Disclaimer: I’m certainly no expert on these matters, and I’d sincerely welcome some feedback from those who are more in the know — am I misunderstanding something on a technical level, being overly paranoid, or making a damned lot of sense? Or all of the above?
I’m very curious about this new “Like” button that Facebook have quietly rolled out in the last day or so. Across, oh, only the whole damn Internet! Superficially, this seems innocuous enough, but why do I have this uneasy feeling that Facebook has, this whole time, been building up a gigantic clone army and they’ve just given Order 66? Okay, so that’s a little towards the tin-foil-hat end of the spectrum, but it does seem something of a cause for caution.
Website admins, bloggers, etc. are now able (some might say encouraged) to implement the “Like” button on their sites, which they do so by adding a little bit of HTML code into their pages that loads a Facebook iframe. Have you seen it around the tubes yet? You will soon. The offender is described as pale blue, less than an inch wide, and is known to approach strangers with promises of love and adoration.
Now, there’s nothing particularly special about that, right? These kind of “Share” or “Follow” social-media links are all over the web these days. You’ll note that I have a selection of quick-share links at the bottom of this very article. So what’s the big deal? Well, there’s a fundamental difference — the majority of these sharing links are provided by a third party (in my case, Add This) or the blogging or web host. All they do is provide a mechanism to quickly send the pertinent link info to the social media platform in question, and so won’t make any connection for the majority of the people who just read the page and move on.
This Facebook one is potentially very different. Whenever a “Like”-enabled page is loaded in a visitor’s browser, a request is made to a Facebook server to serve the picture and other data such as how many others have “Liked” it. Now, I can only assume that the backend code allows Facebook to determine if the browser making the request (ie. the person viewing the page) is an authenticated Facebook user and therefore they have the opportunity to keep a record of sites that person visits when they’re not even using Facebook! The important thing to note here is that this doesn’t require the visitor to actually click the “Like” button. The mere act of loading the page passes information back to Facebook and, if you’re a logged in Facebook member, they now have a record of what you’re looking at.
I’ve never been too paranoid in the ongoing Facebook privacy controversies, as I lean towards the if-you’re-worried-about-Facebook-privacy-don’t-post-embarrassing-shit school of thought; not being an idiot helps, too.
But this seems a whole new level of privacy invasion, because it falls completely outside the control of the Facebook user to do anything about it. Normally, if you use the Facebook site, you’re doing so voluntarily on an opt-in basis, so I don’t really have a problem with Facebook collecting information about what you do on their site and using that information in a transparent and legal manner. You’re aware of what they are able to do, so you adjust your behaviour (and level of disclosure) accordingly. Similarly, clicking on a “Share” or “Like” link on a third-party website is an opt-in process, and you know full well that, by posting this link on Facebook, they will have a record of it. If you’re not happy about this, you don’t share such things on Facebook. But now, they seem to have given themselves the ability to log information about what sites their users merely visit without any consent whatsoever on the part of these innocent web surfers. That is just plain wrong.
I notice that IMDB have whole-heartedly embraced The Button, placing it on every Film Title and Person page. (Example.) Does that mean that Facebook will now be keeping a record of every movie I look up on there? Great. That’s bullshit. It’s none of their business what I choose to look at on the rest of the Internet, regardless of whether or not they have nefarious intentions for this information. It would be like if your bank was able to make a record of all the DVDs you rented at your video store; they may not have anything useful to do with that information, but the very fact that they were able to have it would be absurd, and troubling.
It seems to me that the only way to not have your browsing habits tracked in this way is to fully log-out of Facebook every single time before looking at other sites, which would be a major pain in the ass. And even then, I’m not 100% sure that would do it — there may well be other technical loopholes that are beyond my grasp.
And you know the most ironic thing about this whole business? It’s that Facebook have cunningly manoeuvred themselves in a position of such dominance on the social web, that everyone online seems only too happy to facilitate their dirty work. We’re all falling over ourselves to get a sexy “Like” button on our sites, meaning that Facebook will soon be in possession of the largest, accurate record of specific, identifiable individual’s online habits in the world. Scary stuff.
Sadly, even after writing all this, I still find myself foolishly wondering: it would be kinda cool and very handy for people to be able to quickly and easily “Like” my blog posts without even leaving the page. That is one amazing, magical button.
To paraphrase a great actress from a terrible film: So this is how online privacy ends. With thunderous applause…
This issue has (unsurprisingly) been generating a lot of discussion online. However, I’m surprised that everyone seems to be missing the most nefarious thing of all — the fact that Facebook will now be able to track its logged-in users everywhere on the web that has a “Like” button. Clicking on the damn thing to “Like” something is a red herring. Just having the button load in a user’s browser is enough for Facebook to make a record of the page that the user is looking at. The whole “Like” thing is just a ruse to get webmasters to install a user-tracker for them. It’s quite dastardly evil when you think about it.
Ha! I was right. And here’s how to prove it for yourself:
Make sure you are logged-in to Facebook (not actually on the site, just a persistent log-in will do). Then go to a site with a “Like” button. Here’s one. It should look something like this:
Now, ask youself, how could Facebook possibly know whether any of your friends have “liked” the page unless it knows who you are, and what page you’re looking at? The only explanation is that the “Like” button iframe is reading your Facebook cookie to identify you, so they now have a record of you visiting this page with no interaction or consent on your part.
Now try this: go to Facebook and log out. Then refresh the page with the “Like” button. See the difference:
Case closed. If you don’t want Facebook tracking your entire web-browsing habits then you have no choice but to actively log out before browsing other sites. It’s official — Facebook is “evil”!
Okay, it seems like there is a relatively straightforward way to disable this tracking. Thanks to Joonas’ comments below. You just need to make sure you browser is set to not accept third-party cookies, ie. cookies from a domain other than the page you’re currently browsing. In Firefox, you’ll find this on the “Privacy” tab of the Preferences. In Safari, it’s on the “Security” tab. All good, modern browsers should offer this feature.
One caveat, however: you’ll find that some sites will require third-party cookies in order to function correctly, such as the Comments on this very blog, as I’m using the Disqus comment system, which is hosted on their site. So you will need to add an exception to your cookie preferences. In Firefox, you’ll note the “Exceptions” button on that same “Privacy” tab. For this site, just add the domain “disqus.com” and click “Allow”. And you’ll need to keep an eye out for other sites that may require legitimate interaction with third-party services.
Sound like a hassle? Perhaps, yeah, which is why most browsers probably have third-party cookies enabled by default. Also, I don’t know that other browsers (I’m looking at you, Safari) allow you to add exceptions like this, so it’s all or nothing, which sucks. If anyone has instructions or advice for adding exceptions to other browsers, please post them in the comments below. And tell your friends. We can all do without Facebook keeping a record of our entire online life.
Yes, that’s right, that’s an actual, live “Like” button here on the page. Alas, it seems to be one of the only decent ways of getting promotion via social media. Hypocrite? Well, I wouldn’t do it if there weren’t a simple way to opt out of being tracked, which is detailed above. Just make sure you’re using a browser than can exclude 3rd-party cookies on a per-site basis.