Update: Yahoo! has published an Op-Ed response to this article here.
So last night, I was cruisin' the socmeds. I came upon the new viral video, "Happy Birthday David" for Ridley Scott's "Prometheus" Science Fiction movie which is coming out in in June. If you're a fan of the "Alien" series and "Blade Runner" this is a flick you definitely are going to want to see.
I was intrigued about certain plot elements, so I started doing some Google searches. One of the entries that came up was on one of the Yahoo properties. I clicked on the link in the search results.
It was late, I was in my office, the lights were out, and I was squinting at my monitor. What came up was a dialog like the one above. (Note: Do NOT click on "Okay, Read Article")
I must have glazed right over the verbiage. As first glance, it looks rather innocuous. Instead of the usual "Authorize" on the upper right you get for most Facebook-connected apps, you get a "Okay, Read Article" prompt.
That's pretty scummy social engineering, because if the verbiage was "Authorize Yahoo" I might not have done it.
However, It's the verbiage on what's on the lower right that is completely insidious.
As I explained in an earlier piece, I have really crappy vision. On a 27" monitor, the verbiage on the lower right essentially is invisible unless I blow it up pretty big. I suspect plenty of people with good eyesight would probably glaze over it as well.
Should you click "Okay, Read Article" the following appears on your Facebook Timeline activity profile:
Once you've authorized Yahoo that first time, all future reads of articles on their web sites are also posted to your profile, whether you like it or not. The only way to stop it is to remove the app authorization in your Facebook privacy settings. Which I promptly did after one of my friends alerted me as to what was going on.
Now, broadcasting to all my friends that I read about an upcoming SF blockbuster film is really not a big deal. Status updates, likes and app activity on my Facebook profile is limited only to my friends, and nobody in the outside world can see any of it or share it.
However, I really do not want my friends seeing everything I'm reading on the Yahoo properties, regardless of subject matter. The story could have been about, I dunno, much more controversial stuff. It may have been about political candidates, human sexuality, terrorism, or any number of things I don't wan't people inferring I think about one way or another.
If I want to share a story or a link, I'll do it on my own terms.
Keep your damn purple tentacles off my Facebook profile, Yahoo!
Now, it just so happens that I caught and understood exactly what Yahoo did because it was exploiting the Facebook Open Graph API to its own advantage. Your average user might not have caught this, though.
In some degree of fairness to Yahoo, they aren't the only company which is exploiting Open Graph in this way, and it is really Facebook that is providing the tools to these partners for "Molesting" your timeline. The company has been doing this at least since fall of last year, when the Open Graph API partnerships with 17 initial partners was launched.
Other content partners are doing the same type of "Oversharing" apps, and this has come under a great deal of criticism in the past months.
Had I not locked my profile down to be visible only to my friends, that activity of reading an article would have been broadcasted to everyone.
Anyone who clicked on an unsecured profile could have seen that article reading activity -- a potential employer, a stalker, anybody.
Beware of Yahoo and its purple Open Graph tentacles. And review your app permissions and read the fine print on all app requests, with extreme vigilance.
Has Yahoo or another one of Facebook's Open Graph partners molested your Facebook profile lately? Talk Back and Let Me Know.