Is Facebook targeting conventional and social ads to the social network’s users and their connections, based upon visits to pages outside of Facebook that show Facebook widgets or use Facebook tracking pixels, while the Facebook users are logged out of Facebook?
On Sunday, Australian tech developer Nik Cubrilovic wrote a post titled, Logging Out of Facebook is Not Enough, which describes how cookies from Facebook are sent to Facebook everytime someone visits a page that contains a Facebook widget of some type, even after that person logs out of Facebook.
A Facebook engineer wrote the first comment to the post, explaining that the cookies in question are there for safety and security purposes, to provide customizations to users, and to help Facebook maintain and optimize their services. He notes that Facebook has no interest in tracking people, and, “We don’t have an ad network and we don’t sell people’s information.”
The Wall Street Journal picked up on the story yesterday, and did some exploring of their own, including contacting Facebook, who responded with a interesting statement.
In a statement, a Facebook spokesman said “no information we receive when you see a social plugin is used to target ads.â€
I noticed a patent application from Facebook published last week that I considered writing about, but put on the backburner. After reading the post from Nik Cubrilovic, I decided to take a second look. It apears to describe how Facebook could gather data from logged out users to use to target ads.
As the first claim in the patent states:
1. A method for tracking information about the activities of users of a social networking system while on another domain, the method comprising:
- Maintaining a profile for each of one or more users of the social networking system, each profile identifying a connection to one or more other users of the social networking system and including information about the user;
- Receiving one or more communications from a third-party website having a different domain than the social network system, each message communicating an action taken by a user of the social networking system on the third-party website;
- Logging the actions taken on the third-party website in the social networking system, each logged action including information about the action; and
- Correlating the logged actions with one or more advertisements presented to the one or more users.
Note that when the patent talks about “logged” actions, they aren’t talking about the actions of a logged in Facebook user, but rather the logging by Facebook of actions taken by that Facebook user on websites other than Facebook. The following section from the patent’s description makes that pretty clear:
[0099] In one embodiment, the third party website 140 and/or the social network system 100 determine whether the user is a user of the social network system 100. For example, the third party website 140 may access a cookie on the user’s computer, where the cookie is associated with the social network system 100.*
Since the social network system 100 and the third party website 140 are on different domains, the user’s browser program may include security features that normally prevent a website from one domain from accessing content on other domains. To avoid this, the third party website 140 may use nested iframes, where the third party website 140 serves a web page that includes a nested iframe in the social network website’s domain, thereby allowing the nested iframe to access the user information and send the information back to the third party website 140. Repeated nesting of iframes further allows the social networking site 100 to communicate information back to the third party website 140.
By using this technique, the third party website 140 and the social network system 100 can communicate about the user without sharing any of the user’s personal information and without requiring the user to log into the social network system 100.*
*My Emphasis
So, the process described in the patent tells us that a Facebook user who is logged out of Facebook can be tracked on third party sites with Facebook widgets on them because of a cookie from the social network. Actions taken on those sites outside of Facebook can cover a fairly wide range of “conversions,” including making a purchase, registering with a site, downloading from a site, posting about a product, becomig a fan of a product, emailing a link to a friend using the product’s website, installing an application from the site, giving a gift related to the product or service
The purpose behind such tracking and collecting information is clearly to determine advertisements to show to people tracked, and to connections of people tracked. Some of these advertisements would be more conventional ads, and others may be social ads to a person’s connections, such as a message, “Your friend Tom is taking a Cruise to the Carribean. Wouldn’t you like to go somewhere warm, too?” or “John Smith bought <something> at <Partner Site>”.
For the social ads, the patent notes that they would either show this message to the user first for confirmation that they agreed to have it sent, or would opt-in or opt-out to messages like that in advance.
If more conventional ads are shown that don’t have that social element that make them seem like a recommendation or endorsement by the person who took the initial action being shared, it doesn’t seem that a confirmation would be part of the equation.
