Another Facebook Scam: “Secret Crush”

This one with malicious “adware.”

One of the things about Facebook that has most concerned me is the proliferation of “apps” or “widgets,” those sometimes fun, sometimes annoying add-ons like “Scrabblicious,” “Six degrees,” and “Superlatives.”

Specifically, it bothers me that these apps ask you to hand over your entire profile and all its goodies in order for you to run them. Most people just blow through the installation process, blindly saying “yes” to everything in order to get to the app, not noticing that they are agreeing to let the app have unlimited access to all of the information they have ever put into Facebook, and essentially authorizing the app’s creators to do anything they want with that information.

Yesterday it was revealed that running the “Secret Crush” app (and at least a million people have already done so) installs an “adware” widget on your computer. The adware widget tracks your Web browsing (not just your Facebook activity) and launches annoying pop-up windows.

Here’s the story from Wired.

Here are a few excerpts from the Wired story:

According to an advisory from security software vendor Fortinet, the “Secret Crush” application prompts users to install ad-serving software from Zango, a company that was fined $3 million in 2006 by the feds for letting third parties install its adware without user consent.

…the link to Zango’s software came through a sly iframe, an HTML code often abused by online scammers to attempt to install truly malicious code on people’s computers without their consent or knowledge.

Manky thinks such attacks will become more and more common on social networking sites, as users get accustomed to installing add-ons to their profiles and trust that sites like Facebook are safer than the larger internet.

This is exactly the kind of abuse of (badly-placed) trust that I’ve been complaining about when it comes to Facebook. More information about the Zango adware attack is available here, at ZDNet, in a blog article revealingly titled “The next hacker frontier: Social networking sites.”

To be fair, this is not an attack by Facebook; it is an attack by a company using Facebook as a vehicle. But the fact remains that Facebook was designed (by Facebook) expressly for this kind of thing.

What do I mean by that? I mean that Facebook was designed from the ground up to break down people’s fears and concerns. Instead of encouraging good privacy and online safety practices, it is designed to exploit the (false) sense of security people feel when they are surrounded by friends, and to encourage them to act recklessly. It is social engineering in which a facade of “fun” masks the real purpose, which is to monetize your every thought and move.

How To Turn Off Beacon in Facebook

As you probably already know, Facebook recently introduced Beacon, its latest privacy invasion and marketing crapola feature designed to look like a fun “sharing” thing when in fact it is just another monster in the Mark Zuckerberg “monetize everything” world of Facebook.

Here are a few reasons why Beacon sucks and should be banished from Facebook and the Web:

  • Beacon follows an “opt out” design, meaning it is on by default and you have to take action to prevent it from spamming your information around. Lesson number one in Web privacy and ethical marketing is that any sharing of information should be strictly “opt in” (meaning it only shares information if you actively choose to participate).
  • There is a high potential for embarrassment when Facebook tells everyone you know what books you are buying, what movies you are renting, what trips you are planning, and what comments you are leaving on various Web sites.
  • There are already reports of Facebook “ruining Christmas” by announcing (via Beacon) the purchases of people who had planned on using those purchases as surprise Christmas gifts.
  • Taking a bit of raw information (“Bob just bought a book from Amazon”) and arbitrarily turning it into a marketing pitch on behalf of the book, and of Amazon, is a misappropriation of people’s voices and authority. Just because I bought the book does not mean I endorse it or the retailer.
  • Linking people’s online identities and their activities without their permission is just plain wrong, and should probably be considered illegal.
  • Facebook is already a noise machine. What possible value is there in announcing to everyone you know that you just bought Jean Chrétien’s memoirs, or left a comment on Epicurious, or rated a movie at the New York Times? Do we really need to add more worthless information to the din? There’s sharing and there’s fogging. Crap like this turns the web (and our minds) into fog storms of mass, inconsequential data noise.

Dare Obasanjo posted an excellent article about Beacon and its abuses last week. I suggest you read it if you’re not absolutely clear on why Beacon is a problem. But one thing in particular caught my eye; he quotes Charlene Li, a Principal Analyst at Forrester Research, as saying “I put a lot of trust in sites like Facebook to do the right thing when it comes to privacy. After all, the only stuff that gets out into the public is the stuff that I actually put in. Until now.”

