
Boston Globe Website Displays Your and Your Friends' Facebook Likes And Status Messages

Last week a friend, Bill, asked me via email what was going on at the Boston Globe newspaper website. Bill sent this image of the Boston Globe Sports landing page:

Boston Globe Sports landing page viewed by my friend, Bill.

Bill was alarmed that the Boston Globe website knew who his Facebook friends are. You can see the name of Bill's friend next to the Facebook "Like" button. He felt that the Boston Globe shouldn't know who his Facebook friends are since he had already opted out of the Facebook Instant Personalization program, which he thought would prevent stuff like this.

Bill wanted to know what is going on and I promised him I'd try to find some answers.

First, I signed into and visited the Boston Globe site using a second browser window. I wanted to see if I could replicate Bill's experience. Like Bill, I did not sign into the Boston Globe website, and I saw this:

Boston Globe Sports landing page viewed by me when signed into

The Facebook "Like" button appeared but it didn't mention any of my friends. I felt a little better about that, but I still had plenty of unanswered questions.

To find some answers, I read the Globe's Privacy Policy and FAQ page about browser cookies. Perhaps these pages would explain what was happening. Maybe this was browser cookie-driven information. Neither Globe website page mentioned Facebook or explained this new Facebook "Like" feature.

Next, I called the Boston Globe and spoke with Benny DiNardo, a Multimedia Editor at the newspaper. I shared my concerns. DiNardo confirmed that if a person first signs into Facebook, and then visits the Globe website, and then clicks the Facebook "Like" button on the Globe website, their name will appear as having "Liked" the Globe on both the Globe website and on the website. If the user isn't signed into Facebook, then the Boston Globe website won't display any of this.

DiNardo also said that the Boston Globe home page also had a Facebook "Like" button. So, I went looking for that and found this:

My friends' Facebook status messages displayed in a content module on the Boston Globe home page

I hadn't seen that Facebook module before. It displayed actual Facebook status messages by my friends. Each status message contained a link to content within the Globe website. Like Bill, this was a surprise because I, too, had already opted out of the Facebook Instant Personalization program, when Facebook changed its Privacy terms in May 2010. I thought that opt-out would have stopped stuff like this. Obviously not.

Next I clicked on the "Facebook social plugin" link in the module. It took me to a Facebook site page that explained what social plugins are:

"Experience the web with Facebook friends. Social plugins let you see what your friends have liked, commented on or shared on sites across the web. All social plugins are extensions of Facebook and are specifically designed so none of your data is shared with the sites on which they appear."

So, a Facebook Social Plugin is a small amount of HTML code that a website operator can include on a page in their website to display Facebook content they don't have access to. I have no way to verify this, so I have to take Facebook's word on that. I was able to verify this: if you signed into Facebook first and then visit a website with a social plugin, then that site's plugins will display whatever Facebook information those plugins were designed to display.
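An added example, not part of the original post and not Facebook's or the Globe's code: a short Python audit that lists the outside hosts a page tells the browser to contact, which is how a reader or site operator can spot embedded widgets such as the social plugin described above. The page URL, host names and HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a news page embedding a widget from another host.
PAGE_URL = "https://news.example/sports/"
SAMPLE_HTML = """
<html><body>
  <img src="/static/logo.png">
  <script src="https://news.example/js/site.js"></script>
  <iframe src="https://social.example/plugins/like?href=https%3A%2F%2Fnews.example%2Fsports%2F"></iframe>
  <script src="//cdn.social.example/sdk.js"></script>
</body></html>
"""

# Tags that make the browser send a request on load, and what the
# fetched resource can then do relative to the embedding page.
EFFECT = {
    "iframe": "rendered by its own origin; page cannot read inside it",
    "script": "executes inside the page; can read the page's DOM",
    "img": "fetched only",
}


class EmbedAuditor(HTMLParser):
    """Collect (tag, absolute_url, host) for every embedded resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get("src") if tag in EFFECT else None
        if url:
            absolute = urljoin(self.page_url, url)
            self.embeds.append((tag, absolute, urlsplit(absolute).hostname))


def third_party_embeds(html, page_url):
    """Return embeds whose host differs from the page's own host."""
    # Simplification: compares exact host names, not registrable domains.
    page_host = urlsplit(page_url).hostname
    auditor = EmbedAuditor(page_url)
    auditor.feed(html)
    return [e for e in auditor.embeds if e[2] != page_host]


def report(html, page_url):
    """Return one tab-separated line per third-party embed."""
    return [f"{host}\t{tag}\t{EFFECT[tag]}\t{url}"
            for tag, url, host in third_party_embeds(html, page_url)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HTML, PAGE_URL)))
```

Every host listed receives a request from the visitor's browser when the page loads, whether or not the visitor clicks anything.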

This Facebook module on the Boston Globe home page is one type of social plugin. The Facebook "Like" button on the Boston Globe Sports landing page is another social plugin version. Facebook provides 8 different social plugins today, and that number will probably increase in the future. According to TechCrunch, more than 100,000 websites had already installed Facebook Social Plugins by May 2010. I am sure that number is far larger today. So, the Boston Globe has plenty of company using social plugins.

If you don't sign into Facebook and then visit the Boston Globe home page, this is what you see in the Facebook social plugin module:

The default Facebook content module on the Boston Globe home page

But nobody is going to do that because part of the fun of Facebook is sharing links with your friends, and you have to be signed into Facebook to do that.

I had heard about social plugins, but sometimes you don't understand a thing until you see it work. I doubt that any of my Facebook friends realize that their Facebook posts and information are displayed on many sites around the Internet. Now, I had some questions answered, but many new questions:

  • How safe are social plugins?
  • How do I prevent others from seeing my Facebook status messages on sites across the web?
  • What protections does Facebook provide its members from shady website operators who abuse social plugins?
  • Does the Instant Personalization opt-out really work?
  • Are Instant Personalization and Social Plugins two separate programs?

Next, I read the Facebook Social Plugin FAQ page, which answered some of my questions. Some of the answers on this page I found to be, at best, favorable to Facebook. Other answers I found to be, at worst, vague and misleading:

"What personal information is shared with sites that use social plugins?
None of your information -- your name or profile information, what you like, who your friends are, what they have liked, what they recommend -- is shared with external sites you visit with a plugin."

Huh? In the image above, the Facebook social plugin clearly displayed my friends' status messages, names, and profile photos at the Boston Globe site. That seems pretty personal to me. The FAQ page explains that the privacy settings for my account apply to these social plugin modules. So, if you allow "Everyone" to see your Facebook status messages and information, everyone can see it here, too. I set my privacy to "Friends Only," but I have no way to verify that Facebook complies with this with its social plugins.

Another section from the Social Plugin FAQ page:

"What information does Facebook receive about me when I visit a website with a Facebook social plug in?
When you visit a partner site, Facebook sees the date and time you visited, the web page you are on (commonly known as the URL), and other technical information about the IP address, browser, and operating system you use... If you are logged into Facebook, we also see your user ID number. We need your user ID to be able to show you the right social context on that site. For example, when you go to a partner website, we need to know who you are in order to show you what your Facebook friends have liked or recommended."

Reread this closely. The social plugins track your web usage at partner sites, whether or not you are signed in to Facebook. The page didn't explain if I could opt-out of this tracking. Perhaps most importantly:

"How do I opt-out of viewing social plugins?
No data is shared about you with the website when you see a social plugin on an external website... If you would not like to see what your friends recommend or have shared on a website, simply log out of Facebook."

That is a partial answer. That answer tells me how to stop viewing my friends' Facebook information in sites with social plugins. It does not answer how I prevent others from seeing my Facebook information at sites with social plugins. To find the answer to this, I devised a little test.

I posted a couple of Facebook status messages that had links to content at the site. If the Instant Personalization opt-out mechanism at the Facebook site worked, my Facebook friends shouldn't see these posts in the social plugin module at the home page. Sadly, Bill and Michelle were able to see my Facebook status messages in the social plugin. Bill sent this image to me:

Boston Globe home page with my status message, as viewed by my friend, Bill.

Yes, that's my personal Facebook status message above -- the one with the "Boycott BP" profile image. This confirmed for me that the Instant Personalization opt-out mechanism does nothing to stop Facebook from displaying my information in its social plugin modules around the web. As best I can tell, Facebook members cannot opt-out of social plugins.

What all of this means for Facebook members:

  • The Instant Personalization opt-out mechanism does nothing about social plugins. The two are separate Facebook programs. It's easy to confuse the two programs because social plugins deliver content (e.g., Facebook status messages, "Likes," etc.) many consumers consider personal information.
  • Facebook doesn't provide a Social Plugin opt-out mechanism so you can prevent others from viewing your Facebook status messages and Like information in social plugins modules at sites around the Internet. The only options are to deactivate your Facebook account or stop posting information to your Facebook account.

What responsible company creates a program that its customers can't opt out of?

I can see the appeal of social plugins to website owners. It's a way for them to capitalize on the popularity of Facebook, and see if social plugins will bring them additional website visitors. In my opinion, the Boston Globe should have announced this feature or asked its readers if they really wanted it. The Globe website should have provided an explanation somewhere in its privacy and website usage policies.

Moreover, I have not and will not visit any websites other than to read my friends' status messages. Seeing some of their messages at sites like the Boston Globe doesn't do anything for me. It's a negative Boston Globe brand experience.

I spent two days researching, understanding and writing this blog post about Facebook Social Plugins. No company marketing program should be this complicated, convoluted, and difficult for users to understand.

Next, the Facebook site needs to provide real, substantive FAQs. The questions seem made up and not real ones that consumers submitted. The answers need to be less vague and more accurate. If you can't opt-out of social plugins, then say so clearly. Also, consumers need to know how long their Facebook status messages are archived for display in social plugins. If the content is months old, it is useless. And, the program should be opt-in based. If it's that good, people will opt-in. If it's that bad, and few opt in, then Facebook shouldn't be doing it.

Moreover, the whole social plugins program seems slimy:

  • Your Facebook status messages with links and Like information are already being used at sites with social plugins installed. Facebook doesn't provide a list of participating sites so there's no way to know unless you stumble upon a site, as Bill and I did. What's the big secret, Facebook?
  • Today, sites with social plugins installed seem to publish only those status messages that include links to the same site. Facebook could easily change that tomorrow.
  • There's no real, easy way for Facebook members to verify that social plugins perform as promised, and only display information consistent with their Facebook account privacy settings. What responsible company builds features its customers can't verify?
  • When you set your Facebook privacy settings, you have to do so knowing that (thanks to social plugins) people will see your Facebook status messages and Likes at both the Facebook site and at many sites around the Internet. Was that distinction clear to you when you set the privacy settings for your Facebook account? I'll bet it wasn't -- and you may want to change them now that you know this.
  • Facebook has built a feature where any website can install social plugins. Any. And the website doesn't have to tell you. How open, honest, and transparent is that?
  • The Social Plugins FAQ page doesn't address what happens when abuses occur. A key thing I've learned since I started this blog, is that there are both reputable and shady website operators. Facebook says that websites don't have access to the content in social plugin modules, but who is watching or verifying that? What happens when abuses occur?
  • For some bizarre reason, Facebook includes FAQ content about Instant Personalization and Social Plugins on the same page. It gives the impression that the two programs are connected, but they aren't. I'll bet that this gave many consumers, like Bill, the mistaken perception that opting out of Instant Personalization would prevent their content from displaying in social plugins. Why the rope-a-dope with FAQ content, Facebook?

Previously, my trust in Facebook was low to zero. Learning all of this kept it there. My overall impression is that the latest privacy controls for consumers from Facebook don't really do much, as the company is working hard elsewhere to counter those new controls. A key example is the social plugin program. Skepticism abounds.

I would like to continue reading and to continue trusting the Boston Globe website, but unannounced features like this -- with no user control -- make trust difficult. DiNardo also mentioned that the New York Times website plans to introduce this Facebook "Like" feature soon. I hope not.

What is your opinion? Do other news websites you read have social plugins? Do you like it? Why or why not? If you read the Boston Globe online, what's your opinion? Should the New York Times site add social plugins?



Bill G


Terrific research. Thanks for the effort.

It seems like the only short term workaround would be to keep two different browsers running (IE | Safari | Firefox | Chrome) and keep Facebook quarantined in one and do all your other surfing in the other.




That's how I have used FB. I visit FB using MSIE and go everywhere else in Firefox. This approach won't prevent others from seeing your FB Likes and FB status messages in social plugins around the web. There's no opting out of that.


c. m. cato-louis

Excellent Job, George!
I have had similar Q's, but no time to research.
Thanks for keeping us informed & up-to-date!
PS: what happens if I share/sign in on FB from this site?!?!


It's an IFRAME. The provider (Boston Globe in this case) cannot see the content. The content comes directly from Facebook to your browser; they just put markup in the page to designate a rectangular area as a Facebook area with a backing URL that resides on Facebook. It doesn't expose anything to anyone that can't already see it on Facebook.


Antibozo: thanks for the comment. I do realize it is an iFrame. That misses the point. It is not about the technology. It is about the fact that many consumers want notification and control... and they feel they are getting neither with Facebook (and other companies).

And, the average user should not have to be a web developer to understand things.



I disagree with your point of view. Average users should have Facebook in their face everywhere possible in order to hammer home the fact that when they share things on Facebook they are exposing the information. If it falsely appears to users that they're also sharing info with the Boston Globe, that's all the better. It helps to dispel the apparently widespread myth that sharing things on Facebook is somehow compatible with any form of privacy.


Nice post, George! Even though I knew about this issue it's nice to read all the research you've done.
Apart from the privacy issue, I'm not sure what value this is adding on's site because the way I see it when I visit FB I get to see what you've shared with your friends, so then the same info being displayed on is plain redundant and an annoying waste of real estate. Just my 2 cents.



One thing we seem to agree on: the sooner all Facebook members realize that they have no privacy with Facebook, the better off they will be -- and can adjust their behaviors on Facebook accordingly.

About iFrames: in my experience, consumers don't buy technology. They buy benefits. Some will like the benefits they believe social plugins may provide (with their Facebook posts published all over the web). Some won't like it and will see more disadvantages than advantages.

We shall see which view dominates among Facebook members as they begin to realize what social plugins are. Using my group of friends (some of whom have replied to me privately via email), most don't know what social plugins are, are discovering its privacy implications, and are deciding whether it has any benefits.

Hopefully, more readers will share their opinions below.



Just experienced a social plug-in.

I signed a petition about the Gulf oil spill. A pop-up appeared with an offer to say "join me in signing this petition." It included my FB photo! My FB profile has a different last name and email address than I use for public, political and professional venues.

I wrote to the petition distributor and told them what happened. I told them that I found this to be so violating that I would unsubscribe, remove their cookies and let everyone I could know what happened.

Facebook is out of control and this is more than unacceptable.


Huffington Post has had this same social plug in for months now. It shows me what articles my friends have read and vice versa.

My motto is, don't do or say anything in social media that you don't want shared. If you want to share info privately with your friends and colleagues, do it the old fashioned way by sending an email or god forbid, snail mail.


Check out


Thanks for sharing the link. Perhaps you work for Facebook, or maybe you don't. A couple points:

1) Users have no control over what gets displayed via social plugins in these sites. FB **says** consumers have control but it is all or nothing. Either you share it or you don't.

2) There is no guarantee or filtering that the FB posts by your friends will be relevant to the pages viewed at the site. That's why I used the Boston Globe example above. There is such a wide variety of content at the Globe site, that the few FB posts that the social plugin displays are bound to be IRrelevant.

3) I am not so vain that my FB posts need to be displayed in social plugins on thousands of sites. If my friends want to find me, they easily can on FB. If they have a question about a site, they'll ask me directly, and don't need a FB social plugin as a go-between.

Frankly, this FB feature and the video are a load of bulls---. I want much more and finer control than the crumbs of control FB provides. That's why I am reducing the amount of content I share via FB. Once a solid alternative launches, I'm switching.

