Over at Huffington Post, David Weinberger posts a critique of Facebook’s new “social advertising”: Facebook’s Privacy Default.
The new ad infrastructure enables Facebook to extend their reach onto other companies’ sites. For example, if you rent a copy of “Biodome” from Blockbuster.com, Blockbuster will look for a Facebook cookie on your computer. If it finds one, it will send a ping to Facebook. The Blockbuster site will pop up a “toast” (= popup) asking if you want to let your friends at Facebook know that you rented “Biodome.” If you say yes, next time you log into Facebook, Facebook will ask you to confirm that you want to let your friends know of your recent rental. If you say yes, that becomes an event that’s propagated in the news feed going to your friends.
Yet, I find myself creeped out by this system because Facebook gets the defaults wrong in two very significant areas.
When Blockbuster gives you the popup asking if you want to let your Facebook friends know about your rental, if you do not respond in fifteen seconds, the popup goes away … and a “yes” is sent to Facebook. Wow, is that not what should happen! Not responding far more likely indicates confusion or dismissal-through-inaction than someone thinking “I’ll save myself the click.”
Further, we are not allowed to opt out of the system. At your Facebook profile, you can review a list of all the sites you’ve been to that have presented you with the Facebook spam-your-friends option, and you can opt out of the sites one at a time. But you cannot press a big red button that will take you out of the system entirely. So, if you’ve deselected Blockbuster and the Manly Sexual Inadequacy Clinic from the list, if you go to a new site that’s done the deal with Facebook, you’ll get the popup again there. We should be allowed to Just Say No, once and for all.
Why? Because privacy is not just about information. It’s all about the defaults.
In one sense, what Facebook is doing is merely a progression from what credit card companies and loyalty card programs already do. In another sense, though, it seems like a breach of the norms of the Net.
If you want to be unaggregable in the real world, you pay in cash at stores large enough or far enough from home that the cashiers don’t recognize you. If you pay by credit card, Amex learns your purchase history across merchants, and can sell targeted lists to advertisers or advertising space in its billing statements. If you use a “partner” card, such as an airline rewards card or affiliate card, the partner gets access to your information while the credit card issuer learns one more piece of your profile. It’s as though American Airlines gets to tag along to watch all your purchases.
Facebook’s cookie mechanism puts that into web browsing, except instead of using a credit card to trigger it, you do nothing, just keep using your web browser. So it’s as though Facebook has dropped clerks (with incredible powers of recognition and infallible memory) into every store that you might visit, giving you no indication up-front.
The possibility of generating multiple profiles and of visiting sites without leaving trails from one to the next has led us to expect that the Net is less like using a credit card and more like paying cash: we can keep activities distinct online. Facebook has thrived on that, offering a space in which many participate because they think they can say there what they wouldn’t say in their neighborhood bar or the pages of the New York Times.
But new features tamper with sense of place, aggregating information brought in across contextual boundaries. The upside is that Facebook is doing this visibly: so pushing information about your commercial behavior into a social space can trigger user backlash. (Browse with a plugin like noscript to see who else is trying this with less warning.) Based on the similarities this “toast” behavior has to cross-sites scripting attacks, I hope it prompts browser or plugin developers to offer finer-grained viewing and control.
Update: Ethan Zuckerman gives detail on the sequence and some privacy thoughts of his own.
Update2: Thomas Roessler adds some ideas for policy hooks in code.