Plugin Warning: The Facebook Fans Generator

A few days ago this gem of a plugin landed in the inbox of one of our developers. Barry runs WP Plugins, one of our sister sites – a place for developers to sell their plugins. The description is as follows:

Facebook Fans Generator is a simple module through which your visitors will be automatically added to your fans on Facebook. Suppose your website is visited 1000 people per day of which 75% of visitors (according to statistics), has exactly in the same moment an open Facebook, you gain in one day 750 fans!

Wow! Nice! How about that? You can get all of your visitors to be your fans on Facebook!

Sounds a bit fishy, right? How does someone get all of your website visitors to become your fans? With a minor tweak Barry was able to show us how it worked, in action. Check it out:

Everyone was all like “ZOMG! That’s dreadful!” Everyone except me, who was like, “I dunno how that works… seems like voodoo…”

But through the magical powers of explanation, I learned something. Here is how the Facebook Fans Generator gets all of your visitors to be your fans:

  1. The plugin creates an iFrame and writes it to the body of the page. The frame, which is built using PHP, contains this URL 
  2. The opacity of the frame is set to 0. This makes it invisible but still clickable.
  3. An event timer is added. If nothing is clicked within a certain amount of time the iframe is removed (in this instance the event timer is set to 10 seconds)
  4. An event listener is added to the movement of the mouse – the top left coordinates of the iFrame are just to the top left of the mouse pointer. So the Like button follows your mouse around all over the page.

That’s basically it – surprisingly simple. An invisible like button is under your mouse so the first time you click on the page you Like the website’s Facebook page. How sneaky is that?
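The steps above leave three traits a reviewer can check for on a live page: a third-party frame, zero opacity on a frame that still receives clicks, and a frame position that tracks the pointer. The following audit is an added example, not code from the plugin or from this post; the hosts, field names and sample observations are constructed.

```javascript
// Added example: audit iframe observations for a hidden, pointer-following frame.
// In a browser the fields would come from getComputedStyle(frame),
// frame.getBoundingClientRect() and the clientX/clientY of mousemove events.

function isThirdParty(src, pageHost) {
  try {
    const host = new URL(src).hostname;
    return host !== pageHost && !host.endsWith('.' + pageHost);
  } catch (e) {
    return false; // relative or malformed src: treat as same site
  }
}

// True when the frame keeps a constant offset from a pointer that actually moved.
function followsPointer(samples, tolerance = 4) {
  if (samples.length < 2) return false;
  const [first, ...rest] = samples;
  const moved = rest.some(s => s.pointerX !== first.pointerX || s.pointerY !== first.pointerY);
  return moved && rest.every(s =>
    Math.abs((s.pointerX - s.left) - (first.pointerX - first.left)) <= tolerance &&
    Math.abs((s.pointerY - s.top) - (first.pointerY - first.top)) <= tolerance);
}

function auditFrame(frame, pageHost) {
  const findings = [];
  if (isThirdParty(frame.src, pageHost)) findings.push('third-party');
  if (frame.opacity < 0.1 && frame.width > 0 && frame.height > 0 &&
      frame.pointerEvents !== 'none') findings.push('invisible-but-clickable');
  if (followsPointer(frame.samples)) findings.push('follows-pointer');
  const hidden = findings.includes('invisible-but-clickable');
  const risk = findings.length === 3 ? 'high' : hidden ? 'review' : 'low';
  return { src: frame.src, findings, risk };
}

const PAGE_HOST = 'blog.example'; // constructed host of the page being audited
const SAMPLE_FRAMES = [ // constructed observations, not captured from a real site
  { src: 'https://widgets.social.example/like', opacity: 0, width: 50, height: 25, pointerEvents: 'auto',
    samples: [{ pointerX: 100, pointerY: 200, left: 90, top: 190 },
              { pointerX: 340, pointerY: 120, left: 330, top: 110 },
              { pointerX: 15, pointerY: 600, left: 5, top: 590 }] },
  { src: 'https://widgets.social.example/like', opacity: 1, width: 50, height: 25, pointerEvents: 'auto',
    samples: [{ pointerX: 100, pointerY: 200, left: 700, top: 40 },
              { pointerX: 340, pointerY: 120, left: 700, top: 40 }] },
  { src: '/helper.html', opacity: 0, width: 1, height: 1, pointerEvents: 'auto',
    samples: [{ pointerX: 100, pointerY: 200, left: 0, top: 0 },
              { pointerX: 340, pointerY: 120, left: 0, top: 0 }] },
];

console.log(SAMPLE_FRAMES.map(f => auditFrame(f, PAGE_HOST)));
```

Only the first sample shows all three traits together and is rated high; a visible, stationary social widget is rated low, and a hidden same-site helper frame is left for manual review.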

You can change the settings yourself to include your own Facebook page. This is where you set the opacity on the like button as well.

Screenshot: Facebook Fan Generator plugin options telling users to set opacity to 0 if they want an invisible Like button

Here’s a link to the plugin page. I didn’t want to put it earlier as the plugin is active on the site.

As a Facebook user I’d be pretty suspicious if something I didn’t know that I had liked started appearing on my stream. I’d probably think my account had been hacked or that some other sort of nefarious activity was going on.

Facebook’s Platform Policies

We all guessed that this must be breaking Facebook’s Platform Policies. Let’s see how.

Principles

Create a great user experience

  • Build social and engaging applications
  • Give users choice and control
  • Help users share expressive and relevant content

Be trustworthy

  • Respect privacy
  • Don’t mislead, confuse, defraud, or surprise users
  • Don’t spam – encourage authentic communications

Looking at the principles there are two obvious ones being broken right there.

  • The Facebook Fan Generator plugin does not give users choice and control as it forces them to Like a page (even if they hate it!)
  • It also misleads, confuses, defrauds and surprises users. It misleads them into Liking a page, confuses and surprises them by inserting stuff they haven’t signed up for into their stream, and defrauds them by signing them up for something that they didn’t intend to sign up for.

Policies

Check out point 6:

IV Application Integration Points

Platform integrations, including social plugins:
a. Your advertisements must not include or be paired with any Platform integrations, including social plugins such as the Like button, without our written permission.
b. You must not sell or purchase placement of a Like button or Like box plugin.
c. You must not incentivize users to Like any Page other than your own site or application, and any incentive you provide must be available to new and existing users who Like your Page.
d. You must not obscure or cover elements of our social plugins, such as the Like button or Like box plugin.
e. Ad networks, ad exchanges, and data brokers must not use Facebook’s Platform, logos, and trademarks (including, but not limited to, Platform APIs, social plugins, the Share button, and the F logo).

That’s pretty clear right there. Obscuring or covering the Like button directly violates Facebook’s Platform Policies for Developers.

What About Website Owners?

So those are the Platform Policies as they apply to developers. Surely you, as an innocent installer of the plugin, are not liable for breaking the policy.

Not so. Facebook’s Terms of Use for operators of websites state the following:

Special Provisions Applicable to Developers/Operators of Applications and Websites

If you are a developer or operator of a Platform application or website, the following additional terms apply to you:

1. You are responsible for your application and its content and all uses you make of Platform. This includes ensuring your application or use of Platform meets our Facebook Platform Policies and our Advertising Guidelines.

That means if you are dumb enough to install the Facebook Fan Generator you are breaking Facebook’s Terms of Service and you are just as liable as the developer.

This exposes you to point 14 of the Terms of Use:

Termination

If you violate the letter or spirit of this Statement, or otherwise create risk or possible legal exposure for us, we can stop providing all or part of Facebook to you. We will notify you by email or at the next time you attempt to access your account. 

Just One More Thing

Just in case you are still a teeny weeny bit tempted. Say a user lands on your page who isn’t logged in to Facebook. The first time they click this will pop up:

Screenshot: website asking visitor to log into Facebook

You don’t need to be Columbo to realize that something suspicious is going on if a popup appears asking for your Facebook login details.

Now that is one definite way to alienate your visitors.

Still think it’s worth it?

Oh yes, and there’s a version for Joomla! too.