Saturday, March 26, 2011

roll off the grass and let the insects breathe

A few days ago, a column from Shamus Young's Twenty-Sided Tales blog was linked to me that I found extremely relevant, in the wake of the RedZone debate. I highly recommend that everyone reading this, go read that, but I'm doing something I don't normally do and quoting large bits of the original.

First understand that what made Shamus write that column was an unrelated comment to another column entirely, from a reader called Blurr:
"I am very much against Facebook integration on other websites. I know I can't be the only one. I tried a while ago to figure out how to block Facebook when I'm not on the main Facebook website, but couldn't find anything.

"My concern is that because this 'like' link appears on blogs all over the place, Facebook can get a pretty good idea of my browsing habits. I am against this on principle."
Now, I'd heard this before. And even having read the column, the first reaction my brain has to his words is Wau, he's a loony. But then I read on:
"If a page has a Facebook button on it, then Facebook knows you were on that page. We don't know what they do with that info, but we know they have it."
The hell.

From the embedded link originally in that quote:
"But data about the user is sent to Facebook regardless of whether the Like button is actually activated.
Which is all quite scary - but not too surprising, given Facebook's reputation for snooping on its registered users.

What becomes really scary is realising how Facebook can track your movements even if you haven't signed up to its fake-friend collection service for lonely teens and sad divorcees.

Even if you don't have a Facebook account, you are far from immune from prying eyes, as Roosendaal explains:

"When a user does not have a Facebook account, there is no cookie and no user ID available. In this case, an HTTP GET request for the 'Like' button doesn't issue a cookie.

"However, when a site is visited which includes Facebook Connect, this application issues a cookie. From that moment on, visits to other websites which display the 'Like' button result in a request for the Like button from the Facebook server including the cookie."

Which means Facebook has swiped another batch of valuable data without asking for permission."
And that article goes on to mention that, if we aren't assiduous in clearing our cookies, Facebook's cookies have a two year expiration date.

And every time you hit a page that has the Facebook "Like" button as an embed, does that add on another two years to the life of the cookie? Or does it just create a 'later expiration date' for the so-called "new" cookie--which uses the same data/user ID as the previous one? That, I don't know.

From that same link:
We'll assume that, as you're reading this rather than laughing at Lolcats, you know a thing or two about cookies. They are helpful to users and of immense value to marketeers, allowing them to bombard you with targeted advertising based on your browsing history.

But with an increasing proportion of sites turning to the likes of Facebook in order to increase traffic and revenue - and let's face it, 500 million people is a pretty attractive audience for anyone - isn't it time we started putting our collective foot down about the way in which our every move is monitored?
What's really ironic in all of that? That column has a 'Like' button.

Okay, so that's all kinds of unnerving and creepifying, but I should point out again--Google does this, too. They track where they've been to figure out what ads we may be most interested in. And they do it without consent or requiring permission, just like Facebook. So why do we not have just as many personal privacy issues with Google?

First, because they haven't gotten a lot wrong, while Facebook has. Second, the Google CEO has never come right out and called users of Google's services stupid for using the service. That's pretty damning, even if it's from Zuckerberg's immensely younger, Harvard-attending, spoiled self.

But I digress. Back to Young's original column:
"The problem is with web cookies. A cookie is a small text file created by your web browser. It stores 'name / value pairs', which is fancy programmer talk for stuff like this:

