Facebook and spam: a race to the bottom

On June 6, Facebook announced a set of “new” policies forbidding various forms of deceptive behavior by apps. Many of the tactics that Slide & RockYou have employed to build their forbidding positions on Facebook would be outlawed in these new policies. What’s astonishing, however, is:

1) most of these tactics were already violations of the rules. Instead of creating new rules to clarify the old rules, why not simply enforce the rules?

2) the new policy declares a potential system for punitive action, including temporarily handicapping an app or even permanently removing it. The big question is, what happens to the big guys who became big by breaking the rules for the past year?

The new rules take effect on June 17th, three days from now.  Might this actually succeed in cleaning up Facebook?  Will Facebook actually take action against the biggest violators?  Don’t hold your breath.

Ok, we’re now officially moved to wordpress.com. For those of you who patiently waited through the old system, this works much nicer as we’ve been growing in readership and contributors. I heart WordPress. Fortunately it was very easy to import the existing content. Please change your bookmarks and RSS readers!

The latest move by Slide is to compete directly with Facebook’s user profile page. Having successfully built the fastest-spreading viruses on Facebook’s platform, Slide is now using its position of power to build its own user profile pages (built on top of Facebook’s data), but with tactics to keep the traffic within the Slide apps and driving greater spread of Slide.

Until recently, the Top Friends module on user profiles was a useful navigation tool, providing a handy set of links from your profile to those of your top friends. Now, however, the new Top Friends module links to Slide’s alternate profiles for each of your friends, filled with Slide’s own actions (eg Moods, FunWall, Drinks, etc) instead of Facebook’s (Status, Wall, Gifts, etc).

If you try to click to see a user’s profile and you don’t have Top Friends added yet, instead of seeing the user’s profile you’re instead prompted to add the Top Friends application yourself. What’s worse is even if you are a Top Friends user, clicking on a friend’s picture will prompt you to invite that friend if they don’t have Top Friends installed, and will then simply redirect you back to your own Top Friends page.

How does Slide’s userbase react to the change? It’s no surprise.

Can Facebook do anything about it? Sadly, no, because it’s not breaking the rules. Besides, when was the last time they did anything to enforce the rules! The user reviews clearly tell a story (20 pages of non-stop complaints), but if history is any indicator, Facebook will probably find a way to reward this application.

Here’s a neat trick from RockYou’s quiz application, Likeness. The basic flow is that you get invited to take a quiz, you click to choose from 10 answers, and then submit your answers.

However, check out the sneaky little checkbox in the upper right area, a space normally occupied by banner ads that you’ve learned to ignore. If you leave that box checked (it’s checked by default), RockYou proceeds to spam all your friends on your behalf, notifying them that you’d like them to take this quiz too. Nifty, eh? That’s probably how you got invited in the first place.

Facebook recently announced and rolled out new limits on apps’ ability to send email to their users.

The idea is – if a lot of users are clicking the links to disable email from your app, then your emails will have the disable link moved to the top. Also, apps are getting limited on how many emails they can send on behalf of each user.

I see two problems with this:

1) Limiting how many emails apps can send on behalf of each user doesn’t actually do anything useful. When Joe Average accidentally spams all his friends while using Likeness, FunWall, Superwall, etc, these apps are sending each recipient an email using the RECIPIENT’s credentials. Even if these apps are limit to send “max 1 email per user”, they can still spam all of Joe Average’s friends. That sort of spam can’t be stopped using technology unless you take away from apps their ability to notify their own users, which, of course, would be ridiculously over the top. Why doesn’t Facebook just ask the bad apps to shape up or kick them out?

2) I am signed up for emails from FunWall, TopFriends, SuperWall, Likeness, and many more of these spammier apps. All of them have the “disable emails” links at the bottom of their email. If those apps aren’t considered spammy enough, then something is wrong with Facebook’s filter. What I think is happening is they simply changed their email sending logic to trick Facebook’s filters. I heard from another app developer that the smart spammy apps are either emailing only to younger users, or emailing their active users even more than before, or stuff like that just to mix it up and change the spamminess reading. Just because Facebook’s measurements think these apps are less spammy doesn’t mean the userbase agrees. Just look at the application review pages (previous blog post).

Below is a screenshot of user reviews of Facebook’s most “popular” application, FunWall (by Slide). The same sort of reviews also apply to the number 2 application, SuperWall (by RockYou). It begs the question: how can it be that something so universally disliked can also be so “popular”?

