Posted April 27, 2010 4:45 pm with 1 comment


Facebook has been making their own rules since they came on the scene. Although they’ve taken more and more heat for their almost-constant privacy changes, it seems like we find a new low every few months. Meanwhile, even the courts are beginning to side with Facebook on advertising issues.

Facebook gained a partial victory in the US District court last week in a case on click fraud. Judge Jeremy Fogel decided that advertisers could sue Facebook for charges resulting from “invalid” clicks, but not “fraudulent” ones. A clause in Facebook’s advertising contract, tentatively upheld by the court, actually protects them from any suits about fraudulent clicks.

A fraudulent click might include a competitor’s click campaign designed to drive up the advertiser’s costs. Click fraud is a felony in California (where the case was decided). This class-action suit was originally filed last July. The decision does mean that advertisers can subpoena click information to look for “invalid” clicks they were charged for, and sue Facebook for those.

The court did not agree with Facebook’s argument on invalid clicks, though it was quite similar to their argument for fraudulent ones:

Facebook argued that the litigation should be dismissed because all cost-per-click advertisers were required to agree to the company’s terms and conditions, which allegedly included the following language: “I understand that third parties may generate impressions, clicks, or other actions affecting the cost of the advertising for fraudulent or improper purposes, and I accept the risk of any such impressions, clicks, or other actions.”

Facebook’s latest new venture, a Like button for the whole Internet, may also bring them some serious grief. Developers have revealed that Facebook’s new Graph API had at least one serious privacy loophole: the API allowed developers to see and display all public events a person has said they’d attend, regardless of whether that person is a friend or not.

Ka-Ping Yee, a software engineer for what the Guardian describes as Google’s charitable arm, discovered the vulnerability. He was especially concerned that there was no way to block or opt out of this setting, especially since respondents to events have no control over whether the event is listed as private or public.

Although you could see non-friends who have RSVP’ed to a public event on the event’s page, the API loophole allows everyone to see a full list of a single user’s public events, regardless of their connection to you.

This vulnerability may have actually been inherited from an old API. However, late last night, Facebook corrected the vulnerability.
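The authorization gap described above, as an added example that is not Facebook’s code or data model: a small in-memory social graph with two read paths. The per-event attendee list of a public event is visible to anyone (matching what the event page already showed), while the per-user aggregation is shown twice, once without any check on who is asking (the loophole) and once behind a requester/target relationship rule. The user names, event names and the access rule in the guarded version are my assumptions, not Facebook’s actual fix.

```python
"""Constructed model of a missing-authorization bug on a per-user event list.

Added example, not Facebook's code: the data model and the access rule in
guarded_user_events are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Event:
    event_id: str
    name: str
    is_public: bool  # chosen by the event owner; attendees cannot change it


@dataclass
class SocialGraph:
    events: dict = field(default_factory=dict)      # event_id -> Event
    friendships: set = field(default_factory=set)   # frozenset({a, b})
    rsvps: dict = field(default_factory=dict)       # user_id -> set(event_id)

    def add_friendship(self, a: str, b: str) -> None:
        self.friendships.add(frozenset((a, b)))

    def are_friends(self, a: str, b: str) -> bool:
        return frozenset((a, b)) in self.friendships

    def rsvp(self, user_id: str, event_id: str) -> None:
        self.rsvps.setdefault(user_id, set()).add(event_id)


def public_event_attendees(graph: SocialGraph, event_id: str) -> list:
    """Per-event view: attendees of a public event are visible to any caller,
    which is the disclosure the post says was already normal on event pages."""
    if not graph.events[event_id].is_public:
        return []
    return sorted(u for u, evs in graph.rsvps.items() if event_id in evs)


def _public_rsvps(graph: SocialGraph, target: str) -> list:
    """Every public event the target has RSVP'd to, with no caller check."""
    return sorted(e for e in graph.rsvps.get(target, set())
                  if graph.events[e].is_public)


def leaky_user_events(graph: SocialGraph, target: str) -> list:
    """Models the loophole: the per-user aggregation ignores who is asking and
    hands any caller the target's full list of public RSVPs."""
    return _public_rsvps(graph, target)


def guarded_user_events(graph: SocialGraph, requester: str, target: str) -> list:
    """Hardened form (an assumed rule): the aggregated list is served only to
    the user (all RSVPs) or to a friend (public RSVPs); anyone else is refused.
    Per-event attendee lists are unaffected, so the event page still works."""
    if requester == target:
        return sorted(graph.rsvps.get(target, set()))
    if graph.are_friends(requester, target):
        return _public_rsvps(graph, target)
    raise PermissionError(f"{requester} may not list events for {target}")


def can_list_events(graph: SocialGraph, requester: str, target: str) -> bool:
    """True if the guarded endpoint would answer this requester at all."""
    try:
        guarded_user_events(graph, requester, target)
        return True
    except PermissionError:
        return False


def build_sample_graph() -> SocialGraph:
    # Constructed sample data: alice attends three events, one of them private;
    # bob is her friend; carol and mallory are not.
    g = SocialGraph()
    g.events["e1"] = Event("e1", "Public meetup", True)
    g.events["e2"] = Event("e2", "Public concert", True)
    g.events["e3"] = Event("e3", "Private dinner", False)
    g.add_friendship("alice", "bob")
    for ev in ("e1", "e2", "e3"):
        g.rsvp("alice", ev)
    g.rsvp("carol", "e1")
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print("anyone, event page for e1:", public_event_attendees(g, "e1"))
    print("stranger, leaky per-user list:", leaky_user_events(g, "alice"))
    print("friend, guarded per-user list:", guarded_user_events(g, "bob", "alice"))
    print("stranger, guarded per-user list allowed?",
          can_list_events(g, "mallory", "alice"))
```

The point the model makes is that each per-event disclosure can be individually acceptable while the aggregation across events is a separate resource that needs its own access check; the fix is on the aggregating endpoint, not on the event pages.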

Shades of Google Buzz, anyone?

Ultimately, I think the Graph API will probably face at least a few more privacy challenges, even before the watchdogs, federal government and litigators start in on it. What do you think?

  • Joshua Edwards

    In reference to the ‘new lows’ being reached, at least I can gain some consolation in not being the only Internet user disturbed by Facebook and its third-party developers’ behavior in reference to privacy, policy and fraud.

    I recently had my Facebook account disabled due to the fact that I had complained about fraudulent behavior from a third-party developer hosting a game application on Facebook. The developer concerned was charging money for an ‘upgraded’ version of the game without actually making the application secure; as a result, cheating was rampant, the whole game a waste of time and money, and no refunds were being issued to members who became aware of this fact.

    Within 4 hours of my posting a complaint on the developer’s Facebook discussion board outlining the situation, both my own and my wife’s Facebook accounts were disabled without explanation from Facebook. Not even an email outlining cause or policy violation, due no doubt to there having been none.

    We are now required, at least according to Facebook after having filed an appeal, to issue them with scanned copies of government-issued ID in order for any appeal to be lodged. The underlying message to Facebook users? Don’t complain or make public any dissatisfaction or fraudulent behavior; otherwise we’ll simply delete your account and demand private and sensitive information from you via an unsecured email. If you fail to provide us with such information and don’t wish to trust us to delete it from our servers once we’ve received it, then you can go jump in the nearest lake.