Is Facebook tracking your web browsing history?

January 7th, 2011

I recently saw this paper: “Facebook Tracks and Traces Everyone: Like This!”
(download the PDF)

Short version

Zuckerberg's 'open' and 'connected' world

Every time you merely visit a site that displays a Like button, data is sent to Facebook which includes the address of the site you are visiting. Assuming you’ve also logged into Facebook, they have all the information they would need to associate these external page views with your Facebook identity.

What are they actually doing with this data? Possibly nothing, but I don’t see any statement saying “Don’t worry, we don’t store web page URLs you view, even though we could”. The usual guff about ‘anonymized’ data and cookies being required for functionality doesn’t quite cut it with me. This is Big Brother stuff, and they need to be crystal clear about what they could do and what they are doing.

Long version

I can’t say I’ve thought about this until now, and it’s nothing particularly new on the surface anyway. Banner ads have historically been able to track your browsing history. Each advert sets a cookie in your browser (just a simple identifier). When you visit another site with ads served by the same provider, this cookie will be sent back with the referring URL.

Bingo! The ad provider knows a portion of your browsing history. Of course the ad serving company may have no idea who you are – you’re just a number. But the same can’t be said of Facebook.

This privacy leak with display advertising is easily plugged by your browser refusing third party cookies. It knows that the ads aren’t what you’re really visiting for – these cookies probably don’t enable any useful functionality, so they may as well be blocked – no harm done.

So all good then, just block third party cookies and Facebook can’t track you? Not quite!

The Like button is different to dumb display advertising because the ‘third party’ is a site you’re actually going to visit. As a Facebook user, even if you’re blocking third party cookies, you’re still going to be sending back this data.

Here’s a bit of techie explanation of how Facebook gets around third party cookie blocking:

The third party cookie loophole

If you visit facebook.com directly (never mind logging in – just visit) the tracking cookie will be set in your browser, because it isn’t [in this instance] third party. To avoid this, you’d have to set your browser to completely reject all persistent cookies. This is problematic and most browsers don’t provide very good options for this.

The upshot of this is that after visiting Facebook, the tracking cookie will still be sent to Facebook when any Like buttons are loaded on other sites, regardless of third party cookie blocking settings. This actually makes sense, because this is exactly what cookies are designed to do.

I tested this in Chrome, Safari and Internet Explorer and they all render third party cookie blocking useless once you’ve visited facebook.com. Interestingly, my version of Firefox seems to be extra strict – it recognises that this cookie was originally third party and refuses to send it. (This actually breaks the like button, because it doesn’t know when you’re logged in to Facebook).

Even if you log out of Facebook, the tracking cookie is still sent, because the cookie has a two year expiry. The only way to avoid this is to delete all Facebook cookies from your browser, or surf in your browser’s incognito/anonymous mode.
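A toy model of the loophole described above, added here as an illustration (it is not code from the paper or from any real browser). The policy names, the `news.example` and `shop.example` sites and the `id-N` cookie values are all constructed; "block-set" stands for the behaviour I saw in Chrome, Safari and Internet Explorer, and "block-set-and-send" for the stricter Firefox behaviour.

```javascript
// Toy browser model (constructed for illustration; not real browser code).
// policy: "allow-all" | "block-set" (refuse third-party Set-Cookie, still send)
//       | "block-set-and-send" (also withhold stored cookies when third party)
class Browser {
  constructor(policy) {
    this.policy = policy;
    this.jar = new Map(); // cookie domain -> value
  }
  // One HTTP request to `host`, made while the address bar shows `topSite`.
  request(host, topSite, server) {
    const thirdParty = host !== topSite;
    const withhold = thirdParty && this.policy === "block-set-and-send";
    const cookie = withhold ? null : this.jar.get(host) ?? null;
    const referer = thirdParty ? `http://${topSite}/` : null;
    const setCookie = server.handle({ cookie, referer });
    const reject = thirdParty && this.policy !== "allow-all";
    if (setCookie && !reject) this.jar.set(host, setCookie);
  }
  // Load a page plus any third-party widgets embedded in it.
  visit(site, embeds, servers) {
    if (servers[site]) this.request(site, site, servers[site]);
    for (const host of embeds) this.request(host, site, servers[host]);
  }
}

// Widget host: issues an identifier if none is presented, logs (id, referer).
class WidgetServer {
  constructor() { this.log = []; this.next = 1; }
  handle({ cookie, referer }) {
    if (referer) this.log.push({ id: cookie, page: referer });
    return cookie ? null : `id-${this.next++}`;
  }
}

// Returns the pages the widget host could tie to an identifier.
function trackedPages(policy, visitWidgetSiteFirst) {
  const widget = new WidgetServer();
  const servers = { "facebook.com": widget };
  const b = new Browser(policy);
  if (visitWidgetSiteFirst) b.visit("facebook.com", [], servers);
  b.visit("news.example", ["facebook.com"], servers);
  b.visit("shop.example", ["facebook.com"], servers);
  return widget.log.filter(e => e.id !== null).map(e => e.page);
}
```

With "block-set", `trackedPages` is empty until the widget site has been visited directly once; after that both embedding pages are tied to the same identifier, while "block-set-and-send" stays empty either way.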

What next?

First of all, I wouldn’t be surprised if we started seeing Facebook-served advertising outside of Facebook.com. This would give Google AdWords some serious competition. (I’d welcome that in itself). They just got a nice bit of pocket money to get cracking on a project like that.

But there’s still this invasion of privacy to deal with. We can debate the small print all day, but I don’t see any clear statement from Facebook that they aren’t associating passive browsing data with specific Facebook accounts, and I doubt very much that the average Facebook user is aware they have this power.

  1. Facebookie
    May 7th, 2011 at 01:10 | #1

    Rats…now Facebook knows I visited your blog and clicked your “Like” button…

  2. Jonothan
    May 13th, 2011 at 10:36 | #2

    How about professional networking sites like LinkedIn and Open BC? They appear to be more conscientious about privacy etc and do seem to police people who try to use it to send spam.

  3. Kim Mason
    August 8th, 2011 at 08:30 | #3

    I also just discovered that Firefox is MUCH more strict about 3rd party cookies, as you mentioned. It seems that if you disable 3rd party cookies in Firefox, when you’re accessing a page, any accesses to 3rd party servers won’t include existing cookies.

    Therefore, as you’ve alluded to, this means that if you turn off 3rd party cookies in Firefox (version 5 is the one I’m using), things like the ‘like’ button simply won’t work, because they have no access to any cookies.

  4. CMF
    August 25th, 2011 at 15:32 | #4

    Very nice article! Apparently there still are good reasons to still use Firefox… But why do you include the Like button in your own blog if you don’t like what facebook uses it for?

  5. CR
    November 4th, 2011 at 19:14 | #5

    Okay.. I’m seriously wanting to ensure my privacy. Not that I have anything bad going on, I just very much dislike this invasion – plus, on facebook today I was just notified of news articles my friends had read. I had thought I was so smart to disable third party tracking cookies… tsk tsk… thank you for the article! it was eye opening.
    So surfing in Chrome’s incognito will ensure that my cookies aren’t tracked by Facebook?
    What other things can I do to ensure that no cookies are tracked?

  6. Ian
    February 3rd, 2012 at 12:28 | #6

    I will just use one web browser for facebook ONLY and another for all other stuff so, I’ll use safari for facebook and nothing else and all other web stuff on chrome.

    So all they will see from safari is that I’m on facebook :-) )))
