Ari Steinberg, who works on the Facebook developer platform, has a blog post entitled New Rules for News Feed, which states:

As part of the user experience improvements we announced yesterday, we're changing the rules for how Feed stories can be published with the feed.publishTemplatizedAction API method. The new policy moving forward will be that this function should only be used to publish actions actively taken by the "actor" mentioned in the story. As an example, feed stories that say things like "John has received a present" are no longer acceptable. The product motivation behind this change is that Feed is a place to publish highly relevant stories about user activity, rather than passive stories promoting an application.

To foster this intended behavior, we are changing the way the function works: the "actor_id" parameter will be ignored. Instead the session_key used to generate the feed story will be used as the actor.

In order to ensure a high quality experience for users, starting 9am Pacific time Tuesday 22 January we may contact you, or in severe cases initiate an enforcement action, if your stories are not complying with the new policy, especially if the volume of non-complying stories is high.

If you are not a developer using the Facebook platform, it may be unclear what exactly this announcement means to end users or applications that utilize Facebook’s APIs.

To understand the impact of the Facebook announcement, it would be useful to first talk about the malicious behavior that Facebook is trying to curb. Today, an application can call feed.publishTemplatizedAction and publish a story to the user’s Mini-feed (list of all the user’s actions) which will also show up in the News Feed of the user’s friends. Unfortunately, some Facebook applications have been publishing stories that don’t really correspond to a user taking an action. For example, when a user installs the Flixster application, Flixster not only publishes a story to all of the user’s friends saying the user has installed the application but also publishes a story to the friends of each of the user’s friends that also have Flixster installed. This means my friends get updates such as

being sent to my friends when I wasn’t actually doing anything with the Flixster application. I don’t know about you but this seems like a rather insidious way for an application to spread “virally”.

Facebook’s attempt to curb such application spam is to require that an application have a session key that identifies the logged in user when publishing the story which implies that the user is actually using the application from within Facebook when the story is published. The problem with this remedy is that it totally breaks applications that publish stories to the Facebook News Feed when the user isn’t on the site. For example, since I have the Twitter application installed on Facebook, my Facebook friends get an update sent to their News Feeds whenever I post something new on Twitter.

The problem for Facebook is that by limiting a valid usage of the API, they may have closed off a spam vector but have also closed off a valuable integration point for third party developers and for their users.

PS: There might be an infinite session key loophole to the above restriction which I’m sure Facebook will close off if apps start abusing it as well.
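A small model of the API change discussed above, added here as an illustration and not Facebook's code or anything from the original post: the old call trusts a caller-supplied actor_id, while the new one derives the actor from the session key, so publishing while the user is away only works with a key that does not expire. The function names, the in-memory session store and the expiry model are assumptions made for the example.

```python
import secrets
import time

SESSIONS = {}  # session_key -> (user_id, expires_at); expires_at None = non-expiring key
FEED = []      # published stories as (actor, text)

def open_session(user_id, ttl=3600, infinite=False, now=None):
    """Issue a session key bound to exactly one user (stand-in for platform login)."""
    now = time.time() if now is None else now
    key = secrets.token_hex(16)
    SESSIONS[key] = (user_id, None if infinite else now + ttl)
    return key

def session_user(session_key, now=None):
    """Return the user a key belongs to, or None if the key is unknown or expired."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(session_key)
    if entry is None:
        return None
    user_id, expires_at = entry
    if expires_at is not None and now >= expires_at:
        return None
    return user_id

def publish_legacy(session_key, actor_id, text, now=None):
    """Old behaviour (modelled): any live session may name an arbitrary actor."""
    if session_user(session_key, now) is None:
        raise PermissionError("invalid session")
    FEED.append((actor_id, text))
    return actor_id

def publish_session_bound(session_key, text, actor_id=None, now=None):
    """New behaviour (modelled): actor_id is accepted but ignored; the
    identity attached to the story is the owner of the session key."""
    actor = session_user(session_key, now)
    if actor is None:
        raise PermissionError("no live session for this user")
    FEED.append((actor, text))
    return actor
```
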

Now playing: Silkk the Shocker - It Ain't My Fault


Wednesday, January 23, 2008 10:02:54 AM (GMT Standard Time, UTC+00:00)
I for one will be somewhat glad to see less Flixster spam in my news feed. Re your Twitter scenario, I've always thought that the general intention is that Facebook and the receiving user should figure out which entries in your Mini Feed should be shown in each friend's News Feed (through ranking/relevance algorithm and the receiving user's previous "I like this"/"I don't like this" actions on similar entries).

The current behavior of some applications publishing 'unsolicited' messages to a user's friends' Mini Feeds does seem to bypass this, hence the increase in 'spam'. Users do always have the option of declaring "I didn't do this" on any mini feed item but who wants to do that after the story has been posted/spammed to your friends' news feeds?

Regarding storing user infinite keys and using them to subsequently send messages to those users' news feeds, this would (and does) work - to a point. However, you are assuming that the users never log off/on from Facebook (afaik login causes Facebook to generate a new 'infinite' session key for that user, invalidating the old one which your app would be attempting to use).
Wednesday, January 23, 2008 4:53:13 PM (GMT Standard Time, UTC+00:00)
Just to clarify, we're not preventing apps like the Twitter application from doing what you want them to do. And the infinite session key thing is not a loophole - that's the intended behavior. This was admittedly a bit confusing, but there are basically two things going on here:

1) a new policy that says "don't do this" (where this is the bad scenario you describe).

2) an api change to make the api better reflect the policy.

#1 is a bit of a new thing for us - traditionally, we prefer to enforce our policy through purely technical/automated mechanisms (i.e. to make the annoying stuff impossible to do), but in this case, we're going to have human judgement play a part in the enforcement process. If we find an app is maliciously abusing this, we will apply some kind of penalty, and we hope that the threat of a penalty will be sufficient to deter most people from abusing the system.
Wednesday, January 23, 2008 7:00:11 PM (GMT Standard Time, UTC+00:00)
About damn time! I was really, really getting annoyed with the amount of "This has been done by a stranger to X" crowding out the actually interesting "X has done this". I've actually removed several applications for doing that, and I've been marking such messages as spam in my own feed.