Facebook changes the norms for web purchasing and privacy
If you’ve got a Facebook account, try this experiment: Go to overstock.com and buy something. (I recommend Kwame Appiah’s “Cosmopolitanism” if you’re really stuck for something to purchase.) As you complete the purchase, a window appears in the bottom right of your browser window, announcing “Overstock.com is sending this to your Facebook profile”.

Okay, let the window disappear - on my browser, it takes only about ten seconds for it to disappear. Now log into Facebook. You’ve got a new item in your mini-feed, the message “Overstock.com is sending a story to your profile.”

There’s a checkbox that lets you hide this message in the future - i.e., let Facebook post this “story” without warning you. To turn the feature off instead, you have to click “See More”, then “Edit Settings”, then tell Facebook that you don’t want Overstock.com to post stories to your profile.

There’s no global opt-out - no ability to tell Facebook, “Please stop posting my purchase behavior from any third-party sites to my feed.” You’ve got to opt out from each new partner you encounter, either by clicking on the window on the purchase site, or by turning off this “feature” for each partner on Facebook.
I had two reactions when I saw a demo of this feature on Tuesday. One was “Well, that looks like a good reason to get off Facebook.” And the other, hearkening back to my days as the creator of ad-driven user-created-content websites, was “Hot damn, someone finally did it.” Because, of course, this is the sort of information that ad targeting companies would kill for.
For me, the overwhelming feeling was one of uneasiness - in my head, at least, this isn’t how the web works. When you’re doing business with a website, your interactions have consequences only on that site, not on a completely unrelated website, right? Of course, that’s not true - it hasn’t been for a while. A single web page can embed items fetched from many different sites, each with its own HTTP request - you’re loading this page from ethanzuckerman.com, but the badge of flickr.com pictures in the sidebar is loading from flickr.com. It’s common for content websites to carry ad banners served by a third party, and because that third party sets a cookie in your browser and is embedded on many different sites, it sees the same cookie come back from each of them and can track your browsing across sites. (Here’s a useful tool that allows you to detect ad-tracking cookies installed in your browser and opt out of those networks.)
So why is this alliance between Overstock and Facebook any different? Well, technically, it does something that’s unfamiliar and uncomfortable for people who’ve written web programs that use cookies. A cookie is supposed to be a secret string of information written by one website to your browser and readable only by that website: a script running on one site shouldn’t be able to ask for a cookie set by another server. (Stealing cookies is the classic goal of cross-site scripting attacks, which work by injecting script into the victim site so that it runs with that site’s cookie access.) It looks like Overstock is somehow accessing your profile information on Facebook, which it shouldn’t be able to do.
Of course, what’s actually happening is that when you load Overstock’s “transaction complete” page, you’re also loading something from Facebook, likely an invisible image or a script, which Overstock uses to pass along what you bought. Your browser attaches your facebook.com cookie, which contains your account information, to any request bound for facebook.com, no matter which page triggered that request. Overstock never reads your Facebook cookie: it tells Facebook what you bought, and your browser tells Facebook who you are. Because Facebook and Overstock are cooperating in building a joint webpage, they can do something that seems… unheimlich (uncanny)… to those of us who’ve been playing on the web for the last dozen years.
My colleague David Weinberger has an excellent piece in the Huffington Post where he argues that Facebook is breaking social defaults on how privacy works with this new feature. “Our expectation is that our transactions at one site are neither to be made known to other sites nor made known to our friends. We may well want to let our friends know what we’ve bought, but the norm and expectation is that we will not,” he argues. This is especially important, because Facebook is huge and powerful - Facebook may change the social default on this topic, and it may become the norm to advertise your purchasing behavior to your social network of choice.

The web’s a lot more complicated than it used to be. My instinctive response to this new behavior was to turn off cookies in my browser. Of course, that also means turning off Facebook, which won’t let you log in with cookies turned off. The proper technical response may be some new sort of security alert in Firefox: “The site you’re visiting wants to send information to another site - do you want to allow this to happen?” Of course, as the wonderful Mac “security” ad points out, most of us just want to ignore these warnings. The truth is, if Facebook users don’t rebel against these new kinds of features, they’ll simply become the new default for interactions between commerce sites and social networks.
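To make the mechanism described above concrete, here is an added example written for this page (not code from Facebook or Overstock) modelling how a browser decides which cookies a page’s script can read versus which cookies it attaches to a request that page triggers. The hostnames, cookie names, the beacon URL and its query parameters are assumptions chosen to match the scenario in the post. It also implements the cross-site check a browser would need for the warning suggested above, and, as a caveat from later browsers, the SameSite cookie attribute, which did not exist in 2007 and which would have kept the Facebook cookie off a cross-site image or script request.

```javascript
// Added example for this page: a small model of browser cookie scoping, not
// Facebook's or Overstock's code. Hostnames, cookie names, the beacon URL and
// its query parameters are assumptions chosen to match the post's scenario.

// A cookie as stored in the browser's jar. `sameSite` is the modern attribute
// (Strict, Lax or None); 2007 browsers had no such thing, modelled here as 'None'.
function makeCookie(domain, name, value, sameSite = 'None') {
  return { domain, name, value, sameSite };
}

function hostOf(url) {
  return new URL(url).hostname;
}

// Simplified domain match: a cookie for "facebook.com" is sent to facebook.com
// and to any subdomain such as www.facebook.com (no public-suffix list here).
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// "Site" approximated as the last two labels of the hostname.
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// A request is cross-site when the page that triggers it and the request's
// destination belong to different sites.
function isCrossSite(pageUrl, requestUrl) {
  return siteOf(hostOf(pageUrl)) !== siteOf(hostOf(requestUrl));
}

// What a script running in the page can read through document.cookie: only
// cookies for the page's own site. This boundary is what XSS cookie theft
// gets around by running its script inside the victim site.
function cookiesReadableByPage(jar, pageUrl) {
  const host = hostOf(pageUrl);
  return jar.filter((c) => domainMatches(host, c.domain));
}

// What the browser attaches to a subresource request (image, script) the page
// triggers: cookies for the destination host, regardless of which page asked.
// SameSite=Strict and SameSite=Lax cookies are withheld from cross-site
// subresource requests; only SameSite=None (the 2007-style behaviour) is sent.
function cookiesSentWith(jar, pageUrl, requestUrl) {
  const host = hostOf(requestUrl);
  const crossSite = isCrossSite(pageUrl, requestUrl);
  return jar
    .filter((c) => domainMatches(host, c.domain))
    .filter((c) => !crossSite || c.sameSite === 'None');
}

// The warning the post wishes a browser would show: a cross-site request that
// would carry cookies identifying you to the other site.
function wouldWarn(jar, pageUrl, requestUrl) {
  return isCrossSite(pageUrl, requestUrl) &&
    cookiesSentWith(jar, pageUrl, requestUrl).length > 0;
}

// The post's scenario: logged in to Facebook, finishing a purchase at Overstock.
function beaconScenario(facebookSameSite = 'None') {
  const jar = [
    makeCookie('overstock.com', 'cart', 'abc123'),
    makeCookie('facebook.com', 'session', 'fb-session-token', facebookSameSite),
  ];
  const page = 'https://www.overstock.com/checkout/complete?order=9';
  // Assumed beacon: the "transaction complete" page embeds this as an invisible
  // image or script, and Overstock puts what you bought in the query string.
  const beacon = 'https://www.facebook.com/beacon?site=overstock&item=Cosmopolitanism';
  return {
    crossSite: isCrossSite(page, beacon),
    overstockScriptCanRead: cookiesReadableByPage(jar, page).map((c) => c.name),
    sentToFacebook: cookiesSentWith(jar, page, beacon).map((c) => c.name),
    browserShouldWarn: wouldWarn(jar, page, beacon),
  };
}

console.log('2007-style cookies:', beaconScenario());
console.log('with SameSite=Lax on the Facebook cookie:', beaconScenario('Lax'));
```

Running it shows the two halves of the cookie rule side by side: Overstock’s page script can read only the `cart` cookie, yet the request to facebook.com that the same page triggers carries the Facebook `session` cookie, which is all Facebook needs to tie the purchase to your account. The same-origin rule protects what scripts can read, not what the browser sends. Marking the Facebook cookie SameSite=Lax (a later browser feature, added here as a caveat) keeps it off the cross-site subresource request, and the `wouldWarn` check is one way to express the alert the post asks for.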
Pardon me while I switch all my embarrassing purchasing behavior over to another browser that doesn’t know anything about my social networking sites.
My colleague Wendy Seltzer has some useful thoughts on this new feature as well.
November 15th, 2007 at 1:15 pm
[...] Ethan Zuckerman gives detail on the sequence and some privacy thoughts of his [...]
November 15th, 2007 at 1:38 pm
OMG…
(great post, indeed)
November 15th, 2007 at 2:06 pm
Is there a Facebook group yet for protesting this?
November 15th, 2007 at 2:15 pm
Requiring cookies to sign in is the thing that gets me. Wow. Enforcing the Facebook cookie in order to use the service. They are really walking the line and in this case they are definitely crossing some.
November 15th, 2007 at 3:05 pm
It seems the only difference between this and a cross-site scripting attack is that my privacy is now violated by corporations rather than by random-hacker.
November 15th, 2007 at 3:58 pm
Matt, I’ve seen a couple of Facebook protests regarding the new contextual advertising services on Facebook, but nothing specific about cookie-sharing between Facebook and Overstock (and, we suspect, more sites in the near future…) Sounds like a good opportunity to start one up - invite me if you do.
Jack, I think you’re on the right track there, but I think the difference is that the script isn’t injected using a XSS bug but is a choice by the cooperating companies who believe, on some level, that they’re providing a service for their users. And some of their users may well see it that way…
November 15th, 2007 at 6:23 pm
[...] …My heart’s in Accra » Facebook changes the norms for web purchasing and privacy “There’s no global opt-out to tell Facebook, “Don’t post my purchase behavior from any third-party sites to my feed.” You must opt out from each new partner by clicking on the window on the purchase site, or by turning this off for each partner.” (tags: social+media change privacy advertising business+models tidbits+fodder business problems usability) [...]
November 15th, 2007 at 7:24 pm
While it isn’t as nice as a global opt-out, you can at least say no thanks on the little pop-up to opt out of it without ever having to go to Facebook to do so.
I think it’s really a secret plot to make people stop buying embarrassing items. Imagine the hilarity that could ensue if they partnered with an online adult store.
November 15th, 2007 at 8:11 pm
The thing to keep in mind is that some people are going to love this feature. Do you think it’s possible to do this correctly, in a way that makes it possible to preserve privacy in a way that you’re comfortable with? Let’s keep in mind that initially many people were very uncomfortable with per-site cookies and now we’re all used to that. If Facebook’s mechanism were always opt-in instead of opt-out, would that be sufficient to make enough people feel comfortable?
November 15th, 2007 at 9:35 pm
It’s a great point, Natalie. I think a lot of people are going to enjoy the feature. It made me very uncomfortable, but I’m totally open to the idea that I’m likely to be in the minority. Making it entirely opt-in would satisfy a lot of my concerns - I can imagine voluntarily finding ways to sync my iTunes with Facebook so people can see what music I’ve recently added to my library, for instance. But it strikes me as very, very easy to miss what’s going on with this feature and simply ignore your way into the loss of privacy…
November 16th, 2007 at 1:29 am
[...] Facebook changes the norms for web purchasing and privacy | Ethan Zuckerman Quote - If Facebook users don’t rebel against these new kinds of features, they’ll simply become the new default for interactions between commerce sites and social networks. (tags: business advertising facebook privacy identity socialnetworks) [...]
November 16th, 2007 at 2:46 am
[...] Changing the norms for web purchasing & privacy November 16, 2007 Filed under: Uncategorized — quangtran @ 6:46 am (via Ethan Zuckerman) [...]
November 16th, 2007 at 7:02 am
I think this one may go the way of the mini-feed. A minor protest then it will be accepted.
November 16th, 2007 at 12:17 pm
[...] Beacon was simply in beta and they were testing out the response of users. As Ethan Zuckerman has pointed out, the response may not be that great and ultimately their new Beacon service could ultimately [...]
November 16th, 2007 at 1:01 pm
[...] gist is this: when you buy something at a participating web site (Ethan Zuckerberg shows how it is done at overstock.com), Facebook discloses to that 3rd party web site, that you are a user of Facebook, and hands over [...]
November 16th, 2007 at 5:50 pm
[...] Facebook changes the norms for web purchasing and privacy - …My heart’s in Accra Ethan Zuckerman noticed Facebook and overstock.com engaging in questionable cooperation. Purchases made at Overstock appeared on his Facebook page without Zuckerman’s own choosing. [...]
November 16th, 2007 at 6:55 pm
Ethan,
Would you see this differently if this were not implemented via cookies– which would be fairly trivial via IP/time log or another mechanism? Or would it be worse to have these companies tracking us by data exchanges… which they already are, of course?
What if I purchase a server slot at Qwest’s SLC facility and record IP address and unencrypted traffic for Overstock, correlate with Facebook and other sites, — which essentially will give me very close to your purchase history, and more– and sell the data? Being done…
Also, how about the likely, and likely essentially undisclosed, use of personal survey/preference/demographic data from AskVille by Amazon…?
Alexa ? Google?
This is why I would never have a FaceBook account…
November 16th, 2007 at 8:35 pm
[...] My heart’s in Accra - Facebook changes the norms for web purchasing and privacy “There’s no global opt-out - no ability to tell Facebook, “Please stop posting my purchase behavior from any third-party sites to my feed.” You’ve got to opt out from each new partner you encounter…” (tags: facebook beacon advertising privacy cookies scripting datamining surveillance backlash) [...]
November 17th, 2007 at 4:34 am
[...] Facebook changes the norms for web purchasing and privacy Alliances with shopping web sites can allow Facebook friends to see your shopping habits. (tags: facebook privacy) [...]
November 17th, 2007 at 9:05 am
A Facebook group against this is a little absurd. If you think this is an invasion of privacy, just quit Facebook! That’s what I did. But I wasn’t that enchanted with it to begin with.
Unfortunately most people are lazy, and I think Ethan is right that this may become the new norm. But it sounds pretty terrible.
Imagine the outcry if Amazon was selling your purchase history to Google, and Google was selling the keywords from your GMail account to Amazon.
I wonder if the deluge of product promos from people who aren’t really your friends will drive people away from the service.
Thanks Ethan, for the clear breakdown of how the new ad system works.
November 18th, 2007 at 11:54 am
Thanks for the eye-opening info. I tried to delete my facebook account but I couldn’t quite do it. I hope we will get rid of these criminals.
November 19th, 2007 at 6:18 pm
Surely this can’t be by cookie alone? If that was the case what about shared computers? I might end up buying something but it would send that information to the facebook profile of another user of the PC.
Surely this must be a combination of cookie AND email address - i.e. the third party site uses the email address you logged in/registered with, in combination with the cookie.
If this is the case, couldn’t you just use different email addresses to unfox this?
November 20th, 2007 at 2:44 pm
All I know is that this sucks. I ordered all my Christmas gifts and the next thing I know everyone knows what they are getting. I cancelled the entire order with Overstock and will no longer order from them.
November 24th, 2007 at 12:43 pm
[...] Ethan Zuckerman explains, with screen shots. [...]
November 24th, 2007 at 4:47 pm
PNJ: So are you saying that every time a service that you like does something you don’t like, you should just quit instead of trying to do something about it?
I think you’ve hit your personal nail on the head — you don’t particularly like Facebook.
For those of us who do like Facebook, but would prefer that these things don’t get added as standard, default behaviour, there seems nothing wrong in trying to do something about it.
There’s an irony in starting a Facebook group about it, I agree.
I *really* hope the “most people are lazy” comment isn’t levelled at those of us who have found a social network on which a lot of our friends and colleagues reside, and don’t want to leave.
Yes, I could find another network and encourage all my contacts to come with me, and perhaps we wouldn’t be “lazy” then (though we could be accused of poor use of time, when there are so many more important things to do). But why should I? And who’s to say that the new network won’t violate privacy at some point in the future? Or that, some other service, online or offline, won’t (for those that simply say “don’t use social networking services”)
November 24th, 2007 at 9:32 pm
This is why I don’t mess with cookies. ALL cookies flush each time I quit the browser. See something weird? Cmd-Q and come back again with renewed anonymity.
Did you know some websites will charge you *more* if you are a repeat customer for a specific product? I’ve had that happen too when Safari changed where they were storing their cookies (you now have to change the cookies folder to read-only rather than locking a cookie file).
November 24th, 2007 at 11:55 pm
[...] a big ass long thing I was going to post about this on another site, but I’ll leave you with someone else’s words on it and let you figure it out for yourselves. Keep in mind it is more than just Overstock, it is also [...]
November 25th, 2007 at 2:02 am
Here it is:
http://www.facebook.com/group.php?gid=5930262681&ref=nf
November 25th, 2007 at 4:12 am
One way to deal with this is to refuse to buy from companies that partner with Facebook in this way and to drop a line to their support desk stating this. It may only take a few such complaints to get them to change their mind about implementing it. But then like most similar protests, it may have no effect at all.
November 25th, 2007 at 11:52 am
[...] Ethan Zuckerman: Facebook changes the norms for web purchasing and privacy [...]
November 25th, 2007 at 7:44 pm
[...] Zuckerman provides a good example of this. Ethan displays a wonderful rundown of what happens with the new Facebook Beacon Ad program. If you’ve got a Facebook account, try [...]
November 25th, 2007 at 9:12 pm
[...] Facebook changes the norms for web purchasing and privacy [...]
November 26th, 2007 at 1:51 am
[...] Ethan Zuckerman - Facebook changes the norms for web purchasing and privacy [...]
November 26th, 2007 at 5:51 am
[...] an idea of the situation: | Calacanis | Doc Searls | Dave Winer | Ethan Zuckerman | Jeff Jarvis | David Wienberger | Wendy Seltzer | Matt [...]
November 26th, 2007 at 8:21 am
[...] move by Facebook to team up with retailers and share information: automatically updating your Facebook profile with purchases you have made. I can see why people [...]
November 27th, 2007 at 2:50 am
[...] considered under the title ‚Beacon‘ and above all criticized. Joshua Porter, David Weinberger and Ethan Zuckerman each give a good overview. Even moveon.org has now gotten involved. [...]
November 28th, 2007 at 2:13 pm
[...] Ethan Zuckerman explains, with screen shots. “Pardon me while I switch all my embarrasing purchasing behavior over to another browser that doesn’t know anything about my social networking sites.” [...]
November 29th, 2007 at 12:26 am
[...] even more interesting, and here are couple of articles that explaining the issue a little better: Facebook changes the norms for web purchasing and privacy Facebook’s Brilliant but Evil [...]
November 30th, 2007 at 12:57 pm
[...] it seems, from gone verbose’s post of 24/11, that it has been like this for a few days (your purchases are communicated to the network of your acquaintances, and it seems there is no way to disab…, although perhaps now there [...]
December 19th, 2007 at 11:34 pm
[...] Today someone sent me a blog post that discusses how some e-commerce sites are automatically broadcasting information about your online behavior to the popular social networking site: Facebook: Facebook changes the norms for web purchasing and privacy. [...]