Facebook’s Brilliant but Evil design
Note: the other day I mentioned how exciting I thought the world of social design was…turns out it might be a little too exciting…
Seth Godin writes how 8 billion dollars worth of gift cards seeps through the cracks each year. Astounding number. He rightly points out the reason we buy so many gift cards: it is not socially acceptable to give cash as presents. But when we shift that cash into a gift card, we lose the risk of giving an unwanted gift while giving something more socially appropriate.
Such a small, yet large, difference.
In Chapter 4 of The Wealth of Networks, Yochai Benkler discusses a similar distinction between “extrinsic” motivations and “intrinsic” motivations. Extrinsic motivations come from the marketplace, and involve money. They are appropriate in some situations and not others. Intrinsic motivations come from within, such as pleasure or personal satisfaction. They are also appropriate in some situations and not others.
This distinction is important in social design because so many of the activities people participate in online are motivated from a desire of social standing, not economic standing.
Take the case of a New York Times article recommendation. If I send a link of a NYTimes article to you as a friend, my only motivation is social…intrinsic…and it’s probably a small one at that. I saw this article and I thought you might like it. My reward might be a small up-tick in your opinion of me.
But if I’m getting paid money to give you that recommendation, then my motivation is in part economic, and that changes everything. You are now suspicious of the gesture…and my reward might actually be a penalty…your opinion of me will most likely deteriorate.
When friends deal with friends, money often makes no sense.
What the big social network sites are doing is similar: they’re creating a place where social standing, not economic standing, is the primary motivation. Or, more to the point, they’re modeling that part of our lives in which we yearn for social standing. As Danah Boyd and Nicole Ellison rightfully articulate in Social Network Sites: Definition, History, and Scholarship:
“What makes social network sites unique is not that they allow individuals to meet strangers, but rather that they enable users to articulate and make visible their social networks. This can result in connections between individuals that would not otherwise be made, but that is often not the goal, and these meetings are frequently between “latent ties” (Haythornthwaite, 2005) who share some offline connection. On many of the large SNSs, participants are not necessarily “networking” or looking to meet new people; instead, they are primarily communicating with people who are already a part of their extended social network.”
In other words, you’re mostly dealing with people you already know in some way. The motivation is almost always intrinsic.
But now, with the addition of social advertising on Facebook, an economic element comes into play. Facebook isn’t just showing us information about what our friends are doing as a gift, it’s showing us information in exchange for money. They’ve altered the state of the relationship.
To make matters worse, Facebook is now partnering with 3rd party sites and selling your information to them for money. How does this work?
Here’s a scenario: you go to Blockbuster.com and rent a movie. A little interface element pops up and tells you that Blockbuster is sending information to your Facebook account. It gives you ten seconds to say no…and then it sends it anyway. This is called “opt-out”. You only have the option to say no. It sends your personal information by default. “Opt-in” would be where no action is taken by default.
You then log into your Facebook account, and it says that “Blockbuster is sending a story to your account”. You have the option to say no to this, but it is not apparent at all. In fact, Facebook gives you the option “Don’t show me this again”, which seems to suggest that they agree this message is annoying. They have designed this screen for you to focus on the pain of having to read a silly message and dismiss it. But what isn’t very clear is that when you do so you’re also giving implicit instruction that all services can send information to your news feed in the future. This is a HUGE deal to Facebook…this is how they’re going to make money.
Here’s a good explanation with screenshots of how it works by Ethan Zuckerman. Read his whole piece, and read David Weinberger’s piece too. They’re important.
What kills me about what Facebook is doing is how good the design is. At every step they’ve done things almost perfectly. They’ve pinpointed the motivations of users at each step, and designed the screens in such a way as to make the default action the seemingly best one. They technically give you the option to get out of it, but they have designed the system in such a way to make it much easier to simply let it happen.
If I was on the Facebook design team, I would be proud of this design. It is some of the best social design out there. But if that were the case, if I was on the design team, all of these design decisions would have happened over a long period of time. I wouldn’t have noticed how they’re starting to be evil.
But wait, you say. How the heck can Blockbuster know that I am a Facebook user? I didn’t tell them I was and even if Blockbuster wanted to, they couldn’t read the Facebook cookie on my browser. (contrary to what David says, it’s not possible for Blockbuster to “read” Facebook’s cookie).
But what *is* possible is something more subtle. When you go to Blockbuster.com, what you see is a normal Blockbuster web page. In requesting that page, you also request all the code on that page, which includes JavaScript code that accesses a URL on the Facebook.com domain (possibly the URL of a 1×1 gif image). Since the JavaScript is being delivered by Blockbuster, it can attach a unique ID to that URL that identifies you.
So, imagine that Blockbuster writes this out on their web page:
<img src="http://facebook.com/beacon.gif?ID=8675309" />
Then, when your browser makes a request for that Facebook URL (which includes the unique ID assigned by Blockbuster) it also sends your cookie for the Facebook.com domain (as most HTTP requests do). At this point Facebook knows who you are from your cookie and also knows what unique ID belongs to you on the Blockbuster site. Then it’s a simple matter of Blockbuster pinging Facebook and asking “tell me more about the user with this unique ID”.
Facebook then sends demographic information (not identifiable information) to Blockbuster that can then be used to advertise movies to you as long as you keep that unique ID. Blockbuster sends your movie preferences back to Facebook.
(note this is how I imagine it works. I’m no ad guy…folks who are familiar are welcome to clarify how it actually works)
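The flow imagined above, modelled in JavaScript as an added example (not code from Facebook, Blockbuster or the original post). The session value, account name, page path and function names are constructed, and the example goes slightly beyond the post by showing the two browser-side controls that break the link: the SameSite cookie attribute and third-party cookie blocking.

```javascript
// Model of the beacon flow described in the post. All values are constructed.

// Simplified "site": last two hostname labels (browsers use the Public Suffix List).
function site(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Decide which cookies a browser attaches to a subresource request such as <img>.
// sameSite 'None' reproduces the behaviour the post describes (cookie sent on every
// request); 'Lax' and 'Strict' cookies are withheld when the request is cross-site.
function cookiesForSubresource(jar, pageUrl, requestUrl, opts = {}) {
  const target = site(requestUrl);
  const crossSite = site(pageUrl) !== target;
  return jar.filter((c) => {
    if (c.site !== target) return false;          // cookie belongs to another site
    if (!crossSite) return true;                  // first-party request
    if (opts.blockThirdPartyCookies) return false;
    return c.sameSite === 'None';
  });
}

// Hypothetical beacon handler: joins the partner-assigned ID in the query string
// to whichever account the session cookie identifies.
function beaconEndpoint(requestUrl, cookies, sessions, links) {
  const partnerId = new URL(requestUrl).searchParams.get('ID');
  const session = cookies.find((c) => c.name === 'session');
  const account = session ? sessions.get(session.value) : undefined;
  if (partnerId && account) links.set(partnerId, account);
}

// One visit to the partner page that embeds the image from the post.
function simulateVisit(sameSite, opts = {}) {
  const loggedIn = opts.loggedIn !== false;
  const jar = loggedIn
    ? [{ name: 'session', value: 'constructed-session', site: 'facebook.com', sameSite }]
    : [];
  const sessions = new Map([['constructed-session', 'constructed-account']]);
  const links = new Map();
  const page = 'http://www.blockbuster.com/rent';              // path is constructed
  const beacon = 'http://facebook.com/beacon.gif?ID=8675309';  // URL from the post
  beaconEndpoint(beacon, cookiesForSubresource(jar, page, beacon, opts), sessions, links);
  return links.get('8675309') || null;
}

console.log('legacy cookie:        ', simulateVisit('None'));
console.log('SameSite=Lax cookie:  ', simulateVisit('Lax'));
console.log('3rd-party cookies off:', simulateVisit('None', { blockThirdPartyCookies: true }));
console.log('no Facebook session:  ', simulateVisit('None', { loggedIn: false }));
```

Only the first case links the partner's ID to an account; in the other three the image request arrives without a session cookie, so the beacon handler has nothing to join the ID to.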
Here is some corresponding legalese about cookies from the Facebook privacy policy:
“Advertisements that appear on Facebook are sometimes delivered (or “served”) directly to users by third party advertisers. They automatically receive your IP address when this happens. These third party advertisers may also download cookies to your computer, or use other technologies such as JavaScript and “web beacons” (also known as “1×1 gifs”) to measure the effectiveness of their ads and to personalize advertising content. Doing this allows the advertising network to recognize your computer each time they send you an advertisement in order to measure the effectiveness of their ads and to personalize advertising content. In this way, they may compile information about where individuals using your computer or browser saw their advertisements and determine which advertisements are clicked. Facebook does not have access to or control of the cookies that may be placed by the third party advertisers. Third party advertisers have no access to your contact information stored on Facebook unless you choose to share it with them.
This privacy policy covers the use of cookies by Facebook and does not cover the use of cookies or other tracking technologies by any of its advertisers. “
Now you might ask: isn’t that some kind of breach of contract? Well, according to their terms of service, Facebook can do pretty much anything with your information that it wants.
“By posting User Content to any part of the Site, you automatically grant, and you represent and warrant that you have the right to grant, to the Company an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, publicly display, reformat, translate, excerpt (in whole or in part) and distribute such User Content for any purpose, commercial, advertising, or otherwise, on or in connection with the Site or the promotion thereof, to prepare derivative works of, or incorporate into other works, such User Content, and to grant and authorize sublicenses of the foregoing.”
Take a look at this video: Does what happens in Facebook stay in Facebook?. I think on some level most of us assume that our transactions with companies stay with those companies. I know I do. I’m not naive enough to think that there isn’t sharing going on, but in those instances where I’ve seen it I definitely have stopped my relationship with the companies involved. Needless to say, Facebook certainly has my attention.
As Ethan and David mention, the defaults for this system are wrong. Though Facebook can talk a pretty game, what they’re doing feels like a step down the slippery slope of evil.
To give you an idea, when Leah Pearlman announced SocialAds on the Facebook blog, she claimed that Facebook would never “sell any of your information”. But…hmm…aren’t my demographics *my information*? Isn’t what type of movie I like *my information*? Who is Facebook to determine what my information is? Even though companies can’t identify me personally, they are paying Facebook for my age, my interests, and other things about me that make me who I am.
And really, does Facebook think that Blockbuster doesn’t have my identity here? I need an account to rent a movie…so obviously Blockbuster knows who I am. So Facebook is kind of saying “we’re not going to give any identifiable information to 3rd parties…as you’ve already done that”. It really doesn’t matter that Facebook doesn’t give up my email…that’s a cop-out. What they’re doing is connecting the dots…in an under-handed way.
In addition, Pearlman’s blog post says that “You now have the option to share actions you take on other sites with your friends on Facebook.”. This is false. What it should say is “You now have the option to NOT share actions you take on other sites with your friends on Facebook”. If I had the option to share, that’s opt-in. This is opt-out.
It’s all about the defaults, after all.
Facebook offers really good privacy settings for friends and groups. They should offer the same set of privacy settings for 3rd parties. You should be able to say “never share any of my information outside of Facebook ever”. This should be the default! Right now the only option is for controlling what information gets sent back to Facebook from 3rd parties. In other words…you don’t have the option for Facebook to stop selling your information as long as you use the service.
Now, I may be wrong about all of this. Maybe Blockbuster and other 3rd parties aren’t paying Facebook for access to my demographic information. But I want to know!
That’s part of the problem. I don’t know, and very few others seem to know. Very little of Facebook’s relationships with 3rd parties is clear. Who is paying who for what? Don’t people who use Facebook deserve to know what’s going on with their information?
This might not bother some people, but Facebook has changed my relationship with them from one of social rewards to one of economic rewards.
Such a small, yet large, difference.
Comments
1. Ehren 9:26am, Fri 16th, 2007
Joshua, this is an excellent post and you hit the nail on the head with regards to marketing and ethics. I also found your design perspective to be very intriguing as well and I agree with many of your points, particularly the “opt out” options.
As a marketer myself, I find myself drawn yet repulsed by Facebook at the same time. I think functionally, Facebook is fantastic but under the surface, there is too much going on and not enough what I call up-front transparency or accountability with the end user/consumer. So as a marketer while I do not mind advertising on Facebook, I do mind the fact that certain elements in the design are made to encourage the user to simply accept what is presented to them — it appears too underhanded at the moment, I much prefer the bold, up-front and honest approach. Perhaps some other marketers may not care as much.
If Facebook were to really move towards a relationship with the user to one of economic rewards, users would be receiving a share of the ad revenue or something in return (i.e. discounts?). But would that cause a decline in general credibility? Currently Facebook is simply integrating the business with the consumer on the surface but on another level, they are pushing towards making a grander and much more complex marketplace.
2. Lucy 9:31am, Fri 16th, 2007
I’m not sure of the exact technical process that is going on here between FB and their partners but it must rely upon a person using the same identifying email address for every website they use.
OK that may be the majority of web users but for anyone who owns a domain there is a simple and free way to break this unauthorised sharing of information.
3. Bronwyn 10:06am, Fri 16th, 2007
“A step down the slippery slope of evil?” It seems more like Calvin pushing his sled off the top of hill, with Hobbes clinging on behind hoping to get through alright.
4. Peter 10:21am, Fri 16th, 2007
Very evil, I must say. Also very clever. It never occurred to me that this is possible. Don’t really think you can call this ethical either.
5. Alex Barrera 10:33am, Fri 16th, 2007
Absolutely awesome post Joshua! You hit the nail on many issues of the Facebook ad platform. I like your idea of the hidden pixel. It might even be easier, if they request a pixel and get a 404 then you can tell that the user isn’t online right now. Scary stuff indeed. I wrote about this here and here if you want to dive into another perspective of the matter.
Great post!
6. Rahul Pathak 10:49am, Fri 16th, 2007
Awesome article – in-depth and thought provoking. Thank you. I think you’re spot on with your assessment wrt Facebook. I do think that not all the evil is unintentional. Is it ever?
7. Christopher 2:08pm, Fri 16th, 2007
You do have to be logged-in to the 3rd party site for it to share info with Facebook, right? I was trying to follow Fred Stutzman’s example (see his post on Beacon at his blog, Unit Structures ) on how Epicurious.com sends info over to Facebook… it turns out that Epicurious only sends info if you rate a recipe, and to do that you need to be logged in. I imagine that to order a Blockbuster movie, you have to be logged in too.
So, as long as you aren’t logged-in to whichever site you’re viewing…Beacon shouldn’t be scraping usage info, right??
8. Clark 2:44pm, Fri 16th, 2007
I finally signed up for Facebook after weeks of friends sending me invite requests. I find it kinda boring. haha
9. pepelicious 7:00pm, Fri 16th, 2007
Josh-
Thanks again for another great post. I’ve been following the privacy issues surrounding Facebook, from SocialAds to employees accessing user profiles, on the blogosphere. I’m curious as to why this hasn’t really bubbled up in to the mainstream media. They seem to be the teflon social network.
But why?
I have a feeling that it has a lot to do with Facebook being the social network your friendly dictator would love you to be a member of. The casually forced transparency is chillingly similar to communist regimes of the cold war era where nothing went unnoticed by the leaders or your friends or your neighbors. I’d hate to see the point where *not* having a Facebook is an indicator that you must have something to hide.
ok i’ll admit that sounds kooky, maybe i should put down my kundera and kosinsky
10. Paul P 1:44pm, Sat 17th, 2007
Nothing to add — just a note of thanks. You’re writing the best stuff on social design that I’ve stumbled across yet. Thanks.
11. Bill H-D 5:56pm, Sat 17th, 2007
Josh, my man, these last two posts are truly outstanding work. I hope this stuff is going in the book. And if not, I gotta say that your chops are better than they’ve ever been, so the book is going to be outstanding!
12. peter caputa 12:40pm, Mon 19th, 2007
Hey Josh. Brilliant piece. Was going to quote something on my blog and link back. But, couldn’t decide what to quote.
I think you could spend a few weeks chunking this one up into digestible pieces.
13. Nick P 5:26pm, Mon 19th, 2007
I agree with Lucy… this can’t be on Cookie alone.
Imagine the following scenario: I have a facebook profile, the cookie is stored on my PC. The next day my wife goes online and purchases some lingerie and the 3rd party sends that purchase information to facebook. Except my wife doesn’t have a facebook account and it appears on my profile. It then appears that I’ve been purchasing lingerie to all my facebook friends and colleagues.
Of course this is just one example. Surely it must be also using a common email address to avoid this shared computer/multiple facebook account families and so surely the obvious answer is to use a different email address for facebook?
14. Pauric 9:39am, Tue 20th, 2007
Devil’s advocate: I’ll point to the philosopher John Locke’s (1632-1704) thinking on community and security;
He believed that we create a social contract when we form a community/society, whereby we cede certain natural rights to an authority in return for security and other guarantees.
Locke’s argument is that any fair social contract must have certain qualities: It must respect its citizens rights to life, liberty, and property. If these rights are violated, we are entitled to rebel against the authority.
These rebellions have happened in the past at Digg and Facebook when they added functionality that was perceived to be in violation of user’s expected rights.
Facebook is a free service so we can assume some give & take in the relationship with its users. The pill has been sweetened with the clever social design that masks what is going on.
In the grand scheme of things, is facebook being evil or simply getting a little ROI from the social contract? They’ve held up their part of the deal, now we need to start paying (o;
15. iNSiPiD 6:24pm, Tue 20th, 2007
It’s not only legal, it’s happening all the time. Most users apply the same email address (and even password!) to every new online account they setup. Be it Facebook, PayPal, eBay, Hotmail…the list goes on.
This gives any average hacker (or unscrupulous site owner) enormous power to exploit these accounts and the information they might contain.
For people who work in large organisations, email addresses and IP addresses are not usually shielded while browsing (silly, I know).
But even those who adopt some level of obfuscation are kidding themselves if they think they are safe.
Despite comments above, they don’t need your email address. It is only sufficient that you have a current session open (read: are logged in) with any of the above providers for someone to access that information through a beacon.
Beware the “Remember me” checkbox!
16. Gazeteler 2:13am, Fri 23rd, 2007
“Facebook offers really good privacy settings for friends and groups. They should offer the same set of privacy settings for 3rd parties. You should be able to say “never share any of my information outside of Facebook ever”. This should be the default!”
That’s why I’m not a member of Facebook or any other Social Networking site. Am I paranoid?
17. leinad 10:18am, Tue 27th, 2007
I tell thee the world is evil we are being watched. Ya gotta laugh as check it out they changed our language to shrt hand text. Then they put spyware in my machine and followed my cookies. If only Bin Laden logged on at the local library the whole world and blockbuster would be able to pinpoint him and know what films he liked. Anyways follow the link and it will show you the darkside of this site. Me thinks I would write my dissertation on something like this. Is modern day business going unchecked what are the ethical problems posed by capitalist markets?
18. sanjay 2:06pm, Sun 2nd, 2007
Informative post.
I agree that fb trades on member behaviour not altering default settings. While you could argue that privacy settings on fb are becoming fine-grained, it relies on the ordinary member to actively alter them. And that doesn’t take account of what happens to member data when it ‘leaks’… See Is Facebook Evil? privacy leaks, data flows and conspiracy theories
19. Łukasz Nowak 4:11am, Wed 13th, 2008
In Poland we’ve got the same problem with the Polish “facebook” – 6 million users – nasza-klasa.pl doesn’t really care about users’ privacy, and who knows what they do with that data.
20. Mike 8:37pm, Sun 7th, 2008
The fun part is… im going to go on my facebook and see a story published about how I posted a comment on this site!!!:D
21. paydayadvances 10:00am, Wed 18th, 2009
Hi Joshua. Glad to read such a powerful post. A lot of information. I value this work, because I’m interested in social web. And in design too.
22. tommy 12:39am, Wed 25th, 2009
Nice article. However, you and most readers of your blog are a tiny fraction of all webusers. The large majority, unfortunately, has no interest in understanding the technology behind it, the way web marketing works, or how much of their privacy they are willing to openly volunteer to the world.
I find it astonishing that many of my friends are perfectly willing to register in facebook with their real name, in full, and contribute images, that they might not even show to their parents.
24. Julia 10:48pm, Fri 27th, 2009
This is a very deceptive way to make money, but it works. The title of this post hits the nail on the head. Thank you for sharing this information. More facebook users should read this post.