Follow-up on Facebook and The Washington Post

I’ve been getting a lot of comments on my post about Facebook and The Washington Post. I wanted to just write a brief follow-up on it. I had Luke Shepard of Facebook present at the Gartner Catalyst conference last week and through a bit of serendipity he found Tuesdaynight and my recent post. He kindly provided this clarification on what was going on:

The Washington Post still has no idea what your Facebook account is – the blue box is an iframe onto facebook.com, and it’s served entirely by Facebook. No information is transferred to the Wapo, and none of the rest of your activity on Wapo is linked back to Facebook, unless you explicitly choose to (by clicking the “Like” plugin, for example).

As I mentioned in my comment back to him, there were two things that threw me off. First, I didn’t realize how Facebook’s session management worked. FB sessions live on after you close the browser unless you explicitly log-off. This is no different than any other website. However, what is a bit different is that  sites with Facebook’s embedded iframe can take advantage of you departed-but-not-logged-out session and this is exactly what was happening on WaPo. Second, I have a problem with WaPo giving me a choice about Network News but not informing me about it. Furthermore, the default opt-in on the part of WaPo I think disrespects people’s desire for meaningful choice and control.

Thanks to Luke for providing a bit of insight and thanks to all of you how have commented on the previous post.

Waiter – there’s no (more) identity in my blog

Sorry to interrupt you attempting to set you Facebook privacy settings, but I have to tell you something. I’ve got me a new blog over at Gartner. You can get all my rambling goodness on identity management related stuff over there. As for the rants about privacy, they are likely going to stay here, but you never can tell.

Also, I am thinking of building a new version of Privacy Mirror to use the graph API. Any one have feature requests?

Facebook & Washington Post behavior I cannot explain

I was looking at some local news on Washington Post’s website. I happen to notice that there in the right gutter along with miscellaneous ads which my brain filters out of my awareness, was a blue box. In the blue box was a list of things my Facebook friends have “liked” on WaPo recently.

And this took me by surprise.

I opened a different browser and headed to Facebook. First, I checked my Application Settings to see if a Washington Post application had slipped into my profile. I had this happen – Gizmodo and some other sites appeared in my authorized application list without getting my authorization. See this article for more. There was no Washington Post application. Next up, I checked my Privacy Settings to verify once more that I disabled Instant Personalization. And yes, that was still the case.

So, wtf?

I clicked on the big red X that WaPo had so kindly put in the blue box with my friends activities. Instead of removing the widget, it brought me to my Washington Post account. (At some point, I registered an account with the Post so I could actually read what they wrote – I know, crazy eh?) And there was a setting called Network News. Sure enough I was opt’ed in to that. This Network News setting enabled the Facebook social activity widget to appear on the pages I saw.

Here’s the million dollar question – How did Washington Post link to my Facebook profile? I certainly never used Facebook Connect, nor have I ever “Liked” something on the Post.

The best guess I’ve got at this point is that the Post used my profile email address to match with Facebook. But this is a pretty weak theory as I have my privacy settings cranked down tight on such things at Facebook, for what that is worth. I check the Post’s privacy policy and no mention of Facebook anywhere.

Anyone have an idea on this? Anyone seeing the same behavior?

BTW – if you want out of the Post’s Network News, go here to change your preferences.

Facebook privacy revisited: Privacy Mirror version 2

Facebook’s recent changes to its privacy system has been garnering a lot of attention and not a lot of it is good. Both the EFF and Kaliya Hamlin (via ReadWriteWeb) have written up their takes on the matter and, all in all, I think they are decent assessments.

With all the supposed changes in Facebook’s privacy system, I decided to revisit my work with Privacy Mirror (you can catch the backstory: here and then here). Having retested PM with both friends and strangers, here’s what I’ve learned: Plus ça change, plus c’est la même chose.

The more things change, the more they stay the same.

Facebook’s inconsistent treatment of privacy still remains. In a nutshell, what a 3rd party developer can see in your profile, having been granted access to you via your friends, directly depends on whether you have the same application they do. If you and your friends use the same Facebook app, then the 3rd party developer will see your profile (and photos and posts, etc.) as if that developer was your friend. If you do not use the same Facebook app that your friend does, then the 3rd party application is subject to a different set of constraints.

I question whether the recent changes Facebook has instituted have even remotely satisfied Commissioner Stoddart’s concerns with Facebook, specifically 3rd party access to user information. Although users can control the scope of disclosure of their posts a bit better, defaulting settings to “Everyone” access as well as potentially making user’s social graphs public undermines any attempt to cast Facebook in a pro-user control light.

There’s also a nit I’d like to pick with the privacy settings system in Facebook – inconsistent save behavior. In some cases, Facebook automatically saves changed to privacy settings. In some cases, you have to press Save. This is a small point but it points to a larger issue. If service providers do not provide their users with meaningful, usable choices when it comes to controlling privacy and disclosure controls, but instead heap more controls in hard to find places, then these service providers have not aided their customers in the least. More user choices only equals more user control if those choices are clear, consumable, and centralized.

If you want to conduct some of your own testing of Facebook’s privacy system, feel free to play with Privacy Mirror. The following are new features I’ve added:

  • PM tests to see if the person your are pointing the Mirror at is a Privacy Mirror user. If they are you’ll get results based on their privacy settings with respect to you as a person. If they aren’t you’ll get results based on their privacy settings with respect to Privacy Mirror being a 3rd party application. This behavior is core Facebook Platform behavior which I feel is inconsistent and puts people at a disadvantage.
  • PM tries to find some photo albums that the person may have added
  • PM tried to find some photos that are tagged with the person in question
  • Added the ability to point the Mirror at a specific person better using their username
(Cross-posted from Burton Group’s Identity Blog)