Tuesday, November 27th, 2007

Facebook Beacon JavaScript

Category: JavaScript, Social Networks

The Web has been all aflutter with the Facebook Beacon launch, and suddenly people are worried about privacy as they see third-party sites throwing content into their news feeds:

I put a lot of trust in sites like Facebook to do the right thing when it comes to privacy. After all, the only stuff that gets out into the public is the stuff that I actually put in. Until now.

Earlier this week, I bought a coffee table on Overstock.com. When I next logged into Facebook and saw this at the top of my newsfeed:

I was pretty surprised to see this, because I received no notification while I was on Overstock.com that they had the Facebook Beacon installed on the site. If they had, I would have turned it off.

I used my personal email address to buy the coffee table, so I was puzzled why and how this “personal” activity was being associated with my “public” Facebook profile.

Jay Goldman took the time to deconstruct the JavaScript API that Beacon uses, including a real-world usage:

```html
<script type="text/javascript" language="javascript">
// <![CDATA[
   // Call the Beacon API once the page has loaded
   runOnLoad(function() {
       if (Facebook) {
           // 'queue' is the action name; the URL is the page being reported
           Facebook.publish_action('queue',
               'http://www.epicurious.com/recipes/food/views/240748?mbid=fbfeed');
       }
   });
// ]]>
</script>
```
```javascript
// Excerpt: a method of the Facebook object in the Beacon script
publish_action : function(action, urls) {
    // Default to the current page when no URL is passed
    urls = urls || window.location.href;
    setTimeout(function() {
        // Only actions listed in _BROADCAST_ACTIONS are sent
        if (Facebook._BROADCAST_ACTIONS[action]) {
            var query_params = [['action_name', action]];
            if (typeof urls == 'object') {
                // An array of URLs becomes urls[0], urls[1], ...
                for (var i = 0; i < urls.length; ++i) {
                    query_params = query_params.concat([['urls[' + i + ']', urls[i]]]);
                }
            } else {
                query_params = query_params.concat([['urls[0]', urls]]);
            }
            Facebook._send_request('http://www.facebook.com/beacon/auth_iframe.php', query_params);
        }
    }, 50);
},
```

Not only does he walk through the code base, but he takes a look at Beacon from a high level, including how to simply block it yourself.
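
The parameter-building logic in the listing above, reworked as an added example (not code from Facebook, Jay Goldman or the original post): it scans page source for `Facebook.publish_action` calls, shows the request each one would trigger, and provides a predicate a request filter could use to block the `/beacon/` endpoint. The query-string serialization stands in for `_send_request`, which the post does not show; the function names and the sample HTML are constructed here.

```javascript
// Added example: audits page source for Beacon calls and shows the request each
// one would trigger. Not Facebook's code; the sample input below is constructed.
const BEACON_ENDPOINT = 'http://www.facebook.com/beacon/auth_iframe.php'; // from the listing

// Same pair-building logic as publish_action: one action_name plus urls[i] entries.
function beaconParams(action, urls, pageUrl) {
  urls = urls || pageUrl; // the original falls back to window.location.href
  const list = Array.isArray(urls) ? urls : [urls];
  return [['action_name', action]].concat(list.map((u, i) => ['urls[' + i + ']', u]));
}

// ASSUMPTION: _send_request is not shown on the page; the pairs are serialized
// here as an ordinary URL-encoded query string on the endpoint.
function beaconRequestUrl(action, urls, pageUrl) {
  const qs = beaconParams(action, urls, pageUrl)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
  return BEACON_ENDPOINT + '?' + qs;
}

// Find Facebook.publish_action('<action>'[, '<url>']) calls with literal arguments.
function findBeaconCalls(html, pageUrl) {
  const re = /Facebook\.publish_action\(\s*(['"])(.*?)\1\s*(?:,\s*(['"])(.*?)\3\s*)?\)/g;
  const calls = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    calls.push({ action: m[2], url: m[4] || pageUrl,
                 request: beaconRequestUrl(m[2], m[4], pageUrl) });
  }
  return calls;
}

// Blocking predicate for a request filter: any URL under facebook.com/beacon/.
function isBeaconRequest(requestUrl) {
  let u;
  try { u = new URL(requestUrl); } catch (e) { return false; }
  const host = u.hostname.toLowerCase();
  return (host === 'facebook.com' || host.endsWith('.facebook.com')) &&
         u.pathname.startsWith('/beacon/');
}

// Constructed sample: the Epicurious snippet from the post, on one line.
const SAMPLE_HTML = "<script>runOnLoad(function(){ if (Facebook) { " +
  "Facebook.publish_action('queue', " +
  "'http://www.epicurious.com/recipes/food/views/240748?mbid=fbfeed'); } });</script>";
const SAMPLE_CALLS = findBeaconCalls(SAMPLE_HTML, 'http://www.epicurious.com/');
```

The predicate matches on host and path rather than the exact file name, so it also covers any other endpoint served under `/beacon/`.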

Posted by Dion Almaer at 3:21 am
14 Comments


I’m more surprised whether this violates the privacy policy of the merchant’s site. Some merchants specifically state they will not share your personal information with outside companies.

Comment by Jordan — November 27, 2007

This is SCARY!!! Thanks for pointing that out…

Comment by matt — November 27, 2007

Bokardo had a great writeup about this – http://bokardo.com/archives/facebooks-brilliant-but-evil-design/

Comment by EmEhRKay — November 27, 2007

I agree it is a big privacy issue, particularly concerning what Jordan mentioned. However, Beacon’s site says:
“When a user performs the action, they will be alerted that your website is sending a story to their profile and have a chance to opt out.”

A good question is whether Overstock suppressed the alert. If they did, I would say that is their mistake. If the alert didn’t work out of the box then it would be Facebook’s fault. And finally, if there was an alert and Jay missed it, I would not say it’s his fault because this is an issue of privacy and what was happening should be made overly apparent to him.

I think Facebook’s typical pattern is to cross the line to get people aware and then back off and rethink their privacy settings. Just like when they created the news feed.

Despite all this I think it’s an awesome feature.

Comment by Rob — November 27, 2007

This is why I usually only purchase anything from a virgin install of Opera that deletes all settings, cookies, and history after each use. :P

@Jordan: Oh, they usually say that, but if you read the smaller print, somewhere there’s usually a passage about “Though, we will share your information with relevant business partners.”

Comment by mdmadph — November 27, 2007

I would create a script on my page which will post news like “Ms.Smith bought big dildo at mybestdildos.com” :)

Comment by Anonymous — November 27, 2007

This very much seems to cross the line into spyware. It is spyware – is it not? Facebook is providing ‘other services’ the ability to directly log with them user actions on ‘other services’. I don’t care if the user is supposed to be provided a chance to ‘opt out’. No doubt this can be suppressed, and even if it’s not users don’t want the alert and often won’t understand nor care to understand it.

This is a clear violation of the user.

Comment by Eric — November 27, 2007

This is absolutely shocking. I “deactivated” my account because I refuse to support a company with such shady ideals. They have totally lost their purpose/focus and instead are reaching out for the dollar bill any way they can. Even if that means violating their own “community”. Time to jump ship.

Comment by Van — November 27, 2007

They would be better off if they let you know about the feature on their homepage, and then opt in if you are interested.

Comment by Rob — November 27, 2007

With Google keeping an eye on Facebook’s latest dive into the contextual ad market they are trying to diversify as much as possible, perhaps in hopes of not being crushed by Google.

Comment by Site Smart — November 27, 2007

This also completely changes the dynamic between customer and retailer. It used to be a one on one relationship between the two. Now Facebook and, say, Amazon, have decided that Facebook is part of this. Without my input. Sure I can stop the effects of it, but the burden is on me.

How do I benefit from this? How is that permission marketing? How am I, as the customer, in control?

Comment by Jonathan Trenn — November 28, 2007

I’m sorry, maybe I’m missing something, but:

Isn’t the Facebook Beacon a very good example of a mashup, the sort of thing this site has been clamoring to enable by reducing XSS security standards?

Either your browser enables this sort of thing by default, which — I agree with every comment here — would be totally scary, or your browser prevents this sort of thing by disallowing mashups. What’s the alternative? (don’t say JSONRequest, it isn’t one.)

Comment by Travis Wilson — November 28, 2007

@Justin: Sites *do* notify their users every time they set any kind of cookie. They send Set-Cookie headers to the user. If the user is using a web browser as the user-agent, the site sends those headers to the user-agent.

If your user-agent fails to notify you (the user) about such headers, there’s not much the site can do about it. You might consider modifying or replacing your browser.

Comment by Travis Wilson — November 28, 2007

Makes you wonder how much information people are willing to share before they pull the plug on their Facebook accounts.

There is an easy way to let these companies know you don’t appreciate the way they treat you; take your business elsewhere. It stands for Facebook as well.

Comment by Omega Torrents — November 28, 2007
