What the Facebook

This weekend I deactivated my Facebook account after six years of near-daily use. I was surprised that Facebook showed such disregard for their users’ privacy by making their new Instant Personalization features opt-out so soon after the Google Buzz backlash a few months ago and their own adventures with Beacon a couple years ago. My surprise turned to shock when, after I disabled these new features, I went to CNN.com and discovered it knew who I was.

[Screenshot of CNN.com social plugin]

It turns out this is a “social plugin” from Facebook embedded in an iframe. As a (mostly former) web developer, I know that means CNN.com doesn’t actually know who I am; rather, that content is hosted on Facebook but embedded on CNN’s website in a way that CNN can’t access. But it’s ridiculous that I have to look at the source of a website and understand the DOM security model to know that. People see their friends’ activity on CNN.com and think the website knows who they are, and there’s no Facebook preference to turn that off.

Just to reiterate that, Facebook wants websites to embed iframes that can look just like their surroundings on the page and trick the user into thinking that website knows them and their friends, and didn’t bother including a way to turn that off. Maybe this iframe thing will catch on and my bank will start letting me log in from other websites too!

I considered these things and tried to think of any benefit of the Facebook service that came close to outweighing its clear violation of my privacy. And then I deactivated my account. The answer was a definitive “no, I don’t even use the site that much anymore and don’t want to be involved if this is the direction they’re going”.

The first two days were rough; I had formed such a Facebook habit that I would go to click where my bookmark used to be and briefly hunt for it before remembering why it’s gone. But after that it got a lot easier, and today I didn’t really miss it or even think about it at all.

I’m not writing this post to try to convince anyone else to deactivate their accounts, though I know others who have for the same reasons. I understand that everyone values privacy differently (especially Facebook, apparently) and for some people the value provided really is worth the cost. I’m mainly writing it so that it’s public and I’ll be more likely to stick to my deactivation in case it gets more difficult to stay away. (ex-Facebook group therapy meetup, anyone?) Although, now that I’ve disabled third-party cookies in my browser, effectively turning off the “social plugins”, I might even consider reactivating my account down the road if they abandon this scary, scary direction they’re headed. But that seems pretty unlikely.
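The two browser rules this post relies on (the embedding page cannot read a cross-origin iframe, and blocking third-party cookies stops the embedded frame from identifying the visitor), modelled as an added example that is not part of the original post. The hostnames, plugin path, cookie value and the `site()` shortcut are constructed assumptions.

```javascript
// Added illustration: a simplified model of same-origin access and
// third-party cookie blocking. All URLs and values are constructed samples.

// Same-origin policy: scheme, host and port must all match for script access.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Naive "site" = last two host labels. Real browsers use the Public Suffix
// List; this shortcut is an assumption that holds for the sample hosts only.
function site(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Describe what happens when the page at topUrl embeds frameUrl in an iframe.
function embedOutcome(topUrl, frameUrl, { blockThirdPartyCookies, cookieJar }) {
  const thirdParty = site(topUrl) !== site(frameUrl);
  const cookie = cookieJar[site(frameUrl)];
  const cookieSent =
    cookie !== undefined && !(thirdParty && blockThirdPartyCookies);
  return {
    // Can the embedding page's script read the frame's DOM?
    parentCanReadFrame: sameOrigin(topUrl, frameUrl),
    thirdParty,
    // Does the frame's server receive the cookie that identifies the user?
    frameRequestIdentifiesUser: cookieSent,
  };
}

const TOP = 'https://www.cnn.example/';
const PLUGIN = 'https://www.facebook.example/plugins/activity';
const jar = { 'facebook.example': 'session=constructed-value' };

// Browser defaults: the frame shows personalised content, yet the news site
// still cannot read it.
const defaults = embedOutcome(TOP, PLUGIN,
  { blockThirdPartyCookies: false, cookieJar: jar });

// Third-party cookies blocked: the frame loads without the session cookie.
const hardened = embedOutcome(TOP, PLUGIN,
  { blockThirdPartyCookies: true, cookieJar: jar });

console.log({ defaults, hardened });
```

In both runs `parentCanReadFrame` is false; only `frameRequestIdentifiesUser` changes, which is why the cookie setting, not anything on the embedding site, controls whether the plugin is personalised.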

As the product manager of a website full of user-generated content, I try to keep up with what others solving some of the same problems are doing, and Facebook is certainly a leader in this space. That’s partly why I’m so disappointed that someone in a similar position made a conscious decision to make these new features opt-out and some parts not have an “off” switch at all. This is where I am reminded how awesome it is to work for a company that puts the user above everything else.

I guess Facebook and I will just have to agree to disagree on my privacy.

  • Dave Miller

    Setting NoScript to block connect.facebook.net seems to be effective at blocking this.

  • It’s all pretty creepy. I can’t find the article(s), but Google and others are getting together to go through your browsing history to serve up crap that they are just guessing that you MAY want or want to use (interacting with social networking sites etc). Like Facebook connect but I guess that Facebook didn’t want to be a part of that team.

    I’ve had 3rd party cookies blocked for a very long time (enable them for sites that I trust of course and need them like on AMO), and there are other steps that I take to try and keep prying eyes out, but should we really have to do that for well known and established sites? You know, the supposedly reputable ones?

    You’re absolutely right about Mozilla. They care about their users and Internet users overall because they are after all Mozilla product and services users and Internet users too.

    They’re looking out for us in our best interest, not looking us over for their own.

  • Tiago Sá

    Lol. Facebook is a farce, anyway. I don’t understand why anyone would waste their time using it, let alone put private stuff in there…

  • Lukas


    Why isn’t Mozilla working on a decentralized social networking app? It would seem like the natural place to start such a project, given its commitment to an open Internet.

    What I’m up to is a system which stores the data in a decentralized, peer-to-peer manner using public key cryptography to ensure privacy. I’ve been kicking around this idea in my head for quite some time now and have been looking around for a company and/or open source project who is moving in the direction I’m thinking of, but to no avail as yet.

    I also looked at Mozilla Co.’s job openings, hoping that you may already have started working on such a product. Raindrop looks like it might eventually evolve into something along the lines of what I’m thinking of, but according to the Guiding Principles, it explicitly does not aim to become a social network.

    I think there’s tremendous potential in the market for an open, decentralized social network with strong privacy protection.

  • Lukas,
    Sounds like Mozilla Drumbeat is for you. You should start a Drumbeat project and you could perhaps get seed funding and other support from Mozilla.

  • I deleted (and I mean deleted, not deactivated) my Facebook account about a year ago, and haven’t looked back since. Sure it was difficult at first, but I found myself no longer able to use a site where I was being used—encouraged to enter personal data to benefit the company’s vague advertising minded business model, rather than my own needs.

    I felt uncomfortable then, but that was before they rolled out ever more complicated privacy settings and looser defaults. I sometimes wonder if I should return to the service, but I’m soon stopped by more privacy (or worse, security) stories that remind me I made the right choice. Deactivation is just the first step 😉