The Facebook Like Button, and how it is following you around the web

There has been a lot of hype and talk around the Facebook Like button, and I do understand that the issues I raise in this blog post have been addressed before, I will cite some relevant literature at the bottom of this post.

In short, I fear that Facebook via the Facebook Like button which you can find on many high volume, mainstream sites, such as imdb, rottentomatoes, cnn, etc, is tracking you even if you are not logged into Facebook from your browser.

So, I have no solid evidence to say that they are DEFINITELY doing so, but I will explain why it is technically possible for them to do so. And well, the cynic in me thinks that if it is technically possible for facebook to log that my facebook id is on a given page, it will, regardless of whether or not I am logged in or not.

From this point onwards, I will be referring to all of various versions of the Like button, i.e. Like, Recommend, Fan, etc as the Facebook Like button.

So, the Facebook Like button can be implemented in one of two ways, using facebook’s XFBML or via the inclusion of a Facebook iFrame. FWIW, all of the instances of the Like button I have come across have been implemented using the iFrame approach, but I will look into the XFBML method of doing things soon and will blog about it then (he says …)

So, if you are a facebook user, and you have visited facebook
since the last time you cleared you cookies, you will have a facebook cookie in your browser. It is this cookie which allows facebook to inform you of how many of your friends have liked the page your browser is currently pointing to. An example of functionality can be seen in the below screenshot.

fblike

I am aware that if you are signed out of facebook you wont see your list of friends which are have already clicked the like button, you will end up seeing something like:

not logged in

So, given that the Like button is an iFrame, i.e. it is actually hosted on www.facebook.com, it means that facebook can read your facebook.com cookies, and they can tell whether you are logged in (to show you which are of your friends have “liked” the page before you). And well, technically this implies that they know who you are which enables them to tell whether you are logged in or not.

Dan Brickley created a neat drawing of the what a iFrame is actually doing (thanks Dan, and see below). The illustration highlights the fact that a page which seems to be coming from a given web address, if it includes an iFrame, is actually coming from multiple web servers.

This is danbri’s illustration of what an webpage which includes iFrame’s is actually doing

Dan Brickley's drawing of an iFrame
Some Right Reserved

This makes me class the Facebook Like button in the same category as ad tracking sites, insofar as the fact that if you turn up to a page with a Like iFrame, and you have a facebook cookie, you are in theory being tracked, regardless of whether or not you choose to click the Like button or not.

So, why do I class this in with ad trackers, I do this because of the fact that you are being tracked passively, i.e. regardless of whether or not you choose to like something, facebook is theoretically logging the fact that you have been to that website.

So, now to give an example :

Let’s say that you turn up to cnn.com can you visit the below article:

http://www.cnn.com/2010/US/07/29/wisconsin.roush.crash/

The page them subsequently loads up the following iFrame and serves it to you, it renders the Like button on the page, the iframe revolves to a url on facebook.com

http://www.facebook.com/plugins/like.php?action=recommend&…

By going to the first URL, you are also hitting the second one. Your user-agent, which based on http://panopticlick.eff.org/, is kinda uniquely identifiable, and is therefore in facebook’s logs. Given that the iFrame (second URL above) is hosted on facebook’s site, they CAN read your facebook cookies, am NOT saying that they do as I can’t prove that in anyway, but my guestimate is that if they are not, they will be in the future.

So, I can see three scenarios, which are relevant to this

  • A user is logged into facebook in their browser, and then visits a site in a different tab, not even knowing that the site has a facebook “like” button, because you will only become aware of the “like” button upon arriving at the page and having it in loaded in your browser, which is too late from my POV. This happened to me last night, and happened to me recently when I went to imdb (sighes).
  • A user is not logged into facebook, but has facebook cookies in their browser, they go to cnn.com, facebook knows (with a high probability) that a given facebook ID has visited a given site, by virtue of cookies and stuff
  • User has no facebook cookies, and then facebook will only get the user’s user-agent in their access logs, which I bet they store (even though once again I have no proof of this.

Ok, so solutions:

Solution 1 :

You can delete all of you facebook related cookies from your main browser (firefox being browser of choice), and then you can download another browser which you use for facebook’ing, so that you are no longer given facebook the option to track the pages you read on the web.

Solution 2 :

Which is the solution I am going for at the moment is that you can install Adblocker Plus and you can block all of the Facebook Like endpoints, using custom filters.

This is an export of my Facebook Like button filters, it is probably far from complete, and I will put it up a service which you can subscribe to in Adblocks Plus, and will update the list of URLs as and when I come by them (will blog post when I am done with this.)


[Adblock]
! Checksum: 1+81iD/9dKSZiqqW6WtQxA

http://www.connect.facebook.com/widgets/likebox.php?*

http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php?*

http://www.connect.facebook.com/widgets/like.php?*

http://www.connect.facebook.com/widgets/fan.php?*

http://www.facebook.com/plugins/fan.php?*

http://www.facebook.com/widgets/likebox.php?*

http://www.facebook.com/plugins/likebox.php?*

http://www.facebook.com/plugins/like.php?*

http://www.facebook.com/widgets/fan.php?*

http://www.facebook.com/widgets/like.php?*

The following screenshot, shows what my current step looks like in Adblocker plus:

Adblock

My colleague Vaidas Jablonskis (who is awesome), pointed me to Adbocker Plus which is also totally awesome :)

Finally, it is worth mentioning that I am not sure whether or not all of these sites which have facebook like buttons are explicit about the fact that their users CAN be tracked passively by facebook. Or whether reputable brands like CNN have any form of agreement with Facebook regarding whether or not their users are being track. Are any of these big companies, breaking their terms and conditions ?

