a little east of reality

Monday, January 07, 2008

why i will never be on facebook

200,000 or so people join Facebook every day. Here's why I won't be one of them.

An interesting flash presentation on the subject of Facebook and the way they treat user information.











By posting User Content to any part of the Site, you automatically grant, and you represent and warrant that you have the right to grant, to the Company an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, publicly display, reformat, translate, excerpt (in whole or in part) and distribute such User Content for any purpose on or in connection with the Site or the promotion thereof, to prepare derivative works of, or incorporate into other works, such User Content, and to grant and authorize sublicenses of the foregoing.
Basically, you are giving them the right to publish anything that you publish on Facebook, and not merely in its original form. Note that this appears in the Terms of Service, not the Privacy Policy, even though it specifically pertains to privacy and the use of your information.

Facebook may also collect information about you from other sources, such as newspapers, blogs, instant messaging services, and other users of the Facebook service through the operation of the service (e.g., photo tags) in order to provide you with more useful information and a more personalized experience.
I hate this in particular. Firstly, while I'm aware that whatever I put on the internet can be found by someone else, a site which gathers all of the seperate pieces of information I may post on very disparate sites and puts them all in one profile is giving people a much more complete picture of me and my life than they would otherwise have had. When this starts to include where I shop and what I buy there, it becomes even more intrusive. If that is going to happen, shouldn't it be a choice I deliberately opted-into, rather than one I have to opt-out of site-by-site? But Facebook doesn't want to offer that option, in spite of user feedback demanding it. Secondly, they are also including non-electronic sources such as newspapers. WTF?

From a Nov 30, 2007 article on Facebook's Beacon online ad system:

A CA security researcher [Stefan Berteau, senior research engineer at CA's Threat Research Group] is sounding the alarm that Facebook's controversial Beacon online ad system goes much further than anyone has imagined in tracking people's Web activities outside the popular social networking site...

Beacon tracks certain activities of Facebook users on more than 40 participating Web sites, including those of Blockbuster and Fandango, and reports those activities to the users' set of Facebook friends, unless told not to do so. Off-Facebook activities that can be broadcast to one's Facebook friends include purchasing a product, signing up for a service and including an item on a wish list...

But Berteau's investigation reveals that Beacon is more intrusive and stealthy than anyone had imagined.

In his note, titled "Facebook's Misrepresentation of Beacon's Threat to Privacy: Tracking users who opt out or are not logged in," he explains that he created an account on Conde Nast's food site Epicurious.com, a site participating in Beacon, and saved three recipes as favorites.
He saved the first recipe while logged in to Facebook, and he opted out of having it broadcast to his friends on Facebook. He saved the second recipe after closing the Facebook window, but without logging off from Epicurious or ending the browser session, and again declined broadcasting it to his friends. Then he logged out of Facebook and saved the third recipe. This time, no Facebook alert appeared asking if he wanted the information displayed to his friends.


After checking his network traffic logs, Berteau saw that in all three cases, information about his activities was reported back to Facebook, although not to his friends. That information included where he was on Epicurious, the action he had just taken and his Facebook account name.

"The first two cases involve the transmission of user data despite 'No thanks' having been selected on the opt-out dialog, and are causes for deep concern. They pale, however, in comparison to the third case, where Facebook was receiving data about my online habits while I was not logged in, and was doing so silently without even alerting me to the cross-site communication," he wrote in the research note.

If a user has ever checked the option for Facebook to "remember me" -- which saves the user from having to log on to the site upon every return to it -- Facebook can tie his activities on third-party Beacon sites directly to him, even if he's logged off and has opted out of the broadcast. If he has never chosen this option, the information still flows back to Facebook, although without it being tied to his Facebook ID, according to Berteau....He repeated the Epicurious experiment with Kongregate.com, another Beacon-affiliated site, and got similar results.

In e-mail correspondence with Facebook's privacy department, Berteau was told, among other things, that "as long as you are logged out of Facebook, no actions you have taken on other websites can be sent to Facebook." [Obviously a lie, given his test results.]

Some good news to finish with:
  • If you happen to be a Firefox or Opera user, it's possible for you to block Facebook Beacon traffic to and from partner sites.
    If you use Firefox, install the AdBlock Plus add-on and add the following URL: http://*.facebook.com/beacon/*.

  • If you use Opera, go to Tools Advanced Blocked Content and add the same URL there.
If you use Internet Explorer, and plan to use Facebook, you're out of luck. IE will change the URL to simply *.facebook.com, which effectively blocks all active content from the site. Which isn't a bad thing for those of us who don't use Facebook, but would be an issue for those who want to use it within IE.

Labels: ,