How is it that Facebook allows an application with almost unanimous 1-star ratings to achieve the number one spot of popularity? It certainly isn’t for lack of trying to build technology to reduce the spamminess of these applications. Facebook has changed the rules of its platform almost two dozen times in the last 6 months, and yet the spammiest applications can continue to spam away at Facebook’s userbase, undermining the Facebook user experience and trust, and devaluing Facebook’s much-hyped platform.

Why? Because each time one of these apps finds an exploit to grow at ten times the pace of other apps, Facebook knowingly lets them get away with it. The exploit may be stopped, but the application keeps the spoils.

As one venture capitalist confessed to me: “Imagine a stock market where illegal/insider trading isn’t punished: Each time somebody is caught insider-trading, they are asked to stop, but they can keep whatever money they took. Would that market see more illegal and insider trading, or less? That is the world of Facebook Platform.”

It’s no surprise that the most “popular” applications are those who have developed the greatest expertise at breaking the rules. But what is surprising is that Facebook has watched this story play itself out, over and over again, dozens of times, without recognizing the pattern.

Facebook’s profile redesign appears to be a massive flushing of the Platform ecosystem, effectively removing all application boxes from user profiles. According to Facebook: “up to five profile boxes can appear on the About tab… we aren’t providing a tab for all applications”. In other words, nobody can have more than 5 application boxes ANYWHERE on their profile?

Is Facebook reconsidering the value of applications to their overall user experience? Clearly the rise to power of spammy applications has made the Facebook experience worse, not better; it may even be part of the reason behind the recent slowdown in Facebook’s growth.

Instead of finding new policies to reduce the spamminess of the abusive apps, Facebook is choosing a more all-encompassing change, a dropping tide that will sink all boats: simply removing applications from user profiles. The net effect: a giant instant drop in visibility and traffic for all applications. On the plus side, for users who dislike applications, this will make user profile pages much simpler, cleaner, and faster.

However, what happens to the spam messages and notifications from applications? As long as FunWall and SuperWall retain the ability to send email or notifications to their unfairly-gained userbase, and as long as Facebook allows deceptive buttons like “Post” or “Forward” that are ostensibly synonymous with “send-to-all-my-friends,” absolutely nothing will change.

In fact, in a world where apps receive less traffic from clicks on profile pages, they will instead focus their efforts to get even more traffic via these spammy methods.

Well, it’s a great thing that Facebook is finally preventing the spammiest of games and scams like “invite all your friends to get poker chips”. This is among the first times we’ve seen Facebook issue policy to fight abuse (as opposed to trying to come up with clever technology). Go Facebook!!

Really, it’s great to see actual policy. In the past the Facebook tech nerds seem to have won the argument, i.e. “We can only police things with technology. Once we have 10 million app developers on this awesome cool Platform I wrote, how can we police stuff scalably?”

It appears as if there is a new Voice of Reason at Facebook, i.e. “Um, with all the crappy spam in the Platform we’re not going to see 10 million app developers anytime soon. Besides, the top 10 spammiest apps are probably 80% of the problem, let’s just police them, that will take 1 manager and a few admins, and be much easier”

Hooray for Mr. Voice of Reason, whoever you are. The only missing piece – why not publicly punish the most abusive of these spammers? Take away their notification privileges altogether, or simply remove them from the Platform ecosystem, and let them serve as an example so others don’t try to find new loopholes!

Seriously, the good applications in the world **WANT** to see a bad, scummy app get punished and wiped out of the system.

Yay! Two months after we documented this exploit, Facebook has finally announced that you cannot issue newsfeed stories on behalf of recipients of an action.

So if you have been wondering why your profile minifeed has a dozen stories saying “Jack received a video”, “Sally received a message”, or “George was invited to a quiz”, all things that YOU didn’t choose to do, well that’s about to end. You also will stop seeing newsfeed stories like “23 of your friends received FunWall posts” (which really means, one of your friends accidentally spammed 23 others of your friends).

This is great news. The sad news is, as usual, the spammy apps that doubled their userbase using these tactics will of course continue to stay on top.

Thousands of variations of this chain letter have been spread through millions of FunWall/SuperWall users, and probably contribute to almost a billion different “posts” that users have sent or received from each other.

It’s unclear who originates these posts. What’s clear is that Slide and RockYou are benefiting tremendously (and knowingly) from many, many, many variations of these messages. It’s great when you can say that your users are to blame for spamming each other, especially when it helps you grow to over 20,000,000 users.