The patent provides much more in the way of details on the advertising network involved, and how information may be collected and shared. The patent application is:
Communicating Information in a Social Network System about Activities from Another Domain
Invented by Kent Matthew Schoen, Gregory Luc Dingle, Timothy Kendall;
US Patent Application 20110231240
Published September 22, 2011
Filed: February 8, 2011
While the patent doesn’t say on its face that it belongs to Facebook, it is listed in the USPTO assignment database as being assigned to Facebook. It’s possible that Facebook isn’t using the process described in the patent, but it seems like the thing they’ve denied on Nik Cubrilovic’s blog, and to the Wall Street Journal is something they filed a patent for.
Interesting timing.
Thoughtful discussions related to this topic on the Wall Street Journal article and on Dave Winer’s article Facebook is Scaring Me over at Hacker News.
Well, this is unsettling. I realize this is just about advertisements which I mostly ignore anyway but a user should be given the choice by Facebook to be able to turn this function off. There is an extension available for download called ‘Facebook Disconnect’ which disallows Facebook from following your browsing. This is a third party extension so it seems the only option that Facebook gives users who don’t want their every movement followed is to deactivate their account. With privacy consistently decreasing, the deactivation option is sounding more and more like the wiser option.
Interesting that the main inventor of the patent you cite is listed as:
“Lead Product Manager, Monetization”
http://www.linkedin.com/in/kentschoen
Many users are not aware of that and doesn’t even care. They don’t even know about the adverts hanging on whatever and wherever they go on Facebook. Facebook is becoming more and more public.
Yes the timing is interesting. I did wonder whether they are looking to develop a portfolio of defensive patents. I suspect we’ll see companies claiming IPR in this area, as we are seeing in the mobile world.
This is disturbing for a number of reasons. What comes to mind is the ability to create individual psychological profiles of internet users and sell them things like war, GMO foods, hatred, etc, in a way that is even more sophisticated than the current methods (even though they are pretty effective), identify political dissidents. I don’t think it’s about determining whether or not you like popcorn ( a giveaway!).
This is one of many technologies today that are diminishing personal freedom and dignity. Soon, the question will not even have to be posed: ‘papers please’. Put them together and you have …
Kris
This is another worrying development with Facebook. I think people will start to feel social media fatigue but in particular the point of their privacy. Facebook is making a lot of changes right now which can only be described as creepy. Thanks
I’ve got mixed feelings about this one.
I’ve booked campaigns historically through one of the 7 companies that has access to the Facebook advertising API.
Effectively this allows an advertiser to target groups of people based on any information that they’ve inserted into Facebook. So if you’re searching for people specifically working in digital media, aged 25 – 35, male, live in New York City, Drive a BMW and checked into a bar in the last 24 hours – then this isn’t a problem at all.
There are problems with correlating against socio-demographic groupings as defined by mosaic profiles because you can’t input your earnings or whether you consider yourself to be a type B2 “suburban comfort”.
Whereas most above-the-line campaigns will identify the core audience using this methodology (Suburban Comfort – why don’t you sponsor “Desperate Housewives?”)- even most websites brokering direct deals (Yahoo boasts that they are not only the single largest portal online but that they have a high propensity of ABC1’s) will translate their audience into a mosaic profile to get onto the media schedule.
One core benefit that Facebook has is that they can change the ad copy creative based on behaviour. So the adverts that appear on the right of the facebook page usually have three elements, – picture, copy, and call to action.
So if your creative has 10 pictures to choose from, 10 different types of copy and 10 different calls to action – or 1000 permutations of creative.
If we’re targeting our BMW driving, NYC based digital marketer and we notice that after some testing that a single ad choice is working out well we can prioritise that ad-choice. If there is a second ad-choice which works out well after a certain time – the adverts can change, if people in a relationship respond better to a certain creative than those that are single – then each group can see the preferred advert for their situation.
The problem arises when we track post impression – if the person visits the site without clicking on the advert or clicks on a non-facebook advert – after a certain period the tracking is lost.
