Facebook, Here is Misinformation

Update

I have received a response from Facebook’s Vice President of product marketing and operations, Chamath Palihapitiya, in the comments which I then verified over email: Hi The comment in question above was a miscommunication. I was speaking specifically to if data is STORED when someone clicks “No, Thanks”. We have contacted the NYT to clear this up but are still waiting for an update to be posted. Please find a complete explanation below. When a Facebook user takes a Beacon-enabled action on a participating site, information is sent to Facebook in order for Facebook to operate Beacon technologically. If a Facebook user clicks “No, thanks” on the partner site notification, Facebook does not use the data and deletes it from its servers. Separately, before Facebook can determine whether the user is logged in, some data may be transferred from the participating site to Facebook. In those cases, Facebook does not associate the information with any individual user account, and deletes the data as well. I responded: Chamath, Thanks for your quick response. I have posted your comments on my blog. That information is good news. However, as much as I appreciate you personally responding, the policy you described isn’t mentioned in the Beacon FAQ or your privacy policy. I am not questioning your honesty, but considering the general hysteria that people have had in the last two weeks over Beacon I would think they might want more than your comment on a blog as random as my own. I would suggest that you to include this information in your FAQ as well as your privacy policy. This way people (who as you know are very skeptical of Facebook this week) will know how you handle their data and feel that Facebook could be held responsible if ever it was discovered they deceived them. Again thanks for your response, it’s good to know you are taking active initiative to resolve this issues. Nate He replied again: Thank you - this is good feedback. I am surprised the FAQ, at a minimum, hasn’t been updated with this new information so we’ll get on this. Feel free to ping me directly if you ever have issues with us and want direct feedback going forward. We want to hear it and I am available to listen… Thanks, Chamath and again: Nate - we just updated our FAQ. Please see it here below: www.facebook.com/help.php?page=57 It is the 6th Question+Answer from the top. I would appreciate if you could update your blog and possibly link to this FAQ if you thought it was appropriate. Again, thanks for the feedback. Chamath So that’s the official word from Facebook. They do receive the data, but they are not storing it when you select ‘No Thanks’. I am sure the debate will continue over Beacon, but at least they’ve made an official stance on the matter.

Original Post

Today Facebook announced new updates to Facebook Beacon, which you can read about here. However, the thing that struck me most was an answer from an interview by the New York Times with Facebook’s Chamath Palihapitiya, vice president of product marketing and operations at Facebook. Q. If I buy tickets on Fandango, and decline to publish the purchase to my friends on Facebook, does Facebook still receive the information about my purchase? A. “Absolutely not. One of the things we are still trying to do is dispel a lot of misinformation that is being propagated unnecessarily.” Now that… is not exactly true. And I tested it this morning.Using the Firefox Plugin, FireBug, you are able to look at all of the requests that your browser makes. It also shows you the data and response that is sent along with each request. So I went back onto Kongregate (sorry Jim), and opened up a game. After a few minutes the Facebook Toast popped-up (This is the little window that appears in the corner) letting me know it was sending the data to Facebook. I clicked ‘No Thanks’. So, by all means I ‘declined to publish my action on Kongregate’. Regardless of this, Facebook absolutely received data on my action. See for yourself, here is a list of all the requests that are made when Beacon fires up the Toast.
But what you have to look at is the data is sent with all of those requests. I’ll just show you one of the scripts. The bold name (such as ‘action_name’) is the name of the variable, and the text to the right of the variable is the data for each variable that was sent.
As you can see, regardless of the fact that I clicked ‘No Thanks’ the data of my action as well as the url of the page I viewed was indeed sent to Facebook. In fact, clicking ‘No Thanks’ sends no additional data to Facebook, all it does is run javascript to close the Toast window. As I said previously, just because we can’t see the data (by opting out), this doesn’t necessarily mean that the data is not there. I’m not saying that Facebook is storing this data, there is no way for me to know. But they are without a doubt receiving it. So the question that Facebook absolutely needs to make clear is simply: “When we click ‘no thanks’ or opt-out of a site, is that data then being deleted and therefore not stored anywhere?”

Facebook Beacon: Two Weeks Later

It’s been two weeks since my post about how to block Facebook Beacon and a lot has happened.

  • Newspaper and networks are beginning to cover the response to Beacon.
  • Om Malik called for a protest of all participating companies.
  • MoveOn.org has created a petition demanding a blanket opt-out system.
  • The post has been viewed over 80,000 times.
So I felt that with all that is being said that I needed to make my stance on the matter clear. I think people in general are missing the point. Asking for a blanket-opt-out feature is as effective at protecting your privacy as covering your eyes to hide from a charging bear. Just because you can’t see it, doesn’t mean the bear is not there. Likewise, just because you say ‘don’t show this data’, the mere fact that you can switch it back to ‘show this data’, means that it is still in Facebook’s database.
Compare it to this. When you read articles on most news websites, such as the New York Times, alongside the article there is an icon to share the story you are reading on Digg, Newsvine, Del.icio.us, Facebook, etc. The Beacon system should be no different than how that functions. Right now, Beacon simply is clicking that share button for you.
And that is what should be the real concern here. Especially with the number of growing stories about Facebook releasing user’s data upon request without permission or a warrant. Currently, the system is employed on only 44 partner sites. But as indicated on Facebook’s website, they have every intention of allowing any site be a Beacon partner. And as the system expands, Facebook will be able to collect data about you from more and more sites. The question you should ask yourself is this: Would you find it acceptable for someone to stand behind you while you surf the internet, write down everything you look at, and then keep those notes for themselves? Would you trust that person to safeguard your data?

