

Facebook Bots Are Not Stealing Your Ad Spend - kloncks
http://simplereach.com/blog/facebook-bots-are-not-stealing-your-ad-spend/

======
gwern
> The first is that the traffic coming in had JavaScript disabled. If this was
> the case then the JavaScript analytics software would not detect the
> incoming traffic and therefore would not be able to log the result at all.

Did you read their post? To quote:

> Here's what we found: on about 80% of the clicks Facebook was charging us
> for, JavaScript wasn't on. And if the person clicking the ad doesn't have
> JavaScript, it's very difficult for an analytics service to verify the
> click. What's important here is that in all of our years of experience, only
> about 1-2% of people coming to us have JavaScript disabled, not 80% like
> these clicks coming from Facebook. So we did what any good developers would
> do. We built a _page logger. Any time a page was loaded, we'd keep track of
> it_.

Emphasis added.

~~~
mikeryan
_If this was the case then the JavaScript analytics software would not detect
the incoming traffic and therefore would not be able to log the result at
all._

Most Javascript analytics packages also wrap an image call in a noscript tag
to capture hits for browsers which do not have JS enabled. So yes, you can log
the result with JS turned off.

~~~
MichaelApproved
That still won't detect bots. If you build a click-bot, you're probably only
going to click the link and download the source. You wouldn't care about
loading any images so the 1x1 pixel image still won't track the page load.

To track bots effectively, you need to check your server logs. In fact, you
could build a strong case for a bot click if the requesting IP pulled the
source HTML but didn't follow up with any image requests from the page. Not
loading images is typical bot behavior.

------
ryan_f
I was hoping the article would be a little more informative and definitive
according to the title. It is based on assumptions itself with a little theory
behind it.

As for the statement - "The first is that the traffic coming in had JavaScript
disabled. If this was the case then the JavaScript analytics software would
not detect the incoming traffic and therefore would not be able to log the
result at all." You can track incoming requests outside of javascript through
the server. That is possibly what they had wrote.

~~~
nakor
I can't believe someone who has 'delivered highly scalable solutions' actually
managed to write this line on his blog with a straight face. How were you not
able to deduce that the devs likely detected disabled javascript without the
use of javascript?

His whole post is devoid of content and nothing but statements without any
real substance or evidence.

~~~
devdazed
The point of my article was not on how the dev was detecting JS. So I didn't
want to go into detail on it. Even if he did that (which he never claims he
does) He would only see that people are coming in with JS turned off, not that
they came from facebook.

~~~
kordless
He does make the claim that 80% the clicks they were paying for had JS
disabled. That would imply the referrers were set on those requests to be from
Facebook and the IPs hitting the pages weren't registering in his JS based
analytics package. We know he's logging the hits to a file, so presumably that
data is there.

You claimed 'There were a few false assumptions made in the post. The first is
that the traffic coming in had JavaScript disabled.' Care to elaborate on how
it's a false assumption if the implied statement above is true?

I'll give you that he may be wrong, but I really don't see where there's
concrete evidence to support your claim he's making false assumptions!

------
allwein
Here's another possibility that popped into my head while reading this
article. What about browser prefetches? Is it possible that a browser, say
Chrome, is prefetching linked pages and that prefetching is being detected by
Facebook as an ad click?

I'll admit I know little to nothing about how prefetching works.

~~~
xentronium
If this worked like you think, bad things would happen. Think about all the
"?action=delete" or "/logout" links spread all over the internet.

~~~
vampirechicken
Bad things deserve to happen to web app operators who do not protect delete
and logout by putting them behind POST[1] request.

[1] pedantry - PUT, POST, DELETE implement it however you want. Just don't
change database state using GET.

------
learc83
So this article is claiming that 80% of people clicking on Facebook ads have
chosen to use https? Seems _way_ too high to me.

~~~
ceejayoz
Facebook has been strongly recommending people switch this on (a one-step
process, prompted in your news feed) for over a year now.
[http://www.insidefacebook.com/2011/06/02/https-secure-
browsi...](http://www.insidefacebook.com/2011/06/02/https-secure-browsing-
home-page/)

I'd be surprised if the number was as _low_ as 80%.

~~~
alainbryden
I've never received that prompt. If you read further down in that misleading
article you linked to, you would see that they don't show the prompt to all
their users:

> we're displaying this prompt when a user who has not enabled secure browsing
> (through the account settings option) manually changes their browser's
> address bar to <https://>, which does not fully protect their Facebook
> traffic.

I just had to go hunting through privacy and security settings for 5 minutes
to figure out how to enable HTTPS.

So no, I would guess fewer than 0.1% of Facebook users have this enabled.

~~~
ceejayoz
It's a year-old article. My company builds (among other things) Facebook apps
and we definitely receive this alert these days on test accounts that are
purely accessing via HTTP.

------
rfergie
All the Facebook campaigns I have run use url parameter tagging to track
clicks (i.e. for Google Analytics append &utm_source=facebook...) to the url.

I think this is fairly standard practice so it seems unlikely to me that
they'd have to use the referrer exclusively

~~~
devdazed
I've checked a handfull of the facebook ads and I didn't find any querystring
paramete attached.

------
bimr
Umm... the facebook post already stated that javascript analytics could only
verify 20% of the traffic. They also explained that they wrote their own
analytics sans javascript to verify that javascript was disabled.

How did he miss that? Self-inflicted black-eye for simplereach.com

