azurelunatic: panic button.  (panic)
Azure Jane Lunatic (Azz) 🌺 ([personal profile] azurelunatic) wrote 2011-09-26 10:15 pm

Pandora & Facebook vs. you

If you do not have a Pandora.com account, this message is not for you.

If you have a Pandora account, and have a Facebook account, or have logged into Pandora on a computer that's logged into someone's Facebook account, go check your profile settings.

If you have a Pandora account, the profile is public, and your Pandora name is not the same as your Facebook name and you need to keep them separate, go now.

http://www.pandora.com/#/account/privacy

Facebook integration with websites allows the website to pull publicly accessible information from your Facebook profile, such as the profile picture, your friends, and things you have "liked".

On most websites, this is used to show you things that your friends have liked, along with their pictures in case you know their picture faster than you know their name. Crucially, this is shown to you, and perhaps to their ad server and statistics people. Most services asking for a stronger connection to Facebook will ask you first, and tell you what they're going to put where.

On Pandora, they added a new setting: "Allow Pandora to import my profile photo, music favorites, and friends list from Facebook." This setting was automatically turned on.

The profile photo imported from Facebook is prominently displayed on the Pandora user profile. If a person has a different Facebook name from their Pandora name, this can be used to link the two profiles. If a person has reason to not connect the two services, they are now at risk.

[Edit: It does not matter if you never ticked a box on Pandora to connect you to Facebook. They created the box already ticked, and it does not use the familiar Facebook "please connect me" dialog. It looks at your cookies or some such. Based on that, it then accesses public information from the logged in Facebook account to show on the Pandora profile.]


I am sitting here breathing slowly, and I feel a high-blood-pressure headache forming. I really don't have words to express the depth of my emotion that can also be said in polite society. I am strongly considering writing up a stiffly worded letter of complaint, taking BART across the Bay, and hand-delivering it. Why write a letter when I am thinking of marching in to the office? Well, for one, a letter is less ephemeral than a person in one's lobby, as a person will eventually leave, and for two, a person in one's lobby is more likely to be asked to leave prematurely if that person is screaming obscenities, and I would really rather be taken seriously.


Facebook has now lost its privileges of running in any non-isolated browser on my machines, and it should have lost them three years ago. EA should feel happy, because I had to think twice about deleting my Facebook account because I've been playing games, and once I thought twice I did remember that I do have friends on Facebook who I still like to keep in contact with.
foxfirefey: Smiley faces are born through factorized mechanical torture. (grimace)

[personal profile] foxfirefey 2011-09-27 05:37 am (UTC)(link)
I'm a paid member of that service and just wrote them a complaint letter.
foxfirefey: A headless unicorn from Diesel Sweeties. (headless unicorn)

[personal profile] foxfirefey 2011-09-27 05:39 am (UTC)(link)
Fortunately, I do not stay logged in to Facebook, so I doubt they got linked. It wouldn't be a big deal if they did, but geez mateez, they could have at least asked in a pop up.
foxfirefey: A wee rat holds a paw to its mouth. Oh, the shock! (myword)

[personal profile] foxfirefey 2011-09-27 05:46 am (UTC)(link)
I don't, but maybe since my profile is private it didn't integrate? That's a possibility. I also don't tend to allow FB JS to run in my main browser.
Edited 2011-09-27 05:46 (UTC)
cleverthylacine: a cute little thylacine (Default)

[personal profile] cleverthylacine 2011-09-27 04:28 pm (UTC)(link)
I have adblock set up to kill some of that, you might have done the same.
foxfirefey: An x-ray of two skulls licking each other. (skull lick)

[personal profile] foxfirefey 2011-09-27 04:32 pm (UTC)(link)
Another factor is FB has a blocked applications page, and when I heard that they were letting some applications do this without a by-your-leave, I made sure to go block them on the FB side, and Pandora was included.
dreamatdrew: Spider Jerusalem's shades (sort of) with the text "I hate it here" hovering above (ihateithere)

[personal profile] dreamatdrew 2011-09-27 09:04 pm (UTC)(link)
Logged-out makes for jack-shit with the new fb bullshit. If there's a FB cookie there, and they have the FB integration code on the page you look at, it sees it and can automagically get your FB data even if you are logged-out.

Nuke it* from orbit.. it's the only way to be sure.


* Substitute "Facebook" or "the Facebook cookie" for "it" as is your preference.
ilyena_sylph: picture of Labyrinth!faerie with 'careful, i bite' as text (Default)

[personal profile] ilyena_sylph 2011-09-27 05:47 am (UTC)(link)
AUGH, Pandora, AUGH.

I have PandoraOne, but I have never had a facebook account, so at least I didn't get caught in this latest shenanigan.
batrachian: Sonoda-san (Megatokyo) with glasses off, rubbing his forehead (Sonoda)

[personal profile] batrachian 2011-09-27 06:41 am (UTC)(link)
Same here. Well, I _have_ a Facebooger account, but never linked it to, well. Anything, and definitely not my Pandora acct. Starting to be glad that I made that decision...
batrachian: Sonoda-san (Megatokyo) with glasses off, rubbing his forehead (Sonoda)

[personal profile] batrachian 2011-09-27 12:58 pm (UTC)(link)
JFC. Now I'm _really glad_ I've not logged in to my Facebook account on this computer. Ever.

*borrows a completely different computer to sow said account with fire & salt*
emceeaich: Big rocks from outer space solve many problems. (boom)

[personal profile] emceeaich 2011-09-27 07:20 am (UTC)(link)
Any active facebook cookie can be used to correlate activities between sites.

All a site has to do is reference a resource (image or script) hosted on facebook; if you have an active facebook cookie, it will be returned with the request, along with the site referring the request. Now facebook is aware you are on the other site.

The only secure way to prevent this is to actively remove their cookies (and facebook can always set a cookie regardless of if you are logged in, all you have to do is load a resource hosted on facebook, they send a cookie back in the response headers.)

Cookies persist after logout, and there are other techniques to track you, such as so-called flash cookies and newer storage APIs.
wibbble: A manipulated picture of my eye, with a blue swirling background. (Default)

[personal profile] wibbble 2011-09-27 12:55 pm (UTC)(link)
Tracking users is great - there's cookies, there's cookies across multiple domains, there's Flash cookies, there's the HTML5 storage options, and then you get the REALLY sneaky stuff - using etags and browser caching to assign a known ID to a visitor.

It's all but impossible to stop a determined website which has JS or images included on other sites from tracking you. Even 'privacy' mode in your browser might not be enough to stop it.
emceeaich: Big rocks from outer space solve many problems. (boom)

[personal profile] emceeaich 2011-09-27 01:35 pm (UTC)(link)
Actually, you can through defense in depth.

1. Block facebook and fbcn.net/.com at the router.
2. Run ghostery plugin with blocking turned on.
3. On my macs I run cookie.app which removes cookies, flash cookies, and HTML5 persistent storage api cookies.
stromatolite: Warcraft dwarves making a toast. (wow - brewfest)

[personal profile] stromatolite 2011-09-29 03:17 am (UTC)(link)
Can you give me more details about cookie.app? Googling only gets me food-related results.
wibbble: A manipulated picture of my eye, with a blue swirling background. (Default)

[personal profile] wibbble 2011-09-29 11:38 am (UTC)(link)
If you're blocking all access to Facebook, then you probably don't use Facebook so they have no account to tie you to and there's no major privacy threat.

If you're not, the etags tracking approach will get around steps 2 and 3 and sounds pretty simple to implement. The solution there would be to use a proxy server that strips out etags headers for known-bad domains. (You don't want to do it for all domains, since it's essential for proper caching and can really screw up some websites.)

But even then, the EFF's Panopticlick reckons I'm unique, and the more steps you take to customise your browsing the more likely you are to be unique too: http://panopticlick.eff.org/

The only effective solution is to not use/have accounts with Facebook or any other site which has content embedded in third-party websites. That includes Twitter and Google.
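
The proxy rule suggested in the comment above (strip ETag headers, but only for known-bad domains), sketched as an added example that is not part of the original thread or any commenter's code. The domain list and function names are constructed for illustration, and forcing `Cache-Control: no-store` is an extra step of this example, not something the comment proposes.

```python
# Added example: header filter a local proxy could apply per request/response.
# TRACKER_DOMAINS is a constructed placeholder list; substitute your own blocklist.
TRACKER_DOMAINS = {"tracker.example", "cdn-tracker.example"}

# Validators a server can use as a cookie-less visitor ID, and the request
# headers through which the browser cache echoes them back on later visits.
RESPONSE_VALIDATORS = {"etag", "last-modified"}
REQUEST_VALIDATORS = {"if-none-match", "if-modified-since"}


def is_listed(host, domains=TRACKER_DOMAINS):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().split(":")[0].rstrip(".")  # drop port and trailing dot
    # Match on label boundaries so "nottracker.example" is not caught.
    return any(host == d or host.endswith("." + d) for d in domains)


def filter_request(host, headers):
    """Drop conditional-request headers bound for listed hosts."""
    if not is_listed(host):
        return list(headers)  # leave normal caching alone everywhere else
    return [(k, v) for k, v in headers if k.lower() not in REQUEST_VALIDATORS]


def filter_response(host, headers):
    """Drop validators from listed hosts and tell the browser not to store the body."""
    if not is_listed(host):
        return list(headers)
    kept = [(k, v) for k, v in headers
            if k.lower() not in RESPONSE_VALIDATORS | {"cache-control", "expires"}]
    # Without this, a uniquely generated cached body could still act as an ID.
    kept.append(("Cache-Control", "no-store"))
    return kept


def demo():
    """Constructed exchange: a response that assigns an ID, then the replayed request."""
    resp = [("Content-Type", "image/gif"), ("ETag", '"visitor-8f3a"'),
            ("Cache-Control", "max-age=31536000")]
    req = [("Accept", "image/*"), ("If-None-Match", '"visitor-8f3a"')]
    return (filter_response("px.tracker.example", resp),
            filter_request("px.tracker.example:443", req),
            filter_response("static.shop.example", resp))


if __name__ == "__main__":
    for result in demo():
        print(result)
```
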
emceeaich: A close-up of a pair of cats-eye glasses (Default)

[personal profile] emceeaich 2011-09-30 01:17 am (UTC)(link)
But any request to facebook will still leave a log record, and that would return a long-lived tracking cookie.

I've been using ghostery to block any requests from known tracking domains, rather than running an etag stripping proxy, but if I were to put a proxy behind my router for everything on the home network, that would be interesting.

I do use twitter, but I use an app for it, and never log in or keep cookies unless I'm doing account management. Otherwise ghostery's blocking any twitter includes.
wibbble: A manipulated picture of my eye, with a blue swirling background. (Default)

[personal profile] wibbble 2011-09-30 03:16 pm (UTC)(link)
If you don't have an account, there's no value in tracking you as you're not one of their saleable users.

Also, under EU rules regarding cookies/tracking, tracking you without permission (which can be implied by creating an account, maybe) is probably illegal.

In a technical sense, I think the etags trick is almost certainly illegal in the EU unless your users have specifically opted in to tracking.
ilyena_sylph: picture of Labyrinth!faerie with 'careful, i bite' as text (Default)

[personal profile] ilyena_sylph 2011-09-27 07:48 pm (UTC)(link)
This is good stuff to know, thank you.

*is yet more grateful my response to FaceBook has always been 'kill it with fire, kill, kill!!'*
cme: The outline of a seated cat woodburnt into balsa (Default)

[personal profile] cme 2011-09-27 07:39 am (UTC)(link)
Thank you for posting this.

I have given my FB friends 48 hours notice to ask me where else to find me before I kill the account, because I am sick of playing this kind of whack-a-mole.
triadruid: Apollo and the Raven, c. 480 BC , Pistoxenus Painter  (Default)

[personal profile] triadruid 2011-09-27 11:59 am (UTC)(link)
May I repost on FB, or is that pushing the boundaries for you? I have friends who would likely want to know this stuff, but you've already explained it eloquently.

[personal profile] torrilin 2011-09-27 12:23 pm (UTC)(link)
So glad I didn't sign up for Facebook now...
wibbble: A manipulated picture of my eye, with a blue swirling background. (Default)

[personal profile] wibbble 2011-09-27 12:55 pm (UTC)(link)
This is the new Open Graph thing. Expect to see it on half the websites you use in the near future.
caorann: (Hawaii 5-0 Danno- Give Me Patience!)

[personal profile] caorann 2011-09-27 01:57 pm (UTC)(link)
Thanks for this! I'm a PandoraOne member, and I'm planning on writing them an email about this. This is ridiculous. I hate FB so much, and if my family didn't insist on keeping in touch using it, I'd drop it in a heartbeat.
cleverthylacine: a cute little thylacine (Default)

[personal profile] cleverthylacine 2011-09-27 04:27 pm (UTC)(link)
Clicking the privacy link now takes you to a page that says nothing but "PANDORA INTERNET RADIO". It might be different if you are logged in though. I just checked all the main emails I've used over the years using the forgot password link to make sure I hadn't created an account and forgot about it (I used to do that kind of a lot); fortunately I have not.
foxfirefey: A fox colored like flame over an ornately framed globe (Default)

[personal profile] foxfirefey 2011-09-27 04:33 pm (UTC)(link)
I'm logged in, so it does forward correctly.
starwatcher: Western windmill, clouds in background, trees around base. (Default)

[personal profile] starwatcher 2011-09-27 05:37 pm (UTC)(link)
.
Thank you. I don't use either site, but I'm giving my friends a heads-up, and sending them here to get the down-low.
.
vass: Warning sign of man in water with an octopus (Accidentally)

[personal profile] vass 2011-09-27 10:32 pm (UTC)(link)
At last, a reason to be glad Pandora doesn't offer its services to dirty foreigners. I used to use a proxy to listen, but I got tired of paying a monthly fee for the proxy.

Like you, I signed up for Pandora under a name I don't want searchably linked to my birth certificate name.

I've never used Pandora on this computer, so I should be safe. (And I just killed Facebook's cookie with extreme prejudice. I will now make a routine of doing so every time I log out, since they're such terrible internet citizens that this is necessary.)

Time to read TSN fanfic in which Mark Zuckerberg is put in the most humiliating and mortifying situations possible. If I can find a fic where someone takes his private data and does horrible things with it, I'll start with that.
vass: Icon of Saint Ignatius being eaten by lions (eaten by lions)

[personal profile] vass 2011-09-28 12:01 am (UTC)(link)
It was that or lolcats. (I don't know where I found that, but it makes me laugh every time. Poor little Eduardo Saverin Kitten.)
majoline: picture of Majoline, mother of Bon Mucho in Loco Roco 2 (Default)

[personal profile] majoline 2011-09-28 04:24 am (UTC)(link)
Thank you for the message. I went and logged off of and unclicked all the new settings I'd never noticed. :(

I stopped using facebook because I didn't know exactly what was going on when this started about a year ago (I noticed facebook trying to sign me into their site when I got linked to something from lifehacker) and I just am shaking my head at the sheer nerve of them to do something like this.

Oh yeah, and Ctrl-Shift-P in Firefox brings up "private browsing", i.e. it doesn't permit cookies and anything that you have to allow to use the site gets deleted when you close the tab/window.
snakeling: Statue of the Minoan Snake Goddess (Default)

[personal profile] snakeling 2011-09-28 07:46 pm (UTC)(link)
I don't use Pandora, but I've been fed up with FB for some time now, and that spurred me into action. I deleted my FB account and blocked it at hosts level so that I can't accidentally log in again. Now I just need to find whether my smartphone has a hosts file to edit.
attie: Cross with a giant Timcanpy of DOOM on his head. (dgm - giant timcanpy of doom)

[personal profile] attie 2011-09-29 08:12 pm (UTC)(link)
Is this still the same thing that was announced something like a year ago? I remember reading about FB doing this automatic integration on other sites thing, with pandora and microsoft docs and a third site I can't remember. I never used either, but I was still all O NO YOU DON'T and tried to turn it all off (well, clicked on some things and hoped facebook would honor it. not that I trust them to.)

I use a separate browser for facebook, and have it blacklisted on both adblock and noscript in my main browser, and I'm still resigned to them inevitably finding out everything I do online. I'm curious to see what their algorithms are going to dig up when the new "show all the important moments of your life" profile goes online. If I weren't so incredibly lucky that I don't have any skeletons I'm afraid of facebook dragging out of the closet while I'm not looking, I would long have deleted all old content, or (now that you can) used the "change all old posts' maximum sharing level" to make everything visible only to me.

Time to go try and see if I can make a decent photograph of my passport with my iPhone, I really want to see their database dump of my account!
ext_4696: (Default)

[identity profile] elionwyr.livejournal.com 2011-09-27 12:36 pm (UTC)(link)
May I cross post this, perhaps sans the last two paragraphs?