The most common example of this chainletter is this one: “click Forward to see who views your profile the most” – this message is mostly seen on FunWall, and has probably alone seen a hundred million “sends”:

In general, this style of message (“click Forward to see what happens”) is now appearing in many many variations, some involving nudity and other obscene images to urge users to click Forward, only to realize that they have spammed all their friends. Screenshot from SuperWall:

Both Slide and RockYou have realized that users don’t always want to send stuff to all their friends, but can be tricked into doing it if they don’t know exactly what is happening.

The latest trick: using words like “Post”, “Forward”, or “Forward (fast)” as names for buttons, instead of the more accurate “Send this to all my friends.” Naturally, more users are likely to click “Fast Forward” out of curiosity, which is great for FunWall and SuperWall, much to the chagrin of the user’s friends.

SuperWall’s “Forward (fast)” – one click to spam all your friends, regardless of all Facebook limits on application messaging:

FunWall’s “Forward”, again, one click to spam all friends, regardless of Facebook limits on application messaging:

Both FunWall (Slide) and SuperWall (RockYou) have implemented aggressive techniques for their new-user flow.

Both applications prompt new users to create a “Post” – either a drawing, a greeting card, or a video. The new user is never told that clicking “Post” actually means “Send this to all of my friends”. While Facebook typically limits how many messages can be sent on behalf of one user, Slide and RockYou’s largest apps can work past this limit as described previously, because they message their existing app users directly, without the sender’s credentials. The result – every new user sends nuclear spam throughout the FunWall and SuperWall network.

In both examples below, the screen below is shown to a new user. The user is led to believe they are posting content to their own wall. But clicking “Post” will send whatever has been selected to all friends.

From Slide’s Funwall: (note that this screen has no skip button whatsoever. The only way out is to click the grayed “My Funwall” text in the upper-left)

From RockYou’s SuperWall: (this screen has a tiny skip button if you scroll 3 pages down)

Facebook has enabled application newsfeed stories to be seen by “non-app-users”, ie by potential new users. Another important new rule for newsfeed: if a particular action was done by lots of users in the same period of time, the aggregate story “20 of your friends did X” had a much higher likelihood of being displayed in the newsfeed.

This has inspired the obvious abuse: to publish newsfeed stories for actions that people never took, that is, on behalf of action recipients. Slide and RockYou already get repeat-viral activity from users who intentionally (or unsuspectingly) click buttons to send messages to all friends. (For example, a video posted to SuperWall as part of the new user signup is sent to all of that user’s friends, or somebody sending a sheep using SuperPoke accidentally forgets to unselect-all before clicking send)

The new multiplier: the app issues newsfeed stories for EVERY recipient. Users who have never before tried SuperPoke, FunWall, SuperWall, are now seeing newsfeed stories such as “28 of your friends received a video”. These 28 friends didn’t actually do anything. One of their friends simply signed up to use SuperWall, and probably didn’t even realize that when using SuperWall, the very first button to “Post” to the wall would actually send notifications to every friend. And these friends, who have not actually taken any action, get stories published on their behalf by Superwall — these stories appear on their minifeed, and are aggregated to the friends of the friends of the original SuperWall new user.

Playing a supporting role in this scene is the Movies app (by Flixster), which seems to be just as flagrant in issuing newsfeed stories for actions that you were the recipient of rather than the initiator (“Julie was challenged to a movie quiz by George” or “Julie became movie friends with George”).

This tactic has fueled powerful growth for any application that offers an aggressive “send to all” flow, particularly Slide’s FunWall, RockYou’s SuperWall, Flixster’s Movies, and Slide’s SuperPoke.

Through progressive so-called “crackdowns” by Facebook, Slide and RockYou have learned one thing: Facebook is not willing to remove an application’s right to message its own users. Why not? Because messaging these users is presumably the “hard-earned” right of the application. Indeed, this is true — for applications who actually earned their users fairly. If you take away an app’s ability to message its users, the value-proposition for developers disappears. Basic messaging from app to user is a critical cornerstone of the Platform.

However, for the applications who have been allowed to seize the largest userbases unfairly (by sending deceptive viral spam), the ability to message those users even after the crackdown is going to be the ultimate position of power. Why? Because now they can use it to circumvent any new spam-throttling techniques Facebook puts in place. How? Via aggressive tactics to get users to consent to sending something to all friends, then using the app credentials of the recipient to deliver the message.