Huh? A grown-up, a principal analyst at a leading market research company, puts trust in Facebook? Facebook was founded by, and is run by, a 23-year-old hacker and alleged intellectual property thief!

Mark Zuckerberg has “apologized” for the fiasco on the Facebook blog. He also mentions that Facebook has put a new switch in its Privacy settings which (supposedly) turns Beacon off altogether. It’s very easy to do, as you’ll see below.

How To Turn Off Beacon in Facebook

First, go to the Privacy page (you’ll see a link to it in the upper-right corner).

On the Privacy page, click the “Edit Settings” link for “External Websites.”

On the page that appears, check the box next to “Don’t allow any websites to send stories to my profile.” Then click “Save” and that should be it.

Note that it doesn’t explicitly say “Turn off Beacon,” but according to Zuckerberg’s blog post, that’s what it does. (But if you trust Mark Zuckerberg, then you’re a bigger idiot than he is.)

Incidentally, during all this furor over Beacon, a lot of people have attacked Facebook and Zuckerberg (rightly so, I would say), but hardly anyone has mentioned the dozens of companies that have partnered into the scheme. A few, such as Coca-Cola, Travelocity, and Overstock, have backed out (or at least sidelined themselves) over the privacy concerns, but what about the rest of them? It’s not like Facebook is acting alone on this.

On Blogs, Blogola, and Media

Yesterday, Patrick at i.never.nu posted a passionate and erudite denunciation of the current trend towards the mainstreaming of blogs. He points out that until recently, many (most?) bloggers were happy to be apart from the mainstream; we revelled in our independence from the need to generate revenue streams and to follow marketing plans. It was all about the voice and the freedom of the format, not the business.

Nowadays we’re seeing more and more blogs created for commercial purposes. I’m not sure that either he or I am against commercial blogs per se, but what he (and I) don’t like is the selling out of the blog format. The idea of link- and ad-farming your blog, SEOing it beyond recognition, and pandering for link love is rather distasteful for us “old school” bloggers.

On the other hand, are we just being cranky old purists, like the people who were outraged when Dylan picked up an electric guitar at the Newport Folk Festival in 1965?

Maybe. Or maybe not. Patrick’s manifesto is mostly about what happens when a blog and the person behind it become a brand, and in particular when the distinction between the person and the brand becomes lost. He really nails it.

Tangential to that discussion is the issue of the merchandising of blogs.

On some blogs I can easily tolerate a few ads here and there, or the odd commercial endorsement. Blogs like The Online Photographer deserve any rewards they can manage to get, because their creators put in a lot of effort and deliver excellent, honest content. What I look for in a blog is integrity; whether it’s a purely personal blog or one that is about a specific topic such as photography or technology, it’s the voice and the intention behind it that catches my attention. That’s what sets the tone of the blog. If the tone appears to be largely commercial, then I lose interest.

A while back I read an article on Marketing Profs (short for “professionals,” not “professors”) called “Blogging for Booty.” It talks about the phenomenon of “Blogola,” in which blog writers accept “gifts” in return for reviewing products, services, television shows, or other commercial goods. With the rising influence of some blogs in the blogosphere, big business is really starting to notice their potential.

Big mainstream media has long had integrity checks and balances in place to prevent unethical payments for dubious endorsements. Ever since the payola scandals in the music industry caused ethics laws and codes of conduct to be put in place, it’s become more difficult to buy favorable publicity and airtime. Big media has very strict rules about what its people can and cannot accept as “gifts” from sponsors.

But the blogosphere has no such laws or codes of conduct; at least not formalized ones. So now we have broadcasters flying big name bloggers out to Hollywood on “blog junkets” to promote movies and new television shows. Public Relations firms are grooming bloggers for positive spin whenever and wherever they can. The blogosphere is the wild, wild west of commercial publicity and promotions; there are no rules, only palms waiting to be greased.

