Note: I haven’t yet published some trekking posts since Feb. But this couldn’t wait. So they’ll be up soon.

By now, everyone must have been aware of the recent Facebook announcement of the universal Like button. As probably talked about all over the web, this one button is like giving too much of power to one company. By now the Like button should have appeared on thousands of websites already. Famous press blogs running wordpress should have had the Like button along their standard ‘share this’ toolbar. Facebook’s 400 million+ user base is a huge audience to showcase your content to & everyone wants a piece of the pie!

However, this like button reopens an old problem in a new way… User Privacy. Few years ago, when doubleclick.net installed tracking cookies for sending customized advertisements, it created a huge uproar. Similar stuff happened when Google History came about. But now, Facebook uses a clever way to track users that, you cannot even opt out if you don’t like the process. It makes of full use of the way how the web and ultimately, HTTP(S) works.

I’m not even talking about the case where you are logged in to Facebook and click on a ‘Like’ button on a website. That’s voluntary. You like a piece of content and you spread it to your friends and fans on Facebook. I’m talking about the case where you just visit a certain website containing the Like button and that data will be harvested by Facebook.

Like this on Facebook to understand how it works: [sniplet fblike]

How it works

Let us take it step by step:

  1. Clear cookies on your browser. If you are using Firefox or Chrome, press Ctrl+Shift+Del.
  2. Visit www.facebook.com
  3. Login to Facebook.
  4. Visit other websites to be tracked. So simple isn’t it?

When you first visit Facebook.com, it sets a cookie called “datr”, whose expiry is two years from now. So, if you visit Facebook.com today and never clear your browser’s cookies, you will be tracked for the first two years with “datr”. When that period expires, it will be replaced with a new cookie 🙂 and you will continue to be tracked. After you login to Facebook, it sets some more cookies on your browser along with a cookie called “xs” which is the session cookie for your Facebook session. If you remove this cookie, you will be redirected to Facebook’s login page. After login, “datr” and “xs” cookies will be refreshed.

Sunrise

When you embed the Like button on your website, it loads in an iframe in the Facebook.com domain. When a request is sent to any website by clicking on a link or by typing it on the browser’s address bar, the browser sends all the active (non-expired) cookies to the domain. So, when the Like button loads on a website, it makes a request to http://www.facebook.com/plugins/like.php. Along with this request, it will send the “datr” and “xs” cookies. It will also set the HTTP ‘Referer’ header to the originating website. For example, if you click on a Facebook.com link from my website, the Referer header will be set as ‘www.aswinanand.com’. This is used by other websites to determine where the user is coming from.

Now, when the ‘Like’ button loads on a website inside Facebook’s iframe, the Referer header will be set to your website’s page, “datr” cookie will be sent and if you have already logged in to Facebook, “xs” cookie will also be sent. So, just by loading Facebook’s Like button, Facebook will know what websites you had visited. Since the expiry for “datr” is set to two years, it will associate your Facebook logins to this cookie… which means, even if you logout of Facebook, it will know who the user is. Moreover, when you are logged in and move from one place to another, Facebook will know during what times of the day you are active and during what times you are inactive. When you are active, it will know from where your web browsing occurs and by being able to find location from IP address, they will know where exactly you are moving. Don’t worry, all this data will also be combined with your Facebook mobile usage and a final stat will be arrived at! That’s scary because it could reveal so much about a user & all privacy is gone with the wind.

Targeted Advertisements

This kind of tracking is something the user cannot opt out because sending cookies and setting HTTP Referer headers are part of the protocol. That means, you are tracked by default. Without your knowledge, your online behaviour and all the websites you visit (assuming they have added the Like button) after logging into Facebook are tracked by Facebook. This is useful for a lot of cases. Say you visit IMDB after logging in to Facebook. Each of the movie pages will have the like button. So Facebook will know which movies you are visiting. When you click on the ‘Like’ button for a certain movie, it gets to know your tastes and offer more movies along similar lines when you visit IMDB next. This same technique could also be used by spammers to trick you in to ‘liking’ some random link of their choice.

