I mentioned this the other day in a comment, but I figured it gets a lot more visceral punch if you actually see it happen, so I wrote up the consequences in an article and wired together a working tech demo. I haven't seen anybody exploit this misfeature "in the wild" yet, but then again I'm not exactly plugged into the social networking scene.
It astounds me that somebody thought making the Like button be silent opt-in to "permission" marketing was a good idea.
Added bonus points (not covered in article): this creates a security hole in every Liker's account, because it slaves the security of their News Feed to the security of every site they have ever liked. Pretend you like something published by Scrappy Startup A. Six months pass. Scrappy Startup goes out of business and their URL gets grabbed, or Scrappy Startup gets their server owned, or Scrappy Startup merely permits defacement of the contents of their HEAD. This lets the attacker immediately assert publishing privileges for all connections created by Likes (6+ months ago), and then spam the connected Facebook News feeds with live URLs carrying an endorsement from Scrappy Startup.
Now pretend Scrappy Startup is, or purported to be, Obama. (Thumbnail sketch: you and 10,000 other people favorite a picture of Obama hugging two puppies titled "Obama Gives Constituents a Lift", six months later the Facebook login crowd sees "Obama Gives Constituents a Lift: Click here and put in your bank account details to receive your instant stimulus package".)
I'm a bit surprised that you published this to your bingo blog and not Kalzumeus.com. Aren't you worried about your stereotypical user clicking it by accident?
The only way in is via direct link to that URL. I put it there because I happened to have Rails code written to do most of the work here (back from when I implemented Like buttons for the site, prior to understanding what they actually do), and because I'm positive Nginx can take the load (it is 100% static content after the first access) but less than sanguine about my Apache setup.
Your "takeover" scenario isn't true and cannot happen simply by having a URL change ownership. You need access to both the domain AND the Facebook user account or application to which the open graph objects (websites) are tied.
Also, if you can get access to a Facebook user account or application, you don't even need the domain name.
I'm pretty sure, but not positive, that I did it to myself earlier today: edit the page, add in a new og:app_id pointing to an application that you control. The documentation mentions the object's title and type being durable, and I wasn't able to successfully overwrite those, but you can change the other parameters and then just call the Lint tool on the page again.
(n.b.: If you have something as og:type="article", that apparently causes there to be no OpenGraph node created for the page in spite of what the docs say. That might be a bug. Anyhow, the upshot is that this means that everything tagged as an "article" is safe.)
But I think I remember being able to add an app to my "cause" after it was first liked.
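The two scenarios above (a liked site's domain or server changing hands, and the og:app_id on a page being edited after the fact) both reduce to the same observable: the Open Graph meta tags in the page's HEAD change. As an added example that is not code from this thread, from Facebook, or from any commenter, here is a small monitor that snapshots the og:/fb: meta tags of a page and alerts when the properties that decide who may publish to Likers change between snapshots. The property list (`og:app_id`, `fb:app_id`, `fb:admins`), the site name and the app ids in the sample HTML are assumptions constructed for the example, not values from the thread.

```python
from html.parser import HTMLParser

# Meta properties whose value determines who may publish to the feeds of people
# who Liked the page. ASSUMPTION: og:app_id comes from the thread; fb:app_id and
# fb:admins are added as commonly used spellings. Not an authoritative list.
SENSITIVE_PROPERTIES = ("og:app_id", "fb:app_id", "fb:admins")


class OpenGraphParser(HTMLParser):
    """Collect og:* and fb:* <meta> tags, but only those inside <head>."""

    def __init__(self):
        super().__init__()
        self.properties = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "meta" and self._in_head:
            attr = dict(attrs)
            prop = attr.get("property") or attr.get("name") or ""
            if prop.startswith(("og:", "fb:")):
                self.properties[prop] = attr.get("content", "")

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def extract_open_graph(html_text):
    """Return a dict of og:/fb: properties found in the document's <head>."""
    parser = OpenGraphParser()
    parser.feed(html_text)
    parser.close()
    return parser.properties


def diff_publishing_rights(baseline, current):
    """Return (property, old, new) for every sensitive property that changed,
    appeared or disappeared between two snapshots of a page's meta tags."""
    findings = []
    for prop in SENSITIVE_PROPERTIES:
        old, new = baseline.get(prop), current.get(prop)
        if old != new:
            findings.append((prop, old, new))
    return findings


def check_page(baseline_html, current_html):
    """Compare a stored snapshot of a liked page against a freshly fetched copy."""
    return diff_publishing_rights(
        extract_open_graph(baseline_html), extract_open_graph(current_html)
    )


# Constructed sample pages: the hostname and app ids are placeholders, not real.
# The stray <meta> in <body> shows that only <head> tags are considered.
BASELINE_HTML = """<html><head>
<meta property="og:title" content="Obama Gives Constituents a Lift"/>
<meta property="og:type" content="website"/>
<meta property="og:url" content="http://scrappy-startup.example/puppies"/>
<meta property="fb:app_id" content="111111"/>
</head><body><meta property="fb:app_id" content="222222"/></body></html>"""

# Same page after someone else gained control of the HEAD and pointed the
# existing Likes at an application they control.
TAKEN_OVER_HTML = BASELINE_HTML.replace('content="111111"', 'content="999999"')


if __name__ == "__main__":
    for prop, old, new in check_page(BASELINE_HTML, TAKEN_OVER_HTML):
        print(f"ALERT {prop}: {old!r} -> {new!r}")
```

Run against a real site by storing `extract_open_graph()` output at the time you add a Like button (or a Like), then re-fetching the page on a schedule; any non-empty result from `check_page()` is the moment the thread is describing, when publishing rights for the old Likes have moved to a different application.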
Maybe I'm missing something here, but this seems like much ado about nothing. I mean, I get it, if I "like" something then that site now has the ability to leave me messages. I just don't see this as much different than following someone on Twitter - once I follow them, they have the ability to DM me all they want (until I unfollow anyway).
Liking anything lets the owner spam you.
This just sounds like a scare-tactic to me. That's like saying "following anyone lets the owner spam you", or "emailing anyone lets the owner spam you".
I guess the real point here is to only "like" things that you trust. Just as I won't start following shady looking accounts on Twitter or handing out my email address to every website I visit, I won't "like" shady looking websites.
I certainly wouldn't expect that kind of side effect at all, but maybe it's because I'm used to having a greater degree of control over who gets a claim on a slice of my attention. For me "like" is not a binary concept -- either you like it or you don't. I might like something enough to put it in my bookmarks, but that doesn't necessarily mean I'll want to recommend it to all of my friends or subscribe to its RSS feed. If signaling that I like something will automatically imply "subscribing" to it, then I'd like to be informed about it beforehand.
We're not talking about like the English language word we're talking about "like" the Facebook specific action indicating that you wish to be associated with a particular page of content on that site.
See, this is why computer applications keep failing "average" users: "Stupid users, why didn't they RTFM? Had they done that, they would have realized that Facebook's definition of the word 'like' is drastically different from the English language word they use every day."
I also didn't expect this but it doesn't really bother me either. It seems pretty logical to me - if I like something I'd like to have access to more of it.
The concept itself is actually a good one; it's just named wrong. Had they called it "follow" or "subscribe", or even the old name "become a fan", it would have been much clearer.
They do give you the choice to display the button as "Recommend" instead.
In my opinion, both "Like" and "Recommend" would be perfectly suitable names for this feature were it not for the ability of those pages to post to your feed thereafter. I think that socially, it's a genuinely good feature.
There was a post on here the other day - basically you hide the like button (opacity 0%) and make its clickable area the size of the screen. Then if a user clicks anywhere on the page -- you've got them.
I'm confused. Hasn't this always been the case when you 'Like' (previously 'Become a Fan' of) something? Pages I became a Fan of well over a year ago (maybe longer!) have been publishing updates to my stream ever since. (The ones I don't want to get updates from have either been removed or blocked.)
The Page-to-User relationship is absolutely no different than the User-to-User one. By becoming Friends with someone, I'm letting them publish as frequently as they'd like to my stream. They can spam me if they want, and if I don't like it, I can block/remove them.
Saying that 'Like' buttons give Page owners permission to spam you is grossly misleading, and leaves out several important pieces of information that allow one to understand what is actually going on.
I'm sorry to hear that this behavior was a surprise to you- Perhaps FB could do a better job at making it clear what this does, but to me this was always the expected (and desired!) behavior.
The Facebook "Like" button is akin to "Follow" on Twitter. It subscribes you to their feed.
That's the whole POINT of the like button. The "Tell your friends" is ancillary; It's akin to twitter telling your feed "Colin is now following .... CocaCola"
It's a VERY useful feature, and the name makes sense to me; If you Like AntelopeFurniture.com, and they have a new sale running or something, you'd want to hear about it. You already said you like them ;)
With that understanding in mind ("Facebook:like == Twitter:Follow"), it starts to become clear that seeing their posts isn't spam- It's the entire point!
I think that the user expectation when clicking Like next to an antelope chair is to register approval of an antelope chair, not to sign up for the I-can't-believe-its-not-mailing list about antelope chairs. Your savvier users probably understand that Liking is semi-public rather than anonymous, like HN upvotes are. (Your savvier users clearly do not include some of my younger cousins, grumble grumble.)
Compare Antelope Furniture's desire to deliver news about its new sales to their legal requirements for handling things like email. Someone has typed in their email address (which is only used for receiving communication): can you assume they want to hear about your sales? No. Someone clicks a thumbs up. Can you assume they want to hear about your sales? ... Really?
I mean, pretend for a second that HN makes its upvote buttons into functionally equivalent copies of Facebook like tomorrow morning. Do you think the #1 thread in the morning will be titled "Wow, cool"? (Particularly after somebody with multiple kilokarma gets the bright idea to hit the broadcast button?)
That might be the expectation of certain "Like" buttons floating around the web, however Like buttons (aka "Become a Fan") within the Facebook context have always allowed that Page or Open Graph Object owner to publish messages into your main news feed. Why would you want to create two different user experiences tied with one common button?
>And since when in English ... Like =~ Follow? Sure, maybe for maniacs.
If you're going to be pedantic about made up web-2.0 (3?) terms then why not argue that "follow" on twitter doesn't let you actually follow the person only receive occasional messages from them.
Why don't they call it "receive occasional messages from"? There's your answer.
It is straight out ignorant to say follow doesn't imply you'll be interacting in the future with that person/company. Like (in itself) is an action verb that implies approval of the subject matter, not interaction. I like articles on HN (by up voting) but that does not mean I want to receive regular updates from the site due to a singular approval of one piece of content.
>It is straight out ignorant to say follow doesn't imply you'll be interacting in the future with that person/company.
Follow as a natural word is one-way relationship - you follow someone else, they don't have to take any action. It's thus not interaction. Nor is it a word that requires a continued future action; "following" would do that. I'm not sure there's a good word for the type of relationship you're [wrongly IMO] saying "follow" implies, perhaps "liaise" or "apprentice" is close?
On the contrary, follow specifically does refer to a continuing future action.
"Follow that cab!" doesn't mean just for one block. You expect the driver will follow that cab until you tell him to stop following it.
To agree with you, however, the cab being followed need not be aware of your continued future action. They can speed up, slow down, stop, U-turn, do whatever they would do if you weren't following them. To your point, "follow" is not "interactive". It's active for you, passive for the one being followed.
It's therefore the perfect word for Twitter's button.
I think this is the crux of the matter. Sure "I Like <something>" may lead into "I want to receive more information about <something>" but it's not necessarily a '===' relationship it's not even an 'implies' relationship. More like "x implies y sometimes."
To me the Like button seems used like it's more similar to a Digg this button (they are frequently next to each other even). While I expect that my Digg friends can see my Digg, I don't expect the article I just Dugg to be able to spam me later on. It's a huge invasion of privacy and Patrick's comparison to email opt-ins is on point.
What does it mean to "Like" a Page?
When you click "Like" on a Page, you are making a connection to that Page. The Page will be displayed in your profile, and in turn, you will be displayed on the Page as a person who likes that Page. The Page will also be able to post content into your News Feed.
Can anyone actually defend the statement that it is a huge privacy invasion?
I think it is a silly statement to make because, clearly, there is little or no privacy invasion. The button is probably a little deceptive to users - but clicking it does not open up any private details about you. It does, yes, allow them to post messages which appear in your news feed; but I am struggling to see that as a huge privacy problem.
I can understand why someone would be confused about that but I’m not really sure whether a frequent user of Facebook would be.
I have never ‘liked’ anything and as such never experienced the consequences of doing so. I figured that because of the placement of like buttons on websites (in the sidebar or below articles, often next to digg or reddit buttons) clicks on the ‘like’ button are akin to upvotes. I’m not at all a frequent user of Facebook, that’s why I’m not sure how widespread that perception is among frequent users.
I never read anything in my Facebook stream (or however that is called) anyway, so I couldn’t care less.
This really doesn't seem like a big deal. You can click the 'X' next to the spam to end it forever. If a certain publisher is getting removed frequently, Facebook could block them from posting to anyone's news feed. I doubt this functionality will negatively affect many people unless Facebook fails to police it properly.
Seeing that there's this "Mark as Spam" functionality, I would guess that Facebook would quickly revoke the spammer's ability to add like buttons to their page once enough people clicked that spam button (or even make any further business with Facebook).
IMHO, not that big a deal. Then again, I don't use Facebook, so I can't really know.
I clicked it and haven't gotten my note yet... By "spam", I think you're saying they can put something into my news feed, right? If this opted me into email communication or even facebook messages, I might be alarmed. Related: I generally trust things that I "like" to behave in a polite way... And know that if they don't they are going to quickly eat a social media backlash.
I can see some nice ways this could be used-- for example-- I "like" Bingo Card Creator and you say, "Thanks Tony! I see you just bought your copy of BCC a few days ago. Holler if I can help!"
I agree that this is an odd/dumb thing for FB to do, but I'm not sure it's that scary.
So I think that is not technically speaking impossible but you have to really, really contrive it to make Like facilitate a BCC-to-Tony narrowcast. You can create "groups of one" by altering the URLs being liked to make them unique, saving the association that "Tony" => "uniqueUserID" somewhere outside of Facebook, installing a callback function to let your website know when one of your unique URLs gets liked, and then broadcasting a Tony-pleasing message to Tony's group of one.
But what is actually going to happen is Tony is going to favorite the front page / the product / etc (those two aren't necessarily the same thing), and then the only option for talking to Tony is to take out Ye Old Megaphone and blast everyone who likes the front page / product / etc.
Kind of agree; also, I'm just not as possessive of my Facebook feed as I am of my mail spool. I really don't feel like I own my feed. Also, Facebook acts against its own interests if they allow random sites to pollute the feed.
I have to agree that it's against Facebook's own interests. If they let random sites spam away, then pretty soon it will turn into MySpace, and competitors will eat its lunch.
I clicked the "Like" button and did not see anything on my news feed. And then I opened up Facebook on my mobile device and it was plastered with notes from patio11's site...
I would argue this is already being taken advantage of (though 'exploited' seems a bit strong). There are pages such as this one: http://www.facebook.com/pages/96-percent-of-people-cant-figu... that require the user to 'like' it before they can see whatever it is.
It would be interesting to see what sectors are targeting this new spam avenue. Facebook's anti-spam approach is largely effective though -- as a centralised service they have a lot of behaviour metrics to characterise misbehaviour.
Wow... I wonder how far we are from having a marketplace for widely Liked sites to sell their ability to post to their audience. (Unsavory startup idea!)
Given that widely linked sites are frequently bought after being abandoned and used by spammers (for link equity and direct traffic), I don't think that is far fetched at all.
A startup can reasonably achieve a metric truckload of likes (to the startup, to content, whichever), fail to achieve revenue, and fold in an N month period. The assets of a failed startup are worth close to nothing, and can probably be acquired for close to it. (Who at a shuttered company is in charge of re-registering the domain name, after all?)
All you have to do is one blaze-of-glory phishing scam, or something like "Save Twitrliciously! Donate $5 to help keep us open!", etc. (Not a unique risk, given that you could do that with just the web page, but it gets you instant distribution to a highly targeted audience and that is 90% of the battle.)
Facebook getting the memo and shutting down the site N hours later does not necessarily help all that much.
I think the problem is simply in the name of the button.
I ran this by some of my less technical friends who use Facebook and they said some variation of "yes, that's what it's for isn't it? It's just got a confusing name"
Something like "Follow" would be more descriptive.
EDIT: the problem stems from Facebook trying to switch from being a "person-to-person" social network to a Twitter-esque community network.
Is the publishing of updates automatic? As in if a user 'likes' a blog page and the blog publishes a new article, does that new page get pushed into the user's news feed automatically? Or does the blog have to do something extra to keep pushing updates?
This was obvious during the conversion of random lists and groups into data-ized Like graphs. They made it known this was possible. That's why I saw the blip from Futurama when they post a clip from their new episode, etc...
It's intended, and for all intents and purposes, desired. If you don't want to see the New Items from a band/artist/website, don't like it.