May 24th, 2010


One mark of a good manager is that they *get* it

May I just note how pleasant it is to have a product manager, who has been doing product management for 20 years, mostly in the traditional ways, who not only isn't fighting my push for the company to move to a more Agile approach, but is actually pretty much backing my play? At its best, Agile is just recognizing the realities of development and flowing with them; he's learned enough from experience to pretty intuitively grasp why the approach makes sense. This is, needless to say, making my life as de facto project manager much easier...

More details on the Facebook privacy "smoking gun"

The big news late last week was that Facebook had gone from mere stupidity about privacy to a true outrage: they were sending users' private information to advertisers. This article from Ars provides a much more nuanced view, describing what was really going on, which looks less like actively providing the information, and more like carelessness.

The upshot is that there isn't a lot of reason to believe that FB was deliberately furnishing user info to the advertisers; rather, the thing is that they *weren't* sending ads through the same hoops that apply to normal external links. It all hinges on the "Referer" feature that is built into the web: browsers generally tell webpages where the user got to them from. This is pretty useful in a lot of ways, but can leak information: if the URL you came from contains, say, your Facebook user ID, the page you are going to can find that out.

I gather from the article that FB goes to some effort to scrub that referrer information for normal links from the site (by forcing the link through an indirection), but wasn't doing so for ads. FB is claiming that this was accidental, and promptly fixed it. Frankly, I'm inclined to believe them, at least to some degree: in a company like that, it's not at all unusual for the left hand to not know what the right is doing, and it's quite plausible that the people running the guts of the site had little insight into how the ad program worked.

None of which lets FB entirely off the hook, mind -- the story still supports the notion that FB just hasn't *cared* very much about user privacy, and either doesn't have clear guidelines about it or hasn't been doing the sort of audits necessary to be serious. But it does sound like this was just another instance of that pattern (supporting lots of other evidence that's been coming out lately), rather than them deliberately passing the user info under the table.
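An added example, not part of the original post and not Facebook's code: a small audit of the kind mentioned above, which flags every off-site URL on a page that is requested directly rather than through the site's own redirector while the page URL carries a user ID. The host names, the `/out` redirector path and the `id` parameter are assumptions, and it assumes the browser sends the full page URL as the Referer, as the post describes.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

SITE_HOST = "social.example"   # assumption: the site's own host (placeholder)
SENSITIVE_PARAMS = {"id"}      # assumption: query keys that identify a user
# Tag/attribute pairs that make the browser request a URL and send a Referer.
URL_ATTRS = {("a", "href"), ("iframe", "src"), ("img", "src"), ("script", "src")}

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in URL_ATTRS and value:
                self.urls.append((tag, value))

def find_referer_leaks(page_url, html):
    """List off-site URLs that would receive page_url's identifying parameters."""
    query = parse_qs(urlsplit(page_url).query)
    exposed = {k: v[0] for k, v in query.items() if k in SENSITIVE_PARAMS}
    if not exposed:
        return []                      # nothing identifying in the Referer
    collector = LinkCollector()
    collector.feed(html)
    leaks = []
    for tag, raw in collector.urls:
        target = urlsplit(urljoin(page_url, raw))
        if target.scheme not in ("http", "https"):
            continue                   # mailto:, javascript: etc. are not HTTP requests
        if target.hostname == SITE_HOST:
            continue                   # on-site, including links via the redirector
        leaks.append((tag, target.geturl(), exposed))
    return leaks

# Constructed sample page: one story link goes through the hypothetical /out
# redirector, while the ad link and ad iframe point straight at the ad host.
PAGE_URL = "http://social.example/profile.php?id=1234567&ref=nav"
PAGE_HTML = """
<a href="/out?u=http%3A%2F%2Fnews.example%2Fstory">story</a>
<a href="/friends.php">friends</a>
<a href="http://ads.example/click?c=42">sponsored</a>
<iframe src="http://ads.example/frame"></iframe>
<a href="mailto:someone@example.org">mail</a>
"""

if __name__ == "__main__":
    for tag, url, exposed in find_referer_leaks(PAGE_URL, PAGE_HTML):
        print(f"<{tag}> {url} would see {exposed} in the Referer")
```

The audit treats any link routed through the site's own host as scrubbed, so it only shows which requests bypass the indirection; whether the redirector itself removes the Referer has to be checked separately.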