I recently saw this paper: “Facebook Tracks and Traces Everyone: Like This!”
(download the PDF)
Every time you merely visit a site that displays a Like button, data is sent to Facebook which includes the address of the site you are visiting. Assuming you’ve also logged into Facebook, they have all the information they would need to associate these external page views with your Facebook identity.
What are they actually doing with this data? Possibly nothing, but I don’t see any statement saying “Don’t worry, we don’t store web page URLs you view, even though we could”. The usual guff about ‘anonymized’ data and cookies being required for functionality doesn’t quite cut it with me. This is Big Brother stuff, and they need to be crystal clear about what they could do and what they are doing.
I can’t say I’ve thought about this until now, and it’s nothing particularly new on the surface anyway. Banner ads have historically been able to track your browsing history. Each advert sets a cookie in your browser (just a simple identifier). When you visit another site with ads served by the same provider, this cookie will be sent back with the referring URL.
Bingo! The ad provider knows a portion of your browsing history. Of course the ad serving company may have no idea who you are – you’re just a number. But the same can’t be said of Facebook.
This privacy leak with display advertising is easily plugged by your browser refusing third party cookies. It knows that the ads aren’t what you’re really visiting for – these cookies probably don’t enable any useful functionality, so they may as well be blocked – no harm done.
So all good then, just block third party cookies and Facebook can’t track you? Not quite!
The Like button is different to dumb display advertising because the ‘third party’ is a site you’re actually going to visit. As a Facebook user, even if you’re blocking third party cookies, you’re still going to be sending back this data.
Here’s a bit of techie explanation of how Facebook gets around third party cookie blocking –
The third party cookie loophole
If you visit facebook.com directly (never mind logging in – just visit) the tracking cookie will be set in your browser, because it isn’t [in this instance] third party. To avoid this, you’d have to set your browser to completely reject all persistent cookies. This is problematic and most browsers don’t provide very good options for this.
The upshot of this is that after visiting Facebook, the tracking cookie will still be sent to Facebook when any Like buttons are loaded on other sites, regardless of third party cookie blocking settings. This actually makes sense, because this is exactly what cookies are designed to do.
I tested this in Chrome, Safari and Internet Explorer and they all render third party cookie blocking useless once you’ve visited facebook.com. Interestingly, my version of Firefox seems to be extra strict – it recognises that this cookie was originally third party and refuses to send it. (This actually breaks the Like button, because it doesn’t know when you’re logged in to Facebook.)
Even if you log out of Facebook, the tracking cookie is still sent, because the cookie has a two year expiry. The only way to avoid this is to delete all Facebook cookies from your browser, or surf in your browser’s incognito/anonymous mode.
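The loophole described above, modelled as an added example (not code from the original post or from any browser): a cookie jar that only refuses to set third-party cookies still sends one that was set during a first-party visit, while a stricter policy that also withholds it behaves like the Firefox result reported above. The names `makeBrowser` and `trackerLog`, the policy labels, the `.example` hosts and the cookie value are all assumptions made for illustration.

```javascript
// Constructed model of a browser cookie jar (hypothetical names, not real browser code).
// Policies:
//   "allow-all"          - no third-party restrictions
//   "block-set"          - third-party responses may not SET cookies; stored ones are still SENT
//   "block-set-and-send" - additionally withhold stored cookies in third-party context
function makeBrowser(policy) {
  const jar = new Map(); // cookie host -> cookie value
  return {
    // topSite: site in the address bar; host: server receiving this request;
    // setCookie: cookie the response tries to set (or null).
    request(topSite, host, setCookie) {
      const thirdParty = topSite !== host;
      const restricted = thirdParty && policy !== "allow-all";
      const withhold = restricted && policy === "block-set-and-send";
      const cookieSent = jar.has(host) && !withhold ? jar.get(host) : null;
      if (setCookie && !restricted) jar.set(host, setCookie);
      // What the receiving server can log: its own cookie plus the embedding page.
      return { cookieSent, referer: thirdParty ? topSite : null };
    },
    deleteCookies(host) { jar.delete(host); },
  };
}

// Replays a short session and returns what the widget host could log.
// social.example stands in for the site serving the embedded button.
function trackerLog(policy, { visitWidgetHostFirst, deleteBeforeBrowsing = false }) {
  const browser = makeBrowser(policy);
  const widgetHost = "social.example";
  if (visitWidgetHostFirst) browser.request(widgetHost, widgetHost, "id=123"); // first-party visit
  if (deleteBeforeBrowsing) browser.deleteCookies(widgetHost);
  const log = [];
  for (const site of ["news.example", "shop.example"]) {
    const seen = browser.request(site, widgetHost, "id=123"); // button embedded in the page
    log.push(`${seen.cookieSent ?? "anonymous"} viewed ${seen.referer}`);
  }
  return log;
}

console.log(trackerLog("block-set", { visitWidgetHostFirst: false }));
console.log(trackerLog("block-set", { visitWidgetHostFirst: true }));
console.log(trackerLog("block-set-and-send", { visitWidgetHostFirst: true }));
```

With "block-set", a single first-party visit is enough for every later page view to carry the identifier; deleting the widget host's cookies returns the log to anonymous entries.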
First of all, I wouldn’t be surprised if we started seeing Facebook-served advertising outside of Facebook.com. This would give Google AdWords some serious competition. (I’d welcome that in itself.) They just got a nice bit of pocket money to get cracking on a project like that.
But there’s still this invasion of privacy to deal with. We can debate the small print all day, but I don’t see any clear statement from Facebook that they aren’t associating passive browsing data with specific Facebook accounts, and I doubt very much that the average Facebook user is aware they have this power.