
It hit the news cycle, and now technical details which have existed unchanged for years and which no user actually cares about (HTTP referrers) provide new grist for the mill. And, of course, it is distorted beyond all recognition: "Anyone who runs a web page on the Internet -- including advertisers -- is passively informed of the page you were looking at when you clicked a link to their site. This is built into the Internet and is the way it has always worked" becomes, quote, "Facebook, along with MySpace, Digg, and a handful of other social-networking sites, have been sharing users' personal data with advertisers without users' knowledge or consent."

I don't feel all that sorry for Facebook, but man, am I sure glad I have never had my business interests aligned against a media narrative.



Peter Bright of Ars Technica points out in the comments on their story:

here's why this is particularly objectionable: Facebook bounces user links through a redirect to strip the user data out of URLs. Facebook already has the technology, understands it, and uses it elsewhere. But not for adverts. The failure to use the existing technology is peculiar.

The original article was sensationalist, and I think this was much more likely an oversight than something malicious, but still... oops.


The failure to use the existing technology is peculiar.

Only if you have never coded software professionally in your entire life. A junior engineer on team B did not use the library code written by team A several years ago, which is probably documented mostly as a matter of oral lore among members of team A. Instead, mistakenly believing the problem to be trivial ("I have the URL they're going to! All I need is to output it. Hah, psych, I'm going to run it through our HTML escaper to make sure there is no cross-site injection. Security++ I am the awesome."), they handwrote a one-liner which worked fine. Two years later it is the subject of a WSJ article.

This only happens every single freaking day on every project I've ever been on. Heck, I have missed opportunities for re-use (and caused subtle side-effects through doing so) frequently when I was the only coder on the project.


At this point, it seems FB could benefit from a thorough third party security audit of their web technology.


That is definitely FB caught red-handed.

Amusingly, an alleged employee of Facebook here challenged me to find a single example of Facebook selling private information, and this seems to be the clearest example so far.

http://news.ycombinator.com/item?id=1312016


My challenge stands. There is no indication that Facebook made a cent off of this bug, nor that any advertiser was aware of the fact that a small percentage of ad clicks contained a user id.

"Alleged" employee? My name is Keith Adams, and here's an entry I posted to the Facebook engineering blog this week:

http://www.facebook.com/#!/notes/facebook-engineering/the-li...


Your challenge does not stand. It gets weaker every day.

There is a reason why Facebook is more appealing than other advertising venues. They offer more personal information. Facebook is smart enough to use a redirect cloaker for other content, why didn't they do it for ads? The reason is quite clear to me.

And yes alleged. Your comments and profile offered no proof of your employment so I was careful to represent that in my statement. Do you find anything wrong with that?


Easy there, crusader. There was no clear intent, and no selling of anything involved here. Read the story, not just the title.


I think that what makes this case particularly special is that Facebook referring URLs share much more data about you than the average site. A typical Facebook URL can be something like:

http://facebook.com/#!profile_id=123/reqs.php/456/v=photos&ref=pymk

This means "I am user 123 and I'm looking at the photos of user 456 after having clicked through to their profile. I found this user's profile through Facebook's friend recommendation page."

Why does Facebook have to put all that info in the URL in the first place?

The referring URL for an average site would simply share "I am an anonymous user that's looking at 456's photos".

An advertiser could use Facebook's Graph (where your name, picture and other information is forced to be public now and indexed via the above Ids) and you have extremely detailed info about someone and their Facebook activity.

Note: It looks like Facebook has stripped the part of the URL that needlessly self-identifies now, so that's good.
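An added example, not code from the thread or from Facebook: it simulates what an ad destination receives in the Referer header when a user clicks through from a page whose URL carries the viewer's own id, as described in the comment above, and the two mitigations the thread mentions (keeping the id out of the URL, and bouncing the click through a redirect endpoint, as in the Ars comment earlier). All hostnames and the parameter names in VIEWER_PARAMS are constructed for illustration.

```python
# Added example (not from the thread): Referer leakage of a viewer id and two fixes.
# Hostnames and viewer-identifying parameter names are constructed for illustration.
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Query parameters assumed, for this example, to identify the logged-in viewer.
VIEWER_PARAMS = frozenset({"profile_id", "viewer_id", "uid"})


def referer_sent_by_browser(page_url: str) -> str:
    """Referer value a browser sends when the user navigates away from page_url.
    Browsers drop the fragment (after '#') and credentials, but keep the path
    and the whole query string, which is where a viewer id leaks."""
    p = urlsplit(page_url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def viewer_ids_leaked(referer: str) -> dict:
    """Detection side: which viewer-identifying parameters a Referer exposes."""
    return {k: v for k, v in parse_qsl(urlsplit(referer).query)
            if k in VIEWER_PARAMS}


def scrub_viewer_params(page_url: str) -> str:
    """Fix 1: keep the viewer's id out of the page URL so there is nothing to leak."""
    p = urlsplit(page_url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
            if k not in VIEWER_PARAMS]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), p.fragment))


def redirect_link(target_url: str,
                  redirector: str = "https://social.example/l.php") -> str:
    """Fix 2: wrap an outbound link in a redirect endpoint whose own URL names
    only the destination. If the redirector navigates client-side (meta refresh
    or script, not a plain 3xx, which lets the browser carry the original
    Referer along), the destination sees the redirector URL as Referer."""
    return f"{redirector}?u={quote(target_url, safe='')}"


if __name__ == "__main__":
    page = "https://social.example/reqs.php?profile_id=123&v=photos&ref=pymk#!/456"
    print(viewer_ids_leaked(referer_sent_by_browser(page)))  # {'profile_id': '123'}
    print(viewer_ids_leaked(referer_sent_by_browser(scrub_viewer_params(page))))  # {}
    print(referer_sent_by_browser(redirect_link("https://ads.example/landing?c=7")))
```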


It's like watching a snowball roll down a hill at this stage.

Imagine what you could do if you could harness the power of that narrative in the other direction.

It's interesting to see how people react to realizing what has been going on under the hood pretty much for as long as I remember. I think that when the doubleclick trouble hit people just couldn't make the mental connection and for the media it was much too dry. Facebook is very close to home and it ties in to everybody's lives at such a close-to-home level that they seem to feel threatened way out of proportion.

Not sure if digg belongs in that list.


> Imagine what you could do if you could harness the power of that narrative in the other direction.

Facebook got to where it was by riding the media narrative up (from the start Zuck pulled strings to get positive coverage in the Crimson and from then on it was off to the races). They made Facebook and now will destroy Facebook. Fun to watch from the sidelines at least.


I think Apple is an example of a company that rode the upside of a narrative. Microsoft is evil. Microsoft is insecure. Microsoft is old and crufty, etc. There were a lot of practical reasons for Apple machines to never take off (no support, poorly supported software, no one uses it, hardware investment, etc.), but they made decent products, and more importantly, fit in the story.


"Imagine what you could do if you could harness the power of that narrative in the other direction."

diaspora


Diaspora has already had its run in the media, they were at their peak pulling in $4500 per hour in donations, they've fallen back to < $1000 per day now.

The media has given them a nice old time of it (especially a major article about them taking on Facebook and pointing people to Kickstarter) but they failed to fan the fire as far as I can see; they're well into the 'valley of despair' now media-wise, unless they cook up some stunt.

Otherwise their next shot at a media slot is launch day, and they better not mess it up.

News is fickle that way.

And they have a bit of a delivery problem ahead of them, the expectations are way beyond reasonable at this point.

If they manage to pull it off I'll be most surprised, if they manage to take > 1% marketshare away from facebook without active help from facebook I'll be even more surprised.

But facebook may yet oblige them.


Yeah, sucks to be them. They only raised 10x what they needed without giving up any control. Now all they can do is build the app they wanted to build and try to squeeze by as a well funded internet startup with great PR.


Right. Because all you need to take on the #2 company on the web with 400 million registered users is a few hundred grand and some newspaper articles.

Really, seriously. The Diaspora guys are probably great people but it takes a bit more than that and the above ingredients to make this happen. They'll have to keep drumming that PR motor without any news at all if anybody is to even remember them by launch day, and they have a very high bar to cross in terms of expectations.

At some point the amount of money you have doesn't matter.

Let me give you one small example: In the Netherlands there was a small local site called 'marktplaats' that had nested itself in people's consciousness when it came to buying and selling second-hand goods.

In the end, eBay, with a marketing budget that would dwarf most other companies' turnover, just gave up and bought them, so strong was the power of being the entrenched party.

On that scale 200K bucks and a bit of press amount to nothing.

The party that determines the future in this respect is facebook, and if they don't mess up royally (and there's always a chance for that) the outcome of all this is fairly predictable.

Given everything I know about all this today, and the fact that fall is about 5 months away and that they'll be able to hire an additional 35 man-months of coding time (assuming they themselves will only use that 10K they originally budgeted), that translates into a team of 11 people that still needs to be broken in and that needs to produce a relatively large amount of software in a very short time.

I put the odds at significantly less than 5% of this succeeding in a way that the first batch of users will be happy. If they find an investor that will give them several years of runway it's a totally different story, but then they still have to unseat facebook.

I hope they'll give it their best shot and that something good will come out of it, instead of just a signal to FB they have a public relations and a privacy issue.

Anything over that and I'll consider it a bonus.


I don't recall these guys ever saying they were trying to take down Facebook. That was the media's spin. A lot of people only understand change in terms of bloody revolution.

They're some geeks with a solid idea and they've got way more cash to build it than most successful open source projects ever see. There is absolutely no problem here. But I guess if you swim with sharks...


It's not so much taking down Facebook.

A social app, by definition, is governed by the network effect. For it to be successful, it needs much more than a great codebase. It needs users.

Diaspora will need to attract users, and that probably means enticing them to come from elsewhere. The purpose isn't destructive against FB, it's constructive for Diaspora.


> Otherwise their next shot at a media slot is launch day, and they better not mess it up.

(cough) Cuil (cough)


They might see a resurgence after today's xkcd.


I note a 'whenever' in the hint.



