily keep the site from sending Facebook notifications about what you are doing, it only prevents Facebook from showing it to your friends.

Supposedly, Facebook also shows you an alert that an advertiser is sharing information about your activity to your friends.  You can use the alerts to remove the notifications from your activity feed. I’ve never seen one of these alerts, and my friend Mike couldn’t find one related to Blockbuster on his Facebook page.

http://bits.blogs.nytimes.com/2007/11/29/the-evolution-of-facebooks-beacon/

Moveon.org also has a petition you can sign to prevent companies from telling your friends about what you buy on sites or let companies use your name to endorse their products without your permission.
http://civ.moveon.org/facebookprivacy/

Consider complaining to your service providers about sending your private information to Facebook (and possibly other advertisers).  Apparently, several of the original Beacon launch partners bowed out of the program based on the negative customer feedback. Wikipedia has a list of Beacon partners that may be sharing your information.

Supposedly, if you explicitly sign-out of Facebook, this will prevent external sites from tracking you and sending notifications to Facebook.

Finally, you can disable all your browser cookies, which is drastic, so I’ll still refer to you as an cookie-freak.