The part that scares me is that we, as web designers/developers/owners, are complicit in this. We are the ones who are putting social buttons on every page. We love this functionality, but they aren't giving it to us for free. We are trading them our users' information and browsing habits.
I'm not worried about the ethics of Facebook. I don't think a site like Facebook should be prevented from doing this openly. I'm worried about whether I can ethically include all these social plugins knowing that they will, in my opinion, invade my users' privacy.
Proud to not be a part of this "we". These social buttons are a plague on the web. They take something which is beautifully decentralized, and then create a single point of failure, and allow companies to create massive databases of private information from it as well.
You can host an image locally, and create a link using it. You don't need to hand over the browser of all of your visitors to one or more ad companies by letting them execute arbitrary JavaScript on your pages.
I think your parent post was talking about the Facebook Like/Google+ +1 buttons. In order for those to work, I believe they need to be loaded on the page via an iframe.
Things like Facebook's "share" and Twitter's "tweet" buttons don't execute any arbitrary (i.e. not specified by the developer) JavaScript.
Um...ad networks have been doing the same thing with 1px images since the mid 90s. The social buttons are not a new concept in tracking; it's just visible to users now.
Use one of those proxy buttons which only load the actual Facebook button when the user clicks/hovers. Unfortunately I can't find it right now, but I think it was posted here on HN a while ago.
EDIT: Here is a Slashdot discussion[1] about a German newspaper that did that, and here's[2] the link to their jQuery plugin which does just that: only load FB code when the user clicks on the button. It's in German, but translation services are good enough nowadays.
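The click-to-load approach described in the comment above, as an added example that is not part of the thread and not the newspaper's plugin: the third-party iframe is created only after the visitor clicks a locally served placeholder, so no request (and therefore no cookie or referer) reaches the widget provider before that. `WIDGET_SRC`, `widgetUrl`, `armPlaceholder` and the `social-placeholder` class are hypothetical names.

```javascript
// Placeholder endpoint for illustration only, not a real vendor URL.
const WIDGET_SRC = 'https://widget.example/like-button';

// Build the widget URL at activation time, passing the page as a parameter.
function widgetUrl(base, pageUrl) {
  const u = new URL(base);
  u.searchParams.set('href', pageUrl);
  return u.toString();
}

// Swap a locally rendered placeholder for the real iframe on first click.
// `doc` is injected so the logic can be exercised outside a browser.
function armPlaceholder(doc, placeholder, pageUrl) {
  let loaded = false;
  placeholder.addEventListener('click', function (ev) {
    ev.preventDefault();
    if (loaded) return; // never inject the widget twice
    loaded = true;
    const frame = doc.createElement('iframe');
    frame.setAttribute('src', widgetUrl(WIDGET_SRC, pageUrl));
    frame.setAttribute('title', 'Social widget');
    // First request to the third party happens here, after the click.
    placeholder.replaceWith(frame);
  });
}

// Browser wiring: arm every locally hosted placeholder link on the page.
if (typeof document !== 'undefined') {
  document.querySelectorAll('a.social-placeholder').forEach(function (el) {
    armPlaceholder(document, el, location.href);
  });
}
```

The placeholder itself is an ordinary link with an image hosted on your own server, so visitors who never click generate no traffic to the widget provider.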
I'm not a web dev so I'm a bit puzzled by the social buttons everywhere. How often do people actually click them? To what extent can they drive traffic to your site? I've often wondered if they're a bit like QR codes in that a small portion of people are enamored with them but few people actually use them.
They serve a few purposes - I'll try and illustrate from various points of view.
* As a site operator, particularly if you're keen on 'organic' and free traffic, you need to keep on top of the latest in search engine and social marketing. Facebook and other social networks are becoming more important as traffic sources, as 'recommendations' from friends become more trusted. Bing and Facebook reached a deal to prioritize some results based on social recommendations ('likes'), and Google is rolling their own solution, so site owners have incentives to include the links.
* As a user, you generally want to see the most trusted results you can, and occasionally may want to recommend sites to your friends. Facebook's verbs 'like' and 'share' work well here - Google's '+1' is a little more opaque to most web users I'd suspect, but they're trying to convey the same intention.
* As Google/Facebook, you want as much data as possible about the behaviour of web traffic - search, engagement/interaction, conversion rates, even raw traffic figures. Even if people aren't interacting with these widgets, they are still often served up by AJAX from the source. This implies that Google/Facebook/etc see an incoming HTTP request, and sometimes associated cookies/referers. Add a little GeoIP and other user analysis, and you have very valuable data on aggregate.
All these generally seem like 'wins' for the parties involved - and that's usually the sign of good business taking place. For me, the main concern is that all this data belongs not to the general public, but to the widget providers, and large information disparities in any situation can be abused.
Definitely. I rarely bother with Facebook any more, but when I want to share something, copy and paste is not hard. The "social buttons" don't solve a problem, IMO.
Actually, what started the decline was the very subject of this article. I don't like Facebook watching where I go, and I started putting Facebook in another browser; naturally, I'm on Facebook less because it's harder to get to.
In theory, using a separate browser is not adequate protection from tracking. The Flash Player's "Shared Objects" (aka Flash cookies) are stored in a common directory, so the same Flash data is accessible from any browser running as the same user. I do not believe Facebook's tracking is this nefarious, but the method would be quite easy to implement.
Yup. You are making your own future. As the enablers, your choices are guiding what these companies can do. Zuckerberg's ethics (lack thereof) are well-known. But the upper management of Facebook, their lawyers, their financiers, the folks who buy access to the personal data, they cannot write code. You are not just some code monkey drone, following instructions from your boss or taking feature requests from naive end-users, _your_ choices, _your_ ethics, make a difference.
What was it that Dennis Ritchie said about his move to Bell Labs? Something like "It was 1968 and working on military projects just didn't feel right." He went on to make an enormous contribution and, we hope, preserved his peace of mind at the same time. You will never regret taking the high road. Just an opinion.
It is becoming more and more obvious that we are nothing more than a pile of data to Facebook; they don't look at us as human beings who have a need for respect and privacy, but as potential data and revenue. I have always gotten the feeling that they think we are 'too dumb' to catch on; it's only a matter of time until the bubble bursts. They may still be a billion dollar company but the respect and loyalty will shift when something greater is envisioned and realized.
Facebook has said that it's rooting for an "open web", but it can't even be honest about what data it's collecting, how much tracking is done, and how that data is used by the company.
A scary aspect of Facebook is that most users are completely unaware and care-free. Their friends are on there, so why should they leave? A lot of my friends are leaving for Twitter because of the recent porn spam and the ticker nonsense, but that's a tiny chunk of the userbase (maybe a few hundred at the most).
> Bejar acknowledged that Facebook could learn where specific members go on the Web when they are logged off by matching the unique PC and browser characteristics logged by both the session cookie and the browser cookie.
> He emphasized that Facebook makes it a point not to do this. "We've said that we don't do it, and we couldn't do it without some form of consent and disclosure," Bejar says.
A better title would be "Facebook /could/ track users via the Like widgets, but doesn't do it yet"
Yep. It blocks the Like buttons and other stupid widgets, which is how the cookies get sent. That also has the pleasant side-effect of drastically decreasing load times.
I highly recommend it. Be aware that it does block disqus by default, I usually whitelist that one.
I had a few problems with the blocking when actually going to the sites in question. I believe I had to unblock Google Plus, Google Analytics and Facebook when actually visiting those sites.
However, I'm happy that most of the time it prevents the annoying features of a page from loading.
Yes. Ghostery is much more targeted, however; it blocks scripts based on a blacklist (of trackers) rather than blocking ALL scripts. Ghostery is much more user/non-techie friendly; the only time you need to mess with it is:
a) You want to allow some service (I allow disqus, for example): disable blocking for the service
b) A site requires facebook/twitter to log in, or you trust the site: whitelist the site (allows all tracking scripts)
I do wish it had an "allow by domain" so I could allow e.g. just facebook on just turntable.fm so I can log in, but not allow all of ttfn's other trackers.
I'd like to think that developers wouldn't implement this kind of functionality on ethical grounds (I bet there are some at Facebook who refused), but I also bet there are some there who will do anything for a buck no matter how questionable it is.
Google Analytics seems somehow less harmful than AdSense. Almost every big website has some kind of analytics running. I assume that GA data isn't sold to advertisers, but I'm not sure.
This combo makes your browsing a little frustrating, but very educational. Try it, even for a day and be amazed at how many sites load content and scripts from 8, 10, or more unrelated domains.
I gave up trying to keep an up-to-date host file for all the web beacon/scam urls. I just vet requests now as they occur. You wanna believe it has changed my surfing habits.
I would recommend making a Facebook VM if you really want to get on. This helps on two fronts:
1) You must REALLY want to get on facebook if you go through the extra step of booting up a VM
2) They can track all they want inside your VM since you use it ONLY for facebook.
/s/facebook/any other social service you intend to use.
Better yet, use Fluid[1] and create a single site browser for Facebook. Make sure you use the paid version of Fluid App, so you get separate cookie storage for each SSB you set up.
There is not much use switching browser.
They track you using cookies even if you don't log in (Like button and other plugins).
You need to block/remove all the Facebook-related cookies.
Cookies do not cross browsers. If he's using a second browser, Facebook cannot read the cookies set in the first browser. They could use some IP matching logic or something, but it would be prone to a lot of false positives.
I believe this isn't always the case. If you're using multiple browsers in OS X all built on Webkit for instance, they share the same cookie store.
Firefox and multiple Firefox profiles isolate cookie storage and I also use Fluid on OS X to build site-specific browsers. The paid version offers a feature to isolate cookie storage within each app.
In my limited understanding it's the difference between the webkit engine that OS X provides to developers to use, as opposed to Chrome which probably does something different in that regard. Besides site-specific browsers, there are plenty of makeshift OS X tools that implement their own built in browser, and these applications do indeed share cookies with Safari.
The easiest way to test this is with Safari and any of the OS X site-specific browser or http debugging tools.
The Flash Player's "Shared Objects" (aka Flash cookies) are stored in a common directory, so the same Flash data is accessible from any browser (running as the same user). I do not believe Facebook's tracking is this nefarious, but the method would be quite easy to implement.
Chrome, Chromium and Safari absolutely don't share the same cookies on Mac OSX. This is easily verifiable. Not sure about other browsers... (what other browsers?).
I think you're referring to other applications which embed Safari's rendering engine. I wouldn't really call those browsers.
If users must visit social websites like Facebook in privacy mode in separate browsers, perhaps they should rethink whether they should be using Facebook at all.
The convenience/security trade-off varies user to user, but for something as simple as FB, it might be considered overkill by most.
I would encourage browsers that support isolated profiles, multiple browsers that don't share cookie storage, or using a jailed site-specific browser approach.
The hypocrisy of news sites decrying Facebook's tracking while putting Like buttons on every page is palpable. (There are no less than five different Facebook widgets on this article's page, plus multiple Twitter and Google+ buttons.) The reality is that website owners are the ones sending Facebook this data.
Doesn't it seem like time for a browser to get involved in protecting privacy? Maybe that's a stupid question. This just leaves me thinking I'd really like it if my browser only shared my cookies when I'm actually visiting the site requesting them, else it'd ignore the requests altogether.
No doubt that's either dumb, not possible, or something someone already thought of.
This is why I keep Facebook in a separate browser. They could technically still track me using Flash cookies, but as the site isn't on my "can play flash content" whitelist this is no issue either.
It means I can't comment on a growing number of sites that use fb for their comments system, but that is no loss to me in my not-so-humble opinion.
Question: would people be more willing to let a platform track browsing activity if there was 100% transparency? Asking this question for the startup that we are working on, where we want to get permission from users to follow certain of their activities, which is directly applicable to the platform value.
It's hard to say without seeing it. Implementation is everything, but opt-in-wise, it sounds like you're describing browser bars. Maybe it's time to resurrect browser bars for the social age? :) Good luck!
When you say 'browser bars' I am thinking of an address bar in browsers today. Is that what you are referring to?
I am thinking of something that does not interact with the user but captures some of their web usage based on their consent. Would love to share it with the community when it's ready!
Nope, I mean browser bars from the early-mid 2000s. Comet Cursor, HotBar, and other adware companies that were the Groupon of their day. Lots of deal site plugins used these kinds of plugins to do a kind of rudimentary tracking. You got some..."thing"..and they would have this snippet of js that submitted your clicked urls to their servers. Same as it ever was.
Sure, Facebook can see sites you visit which use Facebook Connect in some form, but can they actually "create a running log of the web pages that each of its 800 million or so members has visited during the previous 90 days" like the article claims?
When your browser requests the like button from FB's servers, the request includes a session cookie, and the referer header indicating which page the like button was loaded from. Super easy to log, though it does generate a boat-load of data.
It sucks that Facebook can get away with this but services like KISSMetrics and ad networks get sued for tracking users...even though that's what the goal of analytics is, whereas Facebook's job is to provide a social network that protects its users' data.
Seems like a distinction without difference. If Facebook weren't doing this on their own they would very likely be working with someone like KISSMetrics.
The solution is to install the Adblock Plus extension, open up any page, say, techcrunch.com, then open the extension dialog and block external domains like twitter, facebook, google, google-analytics, etc.