Facebook may limit how many notifications an app can send on behalf of a given user. But a powerfully-established app like FunWall or SuperWall can work past Facebook’s limits. To send messages to UserA’s friends who are already app-users, the app creates a message that looks like it’s coming from UserA, but in reality the app uses the recipient’s credentials to deliver the message, and Facebook doesn’t get to see that the app is sending notifications that “look like” they’re coming “from” UserA. The only time the app needs to use UserA’s credentials is to send messages to non-app-users, who are potential new users. This gives a massive advantage to the apps with the most users.

By limiting how many notifications an application can send on behalf of one user, Facebook has effectively increased the power of the apps with the most existing users. Since the spammiest and most aggressive applications have so far been allowed to keep their massive userbases, this means they’re now the most powerful – they are the ones who can deliver the broadest “send to all” messaging techniques despite new limits created by Facebook.

Here’s a new deceptive trick invented by RockYou (and quickly copied by Slide) to use one app to cross-promote another: in the “profile action” link that an app gets to add under a user’s profile photo, RockYou provides a completely unrelated action from a different app, driving the user (and any visitors to their profile) to add a completely different application.

In the screenshot below, the action for “send Beer to Mike” is added to Mike’s profile (and from Mike’s perspective, the profile of all of his friends as well), when Mike installs RockYou’s Likeness application.

As a result: anytime Mike visits a friend’s page (or when a friend visit’s Mike’s page), they see these beer-related profile actions that belong to the XMe application. If Mike tries to “Send Beer” to a friend, both Mike and the friend are then prompted to install XMe, when otherwise neither friend may have ever used or installed XMe before.

Via this method, RockYou is leveraging the Likeness userbase to grow the Xme userbase, and vice versa. Slide has quickly copied this method to cross sell users from MyQuestions to FunWall and so on.

[ADDED] Two weeks later, Slide and RockYou have apparently stopped this practice. Presumably Facebook discovered it and told them to stop. I guess that means nobody else can use this technique from now on, and Slide & RockYou keep the spoils.

Well, it didn’t take long

An important section from the official Facebook policy:

Going forward, if you are deceptively notifying users or tricking them into taking actions that they wouldn’t have otherwise taken, we will start blocking these notifications. The bottom line is that if the notifications you send are the result of a genuine action by a Facebook user and that action is truthfully reported to the recipient so they can make an informed decision, you should have no problems.

To enforce this policy, Facebook needs to put themselves in the editorial position of deciding whether or not a sender’s action “is truthfully reported to the recipient.” Slide and RockYou have immediately started pushing the boundaries. How? By pre-filling messages from users to their friends – if the sender doesn’t know to actively erase the message, then a default message is sent to their friends.

For example MyQuestions (Slide) is still using its existing pre-fabricated questions, but now it’s giving users the option to edit this question. In the past, a question was posted on your behalf and you had no aility to stop it. To comply with the new policy from Facebook, users are now given the option to erase this question — if they are astute enough to figure out what the app is doing. If you don’t know to delete the pre-fabricated question that has been authored for you, your friends might still get spammed.

SuperWall (RockYou) has begun a new technique: the new-user experience on SuperWall guides the user through a path that sends the following message to all his friends: “hey, post video, photos, etc here!” This message is pre-selected as a message from every new user to all friends they invite. SuperWall delivers the message to friends as “Mike has posted to your SuperWall.” It’s virtually the same thing they were doing before, but the only difference is: Mike has the option to erase this message (so none is sent), or to edit it and provide a more personal message. As we all know, most users aren’t clever enough to edit their defaults.

[ADDED LATER] This technique has helped RockYou add another 1-2 million users until eventually people caught on. And it seems Facebook hasn’t done anything about it… I guess these types of deceptive tactics fall within the new rules?

Facebook’s so-called crackdown on MyQuestions, FunWall, SuperWall (3 of the top 10 largest apps) has sent a clear message to application developers: spam away, you won’t be punished! This is best expressed in today’s TechCrunch story by Michael Arrington:

Facebook is still a young platform, and it’s good that they are taking steps to reduce abuse of the user base. But they don’t seem to be taking any remedial action against past abusers, meaning those applications get to keep the millions of users they’ve racked up using questionable practices.