Without trying to tie order information to the individual facebook profile it’s impossible to accurately predict the effectiveness of the advert. Which means that advertising campaigns remunerating on an action result in hugely expensive but very conversions for the client.
By tracking logged out users – if the conversion occurs after the person has left facebook then the remuneration can still take place. Effectively making Facebook a commercially viable entity for advertising.
Sorry for the super long post – but as long as Facebook are honest and clear in their intentions – I can’t see an issue…
I guess now its more then just prying into our social life, now facebook is spying on our entire digital life.
Its going to be interesting to see how far companies can push the envelope in tracking site visitors before they suffer a backlash regarding privacy concerns. It seems like many are testing the waters so to speak- and when the cancellation rate or maybe even congressional hearings start to surface, they will know where the line is?
the data mining and tracking issues have been there for years, and it isn’t just facebook doing this. 90% of digital advertising business relies upon such tracking. but facebook’s arrogance in introducing “frictionless sharing” (which is an outright and out-front attack on privacy of its users), combined with this news of “frictionless data mining” is killing the spell facebook has over people (and the media digerati, which is significant). i’m astonished the speed that this is all unraveling. and, it’s gaining speed.
“So, the process described in the patent tells us that a Facebook user who is logged out of Facebook can be tracked on third party sites with Facebook widgets on them because of a cookie from the social network.”
Hang on, it doesn’t say that at all – it describes how the Facebook content will be served in an iframe, so that the user already logged into Facebook is identified, and doesn’t need to log in again for the frame to know who they are..
Hi Corey,
It is a little unsettling, but it’s something that many are starting to take for granted without making much of an outcry over it. Perhaps we need stronger data privacy protection acts in the United States.
Thanks for bringing up Facebook Disconnect. I haven’t read through the entire page yet, but it sounds interesting enough to provide a link to, so here it is:
Hi JN Gross,
It is always pretty interesting to look for more information about the inventors of a patent, and interesting that Kent Schoen’s title at Facebook is “Lead Product Manager, Monetizationâ€
A fairly recent Google patent described a know-how brokering system that Google could possibly set up which allowed for private usernames and log-ins. The people using the system still had to use their Google Accounts to access it, but the system allowed for anonymous names to be used with the system. What was fascinating about that was that one of the inventors of the patent was Google’s head of privacy engineering. I was wondering what he was doing lately when the ongoing debate about people using real names for their Google Plus accounts has been happening.
Hi Allen,
I agree that most users of a system like Facebook aren’t aware of the privacy implications of their use of that system, and aren’t very concerned.
They probably should be given more information about how a system like Facebook might gather information while they aren’t on the system, so that they can make more informed decisions when it comes to using something like Facebook.
Hi Brian,
Not sure that I would classify this particular patent as a defensive one, in that it describes a clear revenue model that Facebook seems to be interested in pursuing, rather than a patent that Facebook would use to keep other social networks from collecting information in a way that might not be very clear to its users to use in targeting advertisements. As you note is happening in the mobile marketplace, I could see others claiming a right to use a model similar to this one, however.
Hi Kris,
Good points. Profiling based upon a wide range of information provided by users of the network directly, and by their interactions on other sites on the Web is one of the aims of the patent application. It does seem pretty much tied to commercial interests at this point, but could include advertising targeted at more than just things like favorite sports teams, or preferences in types of music listened to.
Hi Brian,
Very interesting phrase you’ve used, “social media fatigue.” It can be hard not to get drawn into conversations and connections on the Web to the detriment of other things that you might be doing in your life, and I image that it can be overwhelming at times. Privacy in that arena is one of the things that we might sacrifice for the ability to reach out to others over great distances, without really noticing how much of it we might be giving away, and at what cost.
Hi Tom,
Thanks. An alternative viewpoint is always welcome.
I do understand the desireability to be able to do things like track actual conversions, which is what something like this system would allow. Being able to have a tracking pixel or some other tracking method attached to a confirmation page would allow you to tell how effective your advertising has been on Facebook.
