Home » Blog » Geekery » Facebook changes the norms for web purchasing and privacy

Facebook changes the norms for web purchasing and privacy

If you’ve got a Facebook account, try this experiment: Go to overstock.com and buy something. (I recommend Kwame Appiah’s “Cosmopolitanism” if you’re really stuck for something to purchase.) As you complete the purchase, a window appears in the bottom right of your browser window, announcing “Overstock.com is sending this to your Facebook profile”.

Okay, let the window disappear – on my browser, it takes only about ten seconds for it to disappear. Now log into Facebook. You’ve got a new item in your mini-feed, the message “Overstock.com is sending a story to your profile.”

There’s a check-off box to allow you to hide this message in the future – i.e., let Facebook post this “story” without warning to you – to turn it off, it requires you to click “See More”, then “Edit Settings”, then tell Facebook that you don’t want Overstock.com to post stories to your profile.

There’s no global opt-out – no ability to tell Facebook, “Please stop posting my purchase behavior from any third-party sites to my feed.” You’ve got to opt out from each new partner you encounter, either by clicking on the window on the purchase site, or by turning off this “feature” for each partner on Facebook.

I had two reactions when I saw a demo of this feature on Tuesday. One was “Well, that looks like a good reason to get off Facebook.” And the other, hearkening back to my days as the creator of ad-driven user-created-content websites, was “Hot damn, someone finally did it.” Because, of course, this is the sort of information that ad targeting companies would kill for.

For me, the overwhelming feeling was one of uneasiness – in my head, at least, this isn’t how the web works. When you’re doing business with a website, your interactions have consequences only on that site, not on a completely unrelated website, right? Of course, that’s not true – it hasn’t been for a while. HTTP supports the ability to load items from multiple sites on the same webpage – you’re loading this page from ethanzuckerman.com, but the badge of flickr.com pictures in the sidebar is loading from flickr.com. It’s pretty common on content websites to accept ad banners loaded from a third party, and cookies set in your browser that can be used to track your browsing behavior between different sites. (Here’s a useful tool that allows you to detect ad-tracking cookies installed on your browser and opt out of those networks.)

So why is this alliance between Overstock and Facebook any different? Well, technically, it does something that’s unfamiliar and uncomfortable for people who’ve written web programs that use cookies. A cookie is supposed to be a secret string of information written by one website to your browser and accessible only to that website. You shouldn’t be able to write a script that asks for information in a cookie set by another server. (There’s a form of cross-site scripting attack called “cookie theft” designed to do exactly this.) It looks like Overstock is somehow accessing your profile information on Facebook, which it shouldn’t be able to do.

Of course, what’s actually happening is that when you load Overstock’s “transaction complete” page, you’re also loading something from Facebook, likely an invisible image, and a script, which allows Facebook to access your Facebook.com cookie, which containts account information. Because Facebook and Overstock are cooperating in building a joint webpage, they can do something that seems… unheimlich… to those of us who’ve been playing on the web for the last dozen years.

My colleague David Weinberger has an excellent piece in the Huffington Post where he argues that Facebook is breaking social defaults on how privacy works with this new feature. “Our expectation is that our transactions at one site are neither to be made known to other sites nor made known to our friends. We may well want to let our friends know what we’ve bought, but the norm and expectation is that we will not,” he argues. This is especially important, because Facebook is huge and powerful – Facebook may change the social default on this topic, and it may become the norm to advertise your purchasing behavior to your social network of choice.

The web’s a lot more complicated than it used to be. My instinctive response to this new behavior was to turn off cookies in my browser. Of course, that also means turning off Facebook, which won’t let you log in with cookies turned off. The proper technical response may be some new sort of security alert in Firefox: “The site you’re visiting wants to send information to another site – do you want to allow this to happen?” Of course, as the wonderful Mac “security” ad points out, most of us just want to ignore these warnings. The truth is, if Facebook users don’t rebel against these new kinds of features, they’ll simply become the new default for interactions between commerce sites and social networks.

Pardon me while I switch all my embarrasing purchasing behavior over to another browser that doesn’t know anything about my social networking sites.


My colleague Wendy Seltzer has some useful thoughts on this new feature as well.

