Facebook's Plan To Automatically Share Your Data With Sites You Never Signed Up For

In anticipation of a slew of new features that will be launching at f8, today Facebook announced that it was once again making changes to its privacy policy (you can see our post outlining these changes here). One of the biggest changes that Facebook is making involves applications and third-party websites. We’ve been hearing whispers from multiple sources about these changes, and the announcement all but confirms what Facebook is planning to do. In short, it sounds like Facebook is going to be automatically opting users into a reduced form of Facebook Connect on certain third-party sites — a bold change that may well unnerve users, at least at first. Here’s how Facebook is describing the change in its blog post:

Today, when you use applications such as games on Facebook.com or choose to connect to Facebook on sites across the web, you are able to find and interact with your friends. These applications require a small set of basic information about you in order to provide a relevant experience. After feedback from many of you, we announced in August that we were moving toward a model that gives you clearer controls over what data is shared with applications and websites when you choose to use them.

In the proposed privacy policy, we’ve also explained the possibility of working with some partner websites that we pre-approve to offer a more personalized experience at the moment you visit the site. In such instances, we would only introduce this feature with a small, select group of partners and we would also offer new controls.

So what does that mean? We’ve heard that select Facebook partners will now be able to look for your existing Facebook cookie to identify you, even if you never opted into Facebook Connect on the site you’re visiting. Using that, the third-party site will be able to display your friends and other key information. It’s possible that these sites will also be able to display any data you’ve shared with ‘everyone’, which is of course now the default option on Facebook.

Facebook’s draft privacy policy states that you’ll be able to opt out of these sites, and you’ll also be able to opt out of these ‘pre-approved’ experiences entirely. But by default, you’re all in. How convenient.

Here’s the language from the draft privacy policy itself. Note that the ‘About Platform’ page does not yet include a list of approved partners:

Pre-Approved Third-Party Websites and Applications. In order to provide you with useful social experiences off of Facebook, we occasionally need to provide General Information about you to pre-approved third party websites and applications that use Platform at the time you visit them (if you are still logged in to Facebook). Similarly, when one of your friends visits a pre-approved website or application, it will receive General Information about you so you and your friend can be connected on that website as well (if you also have an account with that website). In these cases we require these websites and applications to go through an approval process, and to enter into separate agreements designed to protect your privacy. For example, these agreements include provisions relating to the access and deletion of your General Information, along with your ability to opt-out of the experience being offered. You can also remove any pre-approved website or application you have visited here [add link], or block all pre-approved websites and applications from getting your General Information when you visit them here [add link]. In addition, if you log out of Facebook before visiting a pre-approved application or website, it will not be able to access your information. You can see a complete list of pre-approved websites on our About Platform page.

Here’s how Facebook defines the term ‘General Information’:

The term General Information includes your and your friends’ names, profile pictures, gender, connections, and any content shared using the Everyone privacy setting. We may also make information about the location of your computer or access device and your age available to applications and websites in order to help them implement appropriate security measures and control the distribution of age-appropriate content.