Facebook’s Response vs. User Response

Facebook has brushed off the response over Beacon as “fairly muted”. And they are probably right….so far. Facebook users will remember the outrage in 2006 when Facebook first introduced the mini-feed. Groups were made, petitions were filed, fists were raised. Users were upset because their activity inside the Facebook site was now made visible to all of their friends. And within days Facebook had made changes to privacy settings and Facebook had publicly apologized. But the response over Beacon will be slow and gradual. This is because, unlike the mini-feed, which every user was presented with immediately upon logging in, users will only slowly begin to interact with Beacon over the course of the coming weeks and months. But if I were Facebook I wouldn’t so casually brush aside the growing response. Because if Facebook users freaked out when the mini-feed shared their internal Facebook activity, how are they going to react when they find out their activity from outside of Facebook is being stored and shared?

Some Solutions

Well with everything that I do on this site I try to offer solutions to problems, so this scenario shouldn’t be any different. First off, for the user, they can block Beacon until Facebook gets it together. Now for Facebook, they have a number of solutions. I don’t think they should scrap Beacon. As I said before, I think it’s a great idea and a boon to advertising. Unfortunately, this is another example of Facebook implementing a new feature without an initial consideration for their users feelings of privacy. Most importantly, sign-ups to the system need to be reversed. No data should be transferred, requested, or stored until a user has verified that they are cool with it. That should be the clean slate that they start with. They could offer a blanket opt-out system, if and only if, they were able to prove that when you said ‘don’t show this data’ it also meant ‘don’t store this data’. So that when a participating site sent a request to Facebook to see if the surfer was a Facebook user, Facebook makes no log of that transaction what-so-ever. If they aren’t willing to do that, then there should be an additional step made in how the transaction between a user, a partner site, and Facebook occurs. An example of the current process as is:
  1. User goes rents a movie from Blockbuster online
  2. Blockbuster Online asks Facebook, is this person a Facebook User?
  3. Facebook says yes (log could be made of transaction)
  4. Blockbuster sends the movie user rented to Facebook.
  5. Facebook stores data
This could all go away by simply adding a first step on Blockbuster’s end that says: ‘Are you a Facebook user? And if so, would you like to share the movie you rented with your Facebook friends?’ And if you choose to, THEN the transaction to Facebook could be made. And if not, Facebook hears nothing and everyone is happy. Compare it to this. When you read articles on most news websites, such as the New York Times, alongside the article there is an icon to share the story you are reading on Digg, Newsvine, Del.icio.us, Facebook, etc. The Beacon system should be no different than how that functions. Right now, Beacon simply is clicking that share button for you. For the merchant, adding a ‘share’ button alongside your user’s transactions would also let you expand your influence past Facebook. Just sayin’.

Block Facebook Beacon

So here I am, burning some brain cells and taking some time to relax playing a game on Kongregate, when a little window pops up in the corner of my screen and says “Kongregate is sending this to your Facebook profile: Nate played Desktop Tower Defense 1.5 at Kongregate.” Which immediately elicited a “Hellll no” from my mouth.

Maybe what shocked me was the way it was worded, essentially saying that Kongregate was sending the data without even asking my permission (even though there is a ‘No Thanks’ button in the corner) but needless to say, I was not too thrilled about my surfing habits showing up on my Facebook profile. So I clicked ‘No Thanks’, and hopped over to Facebook and looked at the privacy settings for this new program. And found they give you the options of choosing ‘allow’, ‘notify me’, or ‘never’. The problem however is, that even though you can choose whether or not it is made public that you visited these sites, Facebook still has the data regardless of your privacy settings. Now I don’t mean to sound like I’m tin-foil-hat-wearing paranoid, but that does seem to encroach a little past what Facebook’s role in my life should be. I want Facebook to sit still and let me check out how many of my friends enjoy the movie Sleepover and look at pictures of people I didn’t like in High School. I don’t need Facebook extrapolating data about me as I go about my business on the web. For those of you that don’t know, this is part of Facebook’s new advertising platform. Don’t get me wrong, I actually think Facebook’s new Beacon system is a great idea and a powerful tool for online advertisers. It is a great way to allow users to add more about their lives to their profiles. Unfortunately, it’s being done in a ‘you can opt-out’ manner, when it should be ‘you can opt-in’. As this gets rolled out to more and more sites, the potential for this being taken advantage of is pretty high. Because each site in the program will send requests to Facebook each time you arrive, which in-turn would allow Facebook to catalog a good chunk of the sites that you are surfing. So the easiest thing to do is just block it. I peaked at the javascript that controls the communication between the used site and Facebook and see that it’s quite easy to prevent the communication. (This assumes you use Firefox. If you don’t, just look around for ways to block specific pages in your browser):
  1. Download and Install the BlockSite plugin for Firefox.
  2. After restarting Firefox select ‘Add-ons’ from the Tools menu.
  3. Click the ‘Options’ button on the BlockSite extension
  4. Click the ‘Add’ button
  5. Enter http://*facebook.com/beacon/* into the input box
  6. Click ‘OK’
  7. Click ‘OK’ again and you are good to go.

If you look at the javascript that is used to make requests to Facebook, you will see that the requests are made to http://www.facebook.com/beacon/beacon.js.php so by blocking just the beacon folder, you are preventing the site from sending requests to Facebook without blocking the rest of Facebook. Update: As someone anonymously noted below, you should block both facebook.com and www.facebook.com, you can do that by replacing ‘www.’ with the wildcard character ‘*’ (see step 5 updated above)

Other Browsers

Commenters below have suggested ways to block Facebook Beacon in other browser’s, none of these have been tested by me, but here they are for your use: Follow Up: Two weeks after this post, I’ve written a follow-up about the response. Facebook Beacon - Two Weeks Later