Like this, through the iframe based ‘Like’ button, Facebook funnels all required data to create a customized and scary experience.

Why not Google?

Ideally speaking, this was something that Google should have done a year or two ago. Most people I know are logged in to Google all their day and web browsing happens simultaneously. Just think of what would would happen if Google had done this. With their already powerful search tracking user behaviour and statistics, adsense would use this data to send specific advertisements to users. Google analytics is already deployed on tons and tons of websites all over the web. This one ‘GLike’ button could also be used to track statistics so easily. Now all of that happens on Facebook. Facebook is luring developers and users alike with its huge user base 🙂 . Combining a utility like ‘Like’ button with Google’s powerful anti-spam, anti-phishing and other anti-* mechanisms, it would indeed become a formidable force on the web.

What if you don’t want to be tracked?

If you don’t want to be tracked without your explicit approval, I would suggest browsing Facebook in Incognito browsing mode in Chrome, multiple profiles in Firefox or InPrivate browsing mode in Internet Explorer. All these modes will clear cookies and other history data when you close the browser window. So you might not be tracked as efficiently as possible.

I hope Facebook addresses this privacy concern. Facebook, please don’t be evil 🙂 with our data. I wouldn’t be surprised if Facebook launches a general purpose search engine in the next couple of years!

10 Responses to “The Facebook Funnel called the ‘Like’ button”

  1. Vasanth Govind Says:

    Interesting cookies investigations with covering all other related stuffs like backend tracking, surely deserves a great strong applause !!
    Claps !!

  2. Ramesh Says:

    1. Disable Third party cookies. Almost all browsers have this option.

    w.r.t Google associating the AdSense and analytics to the Google Identity I think it is still doable for them by using your digital finger print like your browser agent, ip and all other stuffs.

  3. YesSukumar Says:

    Great study and great post. But your mobile network know much more about you. With whom you spoke what you spoke and all the messsages you sent. Over and above this it tracks all your movements all over India. Can you do anything about this ?
    Dont you think this privacy issue is carried too far ? What do you think FB can do with all these data other than throw more ads at you ? Can they steal your wallet or date your girl friend. Neither. So why worry so much about it. Or am I too ignorant ?

  4. Aswin Anand Says:

    @Vasanth: Thanks 🙂

    @Ramesh: Facebook isn’t setting any third-party cookies. Loading a page in an iframe is like loading a new browser tab. If there are cookies *in that domain*, they will be sent automatically.

    @Sukumar: With respect to ads, it’s probably not a big deal. My mobile network knows so much about me because I know its implications and I subscribe to it. But who knows what Facebook will be doing with that data? Even if they don’t do anything, the very fact/knowledge that a 3rd party is watching over me is uncomfortable.

  5. Ramesh Says:

    @Aswin: When the domains of the iFrame page and the parent window are not matching then the cookies will be treated as Third party cookies.

    We ran into the same problem for a widget we were working and cookies are not sent back to our page (which is loaded in iFrame) when third party cookies are disabled.

    The thing I am not sure is whether the browser is not accepting cookies set by it or not sending the cookies which it already has or both.

  6. Siddharth Goyal Says:

    There is a simpler way.

    Instead of surfing in the Incognito mode, always log into Facebook in the incognito mode.

    Thus facebook will track your surfing footprints but never come to know who are you 😀

  7. Aswin Anand Says:

    That’s exactly what I meant Sid 🙂 . I will modify the text to convey the same in a better way.

  8. KrishnaPrasaad Says:

    Good read and Google should catch up with Facebook for the face off…

  9. Sibin Says:

    Just reeling from this article -> http://www.bspcn.com/2010/05/04/top-10-reasons-you-should-quit-facebook/

    Then I read your article – seems like FaceBook is definitely an evil application.

  10. hawkeye Says:

    dude.. this is so scary.