I guess one of the issues here though is that people likely have the impression and expectation that when they are logged out of Facebook, and they aren’t on the pages of Facebook, that Facebook is no longer tracking their movements. I’m personally not very comfortable with the idea that Facebook might be checking out the contents of my shopping cart while I’m on a site other than Facebook, and that’s not because I would be embarassed by the things I shop for, but rather because it’s no one’s business but mine.
Hi Neeraj,
It may seem that way. I guess we need to educate ourselves on what companies are doing to track our movements on the Web. I suspect that most people don’t read through the privacy policies of sites that they visit, but maybe we should be paying a little more attention. When I site offers you the opportunity to log in via your twitter or Facebook log-in, exactly what does that mean, for instance.
As a digital marketing agency we love to find more ways to communicate, connect and of course sell to our key target audiences – however, we want to ensure we are acting ethically in all cases. I am afraid facebook have the upper hand here as people seem to be happy sharing all their personal data – maybe its time someone created a tool which allows you to see all your personal data that is freely available on the internet – I was shocked by the mobile phone numbers scandal, the privacy scandal and now this – when will people stand up and say no thanks
Hi Kevin,
Good points. At some point, the United States may seriously consider studying the European Privacy protection acts to see how well those are working, and what they entail, as well. Self-regulation by industries is going to mean that some businesses do push the line as much as they can.
Hi mms,
There have been times when some of these privacy issues have been more public than others, from public discussion of tracking bugs and pixels to sharing of information with third parties by large institutions. At some point, enough people may become aware enough and outraged for things to change. Maybe Facebook’s high visibility and usage may trigger that.
Hi Jason,
The snippet from the patent’s description that I’ve quoted above does describe the sharing of information via an iFrame, but there’s more to the patent itself than that.
The patent claims section doesn’t describe the particular method of transfering information from third party sites to Facebook, and the patent provides multiple possibilities as examples…
And the examples aren’t intended to limit how Facebook might receive information from third party sites.
One example involves the installation of a conversion tracking tag which could be a code snippet or segment that might be a combination of Java Script and HTML, which might make a call or trigger a message or request to the social network when someone receives a confirmation of a transaction performed on a third party site, such as the purchase of a product, or the download of some software, or the signing up to a newsletter, or some other action.
Another approach might involve a tracking pixel to be generated on a conversion page via an executable JavaScript code snippet.
Otherwise, an iFrame, <img> tag or other HTML might possibly be used to generate such a tracking pixel.
The patent filing covers more than just the use of an iframe to transmit information to the social network.
Hi Brian,
Good points. Facebook’s sharing of phone numbers surprised me as well. Facebook seems like it has always pushed some privacy boundaries in different ways throughout its existence, and maybe some of that is part of the nature of social networks considering that people often do share so much information upon them.
Being able to see how much information is online that you share, or that other people share about you, might not be a bad idea.
Some people have suggested that this application is intended to patent tracking of logged out users. Nothing could be further from the truth. Instead, a careful reading of the portion of the application that purportedly describes tracking of logged out users (Paragraph [0099] shows that this excerpt is actually describing a fundamental part of Facebook Platform—social plugins that create social experiences across the web without logging into Facebook repeatedly or third party sites at all.
Our social plug-ins allow Facebook users to go to any website with a social plugin and see what content their friends have liked without logging into that website. the user must, however, be logged into Facebook to see this social content on third party websites. What is being described in section [0099] of the application is the fact that you don¹t have to log into Facebook again at each third party site in order to see social plugin content. You just have to be currently logged in to Facebook when you visit the site. If you continue reading the application (i.e. paragraphs [0100] and [0101]), you¹ll also find it is consistent with our longstanding principles of notice, choice and control, and offers mechanisms and processes by which a person would be notified and could opt in or out.
There are other things mentioned in the patent application and, for many of those, it¹s important to understand how companies use patents. That is, technology companies patent lots of ideas. Some of these ideas become products or features and some don’t. As a result, current functionality and future business plans shouldn’t be inferred from our patent applications. — Andrew Noyes / Facebook Communications
@Brian,
Over here in the UK if you make a request to facebook then they have to send out a hard copy (The guardian article here suggests a CD) with all your personal information on it within 40 days.