54 thoughts on “Facebook changes the norms for web purchasing and privacy”

  1. Pingback: Wendy’s Blog: Legal Tags » Facebook: Privacy versus cross-context aggregation

  2. Requiring cookies to sign in is the thing that gets me. Wow. Enforcing the Facebook cookie in order to use the service. They are really walking the line and in this case they are definitely crossing some.

  3. It seems the only difference between this and a cross-site scripting attack is that my privacy is now violated by corporations rather than by random-hacker.

  4. Matt, I’ve seen a couple of Facebook protests regarding the new contextual advertising services on Facebook, but nothing specific about cookie-sharing between Facebook and Overstock (and, we suspect, more sites in the near future…) Sounds like a good opportunity to start one up – invite me if you do.

    Jack, I think you’re on the right track there, but I think the difference is that the script isn’t injected using a XSS bug but is a choice by the cooperating companies who believe, on some level, that they’re providing a service for their users. And some of their users may well see it that way…

  5. Pingback: contentious.com - links for 2007-11-15

  6. While it isn’t as nice as a global opt-out, you can at least say no thinks on the little pop-up to opt out of it without ever having to go to Facebook to do so.

    I think it’s really a secret plot to make people stop buying embarrassing items. Imagine the hilarity that could ensue if they partnered with an online adult store.

  7. The thing to keep in mind is that some people are going to love this feature. Do you think it’s possible to do this correctly, in a way that makes it possible to preserve privacy in a way that you’re comfortable with. Let’s keep in mind that initially many people were very uncomfortable with per-site cookies and now we’re all used to that. If Facebook’s mechanism were always opt-in instead of opt-out would that be sufficient to make enough people feel comfortable?

  8. It’s a great point, Natalie. I think a lot of people are going to enjoy the feature. It made me very uncomfortable, but I’m totally open to the idea that I’m likely to be in the minority. Making it entirely opt-in would satisfy a lot of my concerns – I can imagine voluntarily finding ways to sync my iTunes with Facebook so people can see what music I’ve recently added to my library, for instance. But it strikes me as very, very easy to miss what’s going on with this feature and simply ignore your way into the loss of privacy…

  9. Pingback: rexblog.com: Rex Hammock’s weblog » Blog Archive » links for 2007-11-16

  10. Pingback: Changing the norms for web purchasing & privacy « Project Kali

  11. Pingback: Facebook Beacon: A Test of Web Users - The Unofficial Facebook Blog

  12. Pingback: Facebook discloses its users to 3rd party web sites » alexander kirk » Blog Archive

  13. Pingback: Linkit 16.11.2007. at Ilja Suvanto

  14. Ethan,

    Would you see this differently if this were not implemented via cookies– which would be fairly trivial via IP/time log or another mechanism? Or would it be worse to have these companies tracking us by data exchanges… which they already are, of course?

    What if I purchase a server slot at Qwest’s SLC facility and record IP address and unencrypted traffic for Overstock, correlate with Facebook and other sites, — which essentially will give me very close to your purchase history, and more– and sell the data? Being done…

    Also, how about the likely, and likely essentially undisclosed, use of personal survey/preference/demographic data from AskVille by Amazon…?

    Alexa ? Google?

    This is why I would never have a FaceBook account…

  15. Pingback: Adam Crowe - links for 2007-11-17

  16. Pingback: Rants, Raves, and Rhetoric v4 » Blog Archive » links for 2007-11-17

  17. A Facebook group against is a little absurd. If you think this is an invasion of privacy, just quit Facebook! That’s what I did. But I wasn’t that enchanted with it to begin with.

    Unfortunately most people are lazy, and I think Ethan is right that this may become the new norm. But it sounds pretty terrible.

    Imagine the outcry if Amazon was selling your purchase history to Google, and Google was selling the keywords from your GMail account to Amazon.

    I wonder if the deluge of product promos from people who aren’t really your friends will drive people away from the service.

    Thanks Ethan, for the clear breakdown of how the new ad system works.

  18. Thanks for the eye-opening info. I tried to delete my facebook account but I couldn’t quite do it. I hope we will get rid of these criminals.

  19. Surely this can’t be by cookie alone? If that was the case what about shared computers? I might end up buying something but it would send that information to the facebook profile of another user of the PC.

