I've Been Mugged Blog

Last week a friend, Bill, asked me via email what was going on at the Boston Globe newspaper website. Bill sent this image of the Boston Globe Sports landing page:

Bill was alarmed that the Boston Globe website knew who his Facebook friends are. You can see the name of Bill's friend name next to the Facebook "Like" button. He felt that the Boston Globe shouldn't know who his Facebook friends are since he had already opted out of the Facebook Instant Personalization program, which he thought would prevent stuff like this.

Bill wanted to know what is going on and I promised him I'd try to find some answers.

First, I signed into Facebook.com and visited the Boston Globe site using a second browser window. I wanted to see if I could replicate Bill's experience. Like Bill, I did not sign into the Boston Globe website, and I saw this:

The Facebook "Like" button appeared but it didn't mention any of my friends. I felt a little better about that, but I still had plenty of unanswered questions.

To find some answers, I read the Globe's Privacy Policy and FAQ page about browser cookies. Perhaps, these pages would explain what was happening. Maybe this was browser cookie-driven information. Neither Globe website pages mentioned Facebook, nor explained this new Facebook "Like" feature.

Next, I called the Boston Globe and spoke with Benny DiNardo, a Multimedia Editor at the newspaper. I shared my concerns. DiNardo confirmed that if a person first signs into Facebook, and then visits the Globe website, and then clicks the Facebook "Like" button on the Globe website, their name will appear as having "Liked" the Globe on both the Globe website and on the Facebook.com website. If the user isn't signed into Facebook, then the Boston Globe website won't display any of this.

DiNardo also said that the Boston Globe home page also had a Facebook "Like" button. So, I went looking for that and found this:

I haven't seen that Facebook module before. It displayed actual Facebook status messages by my friends. Each status message contained a link to content within the Globe website. Like Bill, this was a surprise because I, too, had already opted out of the Facebook Instant Personalization program, when Facebook changed its Privacy terms in May 2010. I thought that opt-out would have stopped stuff like this. Obviously not.

Next I clicked on the "Facebook social plugin" link in the module. It took me to a Facebook site page that explained what social plugins are:

"Experience the web with Facebook friends. Social plugins let you see what your friends have liked, commented on or shared on sites across the web. All social plugins are extensions of Facebook and are specifically designed so none of your data is shared with the sites on which they appear."

So, a Facebook Social Plugin is a small amount of HTML code that a website operator can include on a page in their website to display Facebook content they don't have access to. I have no way to verify this, so I have to take Facebook's word on that. I was able to verify this: if you signed into Facebook first and then visit a website with a social plugin, then that site's plugins will display whatever Facebook information those plugins were designed to display.

This Facebook module on the Boston Globe home page module is one type of social plugin. The Facebook "Like" button on the Boston Globe Sports landing page is another social plugin version. Facebook provides 8 different social plugins today, and that number will probably increase in the future. According to TechCrunch, more than 100,000 websites had already installed Facebook Social Plugins by May 2010. I am sure that number is far larger today. So, the Boston Globe has plenty of company using social plugins.

If you don't sign into Facebook and then visit the Boston Globe home page, this is what you see in the Facebook social plugin module:

But nobody is going to do that because part of the fun of Facebook is sharing links with your friends, and you have to be signed into Facebook to do that.

I had heard about social plugins, but sometimes you don't understand a thing until you see it work. I doubt that any of my Facebook friends realize that their Facebook posts and information are displayed on many sites around the Internet. Now, I had some questions answered, but many new questions:

• How safe are social plugins?
• How do I prevent others from seeing my Facebook status messages on sites across the web?
• What protections does Facebook provide its members from shady website operators who abuse social plugins?
• Does the Instant Personalization opt-out really work?
• Are Instant Personalization and Social Plugins two separate programs?

Next, I read the Facebook Social Plugin FAQ page, which answered some of my questions. Some of the answers on this page I found to be, at best favorable to Facebook. Other answers I found to be, at worst, vague and misleading:

"What personal information is shared with sites that use social plugins?
None of your information -- your name or profile information, what you like, who your friends are, what they have liked, what they recommend -- is shared with external sites you visit with a plugin."

Huh? In the image above, the Facebook social plugin clearly displayed my friends' status messages, names, and profile photos at the Boston Globe site. That seems pretty personal to me. The FAQ page explains that the privacy settings for my account apply to these social plugin modules. So, if you allow "Everyone" to see your Facebook status messages and information, everyone can see it here, too. I set my privacy to "Friends Only," but I have no way to verify that Facebook complies with this with its social plugins.

Another section from the Social Plugin FAQ page:

"What information does Facebook receive about me when I visit a website with a Facebook social plug in?
When you visit a partner site, Facebook sees the date and time you visited, the web page you are on (commonly known as the URL), and other technical information about the IP address, browser, and operating system you use... If you are logged into Facebook, we also see your user ID number. We need your user ID to be able to show you the right social context on that site. For example, when you go to a partner website, we need to know who you are in order to show you what your Facebook friends have liked or recommended."