I will confess to having been lightly greased myself. A couple of years ago The Food Network paid me to put a link on this blog to promote Iron Chef America. I’ve also gotten a handful of books from various publishers for me to read and promote, only one of which I have gotten around to as yet. However, in both cases I have not hidden the fact that the endorsement I provided was in exchange for “promotional consideration” as they say on game shows. After all, I do have a stated and published policy about endorsements and sponsorships. (Look for the link in the right-hand column, at the bottom of the “More Blork” section.)

I don’t feel bad about those small endorsements, and I don’t think they count as “blogola.” After all, I did not solicit them, I didn’t gussy-up my book review (it reflects my honest opinion of the book), and I clearly stated them as being what they are. And I don’t think it indicates a slide into decline, at least not in my case (in almost seven years of the Blork Blog I’ve gotten less than $300 worth of goods or cash; and that includes my 12-month experiment with Google Ads).

But I do feel like I’m standing at the edge of a cliff. How can I judge others for accepting payments when I have demonstrated a willingness to do so myself? What would I say if someone from season four of “Top Chef” offered to fly me to New York for the weekend, put me up in a swishy hotel, and have me be the “secret judge” on an episode of the show? (Don’t laugh; that was exactly the case with Andrea Strong in season three.)

Of course I would be tempted. I’m just a regular guy with a blog; why should I say no to a free trip? Who am I to bear the burden of the integrity of the whole blogosphere? I’m only responsible for my own integrity while the blogosphere as a whole is becoming a victim of its own free-form, unregulated success.

Ultimately, those who degrade their integrity do so at their peril; unfortunately all they probably stand to lose is the respect of the “old schoolers” and possibly a listing on the roll call of “those who ruined it.” What they stand to gain is financial rewards (insubstantial in most cases) and the possibility of high standing in the “new old-fashioned mainstream.”

Worst commercial Web sites ever?

OK, maybe not ever, but I happened upon these two ghastly sites today and they’re both terrible but for very different reasons.

First there’s the Web site for Gasser’s camera shop in San Francisco. Forget about the lack of any sort of search tool or navigation scheme. Forget the broken links all over the place. Just look at the damn thing!

This screen shot of the “Digital Cameras” page was taken on a 1680×1050 monitor with the browser at full screen. Notice the scroll bar? There’s more to the right, right off the page! It looks like somebody cut a bunch of ads out of a magazine and then threw them on the floor and took a picture of it. It is mind-boggling! And the fonts are all Zapf Chancery and Comic Sans! Needless to say, I didn’t find anything I was looking for because I was so overwhelmed by all the visual noise.

At the other extreme are the various Web sites for Crumpler bags (one for Australia, for the U.S., Canada, etc.). Fun, hip, and irreverent, oh yeah! So goddam hip and irreverent that you want to scream and go running back to Gasser’s.

Screaming monkeys, gunshots, weird zombie talk, and endless waiting for Flash pages to load. That’s about all I got out of Crumpler. I eventually (after endless loading, waiting, and enduring all those unwanted sounds) found the shopping area, but it didn’t help much. The pictures of the bags are really small, and the descriptions are terrible. I don’t care if they have hip and irreverent names like “The Breakfast Buffet” and “The Dreadful Embarrassment;” descriptions like the following do not make me want to shell out a hundred bucks for a camera bag:

You are more embarrassing than a lizard without a tongue, chum, more embarrassing than Superman’s skidmarks, son, I’m gonna throw you reverse piking from the diving board with your costume up your three bum cheeks!

Thanks guys, that really tells me a lot. I did manage to find some tech specs, but by then I was so tired of waiting for pages to load and so distrustful of the site and the people behind it that I had no desire to buy.

I mean really. It’s like a bunch of rich trust fund kids hired some bag designers to create what look like decent bags, but then they threw it all away by smoking a whole lot of pot before they came up with their site design and marketing approach. The whole thing just stinks of “I’m like really stoned so I don’t care if you don’t buy the bag cuz I don’t need yer stinking money anyway and besides like if you don’t like the web site then don’t buy the bag cuz like I don’t care if you don’t buy the bag cuz I don’t need yer stinking money anyway and . . . hey, are you gonna eat that? What were you talking about? Heh heh. Donuts.”