Facebook scans private messages to inflate the “Like” counter on websites

Facebook has confirmed that it’s scanning private Facebook messages to boost “Like” counters on third-party websites.

Killswitch.me, described by The Next Web as a “Polish startup”, on Thursday posted a since-deleted YouTube video on Hacker News that showed that sending a link to a website via a private Facebook message increased that website’s Facebook Like counter by two likes.

And then by another two. And then another, and another, causing the Likes to steadily balloon.

In fact, one poster on Hacker News testified that people could pump it up by 1,800 Likes per hour.

The video, removed from YouTube, can still be viewed on Vimeo (possibly not safe for work).

When TNW’s Emil Protalinski checked with Facebook, company spokespeople confirmed that they had discovered a bug affecting Like counts.

But the bug didn’t relate to the actual private-message peeping.

Rather, the bug concerned inflating page counts by two Likes instead of one, as a spokesperson told TNW:

We did recently find a bug with our social plugins where at times the count for the Share or Like goes up by two, and we are working on [a] fix to solve the issue now. To be clear, this only affects social plugins off of Facebook and is not related to Facebook Page likes. This bug does not impact the user experience with messages or what appears on their timelines.

That this function is baked into Facebook’s code, rather than being a fluke privacy transgression, is confirmed, as Protalinski noted, by the Facebook Developers page, which states that a website’s number of Likes is the sum of:

* The number of likes of this URL

* The number of shares of this URL (this includes copy/pasting a link back to Facebook)

* The number of likes and comments on stories on Facebook about this URL

* The number of inbox messages containing this URL as an attachment.

Facebook’s scanning of private messages isn’t new.

The power of the social media mammoth’s data mining technology when applied to private messages came to light in March, when Facebook was credited with quashing potential child molestation between a 13-year-old girl and a man in his 30s who were having a private Facebook conversation about sex.

As Facebook described it at the time, its data mining technology scans postings and chats for criminal activity, analyzing relationships to find suspicious conversations between unlikely pairings: i.e., between people of widely varying ages who only have loose and/or newly formed relationships.

Email providers such as Gmail also have a long-standing practice of reviewing messages to weed out spam and to target ads.

Those are reasonable uses of data mining technology, but it’s disconcerting to find what might be yet more intrusive forays into allegedly private messages.

Thus, it’s a bit of a relief to learn that Facebook later clarified the privacy issue, saying that “absolutely no private information” is exposed in the private-message-derived Like inflation:

Absolutely no private information has been exposed and Facebook is not automatically Liking any Facebook Pages on a user's behalf.

Many websites that use Facebook’s 'Like', 'Recommend', or 'Share' buttons also carry a counter next to them. This counter reflects the number of times people have clicked those buttons and also the number of times people have shared that page's link on Facebook. When the count is increased via shares over private messages, no user information is exchanged, and privacy settings of content are unaffected. Links shared through messages do not affect the Like count on Facebook Pages.

At any rate, the integrity of the Facebook Like counter has been in question for a while.

It came up again last week, when well-Liked pages began to sag as Facebook swept out bogus Likes gained via malware, compromised accounts, duped users or purchased bulk Likes.

Unfortunately, the fact that Facebook registers URLs shared in private messages means that we’re now all potentially contributors of unintended likes.

It means that sharing a link that outrages, disgusts or appalls the sender will result in that website’s Facebook Like counter going up.

Researching hate groups? Discussing corporate malfeasance?

Be prepared to add to your subjects’ Facebook counter glow, whether you want to or not, if you send URLs via private Facebook conversations.

Private stamp, courtesy of Shutterstock