One Week After Open Graph Goes Live, Facebook Faces Its Death Panel

This piece was updated 4/29 -- see addendum below:

One piece of advice for Facebook CEO Mark Zuckerberg whenever he meets with New York senator Chuck Schumer over the social network's privacy: bring a translator, who can explain technology in layman's terms. Because most of the world -- including some very influential organizations, and millions of Facebook members -- have no idea what the Open Graph does, or doesn't do.

In case you hadn't heard, Zuckerberg is meeting Schumer, a senator who has rarely found a consumer protection bandwagon he couldn't jump on, over the new Open Graph social plugins that Facebook announced to great fanfare last week, including from the Social Media Insider. News of the meeting comes one day after Schumer and three other senators wrote Zuckerberg expressing concern over "instant personalization," which is at the heart of the Open Graph initiative, since it lets users see how their Facebook friends have reacted to content on other sites, while they are on those sites. Of particular concern to the senators, according to The New York Times, is "that this feature will now allow certain third party partners to have access not only to a user's publicly available profile information, but also to the user's friend list and the publicly available information about those friends."



Meanwhile, has started a "Respect My Privacy" group on Facebook, currently at about 21,000 members, which says: "[Facebook has] launched a new program that shares info about you and your friends with external websites-whether you want them to or not.

"They're calling it 'instant personalization.' We're calling it a major violation of your privacy. Again.

"Facebook is testing this new scheme with a small group of partners, but they're hoping to expand to more sites. We need to make it clear now that using our personal information without our permission is not acceptable."

Scary, huh? Except it doesn't look like either the senators', or MoveOn's, interpretation of instant personalization is true. According to my understanding of Facebook's announcement last week, and the Facebook blog, this isn't happening. The blog, in answering the question about what information Facebook is sharing, said:

"None [emphasis theirs] of your information-your name or profile information, what you like, who your friends are, what they have liked, what they recommend-is shared with the sites you visit with a plugin. Because they have given Facebook this 'real estate' on their sites, they do not receive or interact with the information that is contained or transmitted there. Similarly, no personal information about your actions is provided to advertisers on or on the other site."

This gap in understanding (and I'm going to leave open the possibility that even my own research is leaving something out) is why Facebook is now facing its "death panel." Like the misinformation in the healthcare debate that turned end-of-life consultations with doctors into a belief that the government would decide when to off Grandma, the belief that Facebook just opened its databank to third-parties is taking on a life of its own. And, unless Zuckerberg & Co. hire a translator, this belief is going to persist. In fact, it's even possible that "Facebook privacy" has become an oxymoron to so many people by now that hiring all the translators won't make a difference.

The problem, in addition to Facebook's customary naiveté about how people will perceive its actions, is that technology has become so complex that it's hard for many people who use it to understand how it works. That can be viewed as mildly disturbing when a consumer is cookied and the sharing of data is anonymous, but it's at a whole new level when a new technology -- such as Facebook's social plugins -- makes it appear as though you and your best Facebook friends have shared your digital fingerprints with the staff of Yelp or Pandora.

If you were a layperson, and you were just going on appearances -- as in what a site that has enabled social plugins looks like when you log on - of course you would assume that, in order for a Facebook frame to reside on a third-party site, that site must also have access to your information. After all, you're seeing your information on their Web page. It's very simple to understand, even if it isn't true.

But Facebook still hasn't learned to think like a person who doesn't know html from Hotmail, which, since it's now at almost 500 million users, probably represents the vast majority of its customer base. The entry on the Facebook blog I referenced above didn't show up until Monday, five days after Facebook announced the program. Meanwhile, it has largely let external sources, such as GigaOm, walk people through how to turn off instant personalization. It should have taken the lead on both counts, even if helping consumers opt out hurts its business plan. The social Web is all about transparency ... isn't it?

I've taken a considerably darker tone in this week's column about the Open Graph as compared with last week's, written only minutes after the announcement. I'm still enthusiastic about the technology and what it can do, but, if Facebook doesn't get better at explaining what it's doing, even the best engineer in the world won't be able to code its way out of the killer virus it's dealing with right now -- which is misperception.

 Addendum: OK, there is a loophole that makes what Schumer and MoveOn are concerned about real. The 11th (!) question on the Facebook blog post, asks "Why does a blue bar appear on some sites telling me it's being personalized by Facebook?"

