I didn't think too much of it when I first read of phishing attacks on Facebook, but had the following Facebook IM exchange today with someone I hadn't heard from in years. Even if I wasn't suspicious that he needed me to perform an urgent favor, the imposter tipped his hand when he said he needed me to wire $870 to Germany for "a rare software."
I tried to call my friend, but apparently the imposter modified my friend's profile to divert his email and phone numbers.
Well, what do you want from a free service anyway?
Om Malik observes that SMS apps on Facebook get very little usage. Although he found three dozen of them, the most popular only get around 500 daily users in an environment where games like Scrabulous get 1,000 times that. He further observes that Facebook VoIP widgets suffer a similar fate and posits that despite Daniel Berninger's argument for the utility of a social directory, people in Facebook don't really want to communicate with each other in real time.
I've observed the same phenomenon but have a somewhat different theory. Facebook encourages a definition of "friend" that encompasses a much larger group than those people I would want to interrupt with an SMS or a phone call. If I know someone well enough to SMS or call them, I already have them in my contact list and synced to my mobile phone from which I can message or call them without opening any widgets. There is still plenty of utility in tying Facebook to SMS - Facebook's own Mobile app gets more than 370,000 daily users, but it provides unique functionality such as broadcasting news feeds. I think there is plenty of opportunity to use SMS as a way of connecting people with applications, but if two people just want to talk to each other they will reach for the phone.
Facebook has introduced the long-awaited fine-grained privacy controls. Now, if I can find it under "customize" I can share various parts of my profile information with my friends of friends. If only my life was so interesting that I needed to hide things from the general public, or at least those members of the general public who aren't in the "network" defined by the part of the country in which I live.
The recent imbroglio over internet celebrity Robert Scoble being banned from Facebook raises some long-overdue questions. It appears that Scoble used a beta version of a tool from Plaxo to extract his social graph from his Facebook account. Facebook's automated mechanisms detected a heavier-than-usual pattern of access and shut off his account until he appealed. The account has since been reinstated, but not until it caused a Facebook group, "Facebook re-open Robert Scoble account !!!!!", to gather 539 members and the TechCrunch post to generate 93 comments. While the comments contained the usual quotient of foaming-at-the-mouth, several legitimate points were raised:
Facebook goes to some lengths to obfuscate the email addresses on a profile by displaying them as bitmaps, which Plaxo cheerfully OCRs back into text.
While Facebook touts its openness, is it really open if it prevents its users from taking their data with them, and whose data is it anyway?
This last point is the important one. If I display my email address on my profile, or for that matter if I give someone my business card or tell them my email address, do I have any right to control what they do with it? While I may have legal recourse if they use it to send me spam, it's really no business of mine whether they load it into Outlook, Plaxo, or write it on the back of their hand with a Sharpie. Perhaps the fact that the process is automated may give someone pause, but that is only a matter of degree.
If we were to deal forthrightly with the matter of ownership of one's social graph, it might make sense to make a distinction between the nodes and the arcs. Clearly the arcs of my social graph (who I am friends with) are my property, although one could make the case that the nodes (the information about each of my friends) should be controlled by the people described by the nodes. Ultimately this gets into the area of nondiscretionary controls, which as Ray Ozzie has pointed out, are easy to fake but almost impossible to implement.
Christopher Caldwell offers a fresh perspective on the Facebook Beacon imbroglio in today's New York Times, entitled Intimate Shopping. He applies the concept of "implicit contracts" which was developed by Andrei Shleifer and Lawrence Summers in their 1989 paper Breach of Trust in Hostile Takeovers. Shleifer and Summers argue that the increase in share price after a hostile takeover stems from the new owners reneging on the implicit agreement between employer and employee that if employees work hard when they are young the company will take care of them when they are older. The new owners can say they weren't around when that agreement was made and thus change the arrangement ex post. Anyone who lived through the Eighties can recall the moment when corporations discovered they could abandon such implicit contracts, for instance moving plants from Michigan to North Carolina, then to Mexico, India, and Asia. Economists will argue that the resulting arrangements were more efficient and thus could lead to more prosperity, but those caught up in the change weren't always happy with the disruption. Still, being on the early side of making those changes could be very lucrative, whether it was globalizing manufacturing, outsourcing services or, most recently, securitizing mortgages.
Caldwell points out that this same process is at work on the Internet. The average user had an expectation that information on one's purchases would not be widely shared. It turns out that this expectation is not grounded in any law or contract and thus open to reinterpretation by sites such as Facebook. Had Facebook gotten away with it, they might have benefited handsomely, but in this case they overreached and had to retrench. I'm confident this won't be the last time we see this dynamic play out.
In the next phase of its "better to ask for forgiveness than permission" approach to new features, Facebook has modified its controversial Beacon program to be opt-in instead of opt-out. There is still no way to opt out of the entire program, but now each time a site is about to send an announcement back to Facebook the pop-up asks for permission instead of assuming no answer means yes.
I suspect what motivated Facebook to act was that some merchants, such as Overstock.com, had suspended their participation until Facebook changed the program.
Louise Story has a detailed account of Beacon's evolution in the New York Times, and Brad Stone has an interview with Facebook VP Chamath Palihapitiya, who reiterated Facebook's philosophy of trying out features in the market instead of in the press:
A. "One of the things we try to do is listen to feedback as much as possible. Just to give you where a lot of this feedback is coming from, it's coming more from the press than specific users," he said. "Right now, the right thing to do is to make sure we speak to actual users, not the pundits."
In another example of its "Better to apologize than ask permission" approach, Facebook launched Beacon, a system that allows participating merchants to notice when a purchaser is a Facebook user and send "alerts" back to the Facebook newsfeed announcing the purchase to all of one's friends. Like the newsfeed itself, Facebook may have underestimated the privacy backlash and will be forced to modify the system. On the other hand, all the publicity, including a campaign by MoveOn.org, will raise Facebook's profile among potential advertisers. Once they get the privacy settings right they will have added an important innovation to online marketing. I'll have to say I admire their approach. Instead of agonizing around the conference table about each new feature (opening up the membership, the newsfeed, the F8 platform) they launch things into the world and see what happens. As long as they are responsive to their users they will retain the old users while continuing to innovate and build their business which, after all, is free to users and needs advertising to keep it that way.
The most controversial aspect of Beacon is that the permission dialog at the merchant site is opt-out instead of opt-in and that at the Facebook site the opt-out is on a site-by-site basis, with no way to opt out of the entire program. As David Weinberger points out, the defaults are kind of creepy, especially the opt-out toast that assumes you mean "yes" if you don't respond within a few seconds. [See the comments in Weinberger's post for a really interesting discussion of privacy.] For those who find all this too daunting, Nate Weiner has a simple and elegant solution: install the BlockSite add-in for Firefox and tell it to block access to http://*facebook.com/beacon/*. That will prevent the merchant site from executing the http://www.facebook.com/beacon/beacon.js.php that sends your data back to Facebook. Fred Stutzman explains how this works, which is that when you log into Facebook, Facebook stores your login ID in a cookie. When the merchant site runs the beacon script, it sends Facebook the ID, along with your IP address and the URL of the page you are visiting, thereby giving Facebook a complete picture of where you have been and what you've done there. Cameron Marlow points out that this is what DoubleClick and Google AdSense have been doing for years, although DoubleClick makes it easier to opt out and to delete the data. Wendy Seltzer thinks part of the problem is that Facebook has taken cross-site correlation to a new level, although they are at least being open about it.
Ethan Zuckerman likens it to a cookie-theft Cross-Site Scripting attack, although in this case it's the result of a legitimate, if unprecedented, cooperation between Facebook and the merchant site.
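The mechanism Stutzman describes and the block rule Weiner suggests can be modeled in a few lines. This is an added example, not code from Facebook, BlockSite or the posts cited; the merchant URL, cookie value and function names are constructed, and the wildcard semantics (`*` matches any run of characters) are an assumption about how such a rule behaves.

```javascript
// Block rule quoted in the post above.
const BEACON_RULE = "http://*facebook.com/beacon/*";

// Turn a wildcard rule into an anchored, case-insensitive RegExp.
// Assumption: "*" matches any run of characters, everything else is literal.
function wildcardToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i");
}

// Model one subresource load from a merchant page. Returns what the
// destination host learns, or blocked:true if a rule stops the request.
// (The client IP address is also visible to the destination on any request.)
function simulateSubresource(pageUrl, resourceUrl, cookieJar, rules) {
  if (rules.some((rule) => wildcardToRegExp(rule).test(resourceUrl))) {
    return { blocked: true, disclosed: null };
  }
  const host = new URL(resourceUrl).hostname;
  // Cookies are selected by the destination host, not by the embedding page,
  // which is why a script tag on a shop page carries the Facebook login cookie.
  const domain = Object.keys(cookieJar).find(
    (d) => host === d || host.endsWith("." + d)
  );
  return {
    blocked: false,
    disclosed: {
      to: host,
      cookie: domain ? cookieJar[domain] : null,
      referer: pageUrl, // URL of the merchant page being viewed
    },
  };
}

// Constructed sample data: a merchant checkout page and a logged-in cookie jar.
const PAGE = "http://shop.example/checkout?item=dvd-rental";
const JAR = { "facebook.com": "login_id=12345" };
const BEACON = "http://www.facebook.com/beacon/beacon.js.php";

const unblocked = simulateSubresource(PAGE, BEACON, JAR, []);
const blocked = simulateSubresource(PAGE, BEACON, JAR, [BEACON_RULE]);
const firstParty = simulateSubresource(PAGE, "http://shop.example/site.js", JAR, [BEACON_RULE]);
console.log({ unblocked, blocked, firstParty });
```

Under these wildcard semantics the rule as written covers only `http://` URLs and matches any host name ending in `facebook.com`, so a real blocklist entry would need checking against both cases.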
I suspect the real reason the tin-foil-hats are upset and the rest of us are queasy is that Facebook shares this information with your friends, while DoubleClick only shared it with corporations. Personally, I don't care if my friends know what video I rented, but I am concerned about the proclivity of insurance companies to make underwriting decisions on the basis of lifestyle choices, as they are threatening to do in Massachusetts.
Companies using or planning to use Beacon: AllPosters.com, Blockbuster, Bluefly.com, CBS Interactive (CBSSports.com, Dotspotter), eBay, Epicurious, ExpoTV, Fandango, Gamefly, Hotwire, IAC (CollegeHumor, Busted Tees, iWon, Citysearch, Pronto.com, echomusic), Joost, Kiva, Kongregate, LiveNation, Mercantila, National Basketball Association, New York Times, Overstock.com, Red, Redlight, SixApart (LiveJournal, TypePad, Vox), Sony Online, Sony Pictures, STA Travel, The Knot, Travelocity, TripAdvisor, Travel Ticker, viagogo, Yelp, WeddingChannel.com and Zappos.com.
Deb Schultz has a suggestion for letting users regulate the amount and type of advertising they see in their Facebook news feed. It reminds me of Nicholas Negroponte's idea in Being Digital about having knobs to change the level of sex, violence and political leaning in on-line material.
Jessica Vascallero has a piece entitled Dinosaur Digerati (or try this link) in today's Wall Street Journal about how even high-tech executives have to work to keep up with developments such as social networking. The obvious solution embraced by many was talking to one's own family and colleagues, but some of the more unusual techniques mentioned were
overhearing conversations on the subway (Amol Sarva),
Cool School is a service of the New York marketing firm Electric Artists, which for $30,000 and up will take a group of executives from clients such as American Express or A&E Television Networks on tours of local blogging and social media companies.
With the cost of starting a web property continuing to fall there are, as David Weinberger is quoted as saying, a lot of "half-baked" ideas that haven't had to prove themselves financially, with the result that word of mouth is still the most reliable tool.
For my own part, I do all of the above. I've never been to Cool School, but I do make frequent trips to the west coast and participate in industry events. I also scan TechCrunch every morning to see what 15 companies have launched that day. Most of them will never be heard from again, but watching the flow is a useful insight into the zeitgeist of the tech community. And of course there's always Slashdot.