Facebook Takes Action Against "Black Hat" Apps

Some of the most popular Facebook applications are using highly questionable tactics to spread themselves virally. Users have noticed and complained, and Facebook took action today to put a stop to the most egregious behavior.

There are two ways application developers are breaking the rules to get new users. The first: when a user looks at an application on his/her profile, the application can show something different from what other users see when they view the same profile. So a user adds an application that looks nice to them, but everyone else sees, say, a big yellow box with an advertisement that says the user wants you to add this application, too.

The second and more devious scheme is being used by many of the largest application developers. Its variants all involve some sort of notification fraud. Generally, you add an application. Then, every one of your contacts is notified that you’ve “written on their wall” or “have asked them a question,” even though you never did. To view the content, the contact must add the application. They then find out there is no wall comment, or it’s a canned question like “is it ok to kiss on the first date?”

Super Wall (RockYou, 4.5 m installs), My Questions (Slide, 6.9 m installs) and FunWall (Slide, 3.6 m installs) all do this (and users complain loudly in the comments area to the apps – see here and scroll down).

Facebook Hits Back

Facebook took measures today to stop these kinds of activities. The first is dealt with in the new release (1.1) of FBML, the markup language used to build Facebook applications. Developers will no longer be able to show a different profile to friends than the one the user sees him/herself:

One of the key parts of the success of the design of the Facebook profile is that the user is always aware of exactly what their profile looks like to their friends who stop by to view their profile. This enables users to understand exactly how they are expressing themselves to others by simply deciding whether or not they like an application’s profile box and the content that the developer has decided to put into the box.

Right now, we have made a few FBML tags available that are causing users to not trust the content in the profile box. Tags such as: fb:if-user-has-added-app, and other fb-if tags. These tags are currently being used to deliver content to profile boxes which users are unaware of. Content such as big yellow boxes which say “ADD THIS APPLICATION!” or “ADD SOME OTHER APPLICATION!”.

Starting today, these tags will no longer be available for use in profile boxes. We will be migrating FBML to version 1.1, and adding a new set of tags called fb:visible-to-. They are:


Facebook also notified developers today that they will be blocked from sending misleading notifications to users. This will stop Slide, RockYou and others from mass spamming users with false notifications:

Over the last few weeks we have noticed several developers misleading our users into clicking on links, adding applications and taking actions. While the majority of developers are doing the right thing and playing by the rules, a few aren’t – and are creating spam as a result. Going forward, if you are deceptively notifying users or tricking them into taking actions that they wouldn’t have otherwise taken, we will start blocking these notifications. The bottom line is that if the notifications you send are the result of a genuine action by a Facebook user and that action is truthfully reported to the recipient so they can make an informed decision, you should have no problems. If you do find some notifications blocked, it was probably because this wasn’t the case and we will be happy to inform you of some best practices by other developers that have prevented this issue.

Facebook has done a great job of managing its platform since opening it up to application developers. It has had to accommodate application developers while at the same time protecting users’ interests and the general security of the site. The changes that Facebook has made today, while they may inconvenience some application developers, have clearly been made to protect users from the spammy tactics that some applications have employed.