Privacy Digest

News that can impact your privacy.

Facebook changes the norms for web purchasing and privacy

Submitted by MacRonin on November 25, 2007 - 11:06pm
  • Activists
  • Advertising
  • Alert
  • Anonymity
  • Companies
  • Data Mining
  • Databases
  • Editorial
  • Hmmm
  • Infrastructure
  • Privacy
  • Remember
  • Reviews
  • Rights
  • Security
  • Surveillance
  • Tracking

Facebook changes the norms for web purchasing and privacy: There’s no global opt-out - no ability to tell Facebook, “Please stop posting my purchase behavior from any third-party sites to my feed.” You’ve got to opt out from each new partner you encounter, either by clicking on the window on the purchase site, or by turning off this “feature” for each partner on Facebook.

I had two reactions when I saw a demo of this feature on Tuesday. One was “Well, that looks like a good reason to get off Facebook.” And the other, hearkening back to my days as the creator of ad-driven user-created-content websites, was “Hot damn, someone finally did it.” Because, of course, this is the sort of information that ad targeting companies would kill for.

For me, the overwhelming feeling was one of uneasiness - in my head, at least, this isn’t how the web works. When you’re doing business with a website, your interactions have consequences only on that site, not on a completely unrelated website, right? Of course, that’s not true - it hasn’t been for a while. HTTP supports the ability to load items from multiple sites on the same webpage - you’re loading this page from ethanzuckerman.com, but the badge of flickr.com pictures in the sidebar is loading from flickr.com. It’s pretty common on content websites to accept ad banners loaded from a third party, and cookies set in your browser that can be used to track your browsing behavior between different sites. (Here’s a useful tool that allows you to detect ad-tracking cookies installed on your browser and opt out of those networks.)

So why is this alliance between Overstock and Facebook any different? Well, technically, it does something that’s unfamiliar and uncomfortable for people who’ve written web programs that use cookies. A cookie is supposed to be a secret string of information written by one website to your browser and accessible only to that website. You shouldn’t be able to write a script that asks for information in a cookie set by another server. (There’s a form of cross-site scripting attack called “cookie theft” designed to do exactly this.) It looks like Overstock is somehow accessing your profile information on Facebook, which it shouldn’t be able to do.

Of course, what’s actually happening is that when you load Overstock’s “transaction complete” page, you’re also loading something from Facebook, likely an invisible image, and a script, which allows Facebook to access your Facebook.com cookie, which contains account information. Because Facebook and Overstock are cooperating in building a joint webpage, they can do something that seems… unheimlich… to those of us who’ve been playing on the web for the last dozen years.

(Read Original Article - Via Ethan Zuckerman's musings.)
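
The mechanism described in the quoted article, as an added example that is not part of the original post and is not Facebook's or Overstock's code: a small JavaScript model of which cookies a browser attaches when a purchase page embeds an image from another site, and what the embedded site's server can then log. The hostnames, cookie values, the `blockThirdParty` option and the `sameSite` values are constructed for illustration, and the two-label site comparison is a simplification of the Public Suffix List check real browsers use.

```javascript
// Constructed cookie jar: one cookie per site, values are made up.
const sampleJar = [
  { site: "social.example", name: "session", value: "user-1234", sameSite: "None" },
  { site: "shop.example", name: "cart", value: "c-789", sameSite: "Lax" },
];

// Simplified "site" = last two host labels (real browsers use the Public Suffix List).
const siteOf = (url) => new URL(url).hostname.split(".").slice(-2).join(".");

// Which cookies accompany a subresource request (image, script) made
// while the browser renders pageUrl.
function cookiesForSubresource(pageUrl, resourceUrl, opts = {}, jar = sampleJar) {
  const resourceSite = siteOf(resourceUrl);
  const crossSite = siteOf(pageUrl) !== resourceSite;
  return jar
    // A cookie only ever goes back to the site that set it: the shop
    // never reads the social network's cookie, and vice versa.
    .filter((c) => c.site === resourceSite)
    // User-side mitigation: the browser refuses cookies on third-party requests.
    .filter((c) => !(crossSite && opts.blockThirdParty))
    // Site-side mitigation: SameSite=Lax/Strict cookies are withheld
    // from cross-site subresource requests.
    .filter((c) => !(crossSite && c.sameSite !== "None"))
    .map((c) => `${c.name}=${c.value}`);
}

// What the embedded party's server can log for one beacon request:
// its own cookie (who), the embedding page (where), the query string (what).
function whatEmbeddedServerSees(pageUrl, resourceUrl, opts = {}, jar = sampleJar) {
  return {
    cookies: cookiesForSubresource(pageUrl, resourceUrl, opts, jar),
    referer: pageUrl, // sent by default; a referrer policy can trim or drop it
    query: Object.fromEntries(new URL(resourceUrl).searchParams),
  };
}

const page = "https://www.shop.example/checkout/complete";
const beacon = "https://social.example/beacon.gif?item=movie-ticket";

console.log(whatEmbeddedServerSees(page, beacon));
console.log(whatEmbeddedServerSees(page, beacon, { blockThirdParty: true }));
```

The shop page never touches the other site's cookie; the link between identity and purchase is made on the embedded party's server, which is why blocking third-party cookies in the browser breaks the correlation while the per-partner opt-out the article describes does not change what is sent.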


Compilation © Copyright 1997-2010 Paul Hardwick, with Web Hosting provided by MacRonin.com.