November 15, 2007

Facebook: Privacy versus cross-context aggregation

Filed under: law — wseltzer @ 12:10 pm

Over at Huffington Post, David Weinberger posts a critique of Facebook’s new “social advertising”: Facebook’s Privacy Default.

The new ad infrastructure enables Facebook to extend their reach onto other companies’ sites. For example, if you rent a copy of “Biodome” from, Blockbuster will look for a Facebook cookie on your computer. If it finds one, it will send a ping to Facebook. The Blockbuster site will pop up a “toast” (= popup) asking if you want to let your friends at Facebook know that you rented “Biodome.” If you say yes, next time you log into Facebook, Facebook will ask you to confirm that you want to let your friends know of your recent rental. If you say yes, that becomes an event that’s propagated in the news feed going to your friends.

Yet, I find myself creeped out by this system because Facebook gets the defaults wrong in two very significant areas.

When Blockbuster gives you the popup asking if you want to let your Facebook friends know about your rental, if you do not respond in fifteen seconds, the popup goes away … and a “yes” is sent to Facebook. Wow, is that not what should happen! Not responding far more likely indicates confusion or dismissal-through-inaction than someone thinking “I’ll save myself the click.”

Further, we are not allowed to opt out of the system. At your Facebook profile, you can review a list of all the sites you’ve been to that have presented you with the Facebook spam-your-friends option, and you can opt out of the sites one at a time. But you cannot press a big red button that will take you out of the system entirely. So, if you’ve deselected Blockbuster and the Manly Sexual Inadequacy Clinic from the list, if you go to a new site that’s done the deal with Facebook, you’ll get the popup again there. We should be allowed to Just Say No, once and for all.

Why? Because privacy is not just about information. It’s all about the defaults.

In one sense, what Facebook is doing is merely a progression from what credit card companies and loyalty card programs already do. In another sense, though, it seems like a breach of the norms of the Net.

If you want to be unaggregable in the real world, you pay in cash at stores large enough or far enough from home that the cashiers don’t recognize you. If you pay by credit card, Amex learns your purchase history across merchants, and can sell targeted lists to advertisers or advertising space in its billing statements. If you use a “partner” card, such as an airline rewards card or affiliate card, the partner gets access to your information while the credit card issuer learns one more piece of your profile. It’s as though American Airlines gets to tag along to watch all your purchases.

Facebook’s cookie mechanism puts that into web browsing, except instead of using a credit card to trigger it, you do nothing, just keep using your web browser. So it’s as though Facebook has dropped clerks (with incredible powers of recognition and infallible memory) into every store that you might visit, giving you no indication up-front.

The possibility of generating multiple profiles and of visiting sites without leaving trails from one to the next has led us to expect that the Net is less like using a credit card and more like paying cash: we can keep activities distinct online. Facebook has thrived on that, offering a space in which many participate because they think they can say there what they wouldn’t say in their neighborhood bar or the pages of the New York Times.

But new features tamper with sense of place, aggregating information brought in across contextual boundaries. The upside is that Facebook is doing this visibly: so pushing information about your commercial behavior into a social space can trigger user backlash. (Browse with a plugin like noscript to see who else is trying this with less warning.) Based on the similarities this “toast” behavior has to cross-sites scripting attacks, I hope it prompts browser or plugin developers to offer finer-grained viewing and control.

Update: Ethan Zuckerman gives detail on the sequence and some privacy thoughts of his own.

Update2: Thomas Roessler adds some ideas for policy hooks in code.


  1. [...] colleague Wendy Seltzer has some useful thoughts on this new feature as [...]

    Pingback by …My heart’s in Accra » Facebook changes the norms for web purchasing and privacy — November 15, 2007 @ 1:04 pm

  2. [...] David Weinberger’s critique of Facebook’s privacy defaults provides a good description and analysis of what Facebook is doing. More good analysis in this vein appears in Ethan Zuckerman’s Facebook changes the norms for web purchasing and privacy and Wendy Seltzer’s Facebook: Privacy versus cross-context aggregation. [...]

    Pingback by Juxtaprose - The world of advertising and the web — November 15, 2007 @ 8:10 pm

  3. use session cookies for fb, yo

    Comment by joe — November 15, 2007 @ 8:52 pm

  4. Has Facebook Stepped In It with Beacon?…

    In another example of its Better to apologize than ask permission approach, Facebook launched Beacon, a system that allows participating merchants to notice when a purchaser is a Facebook user and send alerts back to the Facebook newsfeed announcing th…

    Trackback by Christopher Herot's Weblog — November 22, 2007 @ 2:09 pm

  5. [...] Wendy Seltzer: Facebook: Privacy versus cross-context aggregation [...]

    Pingback by EU ser kritisk på Facebook - dSeneste — November 25, 2007 @ 10:52 am

  6. [...] Beacon. Or, so it would seem, anyway, with Doc Searls, Dave Winer, and Jason Calacanis (and a few others) making some good ol’ impassioned pleas To Do The Right Thing, as this kind of default opt-in [...]

    Pingback by Deep Jive Interests » Facebook’s Billion Dollar Evaluation Hinges On Apathy. *Our* Apathy. — November 25, 2007 @ 7:55 pm

  7. The major difference is that the Credit Card companies are well regulated, but Facebook is working in a space that is not so well regulated. On top of that, they seem to be willing to do anything that they can think of to make a buck off of their users. Another major difference is that the way in which Credit Card companies interact with people is much flatter - there are fewer layers and interdependencies.


    Comment by Bob — November 26, 2007 @ 3:01 pm

  8. [...] chief privacy complaint with the initial beacon model was the loss of context, a concern others raised as well . While you might have known that your [...]

    Pingback by Wendy’s Blog: Legal Tags » Facebook Founder Sees Contextual Privacy — when it’s his records decontextualized — December 3, 2007 @ 2:32 pm

  9. Hi, you might want to check out our new video, “Public is the New Private,” about how social networking sites have become forums for young people to post their personal business for everyone to see.

    Comment by Youth Radio — August 12, 2008 @ 6:24 pm

  10. [...] caused a huge outcry, reported throughout the traditional media and throughout the blogosphere. This outcry only intensified when began a petition to make Beacon an opt-in [...]

    Pingback by the Library Channel » Blog Archive » Big Brother is watching you on Facebook? — February 18, 2009 @ 3:43 pm

  11. [...] A different blogger, Wendy Seltzer, wrote a related post back in November involving how uses Facebook to share customers’ rental history with friends: Facebook: Privacy versus cross-context aggregation. [...]

    Pingback by Are Companies Sharing Your Purchase Habits With Your Friends? — May 27, 2009 @ 3:01 pm

RSS feed for comments on this post. TrackBack URL

Leave a comment

Powered by WordPress