I’m not sure if there is an equivalent system exists in the US but it would be pretty interesting to seem the reaction people get when they find out just how much information they readily share.
Hi Tom,
I suspect that the United States will start thinking more about legislation involving the use of personal information sometime in the not too distant future. I don’t believe that we have a similar requirement in place at this point in the US.
Hi Andrew,
I appreciate your stopping by and leaving a comment here, even if it is a duplicate of the one that you posted at Uncrunched. 🙂
I’ve been reading patents for a few years now, and I think it’s important to understand how people who read patents from companies might interpret them. We see what you’ve described within the patents, the possible steps that you potentially might make, the assumptions that you base them upon, the fact that you’ve researched a particular topic even if you may have little intent to pursue that topic, and the fact that what is included within the patent might be something that you would pursue if it makes sense from a business perspective.
We can’t tell whether you would or wouldn’t actually pursue what is included within the claims or the description of your patent, but we can tell that whatever is covered was important to you for one reason or another.
A read through the actual claims of the patent, rather than the section of the description that I quoted in my post describes tracking facebook users on websites outside of Facebook primarily for the purpose of targeting advertising at them. The claims don’t distinqish between whether or not the users are logged into Facebook or not. This is the important part of the patent, rather than the description, since it’s the part of the patent that a patent examiner will decide upon when determining whether or not to grant the patent.
This patent application, like a percentage of patent applications, has headings for different sets of numbered paragraphs. The heading that paragraph [0099] falls under is “Social Ads Based on Actions on Third-Party Websites.”
Of the 20 claims listed on the patent filing, 18 of them contain the word “advertisement,” and none of them discuss the use of social experiences on those third party websites to see social content, such as how many friends liked a particular page. I’ll repeat that. None.
As for the description, there are a number of references to possible ways that Facebook might track the “logged actions” (not logged-in actions, but rather logged actions) possibly through java script, tracking pixels, and other features.
Those sections deal with the possible use of conversions or other “logged actions” (again, not logged-in actions) used as possible social advertisements, and I did appreciate that at least in some instances there was the possibility that the person being tracked would be asked first before their friends were presented with the social ads described in the patent filing. But, the patent also mentions the possibility that other types of advertising, including banner ads might be shown to a Facebook user’s connections rather than these opt-in social advertisements.
It does appear that one aspect of this patent does cover the Ad Conversion Tracking that Facebook experimented with in 2010, and seemingly decided not to pursue. It’s hard to tell from what I’ve read about that program if Facebook was tracking conversions regardless of whether or not the purchasers were logged into Facebook or not.
Again, that’s not really focused upon a social experience provided to Facebook users regardless of whether they are logged into Facebook or not.
When we come across a patent, we are going to read it, and try to understand how it might fit into the big picture.
Brilliant Bill!
Thanks, Tom.
Does facebook do anything ethical? I just read a good post here http://www.insidefacebook.com/2011/10/04/cookies/
I appreciate all the insights shared regarding this topic. I see this trend of gathering the data we share and connecting all the dots at best, being used for marketing purposes, and at worst, being used for political agendas and manipulation. It has definitely made me more conscious of how often I am on FB and what I share there. If it continues in this vein, I may consider leaving FaceBook altogether.
Nancy
Hi Akash
Good article, except for their misattribution of who came across that Facebook patent. Arrington hasn’t provided proper attribution in his post, and I suspect he probably never will.
Hi Nancy
Thanks. Between Nik’s article and the patent application, I’m thinking more about the data that sites collect about us as well.
This was a very interesting article to read, and its author replying to each comment individually is a really nice sight to behold.
I’m pretty much aware of all the tracking being done in the cyber-wilderness. ‘But what can you do about it’, right?
