Last month, Facebook announced a number of new features, including “personalization” (which generated significant controversy) and “social plugins.” The plugins are described as follows:
Social plugins let you see what your friends have liked, commented on or shared on sites across the web. All social plugins are extensions of Facebook and are specifically designed so none of your data is shared with the sites on which they appear.
According to Mashable, over 50,000 plugins have been installed since the rollout. Seeing one’s Facebook friends suddenly start showing up on third party sites has raised privacy concerns, which Facebook quickly addressed in a blog post, stating “Because [third party sites] have given Facebook this “real estate” on their sites, they do not receive or interact with the information that is contained or transmitted there.”
Here’s the rub. By giving “real estate” to Facebook, third party sites have created a one-way mirror, allowing Facebook to peer in on what we’re doing. If you’re logged in to Facebook, and you visit a third party page with a social plugin, Facebook knows where you’ve been. The mechanism is simple – cookies and referrals – and it will allow Facebook to create personalized behavioral profiles that, combined with the information we articulate in Facebook, will be tremendously valuable.
To explore the privacy implications of Facebook’s social plugins, I visited the websites of the top 15 U.S. online news destinations (based on some 2009 Nielsen data), and a few honorable mentions. I then selected a news story from the front page, and loaded the page. I checked to see if social plugins were enabled, if the Facebook cookie was called, and if the referring page was sent to Facebook (basically, did the site identify you to Facebook, and share the page you were on).
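The same check can be run over an exported request log instead of by hand. This is an added example, not the author's tooling; the HAR-style entry shape, `news.example`, the `notfacebook.com` look-alike and the plugin path are constructed assumptions.

```javascript
// Added example: the two checks from the post, run over a HAR-style request list.
const TRACKER_DOMAIN = "facebook.com";

// Match facebook.com and its subdomains, not look-alikes such as notfacebook.com.
function isTrackerHost(hostname) {
  const h = hostname.toLowerCase();
  return h === TRACKER_DOMAIN || h.endsWith("." + TRACKER_DOMAIN);
}

// HTTP header names are case-insensitive; returns null when absent.
function header(entry, name) {
  const hit = (entry.headers || []).find(h => h.name.toLowerCase() === name);
  return hit ? hit.value : null;
}

function safeUrl(s) {
  try { return new URL(s); } catch (e) { return null; }
}

// Report whether loading pageUrl produced a plugin request, whether that request
// carried a cookie, and whether its Referer named the article being read.
function auditPage(pageUrl, entries) {
  const page = new URL(pageUrl);
  const out = { pluginLoaded: false, cookieSent: false, pageDisclosed: false, identifiedVisit: false };
  if (isTrackerHost(page.hostname)) return out; // first-party visit, not an embed
  for (const e of entries) {
    const url = safeUrl(e.url);
    if (!url || !isTrackerHost(url.hostname)) continue;
    const cookie = header(e, "cookie");
    const ref = safeUrl(header(e, "referer") || "");
    const hasCookie = cookie !== null && cookie.trim() !== "";
    const disclosed = !!ref && ref.origin === page.origin && ref.pathname === page.pathname;
    out.pluginLoaded = true;
    out.cookieSent = out.cookieSent || hasCookie;
    out.pageDisclosed = out.pageDisclosed || disclosed;
    // Cookie and page URL in the same request tie the reader to the article.
    out.identifiedVisit = out.identifiedVisit || (hasCookie && disclosed);
  }
  return out;
}

// Constructed sample capture: news.example and the plugin path are placeholders.
const SAMPLE_PAGE = "https://news.example/politics/story-123";
const SAMPLE_ENTRIES = [
  { url: SAMPLE_PAGE, headers: [] },
  { url: "https://cdn.notfacebook.com/a.js", headers: [{ name: "Referer", value: SAMPLE_PAGE }] },
  { url: "https://www.facebook.com/plugins/example-widget", headers: [
    { name: "Referer", value: SAMPLE_PAGE }, { name: "Cookie", value: "session=CONSTRUCTED" }] },
];
console.log(auditPage(SAMPLE_PAGE, SAMPLE_ENTRIES));
```

A logged-out visitor shows up as `pageDisclosed: true` with `cookieSent: false`: the article URL still reaches the plugin host, but without the cookie that identifies the reader.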
I found that of the top 15 online news destinations, 9 were sharing information with Facebook (MSNBC, CNN, CBS, ABC, Fox News, Washington Post, and the Tribune, McClatchy and Gannett Companies[1]). Notably, The New York Times, BBC, Yahoo News, AOL News, and Google News did not share information. I then checked a few favorites of mine: NPR (yes), Drudge (no), Huffington Post (yes), and Politico (no). I’ve included all of the details in a spreadsheet, embedded below (or as an HTML version).
According to Nielsen, the 9 news organizations sharing information with Facebook account for over 177,161,000 monthly unique visitors. Granted, not all of these views will go to social plugin enabled pages, and not all visitors will be logged-in Facebook users. But with 400 million users, it is safe to assume that a substantial proportion of that information will go to Facebook. If you stay logged in to Facebook, it is increasingly likely that Facebook will know what news you read.
My beef here isn’t necessarily with Facebook; Google and other behavioral-targeting firms have very similar SOPs. Rather, I’m uncomfortable that so many news organizations felt comfortable sharing the news-reading behaviors of their customers who just so happen to be logged in to Facebook. And really, what do they get for trading this tremendously valuable asset? I get to see that a random friend liked an article?
I think it is time that someone wrote a Firefox plugin that specifically manages the Facebook cookie, only allowing it to be accessed when someone is on Facebook proper. Clearly, we can’t trust third parties – even reputable news organizations – to protect our data. Here’s the spreadsheet from my analysis:
Note: For media conglomerates (Tribune, McClatchy, Gannett) I visited the flagship outlet (Chicago Trib, Sac Bee, and USA Today, respectively).








They’re trading our data, which they still get to see and keep with their own cookies anyway, for free traffic. FB is a huge traffic driver, so a like causes your friends to click onto the same article.
It seems like the Firefox TACO (Targeted Advertising Cookie Opt-Out) plugin has potential to fight this. I am looking at this plugin now.
I suppose one could always simply pick a browser to dedicate to Facebook usage.
One final idea, at least on Windows, would be to run a browser using the ‘run as’ option. Run it as a different user than you normally log in with. I need to do some testing, but it is possible this scheme would confine cookies set by Facebook to only this browser session, and they would spill over.
@ceo – Right, of course. I guess what I find problematic is that news organizations are willing to give my information away just for that upside. I guess news organizations aren’t in any financial shape to justify a privacy-enhancing decision in favor of a bottom-line decision.
@John – What I’m doing is just using a secondary browser for Facebook. A nice side benefit is that I’ve also broken myself of reflexive FB checking.
[...] said about Facebook’s recent changes concerning the privacy of user data. Michael Zimmer and Fred Stutzman provide enlightening details and perspective, and concern is going “mainstream”: [...]
One final idea, at least on Windows, would be to run a browser using the ‘run as’ option. Run it as a different user than you normally log in with. I need to do some testing, but it is possible this scheme would confine cookies set by Facebook to only this browser session, and they would spill over.
+1
[...] Fred Stutzman of the University of North Carolina dug into the hidden layer, or perhaps the first layer, of Facebook’s policy, examining what happens when we use the 15 largest news sites in the USA. “According to Nielsen, the 9 news organizations sharing information with Facebook account for over 177,161,000 monthly unique visitors. Granted, not all of these views will go to social plugin enabled pages, and not all visitors will be logged-in Facebook users. But with 400 million users, it is safe to assume that a substantial proportion of that information will go to Facebook. If you stay logged in to Facebook, it is increasingly likely that Facebook will know what news you read.” [...]