Facebook & Washington Post behavior I cannot explain

I was looking at some local news on Washington Post’s website. I happen to notice that there in the right gutter along with miscellaneous ads which my brain filters out of my awareness, was a blue box. In the blue box was a list of things my Facebook friends have “liked” on WaPo recently.

And this took me by surprise.

I opened a different browser and headed to Facebook. First, I checked my Application Settings to see if a Washington Post application had slipped into my profile. I had this happen – Gizmodo and some other sites appeared in my authorized application list without getting my authorization. See this article for more. There was no Washington Post application. Next up, I checked my Privacy Settings to verify once more that I disabled Instant Personalization. And yes, that was still the case.

So, wtf?

I clicked on the big red X that WaPo had so kindly put in the blue box with my friends activities. Instead of removing the widget, it brought me to my Washington Post account. (At some point, I registered an account with the Post so I could actually read what they wrote – I know, crazy eh?) And there was a setting called Network News. Sure enough I was opt’ed in to that. This Network News setting enabled the Facebook social activity widget to appear on the pages I saw.

Here’s the million dollar question – How did Washington Post link to my Facebook profile? I certainly never used Facebook Connect, nor have I ever “Liked” something on the Post.

The best guess I’ve got at this point is that the Post used my profile email address to match with Facebook. But this is a pretty weak theory as I have my privacy settings cranked down tight on such things at Facebook, for what that is worth. I check the Post’s privacy policy and no mention of Facebook anywhere.

Anyone have an idea on this? Anyone seeing the same behavior?

BTW – if you want out of the Post’s Network News, go here to change your preferences.

20 Replies to “Facebook & Washington Post behavior I cannot explain”

  1. While not answering your question … thought you might be interested by this note from Facebook developer area:

    “Starting June 1, 2010, all applications will be able to access only a user’s public data unless the user grants your application the extended permissions it needs. Read the upgrade guide for details.”

    So some recognition that the mechanisms in place today are too open.

  2. Same here; the CNN.com one could not initially be disabled until I tried again this AM. Also was able to easily disable the Post one. I suspect it’s just an iFrame that’s embedded in their page, but pretty creepy nevertheless.

    – Scott –

  3. @paul – I knew that about applications. But since there was no Washington Post application, I am still a little stumped as to how it matched my profile.

  4. @scott – definitely an iFrame trick and that weirds me out. There’s no malware vector like an iFrame. And there’s no productivity suck vector like an iPhone.

  5. Ian, my understanding is that it’s not your Post account at all. It’s your FB account. If you weren’t logged into FB, it wouldn’t work. The switch on/off is at:

    Account > Privacy Settings > Applications and Websites > Instant Personalization Pilot Program

    I believe they need to be a FB partner in order to make this work, so not every joe schmoe site can leverage your FB account to personalize information. After I read about it, I actually left it enabled. I’m going to enable the experiment and see if I can get any valuable personalized experience out of it.

    Here’s the help link:
    http://www.facebook.com/help/?page=1068

  6. @Matt

    I knew about Instant Personalization and I disabled it the day it came out. So what i cannot figure out is if I.P. was the culprit and Facebook shared data with WaPo before I had time to disable things or if something else was afoot.

  7. Sounds like it’s not working as advertised if you disabled it and it still functions. …unless these ‘social plugins’ are different than IP.

    The code for them definitely pulls from FB, so I still don’t think the partner sites have any of your info. In fact, you don’t need an account at CNN.com to see the personalized FB content. But you DO need to be logged into FB. When I log out, I don’t see any personalized FB content, which again confirms that it’s coming from FB and not stored locally.

  8. The exact same thing happened to me. It’s because you did not explicitly log out of Facebook. Want to see something scary? Open two browser tabs. The first one, Facebook (logged in). The second one, Washington Post. Unless you’ve explicitly turned off Network News in your WP profile, you’ll see the list of your friends. Now, switch to the Facebook tab and log off. Notice how your WP tab has changed simultaneously, without you doing anything in that window? Nice, huh?

  9. I have to confess that much of what you write is over my head, technology-wise. That said, I appreciate the heads up. Reading your article really prompts me to sign off on FB permanently. I have found it annoying, and felt co-opted to join in the first place by a kind of adult peer pressure, especially from those that I work with in the communications industry who say you HAVE to do it to not look like a dinosaur. This is really outrageous. From now on I will shut down FB completely when I’m done using it. That’s one step. I also disabled the personalization on WaPo. I’m now going to check my FB settings for the 18th time this month to make sure they are tight enough. Ugh. This is simply not worth it. Thanks again.

  10. I was highly creeped out by this and so I tried to cancel my WaPo account. I apparently failed. I tried to cancel several times, and then I created a new WaPo account using a different email address- and my facebook friends’ links still show up when I’ve got facebook open in an incognito window in Chrome. Creeeeeeeepy.

  11. Hey Ian,

    Found this article through the Greenwald link, and I just wanted to clear up a misperception. The Washington Post still has no idea what your Facebook account is – the blue box is an iframe onto facebook.com, and it’s served entirely by Facebook. No information is transferred to the Wapo, and none of the rest of your activity on Wapo is linked back to Facebook, unless you explicitly choose to (by clicking the “Like” plugin, for example).

  12. Hey Luke –

    Thanks for the clarification – I figured this out a while ago but never posted the follow-up. What threw me was two things – how FB does session management and that WaPo had a defaulted me in to their personalization without informing me.

  13. FWIW, I became suspicious when a Los Angeles paper’s site, dailynews.com, linked my anonymous (nor not logged-in) article comments with the small city I call home. I never identified my city; nor did I have any account with the Daily News. But their comments provider, Topix, sure had my number – and linked my comment to my town. At first I suspected the IP – but my IP never registers as my town because my IPs servers are not located here.
    Incidentally, there was no disclosure on the site about Topix, their 3rd party comments host. I found out only when demanded that my now-identifying comment be taken down. They couldn’t because Topix controlled it.
    Something to think about when we believe we’re commenting anonymously. Not so.

Leave a Reply