Is SocialMedia Overstepping Facebook's Privacy Line?

SocialMedia is an advertising network which places ads within social applications such as those on Facebook and MySpace. SocialMedia claims to be more effective in this type of advertising, due to a patent-pending technology they’ve developed named FriendRank. SocialMedia CEO Seth Goldstein claims that SocialMedia ads can pay up to 2.5 times more than traditional ads within social networks and that early tests show people are 200 times more likely to respond to a “social ad”. See CNET’s coverage of SocialMedia’s FriendRank launch for more detailed information.

This sounds very compelling, but immediately raises serious questions around privacy and whether a Facebook user knows that SocialMedia is using their profile information in this way. While technology certainly makes this possible, are user expectations being set correctly? Facebook’s Beacon functionality faced an uproar at its launch earlier this year not for the technology it provided, but rather for upsetting expectations around privacy, information sharing, and ultimately ad targeting. So how is SocialMedia getting access to the type of information required to create such a compelling social advertising network?

Facebook provides a customizable public profile page for each user (mine is here) which by default makes your name, picture, and a few friends publicly available. SocialMedia could be, and most likely is, using this public information, just as anyone else could. Multiple sources including ValleyWag and others familiar with the ad platform say that SocialMedia doesn’t stop there. Rather, they’re very quietly also accessing information from Facebook Platform applications directly. This was originally broken by The Social Times a few weeks ago:

So how does SocialMedia display these targeted ads outside of Facebook? Through a collection of data via applications in combination with images obtained via user public profiles and unique cookies they can piece together who you are and who some of your friends are. This is off of Facebook.

The question then is, are social applications properly disclosing the fact that they give your information to SocialMedia, and is that action covered by a clear privacy policy? This is not about the technology behind how SocialMedia might access this information, but rather making sure that the technological implementation matches user expectations. We can start by looking at the process of adding an application on Facebook which does not appear to use SocialMedia for advertising:

If you’ve ever installed a Facebook application, you’re familiar with this screen, which prompts you to grant explicit permissions to each and every application you choose to install. It should be noted that Facebook Platform does not have any affordance for allowing an application to share your information with a third party. Facebook’s Developer Terms of Service explicitly prohibit such sharing, and the technological implementation of the Facebook Platform API makes it extremely likely that sharing such data would sometimes involve sharing a developer’s secret key with SocialMedia as well. All of this is explicitly and strictly prohibited by Facebook’s Developer Terms of Service (emphasis is mine for readability):

“Facebook Platform” means a set of APIs and services provided by Facebook that enable websites and applications (collectively, “Applications”) to retrieve data relating to Facebook Users made available by Facebook and/or retrieve authorized data from other Applications. The term “Facebook Platform” includes any data, images, text, content, code, APIs, tools or other information or materials provided by Facebook through or in connection with such APIs and services (collectively, the “Facebook Properties”).

5) You may not sell, resell, lease, redistribute, license, sublicense or transfer all or any portion of the Facebook Properties, or use or store any Facebook Properties for any purpose other than as specifically authorized herein.

The bottom line is that though this might seem like an obscure technical issue, sharing user activity and profile information with SocialMedia would be as objectionable as the worst behaviors ascribed to Facebook Beacon. With Beacon, people were surprised that their actions from around the web were starting to be shared with their friends on Facebook. It wasn’t that everyone objected to this happening, but rather that it was implemented as opt-out, which led to information being shared in ways that normal people didn’t expect. This in turn completely killed Beacon, with participating brands such as Coke dropping support. A few weeks ago Facebook shut off access to Slide’s Top Friends application for “allowing access to non-friends’ personal information” as reported by Inside Facebook. The following week Facebook responded with a blog post, Building Trust and Protecting User Privacy, which started by saying:

Privacy is at the core of Facebook.

Because we provide users with rich privacy controls and respect their choices, users feel safe using Facebook to share their information with their friends. By opening up Facebook through Platform, developers have the opportunity to innovate on top of this information. In exchange, developers commit to treating user information with the same respect that users expect of Facebook. Our Developer Terms of Service strictly limit use of user data and serves as guidelines to these expectations.

But I truly believe that Facebook does try to protect user privacy and by doing so creates an environment promoting the creation of rich profiles tied to real offline identities and sharing more content between friends. Facebook has shown a history of learning from these situations over time. If Facebook learned so much about the dangers of surprise with Beacon, shut off Top Friends for sharing profile information, and continues to block access to Google’s Friend Connect for redistribution of profile information, then why are they still permitting Platform applications to possibly share this data with SocialMedia? As technologists we must be extremely careful in making sure that our implementations match a normal person’s expectations. If we forget to do this, we could collectively end up killing something that might someday become great.

I’ve tried contacting SocialMedia to ask about how their advertising network works, though unfortunately, while I’ve received replies, I have not had my questions answered. As full disclosure, I work for Six Apart, which launched an advertising network for bloggers earlier this year, and has a privacy policy here. I’ll be at O’Reilly’s Open Source conference in Portland at the end of the month.