I’ve used pretty much all the major browsers (except Safari) but none came even close to level of privacy achievable with Firefox and its slew of community-made addons, especially: Ghostery, AdBlockPlus with ABP Popupblocker and ABP Element Hider. These addons, by themselves, automatically block all advertisements, pop-ups and tracking widgets, with the option to manually add new filters for whatever you do not want to see. This level of control over my browsing content is something I have yet to see paralleled.
My point is: become educated on what is going on and take control over your surfing experience. Don’t expect Facebook (or any other company for that matter) to do it for you – we’re in an technological era where information is gold. Of course they will collect and sell it.
I still use Facebook, just because I can chat with my friends, but I try to spend as little time as possible on it. I do, however, block all cookies when just surfing and I routinely delete all cookies each time I log out of a service, and after I read this, I will be deleting Facebook cookies with a vengeance.
The following quote from the referenced patent made my stomach turn:
“Since the social network system 100 and the third party website 140 are on different domains, the user’s browser program may include security features that normally prevent a website from one domain from accessing content on other domains. To avoid this(…)”
P.S. I’m using the above mentioned addons with Firefox 3.6.18
The newly-adopted rapid release cycle by Mozilla team broke a lot of addon compatibility, so I can’t guarantee they will work on FF 4, 5, 6 or 7.
Hi Greendestiny,
Thanks. I really appreciate the opportunity to interact with people who leave comments, and I personally like it when people respond to the comments that I leave on their blogs.
It is helpful to be aware of all of the options that we have to try to keep sites from tracking us across the Web, so thanks for sharing some of the tools that you use to do that.
I do think that sites like Facebook should try to live up to privacy policies and public statements that they make regarding protecting the privacy of their users, but as you note, it really helps to take as much of that into your own hands as possible.
Mozilla is making me dizzy with all of the updates they’ve been making, and I have a few add-ons that haven’t been keeping up with their rapid releases.
Hi,
it is scary if Facebook has this patent. Are more technical details are known? That would be quite a powerful effect on individual privacy. What about countries where the EU is a more stringent privacy?
Best regards Christian
Hi Christian,
The patent itself includes a number of possible approaches that Facebook might use from a technical stance, and if you follow the link at the top of my post to Nik Cubrilovic’s site, he has written a couple of followup posts as well.
I’m not sure how this approach might be impacted by the EU’s privacy protection acts, but I do know that if you are in the European Union, you can request a copy of the private data that Facebook has about you, and they are supposed to turn that over to you on a CD.
It is truly unbeliuvable the amount of data both Google and Facebook have aquired on us. Our friends, purchase habits, Gmail and everything we type and recive with that platform, PICASA logs GPS data from photodevices…I mean it doesnt stop. But here is the thing. The young generation remains disaffected. They are growing up with their life online, it will take a much more serious invasion of privacy before the leaders of tomorrow colelctively wake up.
Hi David,
When we or someone we know puts information about us online, chances are that someone is going to do something to collect it and use it. I’ve seen people like author David Brin describe changing attitudes towards privacy as a natural progression towards a more connected world, and it’s possible that he’s right. But I find it somewhat disturbing personally.
Bill this is pretty amazing that they are able to do this! It is just crazy how data is being mined from our computers without most people every knowing it is happening!
Hi Bill,
I don’t think most people are aware of how much information they do share when they browse the Web and go from page to page. That’s one of the things that inspired me to write this post in the first place.
I always log out now and my FB usage is around 1min a day. I hate the thing now, having once been an avid user.
It’s all about money and your privacy doesn’t matter. There was a documentary in the UK about FB and privacy and advertising. I think most people are either unaware of what goes on or don’t care. Me personally, I hope this kind of intrusive online behaviour is what brings these companies down.
Alas. Until bad things begin to happen it will just continue.
greendestiny – I shall be installing those plug ins now. I fall in the I have nothing to hide category and don’t really care but at the same time if I can stop it I will…
Hi Darius,
I don’t spend too much time on Facebook everyday, but I do have more family members there than on other social networks, including a fair amount of cousins. I’ve actually communicated more with many of them on Facebook than I have in person in the past year or so.
But yes, I am concerned about the privacy issues around Facebook.