The Facebook Funnel called the ‘Like’ button
April 26th, 2010
Note: I haven’t yet published some trekking posts since Feb. But this couldn’t wait. So they’ll be up soon.
By now, everyone must be aware of Facebook’s recent announcement of the universal Like button. As has probably been discussed all over the web, this one button gives too much power to one company. The Like button should already have appeared on thousands of websites. Popular press blogs running WordPress will have added the Like button alongside their standard ‘share this’ toolbar. Facebook’s 400 million+ user base is a huge audience to showcase your content to, and everyone wants a piece of the pie!
However, this Like button reopens an old problem in a new way: user privacy. A few years ago, when doubleclick.net installed tracking cookies to serve customized advertisements, it created a huge uproar. Something similar happened when Google History came about. But now Facebook uses a clever way to track users that you cannot even opt out of if you don’t like the process. It makes full use of the way the web, and ultimately HTTP(S), works.
I’m not even talking about the case where you are logged in to Facebook and click on a ‘Like’ button on a website. That’s voluntary: you like a piece of content and you spread it to your friends and fans on Facebook. I’m talking about the case where you merely visit a website containing the Like button, and that visit is harvested by Facebook.
How it works
Let us take it step by step:
- Clear cookies on your browser. If you are using Firefox or Chrome, press Ctrl+Shift+Del.
- Visit www.facebook.com
- Login to Facebook.
- Visit other websites and be tracked. So simple, isn’t it?
When you first visit Facebook.com, it sets a cookie called “datr” whose expiry is two years from now. So, if you visit Facebook.com today and never clear your browser’s cookies, you will be tracked for the first two years with “datr”. When that period expires, it will be replaced with a new cookie 🙂 and you will continue to be tracked. After you log in to Facebook, it sets some more cookies on your browser, among them a cookie called “xs”, which is the session cookie for your Facebook session. If you remove this cookie, you will be redirected to Facebook’s login page. After login, the “datr” and “xs” cookies are refreshed.
When you embed the Like button on your website, it loads in an iframe served from the Facebook.com domain. Whenever the browser sends a request to a website, whether you clicked a link, typed the address into the address bar or a page embedded a frame, it attaches all the active (non-expired) cookies it holds for that domain. So, when the Like button loads on a website, it makes a request to http://www.facebook.com/plugins/like.php, and along with this request it sends the “datr” and “xs” cookies. The browser also sets the HTTP ‘Referer’ header to the page that originated the request. For example, if you click on a Facebook.com link from my website, the Referer header will be set to ‘www.aswinanand.com’. Websites use this header to determine where the user is coming from.
Now, when the ‘Like’ button loads on a website inside Facebook’s iframe, the Referer header will be set to your website’s page, the “datr” cookie will be sent and, if you have already logged in to Facebook, the “xs” cookie will be sent as well. So, just by loading Facebook’s Like button, Facebook will know which websites you have visited. Since the expiry for “datr” is set to two years, it will associate your Facebook logins with this cookie… which means that even if you log out of Facebook, it will know who the user is. Moreover, when you are logged in and move from one place to another, Facebook will know during what times of the day you are active and during what times you are inactive. When you are active, it will know from where your browsing originates, and by resolving your IP address to a location, they will know where exactly you are moving. Don’t worry, all this data will also be combined with your Facebook mobile usage and a final stat will be arrived at! That’s scary because it could reveal so much about a user, and all privacy is gone with the wind.
Targeted Advertisements
This kind of tracking is something the user cannot opt out of, because sending cookies and setting the HTTP Referer header are part of the protocol. That means you are tracked by default. Without your knowledge, your online behaviour and all the websites you visit (assuming they have added the Like button) after logging into Facebook are tracked by Facebook. This is useful in a lot of cases. Say you visit IMDB after logging in to Facebook. Each of the movie pages will have the Like button, so Facebook will know which movies you are looking at. When you click on the ‘Like’ button for a certain movie, it gets to know your tastes and can offer more movies along similar lines when you visit IMDB next. This same technique could also be used by spammers to trick you into ‘liking’ some random link of their choice.
Like this, through the iframe based ‘Like’ button, Facebook funnels all required data to create a customized and scary experience.
Why not Google?
Ideally speaking, this was something that Google should have done a year or two ago. Most people I know are logged in to Google all day, and their web browsing happens at the same time. Just think of what would happen if Google had done this. With their already powerful search tracking of user behaviour and statistics, AdSense would use this data to send specific advertisements to users. Google Analytics is already deployed on tons and tons of websites all over the web. This one ‘GLike’ button could also be used to track statistics just as easily. Now all of that happens on Facebook. Facebook is luring developers and users alike with its huge user base 🙂 . Combining a utility like the ‘Like’ button with Google’s powerful anti-spam, anti-phishing and other anti-* mechanisms would indeed make it a formidable force on the web.
What if you don’t want to be tracked?
If you don’t want to be tracked without your explicit approval, I would suggest browsing Facebook in Incognito mode in Chrome, in a separate profile in Firefox, or in InPrivate browsing mode in Internet Explorer. All these modes clear cookies and other history data when you close the browser window, so you cannot be tracked as effectively.
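The cookie and Referer mechanics described under “How it works”, the mitigations in this section, and the third-party-cookie setting raised in the comments can be made concrete with a small simulation. This is an added example, not code from the original post: it models one browser profile’s cookie jar and the headers a browser attaches to the Like-button iframe request, then runs the situations discussed above (logged in, logged out, cookie expired, third-party cookies blocked, fresh profile). The hostnames, cookie values, the 30-day session lifetime and the “current” date are constructed, and the third-party test compares full hostnames rather than registrable domains for simplicity.

```python
"""Browser cookie and Referer behaviour for an embedded Like-button iframe.

Added example, not from the original post. Hostnames, cookie values, the
session lifetime and the "current" date are constructed for illustration.
"""
from datetime import datetime, timedelta

NOW = datetime(2010, 4, 26)  # constructed clock so expiry checks are deterministic


class CookieJar:
    """One browser profile's cookie store: domain -> {name: (value, expires)}."""

    def __init__(self):
        self.cookies = {}

    def set(self, domain, name, value, expires):
        self.cookies.setdefault(domain, {})[name] = (value, expires)

    def delete(self, domain, name):
        self.cookies.get(domain, {}).pop(name, None)

    def for_domain(self, domain, now=NOW):
        """Cookies the browser would attach to a request for `domain` (expired ones dropped)."""
        stored = self.cookies.get(domain, {})
        return {n: v for n, (v, exp) in stored.items() if exp > now}


class Browser:
    """Simulates the headers a browser attaches when a page embeds a cross-site iframe."""

    FB = "www.facebook.com"
    LIKE_URL = "http://www.facebook.com/plugins/like.php"

    def __init__(self, block_third_party=False):
        self.jar = CookieJar()                      # a fresh profile starts with an empty jar
        self.block_third_party = block_third_party  # the "disable third-party cookies" setting

    def visit_facebook(self, now=NOW):
        # First contact: a two-year identifier cookie, set before any login
        self.jar.set(self.FB, "datr", "device-id-abc", now + timedelta(days=730))

    def login_facebook(self, now=NOW):
        # Login adds the session cookie and refreshes both cookies
        self.jar.set(self.FB, "datr", "device-id-abc", now + timedelta(days=730))
        self.jar.set(self.FB, "xs", "session-xyz", now + timedelta(days=30))

    def logout_facebook(self):
        # Logout removes the session cookie only; "datr" survives
        self.jar.delete(self.FB, "xs")

    def request(self, top_level_url, url, now=NOW):
        """Headers sent to `url` from a tab whose top-level page is `top_level_url`."""
        host = url.split("/")[2]
        top_host = top_level_url.split("/")[2]
        headers = {"Referer": top_level_url}        # the embedding page is the referrer
        third_party = host != top_host              # simplified: hostname, not registrable domain
        if third_party and self.block_third_party:
            return headers                          # setting suppresses cookies to other sites
        cookies = self.jar.for_domain(host, now)
        if cookies:
            headers["Cookie"] = "; ".join(f"{n}={v}" for n, v in cookies.items())
        return headers

    def load_like_button(self, page_url, now=NOW):
        """What facebook.com receives when `page_url` embeds the Like button iframe."""
        return self.request(page_url, self.LIKE_URL, now)


def scenarios(page="http://www.example.com/some-article"):
    """Run the situations the post discusses and return what facebook.com sees in each."""
    out = {}
    b = Browser()
    b.visit_facebook()
    b.login_facebook()
    out["logged_in"] = b.load_like_button(page)
    b.logout_facebook()
    out["logged_out"] = b.load_like_button(page)        # still identifiable via datr
    out["two_years_later"] = b.load_like_button(page, now=NOW + timedelta(days=731))
    blocked = Browser(block_third_party=True)
    blocked.visit_facebook()
    blocked.login_facebook()
    out["third_party_blocked"] = blocked.load_like_button(page)
    fresh = Browser()                                  # e.g. an incognito window or separate profile
    out["fresh_profile"] = fresh.load_like_button(page)
    return out


if __name__ == "__main__":
    for name, headers in scenarios().items():
        print(f"{name:20s} {headers}")
```

Two things worth noticing in the output: after logout the request still carries “datr”, which is what lets the visit be linked back to the earlier login, and blocking third-party cookies or using a fresh profile removes the Cookie header but not the Referer, so the embedding page’s URL and the client’s IP address are still disclosed to the iframe’s host.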
I hope Facebook addresses this privacy concern. Facebook, please don’t be evil 🙂 with our data. I wouldn’t be surprised if Facebook launches a general purpose search engine in the next couple of years!
April 26th, 2010 at 11:01 pm
Interesting cookie investigation covering all the other related stuff like backend tracking; it surely deserves strong applause!!
Claps !!
April 28th, 2010 at 1:29 pm
1. Disable Third party cookies. Almost all browsers have this option.
w.r.t. Google associating AdSense and Analytics with the Google identity, I think it is still doable for them by using your digital fingerprint, like your browser agent, IP and all the other stuff.
April 28th, 2010 at 4:16 pm
Great study and great post. But your mobile network knows much more about you: with whom you spoke, what you spoke and all the messages you sent. Over and above this it tracks all your movements all over India. Can you do anything about this?
Don’t you think this privacy issue is carried too far? What do you think FB can do with all this data other than throw more ads at you? Can they steal your wallet or date your girlfriend? Neither. So why worry so much about it? Or am I too ignorant?
April 29th, 2010 at 8:10 am
@Vasanth: Thanks 🙂
@Ramesh: Facebook isn’t setting any third-party cookies. Loading a page in an iframe is like loading a new browser tab. If there are cookies *in that domain*, they will be sent automatically.
@Sukumar: With respect to ads, it’s probably not a big deal. My mobile network knows so much about me because I know its implications and I subscribe to it. But who knows what Facebook will be doing with that data? Even if they don’t do anything, the very fact/knowledge that a 3rd party is watching over me is uncomfortable.
April 29th, 2010 at 9:22 am
@Aswin: When the domains of the iFrame page and the parent window are not matching then the cookies will be treated as Third party cookies.
We ran into the same problem for a widget we were working on, and cookies are not sent back to our page (which is loaded in an iFrame) when third-party cookies are disabled.
The thing I am not sure about is whether the browser is not accepting cookies set by it, or not sending the cookies which it already has, or both.
April 29th, 2010 at 6:14 pm
There is a simpler way.
Instead of surfing in the Incognito mode, always log into Facebook in the incognito mode.
Thus Facebook will track your surfing footprints but never come to know who you are 😀
April 29th, 2010 at 7:10 pm
That’s exactly what I meant Sid 🙂 . I will modify the text to convey the same in a better way.
May 5th, 2010 at 3:30 pm
Good read and Google should catch up with Facebook for the face off…
May 6th, 2010 at 7:43 pm
Just reeling from this article -> http://www.bspcn.com/2010/05/04/top-10-reasons-you-should-quit-facebook/
Then I read your article – seems like FaceBook is definitely an evil application.
November 5th, 2010 at 12:28 am
dude.. this is so scary.