21-Apr-2015 (Tue)
Wherein I ridicule Facebook some more, then collaborate with the Panopticon.

In my last update, I busted on Facebook for their relentless -- yet halfassed and inconsistent -- morality policing. They had blocked a bunch of ads that Hubba Hubba Revue had purchased, claiming that the ads didn't follow the rules, when in fact they did. Eventually they relented -- who knows why. But some of the most telling responses I got were from several people who said, "I sent this to my friend who works at Facebook, and they said that that definitely should not have happened, and they probably could have fixed it, but they weren't going to because they didn't like your tone."

So let's get this straight: Facebook has a widely known, years-long reputation for capricious, fickle enforcement of their policies; a corresponding reputation for giving the victims of their inconsistencies no recourse; and despite this, when these fine employees of theirs hear of a problem, their response is, "Well, because that guy pointed out a bug without also blowing sunshine up my ass, I'm going to just leave our product buggy." They seem to love their company so much that they're willing to let their own product suffer, so that they don't have to open their eyes to the problem. It's the other kind of "tech bubble".

Say you're driving at night, and someone yells, "Hey jerk, your headlights are out!" Do you say, "That guy was mean, so I'll show him, I'm going to keep driving in the dark!"

I ended that post with:

Fuck Facebook. They really are just the worst.

If you work there, I implore you to quit. I'm sure you can find a job working for a company that you don't have to apologize for all the time. You can do it. I believe in you.

But, you know, maybe they have attracted exactly the employees that they deserve: the kind who care more about their feels than about shipping products that work.

Meanwhile:

Facebook remains the 800 pound gorilla in the room, and you've just got to hope it doesn't poop too much. And this brings me to a change I made to our web site recently that makes me feel really, really dirty. But I went and did it just the same.

You're probably aware that Facebook knows just about every single web page you've ever looked at. If you're logged in to Facebook, and you visit some other page that has a Like button on it, Facebook knows what page you visited, even if you didn't click the button. In fact, they probably know who you are and what page you visited even if you aren't logged in to Facebook at the time. There are ways, and they've been sued over that sort of thing before.

You've probably noticed this if you ever browsed something on Amazon that you've never looked at before, and suddenly Facebook has ads for it. That's how it happens. Facebook knows all about your dildos and hemorrhoids. (And the NSA has all your dick pics.)

(Google has just as much information as Facebook, not because of Like or Plus buttons, but because everyone in the world uses Google Analytics, which invisibly tracks you just as well as those buttons do.)

Anyway --

We buy ads on Facebook, because they work. When you buy ads, you try to narrow the scope to one that makes sense: geographically, and by using keywords like the band that is playing, or other bands that they sound like, and based on that, Facebook shows those ads to some random set of people that they think are most likely to click it. But buying ads is always kind of a gamble, because it's really hard to tell whether that ad turned into a sale.

Except, you can add "conversion tracking" to your checkout page, which basically means we added an invisible piece of JavaScript similar to a Like button to the checkout page that says, "Hey Facebook, twenty bucks just got spent, ka-ching!"

We don't have to give them any identifying information about who spent the money, like name or email address -- because they already know, by virtue of the fact that you left yourself logged in to Facebook in another window.

So what this means is, the ad report now says things like: "This ad was shown to 500 people, 50 of them clicked on it, and shortly after those clicks, 20 of those same people spent a total of $300 with you."

So that's some pretty positive evidence of whether the ad was worth buying! Maybe those 30 people would have found out some other way and bought tickets anyway, but drawing a direct line between an ad purchase and a sale is not something you can often do.

It's so gross, though.

The first gross part is that it just highlights how heavily surveilled you are by Facebook, all across the web. Even before we put this checkout tracker on, we already had Like buttons, because everyone does it and those drive traffic. This new thing feels like snitching on our customers, but those Like buttons were already "game over".

The second gross thing is that we've given just one more piece of information about our customers to Facebook, but not in a way that is directly useful to us. Even though we're doing the leg work to build up this dossier on our customers, we don't actually get to look into the file. Only Facebook does. When Facebook eventually goes away, the information is gone. When Facebook becomes more extortionate, the information is gone.

The future of this looks a lot like all of those bands who spent years building up subscriptions to their Facebook fan pages, only to have Facebook turn around and tell them, "We've changed our mind, if you want to actually reach those fans, suddenly you have to pay."

Sigh.

I'm sure now someone in the peanut gallery is going to pop up and call me a hypocrite for despising Facebook's business practices, and yet still taking advantage of their services. Well, I don't like it, but I am pretending to run a business here, and that leaves you with something less than absolute moral clarity.

So I guess what I'm saying here is:

Run an ad blocker.



31 Responses:

  1. John Adams says:

    This is an excellent post.

  2. Jon says:

    At least for the like button tracking there is a solution: Shariff – originally created by a large German IT publisher to allow like buttons on their web page (heise.de) without violating their users' privacy.

    https://github.com/heiseonline/shariff

    And there's a WordPress plugin based on it:
    https://wordpress.org/plugins/shariff-sharing/

    I'd really like to see more pages not giving in to the whole tracking mess. Especially since they may even profile people who have not even subscribed to facebook.

    On the other hand: I find tracking users who have clicked on ads in facebook not quite as bad: they use facebook, they deserve it.

    • jwz says:

      When that came out, Facebook made a statement claiming that what Heise did was a violation of their terms of service. I never heard whether they actually sued them, or just slunk away.

      • Jon says:

        That has been resolved by changing the design of the Heise button. Also the first version of that button required two clicks (so Facebook complained it was not behaving like a real like button even though it pretended to be one).

        Read the update parts in the article you just linked to.

        The Shariff project is a continuation of that first two-click attempt and requires only one click by the user and therefore resembles the true like button behaviour. So the original point made by Facebook does not apply anymore at all.

      • Jon says:

        I just saw that the translation of that article is really bad. What the second update says is: Tina Kulov from Facebook Germany said there is no problem with the two-click solution in principle; it just should not graphically pretend to be the original Facebook like button.

        But apparently Facebook managed to spread enough FUD leading to web masters like you giving up on the issue. Well played, Facebook.

        • jwz says:

          Actually I gave up on it because when they first made a fuss about this, their plugin was a pain in the ass to install, and the two-click thing was a pain in the ass to use; and then I never heard about it again. But thanks for assuming I'm just gullible.

          • Jon says:

            I just wanted to point out that you don't have to allow facebook to spy on all of your visitors as other pages have managed to work around that problem, but I understand that you don't have the time to dig into all legal issues or installer insanities.

            Anyhow: I've been enjoying your blog and the tools you are giving away for free for a decade or so.. no need to feel offended or assume I'd think you were gullible.

            • Leonardo Herrera says:

              Jamie never said he had to put that thingamagik in his page. He could have written his own conversion tracking logic for the website but apparently time and money may be valuable things.

      • Viktor says:

        The funny thing is that in Germany, it might be illegal to NOT use some solution like Shariff, as the original Like button violates privacy laws (not just privacy ethics).

        • Jon says:

          Yeah. We wish. The like buttons are all over German websites and no one has found a law against them, yet.

          • Viktor says:

            Or no one has the guts to sue Facebook for them. According to this article in Der Spiegel, it is actually not clear whether the Like button violates German laws or not - which is why I wrote "it might".

            • Nils says:

              The law is usually rather vague when it comes to these things so you pretty much have to take it to court. Since everybody and their mother has those share buttons nobody dares to sue. Or maybe there are already cases in courts...

      • anony trace says:

        Technically FB is nothing but a newer GeoCities. They owe 99% of their success to their contributors.

  3. Ray says:

    Disclaimer: I do minimal web stuff and I'm not trying to give advice phrased as a question, I'm just curious what I'm missing.

    Is there a reason not to use referrer logs (or google analytics, which you imply you're using) to track how many facebook-ad-clicks lead to sales? Or is the goal to improve facebook's ad targeting?

  4. nooj says:

    When Facebook eventually goes away, the information is gone.

    I'm sure the ol' Vampire Squid will keep those databases alive for the eternal anger-humping everyone has come to expect.

  5. madddddddddddd says:

    if you want to track people who bought things through ads, send the ad to a landing page on your domain so you know which ad they came from, and then set your own tracking code in their session or a cookie... then roll your own conversion reports. it's not hard. you're doing it wrong.

    • jwz says:

      I love it when these drive-by trolls show up to tell me how effortless everything is.

      Maybe your time has no value, but mine does.

      • MattyJ says:

        I'm not sure why you think the 'spawn your own ad network' is such a difficult thing. I mean, come on, a perl script here, some node.js there, it practically writes itself.

        Preston Tucker is unimpressed.
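
The first-party approach suggested in comment 5 above (tag the landing URL, set your own cookie, build your own report), as an added example that is not code from the post, its commenters or the site discussed. The `ad` query parameter, the cookie format, the 7-day window and `SECRET` are assumptions made for illustration; nothing here is sent to a third party.

```javascript
// Added example: first-party ad attribution (illustrative, not the site's code).
const crypto = require("crypto");

const SECRET = "constructed-demo-key"; // placeholder; load from server config
const MAX_AGE_MS = 7 * 24 * 3600 * 1000; // assumed attribution window: 7 days
const AD_ID = /^[a-z0-9-]{1,32}$/; // allowlist: the URL parameter is untrusted

const sign = (payload) =>
  crypto.createHmac("sha256", SECRET).update(payload).digest("hex");

// Landing page: turn ?ad=<id> into a signed cookie value, or null if invalid.
function tagFromLanding(url, now) {
  const ad = new URL(url, "https://shop.example").searchParams.get("ad");
  if (!ad || !AD_ID.test(ad)) return null;
  const payload = `${ad}.${now}`;
  return `${payload}.${sign(payload)}`;
}

// Checkout: return the ad id only if the cookie is authentic and still fresh.
function adFromCookie(cookie, now) {
  const parts = String(cookie || "").split(".");
  if (parts.length !== 3) return null;
  const [ad, ts, mac] = parts;
  const expected = Buffer.from(sign(`${ad}.${ts}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  const age = now - Number(ts);
  return AD_ID.test(ad) && age >= 0 && age <= MAX_AGE_MS ? ad : null;
}

// Report: per-ad clicks, orders and revenue from the site's own records only.
function conversionReport(landingHits, orders) {
  const report = Object.create(null); // no prototype keys to collide with ad ids
  const row = (ad) =>
    report[ad] || (report[ad] = { clicks: 0, orders: 0, revenue: 0 });
  for (const hit of landingHits) {
    const tag = tagFromLanding(hit.url, hit.time);
    if (tag) row(tag.split(".")[0]).clicks += 1;
  }
  for (const order of orders) {
    const ad = adFromCookie(order.cookie, order.time);
    if (ad) {
      row(ad).orders += 1;
      row(ad).revenue += order.total;
    }
  }
  return report;
}
```

The cookie carries only an ad identifier and a timestamp, and the signature keeps a visitor from crediting a sale to an ad they never clicked.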

  6. J says:

    Maybe Facebook don't like their business practices either, but they're pretending to run a business as well?

    • passerby says:

      Well spotted.

      I believe that was the plot of Chesterton's The Man Who Was Thursday - all the conspirators were undercover agents.

      Maybe some moral restraint, perhaps out of fear of God - nah, forget it. Too late.

  7. nana says:

    thank you for that text - thank you. maybe a little bit too aggressive - but i understand your frustration. didn't fb even mention a "bug" that "accidentally" enabled the tracking of also non fb users? pf, these like-buttons, and "analytic services" onload js adds were suspicious on the first day they appeared (img src what's that - what's happening - i don't see it). DO NOT TRACK cookie - it's a running gag at fb/google management.

  8. just a says:

    This may be update...Published: 15:13 GMT, 31 March 2015
    http://www.dailymail.co.uk/news/article-3019821/Facebook-illegally-tracks-visitors-site-not-accounts-logged-opted-says-new-report.html
    "Facebook 'illegally' tracks all visitors to its site even if they do not have accounts, are logged off or have opted out says new report "

  9. just me says:

    Well, I have the Ghostery plugin installed on all my browsers, also on my mobile firefox. Blocking all kinds of trackers and tracking cookies very reliably, including Google Analytics. Also replaces Facebook like buttons on every web page by "click to play" versions which get activated only if you click on them. I know, it can collect some statistics on the trackers it finds and send them home, but this is purely opt-in. I really like it. The tracker database is updated regularly.

  10. Tracking users through ads is just the easiest way to do it. All the other ways you interact with the internet can be used to similar effect. Connecting to a tracker is a good way of publicly broadcasting a fingerprint of yourself (you list which torrents you want info on). Your OS has a fingerprint in terms of the way it acts within TCP sessions. Your user-agent is very identifying. TOR can be used to identify individuals if you track it long enough. Certain OSes broadcast which Wifi networks they want to check for. Put any of these together and you get a pretty good probability of identifying people.

    • I forgot to add an actual conclusion to my assertions. I guess I would say that since you're already fucked, you probably should focus on having compartmentalised online identities with dead-drops between them.

    • jwz says:

      Panopticlick: "Your browser fingerprint appears to be unique among the 5,260,093 tested so far."

      How YouPorn Checks What Other Porn Sites You've Visited.

      Evercookie: virtually irrevocable persistent cookies.

      • It's worth mentioning that (AFAICT) Panopticlick uses old fashioned detection techniques and still gets amazing results. I saw a talk at Ruxcon 2014 where people use Steam's browser identity check to help combat fraud, but repurpose it to identifying people for marketing. The idea is that while you can't enumerate a user's fonts without java, you can just try writing out in a bunch of fonts in a canvas element, serialise it to a string and post it to the c&c box. If a line is not blank, or if the font has certain kerning or whatever, it serves as the ultimate identity check. So it's not even UA or cookie based, and good luck getting anything to run when you disable JS.

      • Peter says:

        That article on YouPorn describes how they, and many other sites, used to track which other sites you've visited, by examining how anchor links are styled (and whether they are displayed with :visited pseudoclass attributes). This no longer works, as Chrome will lie to javascript if you query on :visited.

  11. Justin says:

    You can always use social media buttons as images that when clicked will direct you to the sharing link.

    But that takes more work and people are lazy, it's something I do just because it lowers the page load... having simple sprite images and hrefs instead of loading all these different plugins from these different servers.

  12. Cookie Wolf says:

    I've never been more proud to have been kicked off Facebook than I am right now. ;-)

  13. Ronald Pottol says:

    I always use an incognito browser window for FB, and I don't see any signs that they associate my account with anything else I do on the web.