Thursday, April 22, 2010

Facebook doesn't care about your privacy


Today I pulled up a web page in my browser to read its article on Google Buzz links, which turned out to not be the info for which I was looking (why does Obi-Wan's Jedi mastery not imply mastery of English grammar?), and what did I see?

This:
What the hell? How does it know that none of my friends already clicked the thumbs-up icon button to indicate that they liked that web page? If my friends had liked the web page that I was viewing, how does it know who my friends are?

Facebook's new "Personalization" web feature. The Personalization feature is a little bit of code that web authors and bloggers can put on their web pages.

This code "phones home" to Facebook every time you access that page. This is not very new. Trackers and web hit counters do this all the time and generate marketing information and ad success rates. But the key here is that Facebook knows exactly who you are and what precisely you are viewing on the web.

Sites accessing the Personalization feature have access to all your public Facebook information, which includes your name, profile picture, gender, and friend and fan page connections.

Considering that Facebook's Personalization code can be placed on any web page on the Net, it seems that this has some pretty broad privacy implications. I have turned off the feature in the privacy settings of my Facebook account. It was on by default, and the introduction page that was splashed on my profile announcing its arrival did not explain how to turn it off.

Protect your privacy -- turn off Facebook's Personalization feature that tracks your activity on the web by following these steps:
  1. Go to your profile, and bring up the "Account" menu, and choose "Privacy Settings" from the drop-down.
  2. Click on the "Application and Websites" link.
  3. In the section "Instant Personalization" for "Control[ing] how select partners can personalize their features with my public information when [you] first arrive on their websites", click the "Edit Setting" button.
  4. Make sure that the check-box for on this page is unchecked. Apparently, once you have removed the check from this box, your setting will be saved.
There is still no guarantee that Facebook isn't keeping track of every partnered website that you visit.

The cookie used by the Personalization widget is your Facebook cookie. That cookie is stored in your web browser. So every time the Personalization code phones home, it sends your user name to Facebook, along with the URL of the website making the request to access your information.

Do you see how easy it is for Facebook (and other sites) to keep a log of every single website that you visit? So long as their code is used often enough by people who write the websites that you visit, eventually Facebook can collect a pretty good profile of your web usage.
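To see that exposure for yourself, here is a small audit sketch, added as an illustration and not code from Facebook or from any site mentioned above. It takes the outgoing requests recorded for each page you visited and reports which third-party sites received both a cookie and the address of the page you were reading. The domains, cookie values and the `visits` input shape are all constructed for the example.

```javascript
// Added example with constructed data; every name and domain is hypothetical.
// Naive "site" key: last two host labels (assumption; real tooling should
// use the Public Suffix List).
function siteOf(rawUrl) {
  return new URL(rawUrl).hostname.split('.').slice(-2).join('.');
}

// visits: [{ page, requests: [{ url, headers }] }]
// Returns Map: third-party site -> Set of page URLs it can tie to one cookie.
function exposureByThirdParty(visits) {
  const seen = new Map();
  for (const { page, requests } of visits) {
    for (const { url, headers = {} } of requests) {
      // Header names are case-insensitive, so normalise before lookup.
      const h = Object.fromEntries(
        Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
      const site = siteOf(url);
      if (site === siteOf(page)) continue; // first-party request, skip
      // Identity (cookie) plus location (referer) in one request is the leak.
      if (h.cookie && h.referer) {
        if (!seen.has(site)) seen.set(site, new Set());
        seen.get(site).add(h.referer);
      }
    }
  }
  return seen;
}

// Constructed sample: two unrelated pages embed the same widget.
const blog = 'https://blog.example.org/buzz-links';
const news = 'https://news.example.com/story';
const sampleVisits = [
  { page: blog, requests: [
    { url: 'https://blog.example.org/style.css',
      headers: { Cookie: 'sid=a', Referer: blog } },   // first party
    { url: 'https://widget.social.example/like',
      headers: { Cookie: 'session=u123', Referer: blog } },
    { url: 'https://cdn.example.net/lib.js',
      headers: { Referer: blog } },                    // no cookie sent
  ] },
  { page: news, requests: [
    { url: 'https://widget.social.example/like',
      headers: { Cookie: 'session=u123', Referer: news } },
  ] },
];

for (const [site, pages] of exposureByThirdParty(sampleVisits)) {
  console.log(site, 'can link one cookie to:', [...pages].join(', '));
}
```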

It's one thing for Facebook to know who all your friends are simply because they help you keep in touch with them. But now Facebook can know things about you that are well beyond information about your social connections. As of this post, this is the default setting -- their new feature defaults to spying on you.

Are you comfortable with that?