Since application developers aren’t penalized for finding the weaknesses in the Facebook platform, expect them (and their venture dollars) to continue to focus on finding the next hole to exploit. If Facebook were to slap a few of the worst offenders on the wrist, perhaps others would lose the incentive to engage in bad behavior.

User comments on the TechCrunch post agree with the sentiment:

This [Facebook's crackdown] is a good call, but it has the perverse effect of helping the people who did this stuff in the first place. Slide and RockYou and Social Media have a huge benefit by being first to market and getting to spam away….now they use those networks to charge new apps for visibility. They will still be allowed to monetize their user base, while these new apps have to pay the incumbents for advertising rights. By locking out new apps from these techniques, Facebook has entrenched the power structure… Far from being able to rise up the app curve by just being good, we are going to see new apps have to cough up large fees to the triopoly that runs the apps business (RockYou, Slide, Social Media) to get themselves discovered.

The message from Facebook is clear: the best way for an app to succeed is to find a loophole in the Facebook technology or in the rules — or frankly just to break the rules! — and trick users into spreading your app unintentionally like a virus. We now have a clear precedent that Facebook will let you keep all the “users” that you can trick into adding your application no matter how flagrantly you abuse the rules.

Given what they’ve been allowed to get away with so far, I shudder to think what new tactics the Slide and RockYou apps are going to try next.

It is a sad day indeed for Platform. Facebook has spoken, and if their actions today are any indication, we can expect the platform to continue slipping into a spammy wasteland controlled by Slide and RockYou.

Over the past few weeks, the technique of fraudulent notifications has become standard across apps by Slide and RockYou: MyQuestions, FunWall, SuperWall, and others. (For example, “Sally wrote on your SuperWall” – both Slide’s FunWall and RockYou’s SuperWall have been sending messages like this on behalf of users, to all their friends, when no such action had occured.)

Lo and behold, as reported on TechCrunch today, Facebook Takes Action Against ‘Black Hat’ Apps. Specifically, Facebook published new rules that say that apps cannot send deceptive notifications on behalf of users. About time! But guess who the big winners are?

Over the last few weeks we have noticed several developers misleading our users into clicking on links, adding applications and taking actions. While the majority of developers are doing the right thing and playing by the rules, a few aren’t – and are creating spam as a result. Going forward, if you are deceptively notifying users or tricking them into taking actions that they wouldn’t have otherwise taken, we will start blocking these notifications. The bottom line is that if the notifications you send are the result of a genuine action by a Facebook user and that action is truthfully reported to the recipient so they can make an informed decision, you should have no problems.

Well, apparently nobody can engage in such behavior going forward. But guess who the winners are? Slide and RockYou. Not surprisingly, after a few weeks of insane spammage, Slide and RockYou’s apps now dominate the top 10 list. These two companies have been asked to stop this particular deceptive growth tactic, but they get to keep their massive audience! FB has done nothing to punish the offenders, and more importantly, nothing to deter them from exploiting new deceptive tactics next week.

Responses from other developers can be seen in the comments on TechCrunch:

Good thing they are stopping others from doing this……after Slide and RockYou got 20 million installs using these tactics. Seems fair, right?

Basically, this means they were able to spam to get to critical mass, but now everyone else will be blocked. It’s amazing to watch Facebook make stupid moves like this again and again. This just shows the lack of maturity over at Facebook.

Sure it’s good that FB has updated their API to help prevent spamminess, but they should really do more than simply slap these guys on the wrist. Make a freaking example out of these people. Delete all these applications from the FB network immediately without notice, and ban the companies from further development on FaceBook, permanently. What they have done will accomplish nothing to deter this type of behavior in the future.

Anything more like this and the application should be swiftly deleted.

I am glad they are doing something about it.. it is really discouraging to legitimate developers like me (Free Gifts) and the Graffiti guys and the majority of app developers. We don’t do any of that slimy spam crap and we maintain Top 10 positions, but companies like Slide don’t think twice about spamming their way ahead. I find it kind of ridiculous and a little strange that Facebook didn’t do anything about this within a day of My Questions getting nearly 25k users per hour…

If Facebook doesn’t crack down on it hard, it puts pressure on other developers to do it in order to stay competitive. If devs are going to work their butts off to create good apps, they don’t want their work eclipsed by someone willing to lower their standards of user-friendly interaction. If app spamminess continues, I fully blame Facebook, not the developers. I look at their close relationship with Slide as motive for being soft on crime.

Deleting applications by Slide & RU is a really interesting thought. Dont you think the 2 application providers have the ability to hold FB hostage now, especially Slide.