username=PresidentSkroob
password=12345
last_visit=March 24, 2011
mobile_user=no"
And before anyone sneers at the password? What we learned from the whole Gawker debacle is that people pick some pretty dumb passwords. The top three on the analyzed list, after all, are "123456", "654321", and "password". Yeah.
"It lets websites store information on your computer. These files are keyed to the domain name. So, Facebook can only read cookies created by your visit to Facebook.com and The Escapist can only see inside of cookies created by your visit to escapistmagazine.com. The information contained in a cookie is sent when you visit a site. So, if I previously visited Facebook on this computer, it will send my Facebook cookie, which will let Facebook have my name and (if I so choose) password. That way I don't have to log in every time I visit the site, and it can know ahead of time if I want the lightweight mobile version of the page or the all-singing, all-dancing, graphic-heavy full version. If I go to another computer, it won't have a Facebook cookie on it, and so I'll have to type in my name & password to log in."
Which, frankly, is as it should be, in my book. But we are creatures of habit. We don't want inconvenience, we want comfort (occasionally, and usually, to our detriment). People (and I am one of these people), when given the prompt to save a username/password combo, will generally choose to do so. (Were I on a shared computer, I might not be so blithe about this, but I'm on my own computer. I have this feeling, false and intangible as it might be, that because it's my home computer, that I'm the only user who will see these saved password prompts. (Which is as may be, depending, but some people forget and hit the save option on shared computers, simply out of habit. But again, I digress.)
"Even if I tell FB not to save my password, it still saves my username. That username gets sent when I load the page, even if I'm not logged in. See, that little button at the bottom of this page is actually a little sub-webpage. It's a little window with a Facebook page inside of it. (Same goes for the ads on the right. That's a sub-window with a Google page inside of it.) When you visited this page, your Facebook.com cookie (assuming you have one) was sent to Facebook. Facebook sees your username, and because of how HTTP headers work, it also sees that you visited from shamusyoung.com. Ergo, Facebook knows you were here. Of course, this only applies to webpages with Facebook features. Facebook has no way of seeing where else you might go."
Except...yeah, they kind of do. Why? Well, assume I went from shamusyoung.com to that UK link...which also has a 'Like' button. Say I went from there to a link a friend sent me, and rather than spawn a new page, I just popped in the URL and went from there. If that one also had a 'Like' button, while in the main three different cookies were created to send back to Facebook, in the specific if anyone's looking at the aggregate data at some point, they will see that my chain went, unbroken, from site 1 to site 2 to site 3.

As long as I am traveling from sites with 'Like' buttons to OTHER sites with 'Like' buttons, Facebook knows everywhere I've been.

And remember, I'm not even sure how my cookies are showing up to Facebook, because you can't kill a Facebook account once opened. (And I opened one for the purpose of getting what is now an incredibly worthless piece in an armor set for Runes of Magic, got creeped out within a scant few hours, waited out my eight days until the I had documented delivery of the piece of armor code, and then got out. And while I've never been back, and have no intention of going back...any cookies generated at sites with the 'Like' button may just track back to my former Facebook account, and not as 'future user' placeholders.

(Which is creepy enough just on its own.)
"It's important to point out that this is not some nefarious new thing Facebook is doing. Everyone uses cookies. This site remembers the name you use in the comments because that stuff is stored in a shamusyoung.com cookie on your computer. Google uses them. Battle.net uses them. Blogger.com. My Space. Youtube. The Escapist. Google. Yahoo. Blogspot. Wikipedia. Twitter. Anywhere that you log in knows at least your username and the last time you visited."
As I said with the Google example, yeah--a lot of places does this. In fact, secondlife.com does this, because I've set it up to remember my username and password. Just like the Second Life forums (or at least the old ones--I haven't sent in a comment on the new system, and...I'm not sure I'm going to). Just like a lot of places I go to...and most of which, to be honest, have Facebook 'Like' buttons.
"The reason people get worked up about Facebook is because it's so ubiquitous. (And because the founder of Facebook is reportedly a complete douche.) Nobody cares about Yahoo cookies because Yahoo isn't lurking in the corner of every page on the web. The problem isn't that Facebook is more hostile to privacy than other sites, it's that Facebook naturally has access to data that other sites don't, because they're less popular."
I hate to have this come down to some sort of popularity contest, but he's right--Facebook goes farther because Facebook has a lot of users. It's akin to CBS getting the highest-rated show on the airwaves in a certain time slot--they can then take those numbers to the advertisers, and say "See? If you buy ad time for this program, more eyes will see your ad."

