Earlier this week Facebook held its annual F8 conference for web designers and application developers. At this conference they announced many new tools that web designers and application developers can use to expand a user’s Facebook experience. Normally that wouldn’t be such a bad thing, except when those tools can be configured to violate a Facebook user’s privacy. Mainly I am talking about Facebook’s new social plugins & Open Graph API. These new tools are specifically designed to take the information you post on Facebook and make it available on other websites. Unfortunately, they are also designed to take what you do on other websites and bring that information back to Facebook as well. Below I will explain each of these new tools and exactly what you can do to help protect your information. In some cases you will also be helping to protect your friends’ information as well.
Social Plugins
Social plugins are the new Facebook tool that web designers can use to integrate your Facebook account into their websites. As a web designer I can see some of these tools being very handy to use on a website. Facebook made it very easy for web designers to implement these tools and in most cases a simple copy/paste is all that is needed. This helps ensure even the most novice of designers will be able to use them. Unfortunately, it also means that they can easily configure them to share too much of your information. Since these tools were only released this week, it may be some time before you start seeing some of them online. Here’s the rundown on each one:
Like Button
The “Like Button” is a very simple social plugin. According to Facebook it “enables users to make connections to your pages and share content back to their friends on Facebook with one click”. I tested a couple of these out myself today and sure enough, that’s exactly what it does. The only problem is that it didn’t confirm with me that I actually wanted to click the button, and it also didn’t prompt me to log in to Facebook when I clicked it. Yet later I found the following on my Facebook wall and on a friend’s news feed:

While on that particular instance I don’t mind… What if I accidentally clicked that button? Since I didn’t get a confirmation or login box, all my friends might have gotten a message that I liked something that maybe I didn’t want them knowing I was looking at. Who knows what that might be.. but you get the drift. Now to take this a step further, the Like button on the Conversion Marketing website now says the following:

Great! Not only do all my friends get notified of this, but now my picture and name are on this site! Fantastic! Here’s the good news on this one. Upon further investigation, your picture and name only show up when one of your friends also visits the same page. If a random stranger visits the page, your picture and name aren’t actually there; it would simply say that “85 other people like this”.
So you might be asking yourself how you can protect yourself from this? This one is simple: when you’re done playing on Facebook.. click the logout button. If you do not click the logout button then you are still considered logged in to Facebook until you close all of your browser windows. Also make sure that when you are logging in to Facebook you don’t check the box that says “Keep me logged in”. If you are not logged in to Facebook, this button doesn’t work and would prompt you to log in before posting to your wall, thus providing us with the “confirmation” step we want.
** Note: Don’t confuse this button with the Facebook “Share” buttons that you typically find on blogs. An example share button can be found at the top and bottom of every one of my posts. These share buttons prompt you to confirm that you want to share the content with friends and provide you with a chance to add a message when doing so. The share buttons are safe and you should feel free to use them. Especially on my site!
Like Box
The Like box social plugin can be used by designers to link their Facebook page to their normal website. This shouldn’t be confused with the Like button I just mentioned above.
Facebook allows users to create “Pages” on their site that represent real life objects such as companies, artists, and products. Users could then find these on Facebook and “Become a Fan” of the object. This created a relationship between the user and the page, allowing the page’s updates and news to be displayed to the user in their news stream. As a designer I thought this was great because it allowed me to announce new products or services for my company and get that information to the users who we already had a relationship with. As a user you were able to keep up with all the need-to-know information that the company or artist was releasing, which was also great because you were a “Fan”. Now Facebook has changed these “Become a Fan” buttons to “Like” buttons to make it feel like a more lightweight relationship between the user and the page. Apparently Facebook thinks we are all stupid. I know I can’t count the number of times I was staring at the “Become a Fan” button and thinking to myself.. “Well, I like the company.. but I am not sure I would call myself a fan. What to do, What to do.” Hopefully you’re getting the sarcasm.. because I am laying it on pretty thick. Back to that “Like” box..
So the Like box allows designers to link those pages from their normal websites with more functionality and a little more ease. Since, you know, all those “Become a Fan” and “Follow us on Facebook” buttons spread across the web simply were not good enough and apparently not getting the job done. The like box looks similar to the “Like” button but instead of creating a one-time link in your feed about a piece of content you liked on the web, it creates a relationship between you and the company, artist or product you happen to be looking at. That’s not a big deal except again there is no confirmation and no login box.
Now imagine the damage that this could cause if web designers decide to try and fool you.. Let’s say I am browsing around on the web and get sent a link to a video about cute puppies. This video might just happen to be hosted on the Aryan Nation web site. Not really paying attention to the site I am on.. I watch the video and think it’s funny.. after all it is about cute puppies! I go to click the “Like Button” to share the video with others and get confused because there is a “Like Box”. I click the wrong button and all my friends and family get a message saying I am now a fan of the Aryan Nation and White Power movement. That’s not good.
They simply could have left the wording alone as now they will simply be confusing users. To make matters worse, this new little plugin also has options to allow the site to display the profile images of its fans on the external site. Now before the changes these pictures would show up on the Facebook pages where you had become a fan. That wasn’t a big deal because it’s still on Facebook’s site and by uploading the picture, and by becoming a fan of the company, I basically gave permission for them to display it there. However, that was only on Facebook’s own site. Now, based on the example above, my picture could end up on the Aryan Nation website for all to see. I didn’t sign up for that!
So what do you do about this one? That’s easy. Just like the “Like Button” make sure you are logged out of Facebook when you’re done using it. Also make sure you know who is doing what with your information. If you’re going to become a fan of a company or artist.. go check their site and make sure they aren’t displaying fan pictures on their site. If they are, go back to Facebook and remove that fan relationship. Show these companies and artists that it’s not ok with you that they are displaying your picture, and linking to your profile, on their sites. To take it a step further you might even want to send them an email telling them you would want to become a fan but don’t want your picture displayed on their site. Maybe they will get the hint and turn that feature off.
Activity Box
Here’s another little gem that Facebook added for web designers to use. It’s a widget box that allows the website to display all the social activity that has happened on their site from the other Facebook plugins. This could be anything such as liking a piece of content, becoming a fan, or simply commenting on a page. The box then displays your name, picture, and links to your profile to let everyone know that you are being active on the site.
According to the documentation for this plugin, the box will automatically personalize itself for the user who is viewing the site by placing actions by their friends at the top of the list. The remainder of this list is simply random strangers.
So once again we have a plugin that displays my name, shows my picture, and links directly to my profile for random strangers simply because I liked a piece of content on the site. I can just see a stalker type using this to find new prey to harass online. Granted that’s not going to happen to me personally as I am not cute enough to be stalked.. but it could happen to someone who is.
The best way to protect yourself from this one is to be careful about which buttons and plugins you’re clicking on websites. Also change your privacy settings on the Facebook website so that your comments, likes and other items are only shown to friends. This will help protect you from being chosen as one of the random strangers. If you don’t want your picture and profile being linked from any external sites, then don’t engage in any of the social media actions, likes and comments, on the sites that use these new activity boxes.
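As an added example (not part of the original post, and not Facebook’s own code), here is one way to check which of the three plugins above a page embeds and whether it is set to show profile pictures. It assumes the plugins are embedded as iframes served from facebook.com/plugins/like.php, likebox.php and activity.php with the show_faces, connections, href, id and site parameters; those names are assumptions, and the sample markup is constructed.

```javascript
// Added example: classify Facebook social-plugin iframes in a page's HTML.
// Assumption (not from the post): plugins are embedded as iframes served from
// facebook.com/plugins/<name>.php, with the parameter names used below.
const PLUGIN_MEANING = new Map([
  ['like', 'Like Button: posts a one-time item to your wall'],
  ['likebox', 'Like Box: creates a lasting fan relationship with a Page'],
  ['activity', 'Activity Box: lists people who were active on the site'],
]);

// Constructed sample markup; every URL here is made up for the example.
const SAMPLE_HTML = `
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fblog.example%2Fpost&amp;show_faces=true"></iframe>
<iframe src="//www.facebook.com/plugins/likebox.php?id=123456&amp;connections=10"></iframe>
<iframe src="http://www.facebook.com.example/plugins/like.php?href=x"></iframe>
<iframe src="http://video.example/embed/puppies"></iframe>`;

function findFacebookPlugins(html) {
  const found = [];
  const iframeRe = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let match;
  while ((match = iframeRe.exec(html)) !== null) {
    let url;
    try {
      // Undo HTML entity encoding of "&" and resolve scheme-relative URLs.
      url = new URL(match[1].replace(/&amp;/g, '&'), 'https://page.invalid/');
    } catch (err) {
      continue; // unparsable src: nothing to classify
    }
    // Exact domain or a subdomain only, so look-alike hosts are ignored.
    if (!/(^|\.)facebook\.com$/i.test(url.hostname)) continue;
    const path = /^\/plugins\/([a-z_]+)\.php$/i.exec(url.pathname);
    if (!path) continue;
    const plugin = path[1].toLowerCase();
    const q = url.searchParams;
    found.push({
      plugin,
      meaning: PLUGIN_MEANING.get(plugin) || 'other Facebook plugin',
      // Pictures appear when faces/connections are enabled; the Activity Box
      // shows names and pictures by design.
      showsFaces: q.get('show_faces') === 'true' ||
        Number(q.get('connections')) > 0 || plugin === 'activity',
      target: q.get('href') || q.get('id') || q.get('site'),
    });
  }
  return found;
}

for (const p of findFacebookPlugins(SAMPLE_HTML)) {
  console.log(`${p.meaning} | shows faces: ${p.showsFaces} | ${p.target}`);
}
```

Run against a saved copy of a page, this tells you before you click whether a button is the one-time Like Button or the Like Box that makes you a fan.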
Other Social Plugins
All of the other social plugins that Facebook announced actually look fine. The other ones all require the websites to specifically request your permission before use, or they are obvious enough that you can tell what you are doing. These are things like comment boxes, login boxes and other general nonsense. Some of the other plugins also have options for linking to your profile and displaying your pictures on external websites, which I also see as an invasion of privacy; however, you do have to perform an action on the website and “Allow Access” to the application before it happens.
Instant Personalization
This is where Facebook definitely crossed a line. The Instant Personalization program is a new partnership program with Facebook where select websites can instantly personalize their content based on your public Facebook information. As of right now there are only 3 websites that can offer instant personalization; they are Yelp, Pandora Radio, and Docs.com.
Here’s an example of what I mean by personalizing the content online based on Facebook information. Let’s assume you went to Pandora to listen to some online radio. Pandora will now, in the background, go back and check with Facebook to see what music you listed on your Facebook profile and customize a radio station to your preferences. As if that isn’t bad enough, it will also check the music that your Facebook friends listed on their profiles and use that information to further customize your playlists and offer you suggestions of other types of music you may like.
Now for the worst part: as a Facebook user you were automatically signed up for this service. That’s right. They didn’t even bother to ask you if that’s what you wanted to do, they just signed you up for it. To protect yourself and to opt out of this wonderful new feature, simply log in to Facebook and go to “Account” -> “Privacy Settings” -> “Instant Personalization” where you will find a setting to turn this off. Unfortunately that doesn’t fully do the job. The setting will only turn off the feature if you access one of the instant personalization websites, not if your friends do.
To make sure your information isn’t used when your friends visit these sites, you have to log in and specifically block these applications from being able to access your information. To do this you have to go to the Facebook page for each application and click the “Block Application” link on each one. After all Facebook didn’t want to make it too easy for you to do. I do want to make it easy for you however, so here are the links to each application:
Each of those links will take you directly to the Facebook page where you can block the application. If Facebook adds any more of these personalized websites in the future, you will also have to go specifically block those as well. Hopefully Facebook will not be adding too many sites as “Instant Personalization Partners” in the future.
Open Graph API
Facebook also announced this week that they set up a new website for web designers to simplify the interface for them to access Facebook user information. This can be used by Facebook applications or by external websites to further customize your browsing experience for you. The nice thing about this API is that each application must specifically request your permission to access your profile information. The bad thing is the amount of information that’s actually available through this API.
Here’s something to think about. If you have ever played any games or taken a quiz on Facebook then you have likely authorized an application to access some, if not all, of your profile data. These applications now have simplified access to even more of your data via this new API. All of the following is available through this new API:
- Profile Information
- Friends List
- Your Wall
- News Feed
- Photo Albums (With links to the actual pictures & tags information)
- Books List
- Movies List
- Notes
- Videos
- Groups
- Events
That is just some of the information that is available via the API. For example here is a link to the API call for some of my information. As you can see some of the information is available to the public and there’s an entire list of things that are available to developers. If a developer happens to get your permission to access your API information, they can get some very detailed information in a very easy to use format.
To make matters worse on this one, the information is presented in a way where it could be exported to an external database once someone has access. So if I were a malicious website developer and wanted to gather information about my website users, I could deceive them into giving me Facebook API access and then transfer that information into a private database away from Facebook. This way if the user ever decided to revoke my application’s privileges to their information, I still have historical data in my own database copy to use for whatever I wanted. You starting to see how this could be a bad idea?
So to protect your information from this API, you need to go double check your privacy settings on Facebook and make sure you know exactly what information is being shared with “Everyone”. Also go through your list of authorized applications and remove any of those that you don’t want to have access to the information listed above. In the future also make sure you know exactly what applications you are authorizing to access your information. On each access request the application must tell you specifically which types of information it needs access to; read those and make sure you understand them before clicking approve.
Conclusion
Personally I think we could have done without many of the new tools and changes. Facebook is trying to become the social center of the web and is compromising user privacy while doing it. I think that Facebook information should have been left on Facebook’s website where it belongs and where the users have the most control over it. There have been reports of users, including Google Engineers, closing their Facebook accounts because of these changes.
If you’re concerned about the changes that Facebook has made and you want to warn your friends about it, then use the Facebook Share button at the top of this article to post a link to all of your friends. The button will prompt you to confirm before posting a link on your wall.