Conversion tracking & Facebook

by greg on December 2, 2007

So, to sum up — Facebook’s Beacon program sends information to Facebook about your purchases, even if you opt-out, even if you’re not logged in at all. Which is what I just assumed from the beginning, since Facebook Beacon is a form of conversion tracking, and that’s just how conversion tracking works. The general fuss over this leads me to believe a primer on conversion tracking’s in order.

Conversion tracking is used by many different parties for many different reasons. Performance-based advertising networks use it for ‘cost-per-action’ (CPA) ads, where the advertiser only pays the publisher when a viewer clicks through and performs an action (aka ‘converts’). This could be anything – viewing a page, completing a form, or making a purchase. Sites selling impressions or clicks also often offer it as part of their ‘ROI trackers’ – ROI stands for return-on-investment, and ROI trackers show advertisers just how much revenue their advertising spend brought in. Some behavioral-targeting-based advertising networks also use conversion tracking as a way to track and profile users – if you buy widget A, maybe you’ll be receptive to ads for widget B.

Enough about what conversion tracking’s for – on to how it works. At a super high level, conversion tracking ties together two pieces of information to come to a third conclusion. “The person who filled out this web form also clicked on an ad for that webform on such-and-such a webpage – therefore the publisher of that page must get paid.” Or, in Facebook’s case, “the person who made this purchase or took this action is also an identifiable Facebook user, and therefore it’s time to pop-up the opt-out box.”

How’s this done? Well, some information is stored in the user’s cookie (although it can also lurk in Local Shared Objects, if you’re using Flash.) For instance, an ad network that’s doing CPA advertising will record every time a user sees one of their advertisements, along with where it was seen and a timestamp – either in the user’s cookies or in a server-side database with the ID in the user’s cookies. Facebook keeps a user identifier of some sort in their cookies.

Now, when a conversion occurs, there’s a snippet of code on that page – maybe a script call, maybe an image call – that’s dynamically constructed, and contains all the relevant information about the conversion event in the variables. This could be as simple as a boolean ‘yes, the user completed this form’ or as detailed as ‘this user bought product X for $9.99 and product Y for $12.50’. Because of the way cookies work – a site can’t read another site’s cookies – the snippet of code has to be from the same domain as the cookie. So if the cookie was set by the yardley.ca domain, the snippet of code on the conversion page has to call yardley.ca. If the cookie is set by facebook.com, then the snippet of code has to call facebook.com. Something server-side then puts the call and the info in the cookie together to draw the appropriate conclusion – ‘hey, this user clicked on our ad and then converted, time to bill the advertiser.’

So what if the user doesn’t in fact have the appropriate cookie – if they ‘convert’ but the original action (ad view, Facebook member, etc.) didn’t take place? Well, the snippet on the conversion page is still called, the variables in the call are still dynamically filled out, and if there are any cookies associated with that domain, they’re still sent. So even if only one out of a hundred people is actually eligible to convert (by virtue of having the appropriate cookie), a hundred out of a hundred people have their information sent to the ad network. Every time you make a purchase on-line you’re likely tipping off a half-dozen separate parties, even if you’ve never clicked on an ad in your life.
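The flow described above, as an added Python sketch that is not code from the original post or from any real ad network. The tracker domain `tracker.example`, the `uid` cookie name, the query parameter names, the impression log and the seven-day attribution window are all assumptions made up for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed server-side impression log of a hypothetical ad network,
# keyed by the ID stored in the user's cookie.
IMPRESSIONS = {
    "u-1001": [{"publisher": "news.example", "ad": "widget-A", "ts": 1196500000}],
}

def build_pixel_url(order):
    """What the merchant's conversion page emits: a dynamically built image URL."""
    return "https://tracker.example/conv.gif?" + urlencode(order)

def handle_pixel(url, cookie_header, now, window=7 * 86400):
    """Tracker side: join the call's variables with whatever cookie came along."""
    event = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    uid = jar["uid"].value if "uid" in jar else None
    # Credit the most recent impression inside the (assumed) attribution window.
    recent = [i for i in IMPRESSIONS.get(uid, []) if 0 <= now - i["ts"] <= window]
    credit = max(recent, key=lambda i: i["ts"])["publisher"] if recent else None
    # 'received' is what the tracker learns whether or not anyone gets billed.
    return {"uid": uid, "received": event, "bill_publisher": credit}

def demo():
    url = build_pixel_url(
        {"merchant": "shop.example", "item": "product X", "price": "9.99"}
    )
    now = 1196600000
    return [
        handle_pixel(url, "uid=u-1001", now),  # saw the ad earlier
        handle_pixel(url, "uid=u-2002", now),  # has a cookie, never saw an ad
        handle_pixel(url, "", now),            # no cookie for this domain at all
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Only the first request leads to billing, but all three deliver the same purchase details to the tracker, which is the point of the paragraph above.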

Of course, actually doing something with all this information is a hell of a lot harder than people assume it is, and individuals are generally a hell of a lot less interesting than they assume they are, so this data is usually simply chucked away. Which is exactly what Facebook’s doing with it – dropping it on the floor. Standard operating procedure.

It cracks me up that people still assume they have privacy online. None of us do – everything you do is tracked. Hell, your ISP is probably selling your complete history to a data-miner right now. But it cracks me up even more to see Facebook take a publicity hit for something that’s standard practice everywhere. Sending data behind the scenes without the user’s knowledge is so common it’s boring. But do it in a way that the user can see it, and all hell apparently breaks loose. That’s not to say that Facebook Beacon’s opt-out policy doesn’t suck – but that’s a separate issue. Here they’re getting raked over the coals for something innocuous.

Don’t really know why I’m writing this – most of the people who read this site know how this works already. :)


Rob Leathern December 4, 2007 at 5:34 pm

Innovators are always going to face these types of problems — cookies and beacons are really old technologies, but in this type of data-filled environment, connecting the dots across sites in a public way is going to raise a lot of concerns; the optics are different. I’d argue their approach to all of this was naive / foolhardy. Not that that is wrong, just that they shouldn’t be surprised at the uproar (and hey, maybe they cultivated it a little bit… not the worst tactic in the world either).
