Facebook changes the norms for web purchasing and privacy

If you’ve got a Facebook account, try this experiment: Go to overstock.com and buy something. (I recommend Kwame Appiah’s “Cosmopolitanism” if you’re really stuck for something to purchase.) As you complete the purchase, a window appears in the bottom right of your browser window, announcing “Overstock.com is sending this to your Facebook profile”.

Okay, let the window disappear – on my browser, it takes only about ten seconds for it to disappear. Now log into Facebook. You’ve got a new item in your mini-feed, the message “Overstock.com is sending a story to your profile.”

There’s a check-off box to allow you to hide this message in the future – i.e., let Facebook post this “story” without warning you. Turning the feature off instead requires you to click “See More”, then “Edit Settings”, then tell Facebook that you don’t want Overstock.com to post stories to your profile.

There’s no global opt-out – no ability to tell Facebook, “Please stop posting my purchase behavior from any third-party sites to my feed.” You’ve got to opt out from each new partner you encounter, either by clicking on the window on the purchase site, or by turning off this “feature” for each partner on Facebook.

I had two reactions when I saw a demo of this feature on Tuesday. One was “Well, that looks like a good reason to get off Facebook.” And the other, hearkening back to my days as the creator of ad-driven user-created-content websites, was “Hot damn, someone finally did it.” Because, of course, this is the sort of information that ad targeting companies would kill for.

For me, the overwhelming feeling was one of uneasiness – in my head, at least, this isn’t how the web works. When you’re doing business with a website, your interactions have consequences only on that site, not on a completely unrelated website, right? Of course, that’s not true – it hasn’t been for a while. HTTP supports the ability to load items from multiple sites on the same webpage – you’re loading this page from ethanzuckerman.com, but the badge of flickr.com pictures in the sidebar is loading from flickr.com. It’s pretty common on content websites to accept ad banners loaded from a third party, and cookies set in your browser that can be used to track your browsing behavior between different sites. (Here’s a useful tool that allows you to detect ad-tracking cookies installed on your browser and opt out of those networks.)

So why is this alliance between Overstock and Facebook any different? Well, technically, it does something that’s unfamiliar and uncomfortable for people who’ve written web programs that use cookies. A cookie is supposed to be a secret string of information written by one website to your browser and accessible only to that website. You shouldn’t be able to write a script that asks for information in a cookie set by another server. (There’s a form of cross-site scripting attack called “cookie theft” designed to do exactly this.) It looks like Overstock is somehow accessing your profile information on Facebook, which it shouldn’t be able to do.

Of course, what’s actually happening is that when you load Overstock’s “transaction complete” page, you’re also loading something from Facebook, likely an invisible image and a script. Because that request goes to Facebook’s servers, your browser sends along your Facebook.com cookie, which contains your account information – Overstock never reads the cookie itself. Because Facebook and Overstock are cooperating in building a joint webpage, they can do something that seems… unheimlich… to those of us who’ve been playing on the web for the last dozen years.
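The two rules at work in the paragraphs above (a page’s scripts can only read cookies set by its own host, but a request to another host carries that other host’s cookies no matter which page embedded it) can be modelled in a few lines. The following is an added example, not code from the original post, Facebook or Overstock. The host names are the ones discussed here; the cookie values and the `/beacon.gif` and `/beacon.js` paths are constructed for illustration, and the `SameSite` attribute is a later browser mitigation that the post does not mention.

```javascript
// Added example, not from the original post: a small model of the browser
// rules that make the Overstock/Facebook page work. Host names are the ones
// the post discusses; cookie values and resource paths are constructed.

// The browser's cookie jar, keyed by the host that set each cookie.
// sameSite 'None' models the classic behaviour the post describes (no
// restriction); 'Lax' models the later SameSite mitigation.
const jar = [
  { host: 'facebook.com',  name: 'session', value: 'constructed-fb-session', sameSite: 'None' },
  { host: 'overstock.com', name: 'cart',    value: 'constructed-cart-id',    sameSite: 'None' },
];

// What a script running on a page served from pageHost can read through
// document.cookie: only cookies set by that host. This is the same-origin
// rule that keeps Overstock's own script from reading the Facebook cookie.
function readableCookies(pageHost, cookies = jar) {
  return cookies.filter(c => c.host === pageHost).map(c => c.name);
}

// Which cookies the browser attaches to a request for targetHost that is
// triggered from a page on pageHost (e.g. an <img> or <script> embedded there).
// With no SameSite restriction the target host's cookies go along even though
// the embedding page belongs to someone else; SameSite=Lax/Strict withholds
// them on cross-site subresource requests.
function cookiesSentTo(targetHost, pageHost, cookies = jar) {
  const crossSite = targetHost !== pageHost;
  return cookies
    .filter(c => c.host === targetHost)
    .filter(c => !crossSite || c.sameSite === 'None')
    .map(c => c.name);
}

// The resources Overstock's "transaction complete" page embeds, per the post:
// an invisible image and a script from facebook.com. Paths are hypothetical.
const transactionPage = {
  host: 'overstock.com',
  embedded: [
    { tag: 'img',    host: 'facebook.com', path: '/beacon.gif' },
    { tag: 'script', host: 'facebook.com', path: '/beacon.js' },
  ],
};

// Report, for each embedded resource, whether it is cross-site and which
// cookies the request carries. This is roughly the information a browser
// would need for a "this site wants to send information to another site"
// warning.
function crossSiteReport(page, cookies = jar) {
  return page.embedded.map(r => ({
    resource: `${r.tag} https://${r.host}${r.path}`,
    crossSite: r.host !== page.host,
    cookiesSent: cookiesSentTo(r.host, page.host, cookies),
  }));
}

// The same jar after facebook.com marks its cookie SameSite=Lax: the embedded
// image and script no longer identify the user to Facebook.
function withSameSiteLax(cookies = jar) {
  return cookies.map(c => c.host === 'facebook.com' ? { ...c, sameSite: 'Lax' } : c);
}

// Usage: compare what Overstock's own script can see with what the embedded
// Facebook resources send, before and after the SameSite change.
console.log('readable on overstock.com:', readableCookies('overstock.com'));
console.log('classic:', crossSiteReport(transactionPage));
console.log('SameSite=Lax:', crossSiteReport(transactionPage, withSameSiteLax()));
```

Run with `node`, the report shows that Overstock’s page can read only its own `cart` cookie, yet both embedded Facebook requests carry the `session` cookie under classic rules; once the cookie is `SameSite=Lax`, the same page loads the same resources but sends no cookie, which is the per-site version of the warning-or-block the post wishes browsers offered.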

My colleague David Weinberger has an excellent piece in the Huffington Post where he argues that Facebook is breaking social defaults on how privacy works with this new feature. “Our expectation is that our transactions at one site are neither to be made known to other sites nor made known to our friends. We may well want to let our friends know what we’ve bought, but the norm and expectation is that we will not,” he argues. This is especially important, because Facebook is huge and powerful – Facebook may change the social default on this topic, and it may become the norm to advertise your purchasing behavior to your social network of choice.

The web’s a lot more complicated than it used to be. My instinctive response to this new behavior was to turn off cookies in my browser. Of course, that also means turning off Facebook, which won’t let you log in with cookies turned off. The proper technical response may be some new sort of security alert in Firefox: “The site you’re visiting wants to send information to another site – do you want to allow this to happen?” Of course, as the wonderful Mac “security” ad points out, most of us just want to ignore these warnings. The truth is, if Facebook users don’t rebel against these new kinds of features, they’ll simply become the new default for interactions between commerce sites and social networks.

Pardon me while I switch all my embarrassing purchasing behavior over to another browser that doesn’t know anything about my social networking sites.


My colleague Wendy Seltzer has some useful thoughts on this new feature as well.

This entry was posted in Geekery, Media.

54 Responses to Facebook changes the norms for web purchasing and privacy

  1. Bluemashi says:

    I simply wished to let you understand that your blog doesn’t present up properly on the BB browser, I added it to my bookmarks and have simply checked from the desktop

  2. Tammy Edmond says:

    I think Facebook will make our life different.
    Guccioli Charm

  3. Pingback: Facebook Beacon: A Test of Web Users - AllFacebook

  4. Pingback: Facebook’s Brilliant but Evil design