    Surely this must be a combination of cookie AND email address – i.e. the third party site uses the email address you logged in/registered with, in combination with the cookie.

    If this is the case, couldn’t you just use different email addresses to unfox this?

  20. All I know is that this sucks I ordered all my Christmas gifts and the next thing I know everyone knows what they are getting. I cancled the entire order with Overstock and will no longer order from them.

  21. Pingback: Scripting News for 11/24/2007 « Scripting News Annex

  22. PNJ: So are you saying that every time a service that you like does something you don’t like, you should just quit instead of trying to do something about it?

    I think you’ve hit your personal nail on the head — you don’t particularly like Facebook.

    For those of us who do like Facebook, but would prefer that these things don’t get added as standard, default behaviour, there seems nothing wrong in trying to do something about it.

    There’s an irony in starting a Facebook group about it, I agree.

    I *really* hope the “most people are lazy” comment isn’t levelled at those of us who have found a social network on which a lot of our friends and colleagues reside, and don’t want to leave.

    Yes, I could find another network and encourage all my contacts to come with me, and perhaps we wouldn’t be “lazy” then (though we could be accused of poor use of time, when there are so many more important things to do). But why should I? And who’s to say that the new network won’t violate privacy at some point in the future? Or that, some other service, online or offline, won’t (for those that simply say “don’t use social networking services”)

  23. This is why I don’t mess with cookies. ALL cookies flush each time I quit the browser. See something weird? Cmd-Q and come back again with renewed anonymity.

    Did you know some websites will charge you *more* if you are a repeat customer for a specific product? I’ve had that happen too when Safari changed where they were storing their cookies (you now have to change the cookies folder to read-only rather than locking a cookie file).

  24. Pingback: FaceBook The New Spyware? : Smoke Rings, Coffee Stains

  25. One way to deal with this is to refuse to buy from companies that partner with Facebook in this way and to drop a line to their support desk stating this. It may only take a few such complaints to get them to change their mind about implementing it. But then like most similar protests, it may have no effect at all.

  26. Pingback: EU ser kritisk pÃ¥ Facebook - dSeneste

  27. Pingback: Fresh Vision Media - Blog Archive » Facebook vs. MoveOn.org

  28. Pingback: Das mit dem Datenschutz | gekow.net

  29. Pingback: » The Social Gene Pool : Whose Data Is It Anyway? Money.Power.Wisdom: Which Do YOU Want?

  30. Pingback: Î¤Î¿ Facebook, λίγο πριν το κλικ

  31. Pingback: Cross-web sharing between applications at Rage on Omnipotent

  32. Pingback: Sammelbecken 27.11.07 at Johannes Kleske - tautoko weblog

  33. Pingback: FreewareBB » Blog Archive » Digging into the latest Facebook privacy issue

  34. Pingback: Now I Simon › Facebook

  35. Pingback: E se facebook… « oh my marketing!

  36. Pingback: Webgrrls Wisdom » Are Companies Sharing Your Purchase Habits With Your Friends?

  37. This happened to me with overstock and facebook. I am so angry about it! I want to cancel my facebook account and I won’t buy from overstock ever again!!!!

  38. Pingback: Joshua Porter: Facebook’s Brilliant but Evil design « Scientia Potentia Est

  39. Pingback: think twice » Blog Archive » The things we take for granted (addendum)

  40. Pingback: wayneandwax.com » E-cologies & High Resolutions

  41. Pingback: the Library Channel » Blog Archive » Big Brother is watching you on Facebook?

  42. Pingback: …My heart’s in Accra » Bye, bye Beacon… and other bad ad ideas

  43. The guys who run FB need to come clean on exactly how intrusive the site can be. I understand they can use some pretty stealthy ways of tracking users when they are not even logged on

  44. Pingback: How your purchases could end up on FB. « myweku.com

  45. Pingback: Scuba-net.org » Blog Archive » Steve Fraser just purchased…

  46. The stories of Facebooks insane abuse of personal information always make me laugh. More so considering the sheer traffic that website has with a minuscule percentage aware of what Facebook is actually doing with all that data.

    The funny thing is, with that kind of traffic they could easily make good money without resorting to this horrible big brother style treatment.

Comments are closed.