That's actually kind of the point in marketing and advertising--to get those numbers, so you'll be funded--through advertising, through direct contributions, through users signing up for subscriptions, whatever. In this breakdown, it doesn't matter a whit whether you're secondlife.com, yahoo.com, or chillygirls.com--your job is to get eyes on your work, the best ways you can. (And yeah, before anyone hunts it down? That last one's real. And really NSFW.)
"If you're really concerned about this, there are things you can do. You can set your cookies to be deleted every time you close your web browser. It will make it impossible for Facebook to see where you are, even when visiting sites like this one."
And he's right, we can, save...this is that comfort vs. security thing again. We can set our browsers to delete all cookies saved every time we close our browsers down. (And some people go farther.) But for most of us, we want that comfort and convenience--so we allow the cookies, we allow push messages on our mobile devices, we allow sites to remember our usernames and passwords--because it's just so much bother if we don't, right?
"For a blog like mine, word of mouth is life. You need a stream of new users just to replace the ones that wander off. Some people get mad and leave. Or lose interest when I change focus to something outside of their sphere of interest. Sometimes they just get tired of me. It happens."
Absolutely. Case in point: I adore Girl Genius. I adore Looking for Group. (Hells, I even have a Richard doll sitting in my bookcase.) But have I read either of those strips the last month? No, I have not. Will I get back to them? Absolutely, because I like both strips. But my attention wandered, I got busy, I lost the time for casual webcomics reading...it happens. To everyone.
"There is nothing I can do to directly draw in new readers, short of forum spam and link-begging on more popular sites – which is one of the most labor-intensive ways of wasting one's time. No, I need word of mouth, and the Facebook Like button is the perfect tool for the job. It's governed entirely by readers. People press it when I do something they like. That action will appear on their Facebook page and attract their friends, who probably share a lot of common tastes and interests. It takes my best material and promotes it to people who are most likely to enjoy it. Even if I was willing to pay money for an advertising campaign, I wouldn’t be able to find something as effective as that little button."
Which is Shamus Young's very polite way of saying, That Facebook 'Like' button isn't going away, people. Deal with it.

You can't please everyone all the time, and the truth of the matter is, this is the internet--so you're going to have people you purely can't please, because for whatever reason, their greatest thrills in life are contrarian ones--arguing dubious points, protesting change in any form, and demeaning anyone who doesn't agree with them. (And, save for the last, I fall into that camp, sad to say--because I protest a lot of things that aren't necessarily going to change--for me or for anyone else--and I do love a good argument.) And even counting those people, you're going to make decisions--as individuals, as companies, as corporate entities--that are designed to lose you people, sometimes. (Do I even need to say Dragon Age 2 at this point?)

So for a lot of bloggers, columnists, newspapers, companies, corporations and even world powers--getting those extra eyes in makes all the difference. And one of the best ways for people to get those eyes in? That 'Like' button.

Which is depressing, but I think Shamus Young is also speaking for Second Life by saying that 'Like' button is going to stick around. It's our choice how to deal with it on our end.

I want to mention one more thing before I close this entry, which is Rock Paper Shotgun's "No Oceans" campaign. I don't know if it will go anywhere, but I think it's a worthwhile goal--getting everyone, internationally, on the same page for game releases would cut down a lot of torrenting of games, and, more to the point, get everyone accustomed to playing together, and being able to play together--which would diminish some game piracy (not all, but even a little will help), and hey, while we're at it, maybe foster some stronger international friendships, what the hell. Spread the word.

(And yeah, on that column? There's a 'Like' button.)

2 comments:

Fogwoman Gray said...

*Like*
bwhahahahahah

Emilly Orr said...

*grins*

Y'know, for a while I was considering adding that string of little buttons to the blog. But every single way I found to do it meant adding the functional code bits at the bottom of all blog entries (cumbersome and time-intensive), or adding on a little 'package' option for the blog as a whole--which included the Facebook "Like" button.

Didn't want Facebook anything on the blog, so...yeah. Still no cute little easy click-throughs.