First, I went to Amazon and bought a CD by the Carter Family, one I'd been meaning to buy for a while. I was already logged into Facebook. Nothing about my purchase showed up on Facebook.
Then I went to epicurious.com, and created a new account, using the same email address I use for Facebook. This is important; I use site-specific email addresses normally, so the email address I use at Amazon is different from the one I use at Facebook. As soon as I finished the account creation process, an Ajax popup came and went very quickly at the bottom of the screen. And when I went to Facebook, I had this in my personal news feed:
Nothing appeared in my public news feed, thanks to the changes Facebook made after the outcry I suppose. I clicked "Remove" and that was the end of that.
So the answer to the question I've been asking for more than a week ("How does Facebook know?") is not magic, it's not cookies, it's just a simple matching of email addresses on your various accounts. And at this point, I have no problem with what they're doing, since they placed a big honking notice at the top of my personal feed telling me what they were going to do, and requiring me to click "Okay" before they did it. Which I did not, so my privacy remains intact.
I gather that the original version of the program would have placed that notice in my public feed and required me to remove it. That is, indeed, unacceptable behavior, and much worse than what I had originally thought htey were doing. But to my mind they've sufficiently addressed the issue, and it's nice to see that public pressure can accomplish something.
In addition, it's a lesson once again that the less you spread around your email address, the better off you'll be. Using site-specific email addresses has saved me a tremendous amount of spam (I know who's sending it, and can turn off or ignore the address) but it also has a privacy benefit as well.