Does it not seem like a better idea to ban an app developer entirely who has violated the spirit of Facebook rather than to take measures to make certain features no longer possible to a developer who might use them for “white hat” purposes? For the Facebook team, this is a completely controllable environment for them. It seems lame to let a couple bad apples spoil the bunch.

Yeah, it is bullshit that Facebook does not punish the apps who use shady tactics. Instead, they just stop the ability for others to use the same tactic. This is unfair because RockYou, Slide and others have already reaped the benefits and now it is even harder for others to compete with them.

One of the f# %@&! things that pisses me off is that FB bans channels after Slide and RockYou abuse them, but don’t penalize Slide and RockYou for having done that.

Well, the spammy behavior of the My Questions application has made it to the mainstream consumer press! From the Newsweek cover story “Facebook Grows Up“:

David Rodnitzky, 35, a San Francisco marketing executive, was having a fine time on Facebook until he installed a widget called “My Questions.” Unbeknownst to him, it sent out a query to people on his friend list, specifically: “Do you kiss on the first date?” “Here I was, asking some of my company’s venture capitalists, along with some of my guy friends, if they kiss on the first date,” says Rodnitzky.

It begs the question, is this behavior that Facebook wants from apps?

Platforms like Windows or MacOS also have malicious software that spreads like this: they’re called viruses. On desktop platforms you need anti-virus tools because there’s no central way to identify, track, or stop viruses. But Facebook, on the other hand, has exactly those central capabilities. Why haven’t they just pulled the plug on this malicious app?  Hopefully they’re thinking about it, and with press coverage like this, they’ll act soon.

The all-time fastest-growing app on Facebook is the MyQuestions application by Slide, growing by a sheer 200,000 new users every day.

How is MyQuestions achieving such phenomenal growth? It’s simple. As soon as you add the MyQuestions app, Slide promptly (a) sends messages from you to all your friends, saying “John has asked you a question,” and (b) posts a completely fabricated question on your user profile, for friends to come answer. Your friends see the notification, “John has asked you a question”; they click innocently to see what you’re asking; and before they know it, MyQuestions had spammed all their friends, and so on.

Most users don’t even realize that their friends never asked these questions. Slide invented 20 or so questions to send on behalf of unsuspecting users. If you try the MyQuestions app you see absolutely nothing that explains to you that a question “from you” is being sent to your friends.

Users are beginning to figure this out, but only after Slide has spammed all their friends on their behalf. Take a look at the application review wall: 20 out of 20 posts are complaints by users who’ve been tricked into spamming their friends. It’s a clear signal of a broken platform that the fastest-growing application, growing 200,000 users a day, receives a completely unanimous response from its userbase. I have to imagine Facebook won’t let this app keep all the users it’s registering this way, although their policy (or lack thereof) so far hasn’t been very comforting.

Andreas Silva:
It’s really BAAAD that you suddenly get an email telling you someone has answered a question you never asked!!

Allix Harrison-D’Arcy:
Why does MyQuestions seemingly just ask an undeleteable question when you install it and broadcast it to all your friends? Isn’t it profoundly obnoxious? I believe this goes against the spirit of facebook apps – I’m removing, blocking and reporting this app.

Lizel Adendorff:
I had the same problem. i’m trying to get rid of the app but it’s still sending questions on my behalf and it still says people asked me questions…this sucks. stop the app….

Click here to read more reactions from the 200,000 users per day who were exposed to this virus. Here is a nice screenshot of a sampling of user complaints.

RockYou has found a new gold mine for viral user growth: completely fabricating user actions.

The basic concept: Joe adds an app; the app sends messages to Joe’s friends on his behalf, with a catchy call to action that Joe didn’t actually have anything to do with.

This is being thinly veiled with the user’s implied “consent”. If you try using the RockYou Music Videos app, when prompted to invite friends, you probably wouldn’t even know that the invitations you’re about to send include randomly-chosen music videos that you’re apparently sending to your friends. (As a user you can’t pick what music video to send all your friends. You only choose who to invite, and RockYou selects a music video to send your friends, and the only way you’d even know this was happening is buried on the subsequent confirmation screen.) I’m sure most users don’t notice the circled text, they just hit “Send it”, and the recipient is likely to accept the invite.

It’s against the rules to use a friend’s photo as the associated image for an application “request” or “invitation”. Why? Facebook doesn’t say, but I can only assume it’s so that recipients would not confuse these invites/requests with Facebook’s own native features (invitations for friendship, events, groups).