The answer: "Separate from our social plugins, we have established a small pilot program with an exclusive set of partners-Microsoft, Pandora and Yelp-to offer personalized experiences as soon as you visit those services. These partners have been given access to public information on Facebook-such as names, friend lists and interests and likes-to personalize your experience when you're logged into Facebook and visit their sites." (You can read more of it here.)

On the one hand, obviously, I regret the error. On the other, I'm not at all surprised -- and I don't regret it the way I normally would. Why? Because, the whole time I was writing this week's column -- even after studying what Facebook was doing, watching last week's F8 keynote several times, and reading more about it over the last week -- I realized its complexity meant there was a much higher possibility than normal that I would make an error, for just the reasons I stated in the column. I also knew there was the possibility that even if there was a loophole concerning whether Facebook is sharing data, that most users wouldn't make the distinction between those sites and ones running a plain vanilla social plugin, so whether I was right or wrong, the "death panel" analogy would still make sense.

In fact, though MoveOn uses the term "instant personalization" to describe what Facebook is doing with, Pandora and Yelp, that's not the way Facebook director of products Bret Taylor used the phrase during the keynote. He described "instant personalization" in reference to social plugins.

Further, though Zuckerberg mentions this pilot project 35 minutes into the keynote, he's not particularly forthright about how it works. He speculates about what it might be like if a few "trusted" sites "already knew the public information about all of their users" before launching into a demo of Maybe Zuckerberg's use of the word "public" is different than mine. If you look at the answer to the question above, you see that what he really meant was "public within Facebook." Most of us would think he was referring to data that was already in the public domain.

Unfortunately, since none of us can get the terminology right, or what it relates to, this only proves my point. Thanks to my MediaPost colleague, Wendy Davis, for pointing out the loophole.

(Editor's Note: OMMA Social NYC, scheduled for June 17, is shaping up. Take a look.)

12 comments about "One Week After Open Graph Goes Live, Facebook Faces Its Death Panel".
Check to receive email when comments are posted.
  1. Brian Asner from Upshot, April 28, 2010 at 4:58 p.m.

    You hit the nail on the head by describing Facebook's "customary naiveté about how people will perceive its actions." It's a shame, because we (at Upshot) think there is enormous potential for these new offerings.

    We just wrote an article about this, which can be viewed in PDF form here:

  2. Cathy Taylor from MediaPost, April 28, 2010 at 5:40 p.m.

    Hey commenters,

    One of my colleagues just found a loophole that I didn't. Addendum to come.


  3. John Jainschigg from World2Worlds, Inc., April 28, 2010 at 6:02 p.m.

    You're absolutely right. All Facebook is doing is standardizing a way for web publishers to make their content part of the stream of stuff that Facebook users see and share, and generally (based on 'like' votes) promote desirable content among friend-pools and across Facebook at large. Facebook, according to the OpenGraph docs, is absolutely, positively not sharing user data with sites that choose to mount a 'like' button.

    The question Senator Schumer needs to ask is: 'Why would they have to?' People who want anonymous reader-sentiment data about the Like button clicks can presumably use the API to retrieve this information, or wrap the like buttons in a little code that does the same thing locally. If you can get the user to register and login, you then have a mechanism on your site that the user is pre-conditioned to use (and to some extent trust) that can tell you exactly what they, as an individual user, like and dislike.

    So far, not too profound a threat to Democracy. But this gets more interesting over the next few months as Facebook pages start showing up on Google, and as other methods for probing Facebook from inside for user information are perfected. The state of all this is currently very nebulous - but technical readers will at least acknowledge that there's no absolute, structural barrier (technical or legal) prohibiting connection of metrics derived from Like buttons on third-party sites with Facebook user information derived from searches.

    And _then_ there's the possibility of cadres of third-party websites (like pornsites, or banks) standardizing these approaches and federating, sharing all their pools of Like-button and search data and eventually creating a very complete picture of individual user activity, who your friends are, and all the stuff that Senator Schumer fears.

    Not to mention that, by propagating a cross-the-web, widely-accepted, visually standardized set of user-interface norms for embedding Facebook stuff in third-party sites, you're also creating a model for creating convincing-but-FAKE Facebook stuff in third-party sites. I leave the 9000 ways that could be used for evil as an exercise for the reader.

