I recently discovered something very surprising (perhaps even a little disturbing) while reading an article on Mashable about Twitter. What I found, however, had nothing to do with Twitter or anything to do with the article itself. What concerned me was what I saw in one of the advertisements.
I admit, as a Firefox user, one of my favorite Add-ons is one that suppresses advertisements so I never even see them rendered on the page. This, however, was *technically* not an advertisement, so it showed up. But before you assume this is another raving blog post about the scourge of intrusive on-line advertising, hogging bandwidth and cluttering up the Internet with stuff most people read around or closed as soon as they find and click on the ‘X’, let me assure you, this is not one of those.
At the same time, I won’t be extolling the virtues of on-line advertising either. Despite the fact that Google’s innovations in providing “just-in-time” ad results have turned the entire on-line advertising business model on its head (while making Google a few billion dollars in the process) what I found had nothing to do with Google either. The only reason I mention Google is to make a clear distinction between what Google does, targeting ads based on context related search results, and what I discovered to be happening on Mashable (and quite likely many other places as well) which is VERY different.
Allow me to explain with a demonstration.
To test this for yourself you must be a Facebook user and know someone who is both 1) a Facebook ‘Friend’ to you and 2) a fan of Mashable on Facebook. Granted, this likely true for only a small percentage of you reading this post. Guess I’m one of the lucky ones! If neither of these is true for you, just scroll down to where I will explain “WHAT I FOUND”.
For this demonstration, start by ensuring you’re logged completely out of Facebook. Then point your browser at the Mashable website.
Along the right-hand side of the site if you scroll down you’ll find an *advertisement*/*banner*/*link* (what have you) to become a fan of Mashable on Facebook.
Look closely at the 10 Facebook profile photos just below it. These 10 pictures represent a small sampling of the 52,000+ (at the time of this post) Mashable fans.
See anyone familiar? Probably not.
Now try this.
If you’re using a browser supporting tabs, open a new tab and log into Facebook (single-pane browser users log into Facebook keeping the same browser session.) Then switch back to the Mashable tab and refresh it (single-pane browser users simply click the ‘Back’ button till you reach the Mashable site and refresh after logging into Facebook.)
See anything different???
I was SHOCKED!!!
Okay, for those of you who were unable, or for lack of curiosity, chose not to try this out for yourself, let me tell you . . .
WHAT I FOUND.
When I visited the Mashable website a few days ago I happened to notice, beneath the Mashable fan ad, the profile picture of a Facebook friend of mine. ‘What an amazing coincidence,’ I thought. To see someone I knew in a list of 10 out of 52,000+ random fans. I even grabbed a screenshot (there were only 51,500+ then) to show my friend later. (Incidentally, he’s going to find out I saw him here by reading this blog post instead, but I don’t suppose he’ll mind the unsolicited shout out even if I don’t say who he is!)
Well, no sooner had I saved the image on my PC then my skepticism began to kick in. What were the chances of this truly being a coincidence anyway? Out of curiosity, I refreshed the page and scrolled down to the ad again. My friend’s picture was still there, but it had moved in it’s random place among the 10. Third time’s the charm so I refreshed again. Same result.
Now my curiosity was really piqued. Clearly something else was going on here, but I didn’t want to spend too much time with it. On a whim, I opened a different browser (IE instead of Firefox) and went to Mashable. My friend didn’t show up.
Still not satisfied that my friend’s appearance was pure chance, I went back to the initial browser and noticed (I had forgotten) that I was also logged into Facebook in that one. Could that really have made a difference??? After all, I was looking at an advertisement hosted by a non-Facebook URL. Right?
To scratch that itch once and for all, I logged out of Facebook in the first browser and into Facebook in the second then refreshed Mashable on both. My friend now disappeared from the ad in first browser, but he appeared the second one.
I confirmed this using Internet Explorer, Firefox, Google Chrome and Safari. Same result every time!
Now if you have any familiarity with presence indicators (as with the Microsoft Office Suite) you’ll understand that’s not what’s happening here. And if you wondering if Mashable is somehow reading a browser cookie or using a web beacon to see that I’m a Facebook user, understand that neither possibility would explain why the behavior is different when I’m *actually* logged on to Facebook vs. using a browser where I’ve *ever* logged on. Or for that matter why it behaves differently when Facebook is open, but I’m not logged into it. Finally, neither a browser cookie, nor a web beacon, can store my friend list or keep track what my friends using their own browsers are fans of.
The ONLY explanation (that I can see) is that Mashable is taking advantage of existing session variables inside the browser (possibly with the knowledge/assistance of Facebook???) not simply to check that I’m logged into Facebook, but to query information from Facebook, (based on my user name pulled from that session variable) both about me and about my Facebook friends all before rendering the ad.
Consider the implications.
We’ve always known that session variables are useful when opening multiple windows (or tabs) onto the same site, like eBay, so you don’t have to log into each and every new window independently. And even though eBay owns PayPal, PayPal forces you (for good reason!) to log in when hitting it’s URL even if your registered email address in both systems is the same.
But this simple, seemingly innocuous, demonstration shows that ANY website, where the site creators have knowledge of how another site’s session variables are named, stored or accessed, can use those variables WITHOUT your knowledge once you’ve logged in using the same browser session. This includes potential phishing sites that are always crafting clever links for you to click on – links that *look* like they’re from someone you know, because it may actually be using information about someone you DO know!
So what does all this mean?
Well, anyone who’s spent any time on-line knows a certain amount of common sense is required to keep yourself (and your personal data) out of trouble on the Internet. With the emergence of Web 2.0, social networking sites are collaborating and sharing more information about you. Some is good for you and some is good for them. More and more 3rd party websites are coming onboard looking for better and more effective ways to sell you things based on the wealth of information you give them.
Their use of this information is growing faster than most people using the tools are aware that they are even giving it out to them.
What’s more, I don’t use Mashable. I’m not a Facebook fan of Mashable, nor have I registered on Mashable to post there. But I use Facebook, obviously, and clearly Mashable has a partnership of sorts with them. That partnership alone was all Mashable needed to query my Facebook friends list and then to query the memberships of those friends to see which of them, if any, had linkages back to Mashable and to me.
I wrote this post, not to decry to evils of social networking. I happily belong to a number of such sites, but I AM careful about the sorts of information I reveal about myself to them. Anything from filling surveys, to logging your birthday in Facebook CAN and IS be being used to target advertising to you (possibly more than advertising). Hopefully this is NOT news to you. If it IS, you may want to consider ratcheting up your knowledge of the user agreements you probably blew past when you signed up for some of these sites in the first place.
Now I may be completely wrong about how this is actually working behind the scenes, but I don’t think so. (Feel free to post comments!!!) The difference here is that we know Facebook and others are using the information we provide to them. I simply wasn’t that aware I might be potentially (in this case actually) enabling two *unrelated* websites to collect and share information about me, that I had exclusively given to only one site or the other, without my knowledge, simply because I logged into both in the same browser session.
Just imagine all the potential website combinations where you WOULDN’T want your information from one site exposed to the other. There’s no easy way to know all the places where this is happening, but it IS happening.
Something to be aware of. . . When in doubt, log out.