Scribd Facebook Instant Personalization Is a Privacy Nightmare (wired.com)
35 points by bcl on Oct 2, 2010 | 23 comments

Given Scribd's dodgy reputation (for example, http://blog.ericgoldman.org/personal/archives/2010/09/scribd...) I was curious to see what they'd do with Instant Personalization which has a high creepiness factor even on a good day. True to form, they didn't disappoint.

I've been tracking the security/privacy problems with Instant Personalization for a while; my recent post might be relevant: http://33bits.org/2010/09/28/instant-personalization-privacy...

I'm also curious to see how things will turn out when a whole bunch of YC startups get Instant Personalization access, as YCRFS7 promises.

I think a lot of us realize the privacy concerns and are very carefully weighing the cost/benefit tradeoff, especially from a user perspective. Instant Personalization has a distinct air of "evil" about it, but it can be very beneficial to users and a great experience in the right hands.

Why do sites insist on default opt-out? Everyone here seems to be blaming Facebook. Certainly, Instant Personalization is a Facebook tool that Scribd used but the core of the matter is Scribd created yet another feature that is opt-out.

I consider opt-out a special case of bait-and-switch. You offered X and I signed up for X. Two months later you added Y and changed my settings so now I am signed up for X + Y. Since X != X + Y, I consider X + Y to be a new product Z. I signed up for X, you switched me to Z. Bait-and-switch as far as I'm concerned. Doesn't matter to me if Z = 99% of X. Z != X and the switch happened without my prior consent.

I'm sure in the short-term numbers game, opt-out wins opt-in by far. Grab as many eyeballs as you can in the cheapest way possible. In the long term, people stop using your services. There's a reason I'll never use RealPlayer even though the company has completely changed since the early 2000s. I just don't trust them anymore. Same with Facebook. I just don't trust them with my data. Same with Google Buzz. Even though I'm comfortable with Google managing emails, I can no longer trust the Buzz team. Privacy loss doesn't have to directly happen to me in order for me to feel violated.

> Since X != X + Y, I consider X + Y to be a new product Z. I signed up for X, you switched me to Z.

This is absolutely unreasonable to apply in general, because it would devastate the pace of change for web applications, and it is actively harmful to the users as well. You're going to be routinely asking them to make decisions which a) they do not want to make b) they have no information to make and c) they are incapable of making. It will merely confuse and annoy them, and the best possible resolution is that they do what they do any time people put up meaningless repetitive dialogs and click Next Next Next until you stop asking such stupid questions as whether to format C:\ or not.

("Attention, non-technical elementary school teacher in central Kansas. You signed up for Bingo Card Creator revision 1,550. Since you last logged in yesterday, we have made 5 changes to the service. These are summarized as: $INCOMPREHENSIBLE_COMMIT_NOTES. Do you want to consent to these changes, or should we keep a Rails application stuck to r1550 spinning for you until the end of time? Pretend this does not sound scary and that you understand that sentence. It is not scary and you don't understand that sentence, but you have no good way of knowing that.")

I should have clarified what X and Y mean in this instance. They do not correspond to individual software features but rather the set of expectations that both parties have agreed to beforehand with regards to privacy, access, security, and overall functionality. Every site has terms of use that basically say "you agree to the condition that we can change anything anytime and you cannot do anything about it." So as far as I am concerned as a user, X stands for the entire site experience regardless of the terms or privacy policy. I don't care that your 45 page document said you can add Y anytime. If Y was not there when I signed up and it affects my security, privacy, or accessibility in a way that I value, you should tell me about it before you opt me in.

Personally, you would be the last person I would think of as pulling such shenanigans. Your work and words have shown that you care about your users more than making some extra cents in the short-term. I can't say I feel the same about others.

Nice answer, but I don't see what argument it's in response to. If the $INCOMPREHENSIBLE changes don't affect the data the user exposes to the world, there is no need to ask permission, and the Pace of Change for Web Applications can continue unimpeded.

This is a huge reason that I do not use Facebook to login to any site -- pretty much every site that offers that functionality asks to be able to post items for you (in your feed), to send emails, etc.

It seems like some site owners' dreams are to turn you into a bot for their own promotional purposes, or to just use your voice as their personal bullhorn.

I'll stick with registering to sites using a "plain" login (or OpenID, where available) -- at least that way, I have a bit more control over the way my online identity is used.

This is about instant personalisation, where you don't have to log in for any of this stuff to happen.

It should be a huge reason to log out of Facebook after every visit (or not use it at all), but 99% of users are never going to do that.

It's actually easier than that. Just turn off Instant Personalization in your Privacy Settings.

I guess it is good that I had done that too -- I assumed you actually had to "connect" to Facebook because I visited the Scribd page as described in the article, and I didn't see any fancy Facebook stuff happening (although I did see my browser hit Facebook).

I had forgotten that I had turned off instant personalization (likely due to some TC article or something). So this works without even logging into the site? Jesus, it is worse than I thought!

Until they change the privacy settings, and it's defaulted to On again.

I use a different browser for social networks, no kidding. Maybe I should look into my browser's profile options and use separate profiles instead.

I don't use Facebook as much, but I follow a similar strategy for other things, like GMail. Instead of a different browser, I set up a 'site-specific-browser', like Fluid[1], for each such website.

Aside from the benefit of not staying logged in to your email/FB/Twitter when browsing random websites[2], this also lets you treat constantly open web-sites as legitimate apps in your switcher, frees up those permanent tabs on your browser, and provides for features like an unread count badge on the application icon when you switch apps.

[1] http://fluidapp.com/

[2] Obviously, this means that features that rely on you being constantly logged in to FB/Twitter (those Like and Tweet buttons) won't work.

Instant Personalization or not, this is why I login to sites using my twitter account and not my facebook account. The twitter account is more detachable for me when it comes to day-to-day life, Facebook on the other hand is a lot more involved ...

This is the reason why I stopped using Facebook once instant personalization and the embeddable like buttons were added.

The risk of unknowingly spamming people was too big for me and I just quit. I don't even care as much about the privacy issues as I care about these services doing things and posting stuff in my name without any way to stop it or even just an indication that they are doing it.

Same here. First I thought I was just going to have a bit of a time-out, but I haven't been back and don't miss it one bit. The previous privacy flaps were stuff to deal with, annoying but manageable, the 'like' buttons (incidentally it was a fellow HN'er's name popping up on a third party website) did it for me, end of FB.

Sometimes I feel like I'm the only person in the world who actually likes features like this.

As long as I'm given more relevant content, feel free to use my publicly posted information.

>As long as I'm given more relevant content, feel free to use my publicly posted information.

Doesn't that way of putting it, though, make it sound a bit like you are actually making the decision to opt in?

I'm opting in by posting anything on Facebook, yes. I assume that using the service opts me in.

I suggest installing the FacebookBlocker extension:


Whether we like it or not, Facebook is as much a part of the web ecosystem as Google. Instead of trying to fight it, just embrace it.

> Instead of trying to fight it, just embrace it.

Why? Facebook provides no value to me; if Facebook disappeared from the face of the earth tomorrow, my life would change in absolutely no way.

No need to embrace it.

There's a difference between a symbiote and a parasite in an ecosystem.