Reread this closely. The social plugins track your web usage at partner sites, whether or not you are signed in to Facebook. The page didn't explain if I could opt-out of this tracking. Perhaps most importantly:

"How do I opt-out of viewing social plugins?"
No data is shared about you with the website when you see a social plugin on an external website... If you would not like to see what your friends recommend or have shared on a website, simply log out of Facebook."

That is a partial answer. That answer tells me how to stop viewing my friends' Facebook information in sites with social plugins. It does not answer how I prevent others from seeing my Facebook information at sites with social plugins. To find the answer to this, I devised a little test.

I posted a couple of Facebook status messages that had links to content at the Boston.com site. If the Instant Personalization opt-out mechanism at the Facebook site worked, my Facebook friends shouldn't see these posts in the social plugin module at the Boston.com home page. Sadly, Bill and Michelle were able to see my Facebook status messages in the Globe.com social plugin. Bill sent this image to me:

Yes, that's my personal Facebook status message above -- the one with the "Boycott BP" profile image. This confirmed for me that the Instant Personalization opt-out mechanism does nothing to stop Facebook from displaying my information in its social plugin modules around the web. As best I can tell, Facebook members cannot opt-out of social plugins.

What all of this means for Facebook members:

• The Instant Personalization opt-out mechanism does nothing about social plugins. The two are separate Facebook programs. It's easy to confuse the two programs because social plugins deliver content (e.g., Facebook status messages, "Likes," etc.) many consumers consider personal information
• Facebook doesn't provide a Social Plugin opt-out mechanism so you can prevent others from viewing your Facebook status messages and Like information in social plugins modules at sites around the Internet. The only options are to deactivate your Facebook account or stop posting information to your Facebook account

What responsible company creates a program that its customers can't opt out of?

I can see the appeal of social plugins to website owners. It's a way for them to capitalize on the popularity of Facebook, and see if social plugins will bring them additional website visitors. In my opinion, the Boston Globe should have announced this feature or asked its readers if they really wanted it. The Globe website should have provided an explanation somewhere in its privacy and website usage policies.

Moreover, I have not and will not visit any websites other than Facebook.com to read my friends' status messages. Seeing some of their messages at sites like the Boston Globe doesn't do anything for me. It's a negative Boston Globe brand experience.

I spent two days researching, understanding and writing this blog post about Facebook Social Plugins. No company marketing program should be this complicated and convoluted = difficult to understand by users.

Next, the Facebook site needs to provide real, substantive FAQs. The questions seem made up and not real ones that consumers submitted. The answers need to be less vague and more accurate. If you can't opt-out of social plugins, then say so clearly. Also, consumers need to know how long their Facebook status messages are archived for display in social plugins. If the content is months old, it is useless. And, the program should be opt-in based. If it's that good, people will opt-in. If it's that bad, and few opt in, then Facebook shouldn't be doing it.

Moreover, the whole social plugins program seems slimy:

• You Facebook status messages with links and Like information is already being used at sites with social plugins installed. Facebook doesn't provide a list of participating sites so there's no way to know unless you stumble upon a site, as Bill and I did. What's the big secret, Facebook?
• Today, sites with social plugins installed seem to publish only those status messages that include links to the same site. Facebook could easily change that tomorrow.
• There's no real, easy way for Facebook members to verify that social plugins perform as promised, and only display information consistent with their Facebook account privacy settings. What responsible company builds features its customers can't verify?
• When you set your Facebook privacy settings, you have to do so knowing that (thanks to social plugins) people will see your Facebook status messages and Likes at both the Facebook site and at many sites around the Internet. Was that distinction clear to you when you set the privacy settings for your Facebook account? I'll bet it wasn't -- and you may want to change them now that you know this.
• Facebook has built a feature where any website can install social plugins. Any. And the website doesn't have to tell you. How open, honest, and transparent is that?
• The Social Plugins FAQ page doesn't address what happens when abuses occur. A key thing I've learned since I started this blog, is that there are both reputable and shady website operators. Facebook says that websites don't have access to the content in social plugin modules, but who is watching or verifying that? What happens when abuses occur?
• For some bizarre reason, Facebook includes FAQ content about Instant Personalization and Social Plugins on the same page. It gives the impression that the two programs are connected, but they aren't. I'll bet that this gave many consumers, like Bill, the mistaken perception that opting out of Instant Personalization would prevent their content from displaying in social plugins. Why the rope-a-dope with FAQ content Facebook?

Previously, my trust in Facebook was low to zero. Learning all of this kept it there. My overall impression is that the latest privacy controls for consumers from Facebook don't really do much, as the company is working hard elsewhere to counter those new controls. A key example is the social plugin program. Skepticism abounds.

I would like to continue reading and to continue trusting the Boston Globe website, but unannounced features like this -- with no user control -- make trust difficult. DiNardo also mentioned that the New York Times website plans to introduce this Facebook "Like" feature soon. I hope not.

What is your opinion? Do other news websites you read have social plugins? Do you like it? Why or why not? If you read the Boston Globe online, what's your opinion? Should the New York Times site add social plugins?