Is the Facebook “Like” button tracking you?

Since I am using it on this blog too, I probably should not be talking too loudly, but I find the Facebook “Like” button creepy.

If you go to a site with the “Like” button while you are logged into Facebook, a Cookie header like the one below gets sent [1].

 csm=2;
 xs=3:2bPC2V....;
 datr=eVE7TanyekLi2UeCWqCdYaUo;
 fr=0PBQNPwSEhxk3vCRg.RVUkbgel9qAjCByqVqRQ0lSpntc;
 lu=The17FfNt9Yc_hqg8eoWG04B;
 s=Ba98fsjdlw-QWvPeofj.BP_Wqm;
 c_user=1048138174;
 act=134500423456/1:0;
 sub=1;
 p=16;
 presence=EM4fsodmnfkds...;
 wd=1195x859;

The c_user value is the Facebook user id. Try going to http://www.facebook.com/1048138174 and you will see my profile page. In other words, if you browse a page with a “Like” button while you are logged into Facebook, the fact that I am looking at that page gets sent to Facebook. Is it not creepy? A friend of mine, who is a famous IT analyst, told me a while ago that when he uses Facebook, he makes sure he uses only Facebook, logs out when done, and closes the browser. That is how you should behave if you really care about their handling of your data, but then you lose the ability to see which of your friends liked an article, and so on. It is a trade-off.

Is it OK when I am logged out?

But then the next question comes to mind: is it really OK if I log out?

When you are not logged in, the cookie becomes like this:

 datr=eVE7TanyekLi2UeCWqCdYaUo;
 lu=TBpxBfpK4qH--oB0N6yf2SsE;

Now you do not see c_user, which is good, but datr, with the same value as before, is still being sent. The same value is sent to different sites as well [2].

Then I opened another browser and accessed the page. Now datr is set to a different value. If you open the same page in Incognito mode, you will find that no cookie is sent until you log in to Facebook. It may be some kind of risk-analytics or anti-XSRF mechanism rather than a tracker.

Facebook says they are not tracking users

Now, what is Facebook saying on this?

According to the Facebook FAQ, if you visit a site with the “Like” button, the above information gets sent to Facebook and is stored for three months or less. (That is very long compared to Google, which keeps it for two weeks.) This information is used to show users what their friends “Liked”, as well as to find more effective ways to attract traffic. On the other hand, Facebook says it does not use the information for profiling or ad-targeting purposes. I quote:

Regardless of whether you are logged in or not, we do not use the information we receive when you visit a site with the “Like” button or another social plugin to create a profile of your browsing behavior on third-party sites to show you ads.

It does not use the word “tracking”, but according to The Wall Street Journal, Bret Taylor, the CTO of Facebook, said the technology lets websites show visitors which articles their friends liked, and that they do not use it for tracking, nor is it intended for tracking.

We don’t use them for tracking and they’re not intended for tracking
— Bret Taylor, CTO, Facebook

While it looks like user tracking from a data-flow point of view, it seems widely accepted in the industry that if the data is not used for tracking purposes under their policy, it is not tracking; more or less the same applies to Google’s +1 button.

The creepiness factor is probably due to the lack of transparency in their actual data-processing practice. We have no way of attesting that they adhere to their word, though experts like Mala tell me that they probably do, as there is no incentive for them to rely on such unreliable data to profile users when they already have much better ways to do so [3].

I probably consented to a ToS that I did not read

It is also probably the case that people have opted in (or did not opt out) on Facebook, Google, etc., but I doubt they understood the implications, i.e., I wonder whether the ‘consent’ is really valid. I certainly do not remember clicking “YES”, but that is probably because I do not read those ToS (Terms of Service). The current practice of bombarding users with a 30-page ToS and privacy policy does not work. Do you really read them? I sometimes do, but that is probably an exception [4].

Given the situation, it would probably make me feel better if there were a WordPress plugin that lets users opt in to the social buttons when they first come to my site. This kind of on-the-fly, layered approach makes users much more aware of what is going on, and would certainly help ease the creepiness factor of the web.
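One way to implement the opt-in approach described above, as an added example that is not part of the original post: a “two-click” Like button in JavaScript that first renders a plain placeholder and only injects the Facebook iframe after the visitor clicks, so no request to facebook.com (and therefore no c_user or datr cookie together with the page URL) happens before consent. The like.php plugin URL and its layout parameter, the fb-like-slot element id and the fb-like-optin storage key are assumptions of this example, not taken from the post.

```javascript
// Added example: consent-gated ("two-click") Like button.
// Assumed plugin endpoint; check Facebook's current plugin docs before relying on it.
const FB_PLUGIN = "https://www.facebook.com/plugins/like.php";

// Real widget markup for a page URL. Only ever built after the visitor opted in.
function buildLikeFrame(pageUrl) {
  const src = `${FB_PLUGIN}?href=${encodeURIComponent(pageUrl)}&layout=button_count`;
  return `<iframe src="${src}" width="120" height="21" style="border:0"></iframe>`;
}

// Placeholder shown first. It must not reference any third-party origin,
// otherwise the browser would already contact facebook.com with its cookies.
function buildPlaceholder() {
  return `<button class="fb-optin" type="button">Enable Facebook Like (contacts facebook.com)</button>`;
}

// Self-check: collect every origin referenced by src/href attributes in a fragment,
// so a template change that sneaks in a facebook-hosted icon is caught by a test.
function externalOrigins(html, firstPartyUrl) {
  const own = new URL(firstPartyUrl).origin;
  const found = new Set();
  for (const m of html.matchAll(/\b(?:src|href)=["']([^"']+)["']/g)) {
    try {
      const origin = new URL(m[1], firstPartyUrl).origin;
      if (origin !== own) found.add(origin);
    } catch { /* non-URL attribute value, ignore */ }
  }
  return [...found];
}

// Gate: decides which markup to show and remembers the choice in a Map-like store
// (localStorage in the browser; a plain Map works for tests). Key name is assumed.
function socialGate(pageUrl, store) {
  const key = "fb-like-optin";
  return {
    render: () => (store.get(key) === "1" ? buildLikeFrame(pageUrl) : buildPlaceholder()),
    consent: (remember) => { if (remember) store.set(key, "1"); return buildLikeFrame(pageUrl); },
    revoke: () => store.delete(key),
  };
}

// Browser glue (skipped when there is no DOM): swap placeholder for the widget on click.
if (typeof document !== "undefined") {
  const store = { get: k => localStorage.getItem(k), set: (k, v) => localStorage.setItem(k, v),
                  delete: k => localStorage.removeItem(k) };
  const gate = socialGate(location.href, store);
  const slot = document.getElementById("fb-like-slot"); // assumed container element
  slot.innerHTML = gate.render();
  slot.addEventListener("click", e => { if (e.target.matches(".fb-optin")) slot.innerHTML = gate.consent(true); });
}
```

The externalOrigins check is the part worth keeping in a test suite: it proves the pre-consent markup makes no third-party request at all, which is the whole point of the layered approach.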

Footnotes

  1. The values have been changed, except for c_user and wd.
  2. The value of lu does not change across sites but depends on the time.
  3. More details here: mala’s site (in Japanese).
  4. And even if they read it, they probably do not understand the implications. For example, do you have the right to hand over your friends’ data? Makes me wonder.