Slide has figured out how to easily skirt this rule. With the rise of Top Friends, it’s become clear that adding “friend request” to any application invitation will automatically increase the likelihood that the recipient will “Accept”. Slide has taken this one step further: they’ve built a proxy for Facebook’s user photos, so Slide’s app requests now further confuse the recipient by making all app invites look more like ordinary friend requests.

While Facebook prevented urls to Facebook’s user-pictures to be used as the image for an application invite/request, they had no way of preventing a proxy-server (hosted by Slide) from doing the same thing.

Although Facebook’s rules clearly suggest that an app shouldn’t disguise their invitation/request as a friend request, Slide’s proxy-server trick (and their app name) does exactly that. Clever!

It seems getting app installs on Facebook has become harder in the Platform’s second month. Most users know not to invite a ton of friends when trying out a new app and Facebook limits apps to inviting only 20 friends max.

In response, RockYou has become more aggressive, making it increasingly harder to use their apps without sending at least one invitation to another friend, and “daisy-chaining” invites from multiple apps to circumvent Facebook’s limits.

For example, if you try the Likeness app, it first prompts you to invite the max of 20 friends (of course, no skip button). If you find your way past this screen, you’re immediately prompted to add the SuperWall app and invite friends using SuperWall (in case a user exhausted the max of 20 invites, RockYou thus convinces them to also send another 20 invites using SuperWall, thus getting a total of 40 invites out of the one user).

Note of course that again there’s no skip button (screenshot below). EVERY user who tries the Likeness app upon receiving an invite is immediately guided into inviting more friends (no skip), and then into the SuperWall app to invite more friends (again no skip). Worse yet, these screens don’t even make it clear that what you’re about to do is send invitations to 20 friends! I can imagine a lot of profiles are gonna get cluttered with apps that people never really intended to forward.

(thanks for the app developer who tipped me off to write about this. I’m going to invite other developers to contribute ideas to this blog)

Slide and RockYou have perfected a new technique.

Across their applications (RockYou’s Likeness application, Yahoo/RockYou’s Music Videos, Slide’s FunWall, RockYou’s SuperWall, and more) they present users with invite screens that have no visible skip button.

In the screenshot below from RockYou’s Music Videos application, the only way to proceed to the application without inviting friends is to first unselect the friends, and then to click the button for “Invite Friends” (and pray that nobody is being invited). There is no other way to skip this step.

Note also that RockYou presents the user with a nice teaser: “Who do you want to compare music tastes with?” (copied from iLike, the popular music app on Facebook), even though the RockYou app doesn’t provide the functionality for comparing music tastes or calculating music compatibility that iLike offers.

After a month of watching the new Facebook platform evolve, it seems clear that some of the app developers are willing to push the envelope and deceive users to grow.  This trend, if it goes unchecked, could massively undermine Facebook’s perception as a ’safe’ / ‘clean’ / ‘unspammy’ user experience.

I’m writing this blog to document this trend, in hopes of helping Facebook fix the problem.  While it’s easy to blame the app developers for the abuse, the true responsibility lies squarely on Facebook. It’s Facebook who sets and enforces the policies for the platform; they are the only ones who can reverse this trend; and they have all the tools they need to do so.

Perhaps the first deceptive experience I’ve had on Facebook is the following trick employed by Slide to get users to install their “Top Friends” app:

Using Top Friends, any user can choose which of their friends are “top friends”. Many other social networks (MySpace, Bebo, etc) already have a concept of “top friends”, but Facebook did not provide this native functionality, so Slide filled the void.

However, Slide’s implementation added viral hooks that are both unnecessary and deceptive. When you edit your Top Friends using the Slide app, each friend you add to the list receives a “Top Friends friend request.” The recipient is asked to “accept” or “ignore” this request.

Why is this deceptive? Because the recipient is fooled into thinking that they need to make a choice. In truth, the recipient has already been listed as a Top Friend of the sender; they have no choice in the matter (regardless of whether they “accept” or “ignore”). Naturally, most users click “Accept” – which has nothing to do with actually “accepting” anything, but rather leads them to add the Top Friends app themselves, and invite some new friends of their own, and so the app spreads.

By forcing every Top Friends user to send these unnecessary and deceptive requests to their Top Friends, Slide’s Top Friends has quickly become the fastest growing app on Facebook.