More Advertising Issues on Facebook (Updated)

Originally posted June 7

Today I logged into Scrabulous and was greeted with a rather unusual ad.  Above my games list, a banner encouraged me, “Put one of Your FRIENDS on an Album cover!”

What was unusual is that the banner included the names and profile pictures of several Facebook friends.

Since the ad is appropriating the likenesses (and names) of my friends without their permission, I wonder if it could raise legal questions (though it does not present the images as endorsements).  That alone is cause for concern, but that was only the beginning.

I did a little digging and discovered this ad was an iframe being loaded from SocialMedia, a third-party advertising network for developers of social applications.  I’m not aware of any applications by SocialMedia that I’ve authorized, so I wondered if this was similar to the issues I raised with a previous application sending profile data to Google for targeted advertising.

Oddly enough, though, I loaded the iframe address in a separate tab and still saw a similar ad.  In other words, I entered a socialmedia.com URL into my Web browser and came up with an ad that included my friends’ names and profile pictures.  The ad did not use JavaScript to connect to Facebook, so the data was somehow coming server-side.  The URL did include a publisher key to identify it as a Scrabulous ad, and I think the data may have been restricted to Scrabulous users, since several names were blank and several profile pictures were the default question mark.  For the friends that did appear, the ad tracked if I clicked on a particular one by including the friend’s Facebook ID in the link’s URL.

I’m still at a bit of a loss on how SocialMedia is able to access data about my friends from a socialmedia.com page.  I tried removing the API key from the URL to see if I still saw the ad, but it doesn’t seem to come up any more even with the API key.  (The iframe URL loads different ads as you refresh.)  Perhaps SocialMedia or Scrabulous has already received some complaints.  Still, the only way I could think that SocialMedia is able to use a Scrabulous API key to access friend data would be if they had the Scrabulous secret used for API authentication.  If any developers can offer other ideas on how SocialMedia accomplished this technically, I’d be very interested in hearing them.

Either way, SocialMedia is using friend data that I never authorized them to access.  If Facebook banned Google Friend Connect, I wonder what they’ll do with Scrabulous, since Scrabulous apparently transfers the URLs and IDs of friends to SocialMedia.  Facebook and Scrabulous have been notified.

Update (June 10): I’ve seen the same ad on another Facebook application, and the friends used in the banner did not have the application installed.  I’ve contacted SocialMedia to get more information on this type of advertising.

This yet again highlights the challenges of using social networking data for advertising.  The fact that the ad included data on my friends and not just me also raises issues of who can authorize data to be used in what way.  Advertisers, advertising networks, and application developers need to be very careful in how they access a user’s data and how they use it.

Update 2 (June 14): I received a response from SocialMedia.  Here’s part of their reply:

Thank you for your thoughtful question and insightful blog post.   We take considerable measures to abide by our social network partners privacy policies, our valued developer partners privacy policies, and have our own privacy policy available for review at: http://www.socialmedia.com/?q=privacy It is not within our purview to comment about any one social network’s policies nor our varied developer policies regarding data and privacy.  socialmedia.com does not use the authorized Facebook application’s secret key nor does socialmedia.com use the application’s session information.

Visiting the link they mention brings up their privacy policy, which includes this interesting tidbit:

SOCIALMEDIA will access your picture and first name voluntarily provided by you to your social network to display in ads shown to others within the social network for which you have provided this information. When an ad is delivered to a user, our ad server finds relevant friends of that user, which may include you, and if so, may display your first name and/or picture to that user within the ad. SOCIALMEDIA also accesses your age and gender information provided by you to your social network for demographic targeting purposes. If you do not wish to have your name and picture displayed in ads delivered by SOCIALMEDIA or your demographic data used to deliver targeted ads to you, you may change the privacy settings of your public social network profile to disable access to this information or you may opt-out of SOCIALMEDIA’S ability to access your first name and photo by clicking here.

I’m guessing most Facebook users have no idea this is happening, which could generate some interesting discussion on its own.  However, I still haven’t gotten an answer on how this is technically being achieved.  How does SocialMedia access my list of friends?

I realize that data such as an application’s API key, a session key, etc. are passed on to an iframe within an FBML page. I was not unable to use this information to call the REST server from another page, though. I did some further experimenting with SocialMedia’s ad URL and discovered something quite interesting.  Using a browser that was logged out of Facebook, I pulled up the URL with only my user ID specified as a data parameter – no publisher ID, no session key, no API key, etc.  I also deleted any cookies for facebook.com or socialmedia.com before loading the URL.

Guess what?  I still saw ads that included names and pictures of my Facebook friends.

I can only conclude that SocialMedia is not only accessing my friends list when I use an application (though I’m at a loss for how they accomplish that), they’re storing data on who my friends are – a clear violation of Facebook’s TOS.  How else can they serve ads that include my friends when I simply supply a Facebook user ID?

To further test my theory, I changed the ID to that of a friend.  Sure enough, I now saw ads that included her friends’ names and pictures.  Same result with someone who’s not even my friend.  I see no way this information could be gathered from Facebook when I load the URL, since SocialMedia would have no way to make an API request with only a Facebook user ID.  Tack an ID onto the end of http://www.socialmedia.com/facebook/monetize.php?fmt=canvas&fb_sig_user= to see what I’m describing.

Perhaps there’s some way of accessing this data, but I can’t think of it.  If you can, please let me know.  In the mean time, I’m going to contact SocialMedia once again.

Update 3 (June 18): Thanks to SocialMedia once again for their reply on this.  Here’s what they said:

We do not store friend lists provided directly by social networks but work with select application developers whose applications observe interactions between friends as part of their application, without using session information nor secret keys.  We take considerable care to follow every social network’s Terms of Service, and appreciate your desire to investigate this, but we cannot disclose any further technical details at this time.

Quite interesting.  It reminds me of a point I made regarding issues with other applications that let users view activity data for people not their friends.  If you can tell I often superpoke someone, you can guess that they’re my friend, even though you never directly accessed my friends list.

Apparently, SocialMedia stores data on interactions (e.g. who I play Scrabulous with) – which would not violate the Facebook TOS prima facie – and uses that to infer who a user’s friends are when serving ads.  Clever.

The moral of the story?  Privacy on social networks remains a difficult issue to understand and manage.

Update 4 (June 20): SocialMedia has added a “What’s this?” link on the edge of ads containing names and pictures of friends.  The link takes you to a more information page on “Social Banners,” which explains a bit of the rationale behind the ads, assures you of their privacy policies, and provides a link to an opt-out page.  I don’t recall seeing this link on the “social banners” prior to today.

Addendum (June 23): CNET News.com has a post today discussing SocialMedia’s new banners and some of their privacy implications.