Facebook "Like" Buttons Sign You Up For Messages

Note: This is an archive of an old page back when Patrick McKenzie used to own this site. We're leaving this up for historical reasons 😄

If you click the below button, you will be spammed, repeatedly. Read first.

Facebook sometimes makes very curious decisions with respect to user privacy. Recently, one of them came to my attention, and it is so comprehensively wrong that I had to put up a public service announcement about it.

You've seen the Facebook "Like" buttons all over the Internet, right? Liking anything lets the owner spam you. No, really. If you doubt me, click the Like button on this page: you'll find a message from me on your News feed (the big list where you see updates from your friends) within 5 minutes, unless Facebook has shut down this tech demo since publication.

Facebook Knows This

As unlikely as this may seem, this is intended behavior and not a result of any JavaScript abuse or similar trickery by this site. From the Facebook documentation for Like buttons:

[If your site uses a particular Facebook feature], when a user clicks a Like button on your page... you have the ability to publish updates to the user.

This is bad mostly because it violates user expectations. While Facebook never really told users "Hey guys, here is how we intend you to use Like buttons", the reasonable parsing of user intent is "Tell my Facebook friends I like this." (Many users probably don't know it does that, either, but there you go.)

It is unreasonable to expect that a user is affirmatively signaling their consent to receive marketing messages by clicking on a Like button. That is not disclosed in any prominent fashion: people who make a living writing applications for Facebook were shocked when I told them about this "feature", which prompted me to write this post.

Compare our well-developed procedures, laws, and industry guidelines for mailing list opt-in. To prevent people from receiving unwanted mail, we have them:

  1. Type out their email address.
  2. Check a box explicitly saying that they want to receive email.
  3. Switch to their email, read a mail saying they've just asked to receive email, and click a link in that email to confirm their consent to receive email.

By comparison, Facebook will sign you up to receive marketing messages if you:

  1. Click "Like", anywhere, once.

"Liked" Something Previously? You're Signed Up.

If you're not receiving spam from pages you've Liked yet, that is no guarantee you won't in the future. Understand that you are trusting the page owner every time you click Like: they can turn on the spam spigot (spagot?) at any time, in under ten minutes of engineer time. This tech demo took less than 10 lines to code. This will be exploited in the future.

In particular, look for "stealth" Like spam: you might Like your politician of choice today, but when the next campaign starts, expect to get hit up for fundraising every time you sign into Facebook. Additionally, since the UI doesn't really make it clear what you are liking ("this page", yeah, but the page owner can make that page represent anything), six months down the line you could get messages from someone you've never heard of just because you liked a LOLCat or similar disposable piece of culture.

Can My Friends See This?

You liking things today can't spam your friends tomorrow. It can only spam you. Your friends will see "Your Name Here liked Page Name Here" in their news feeds once, right after you click "Like" (bumped higher if you comment on it). This is the intended functionality of the Like button, from a user's perspective.

How Do I Stop This?

To stop getting spam from this page, either click Unlike right here, or mouse over the spammy message, click the X, then click either of the Remove buttons. (If this were actual spam I'd click the Report Spam button, but doing that here would be a hilarious example of shooting the messenger.)

There is another, longer way...

  1. Go to your Facebook profile.
  2. Click "Edit Profile" (under your picture, top right corner).
  3. Click "Likes and Interests" from the left-hand menu.
  4. Click "Other Pages" near the bottom of the right-hand side of the screen.
  5. Find the one titled "Clicking "Like" Buttons Signs You Up For Spam" and click "Remove Page" next to it.

Software designers in the audience who think this might not exactly count as user friendly are, well, right.

What Can I Do About This?

Spreading the word and causing a PR event for Facebook has previously caused them to find religion on user privacy issues. I'd suggest that -- link to this page, tweet it, whatever. But for heaven's sake, don't click the Like button.