  4. George Eberstadt from TurnTo, April 28, 2010 at 6:21 p.m.

    I think you're confusing the plug-ins with Instant Personalization. The plug-ins run within what's called an iframe. You can think of that like an embassy. It's sovereign soil of Facebook nation that just happens to sit on another website. The other website has no idea what goes on there. Instant Personalization is different. That's like Facebook Connect without the user authorization. Facebook Connect (now renamed the "Graph API") enables a user to authorize Facebook to release data about them and their friends to a site. That enables the site to personalize the whole user experience, not just the parts within the iframe. Instant personalization takes away the part where the user first has to authorize the connection. As soon as the user shows up on a site using instant personalization, the data is transferred.* Thus the Instant part. It's far more aggressive from a privacy perspective, thus Facebook's emphasis on providing the service to just a few, highly trusted sites.

    (* The user does have to be logged in to Facebook at the time of visiting the other site. Bust most Facebook users stay logged in all the time. This can be confusing to non-techies. You don't have to have Facebook open in a browser window to be logged in. You just have to have not logged out the last time you left Facebook...)

  5. Arnold Waldstein from Waldstein Consulting, April 29, 2010 at 7:37 a.m.

    Thanks for this post...

    The privacy debate is a bit retro...what Facebook is doing has been done for years with targeted advertising, cookies connected to our IP addresses... and is the core of Google's business.

    The social web requires we give up some things to get a lot more. Nothing new here.

    My blog post on this yesterday "“The best way to protect your privacy is to understand that you live in public. And act accordingly.”

  6. Tobias Bray from 360 Sales Focus, April 29, 2010 at 7:58 a.m.

    Run almost any announcement from fb through a clarity grader and it comes back with a D or F. Successful consumer oriented companies that play in this space know that Homer Simpson is on the receiving end of every message. Tech loves to be insular and mysterious - just the opposite of social and accessable.

  7. Cathy Taylor from MediaPost, April 29, 2010 at 9:38 a.m.

    Hi George,

    You were right. If you revisit this site take a look at my addendum. Unfortunately me being wrong has the bizarre effect, in a way, of proving why I was right.


  8. George Eberstadt from TurnTo, April 29, 2010 at 12:15 p.m.

    Hi Cathy. I agree your wrongness proves your rightness.

    Your last point about what constitutes "public" is important. Facebook members now have to reorient their understanding. It's not just "public to humans looking for info about me on Facebook." Now it's "info labeled Public may be automatically passed on to other services without anyone asking me first."

    Which raises the key question: is that bad, or just different?

    On a different note: I'm very interested in how Facebook is going to choose the "few, trusted" services to whom they make instant personalization available.

  9. Catherine Dwyer from Pace University, April 29, 2010 at 12:57 p.m.

    Perfect headline!
    I knew those death panels were real!

  10. Kyle Lake from Done In Sixty Seconds, LLC, April 29, 2010 at 1:51 p.m.

    Great read. Haven't we all known all along that with the growth of Facebook and the unbelievable amount of data collected- by all of us voluntarily submitting it- provides a waiting powder keg of temptation for someone (i.e. Facebook) to sell us all out to corporate solicitation? I mean it's I'm interested books, movies, music, food, travel, etc....oh and btw here's how old I am, my occupation, where I live, who I'm in a relationship with and just to be sure, a few hundred pictures of me partaking in said interests! Really scary stuff. "An Online Video Creation Tool"

  11. Kaila Colbin from Boma Global, April 29, 2010 at 6:21 p.m.

    What kills me is this comment: "These partners have been given access to public information on Facebook-such as names, friend lists and interests and likes-to personalize your experience when you're logged into Facebook and visit their sites." It's beyond disingenuous. Zuckerberg is suggesting that there's nothing wrong with sharing this data since it's already public -- when the only reason it's public in the first place is because Facebook made it public for you just two months ago.

    So they make it public without asking anyone (stating at the time that nobody cares about privacy anyway and making it ridiculously complicated to opt out), and then say there's nothing wrong with giving the data to third parties because it's already public. Talk about rewriting the rules in your own favor!

  12. Jerry Foster from Energraphics, April 30, 2010 at 3:08 a.m.

    What I like about Facebook and other social media is it defeats the death grip Google had on us before, where we did not control the information that appeared in search results about us individually. Now we can feed as much disinformation or positive information about us that we want into the system and Google search results can be jam packed with material we created.

    Unlike with Google, we control what we say through Facebook.

    It is your fault if you put your real year of birth in Facebook and you can still rectify that mistake. You certainly don't need to show your friends the year of birth.

    Anyway, one should just go to Privacy Settings/Instant Personalization and un-check the opt-in box that has been so conveniently checked for you. What is frightening about this is that a potentially hostile site can know everything about you just because you visited.

Next story loading loading..