I will post an update on step by step instructions regarding how to subscribe to my Adblock filter list of facebook like buttons endpoints soon.

So, I suggest people download and install Adblock and block facebook like buttons, and subsequently install the Facebook Like plugin , so that they are no longer being passively tracked by Facebook, and so that they are in control of when they tell Facebook that they like a given web page.

Finally, links to existing literature in this space:

http://techcrunch.com/2010/04/23/like-buttons-evil-facebook-not-open/

http://philosophicalzombie.net/post/540799211/has-facebook-just-become-the-evil-empire-whats-wrong

Comment, corrections, or a simple “you are wrong because …” are very welcome :)

Happy Interneting People

12 comments

  1. Chris Bailey · July 30, 2010

    Hi there Mischa,

    Interesting article but let’s not point a finger at FB too quickly when Google are still way ahead in the dangerous enemy stakes.

    Their widely used api and analytic scripts runs directly inside the webpage (not another iframe) and so not only can they track you but they also have access to all your browser cookies for each domain!

    Chris.

  2. Mischa Tuffield · July 30, 2010

    Hi Chris, you are 100% correct, Google are still way ahead of the pack on this. But at least they are extremely explicit out the fact that the analytic network is a tracking, advertising one.

    My main issue with the facebook like button is that is masquerading as a social component which one may add to a site, when I am not convinced that this is their true intention. And secondly, on a similar note, I am not sure that service providers which host the facebook like button are being transparent with their users regarding the fact that they are being tracked by another company profiting by serving ads based on the pages which you visit.

  3. npdoty · July 30, 2010

    I don’t think there’s any speculation necessary: Facebook states clearly in their help pages that they track which external pages you view that contain social plugins and that such history is associated with your Facebook account for 90 days. They say such information isn’t shared or used for targeted advertising. It’s also clear from the documentation that they provide no way to opt out and don’t believe you have any reason to.

    http://www.facebook.com/help/?topic=socialplugins

    Thanks for pointing it out, I hadn’t looked into this particular tracking mechanism before and it seems particularly egregious (associating with real names, no opt out).

  4. Mischa Tuffield · July 30, 2010

    Fair enough, thanks for the link, my next course of action was to trawl through their documentation. I will have a thorough read of it now. Given that they are so forward about their intentions, I now strongly believe that people which serve up the “like button” on their pages, should be explicit about this in their terms and conditions, and that they should at bare minimum point to the page you linked to above. Thanks for the link !

    At this point I am going to state that I am well aware that Google is tracking me, and trust me I do my best to stop it from happening (will blog post in the future), and that I am not simply having a go at facebook for the heck of it. I have a facebook account, and do use it like a locked down social networking site, as per its behaviour when I signed up (FWIW they are kinda good at it), but I just don’t want them to track around the web.

    I wonder whether the page above is linked to from their privacy policy, I should have a look at the change log :

    http://www.tosback.org/policy.php?pid=39

    I will look out for changes occurring around the time of the release of the social graph api stuff at f8 this year.

    Thanks for the link :)

  5. Steve Harris · July 30, 2010

    I don’t believe they’re using the User-Agent: thing for one moment. It’s inpractical, and would be very easy to detect.

  6. Pingback: Wilted buttercup, grey skies, and geek» Blog Archive » HTTPS: Making more use of SSL
  7. Hugh Glaser · July 30, 2010

    Thanks guys, very helpful.
    I’ve been wondering for a while what to do about finding Like buttons, so the suggestions are helpful.
    Any intelligence for Safari?

    Mind you, not only may CNN etc. be confronting some of the issues above, I sort of wondered whether FB might be paying them to do it (or vice versa).
    Call me a cynic, but there is possible value for both parties.

    • Mischa · July 30, 2010

      Hi Hugh,

      No sadly not, I basically don’t use Safari that often, I have it as my “stateless” browser, where I run it in “private browsing” and have cronjobs continuously killing caches [1]

      Yeah, I too can see how both parties would be extracting value from the Like button. A part of me sees the humour that one of the larger deployments of RDF to the web could be Facebook’s opengrapthprotocol RDFa, which is about as proprietary as one could imagine. Nonetheless, it is a still pretty innovative, and clever of facebook.

      [1] http://mmt.me.uk/blog/2009/11/15/private-browsing-with-safari/

  8. Pingback: Wilted buttercup, grey skies, and geek» Blog Archive » Disabling Referer Headers in Firefox
  9. Pingback: Wilted buttercup, grey skies, and geek» Blog Archive » NHS.uk allowing Google, Facebook, and others to track you
  10. haxftw.com/ · July 30, 2010

    awesome blog Mischa! keep up the great work :)

  11. Pingback: UK National Health Service — using Facebook as a tracker | Piracy Network