When you click a Facebook “Like” button on other Web sites to tell your friends about a cool band, favorite political candidate or yummy cake recipe, you may know that you are also giving intelligence to Facebook the company, which makes money through targeted advertising.
But did you know that even if you don’t hit the button, Facebook knows you were there?
That’s because the “Like” and “Recommend” buttons Facebook provides to other Web sites send information about your visit back to Facebook, even if you don’t click on them. Since these buttons are now all over the Web — about 905,000 sites use them, the privacy-software maker Abine estimates — Facebook can find out an awful lot about what you do online even when you’re not on Facebook.
Facebook says data from the buttons is used to personalize Web content, improve its services, fix bugs and implement certain security features. It says it does not use the data to track users or target advertising to them, and that it deletes or anonymizes the data within 90 days.
But privacy advocates aren’t exactly comforted. Facebook is collecting a vast amount of data about the Web travels of some 800 million people worldwide with the buttons, unbeknownst to most of them. And other social networks are starting to do the same.
“We’ve been troubled by this for a long time,” said Peter Eckersley, technology projects director at the Electronic Frontier Foundation. With the buttons, “I know when I click, I’m giving up my privacy,” he said. “People don’t expect Facebook to know everything they do on every other Web site.” (The foundation has set the social buttons on its own site so they don’t transfer data unless a user clicks on them, Mr. Eckersley said.)
Even if the data is not used to profile users for targeted advertising, it could be used in ways people don’t expect, he said. For instance, the data could presumably be subpoenaed by governments or divorce lawyers. After multiple privacy flaps in the last few years, advocates like Mr. Eckersley have little trust in Facebook’s privacy promises.
Facebook’s power to track the habits and interests of its users is about to mushroom, as it continues to deepen its relationships with sites across the Web. New partnerships it announced last week with media and entertainment services like Spotify and Netflix will provide Facebook with detailed information about the online habits of users who authorize those services’ apps. TechCrunch said last week that Facebook could soon implement new “Read,” “Listened,” “Watched” and “Want” buttons that could let it gain more insights into user behavior, though these did not materialize at its F8 developer conference.
Those buttons would presumably work the same way as “Like” buttons, which phone home to Facebook with information about visitors to the third-party site — their IP addresses, browser and operating system versions and Facebook user IDs if they’re logged in — whether they’re clicked or not. The company also receives this sort of data when users visit a game, application or site that uses the Facebook Platform, according to Facebook’s privacy policy.
Until about a year ago, Facebook also used buttons to collect data about Web users who weren’t members of Facebook. Nonmembers don’t have user IDs, but Facebook collected data about their activity using cookies deposited by “Facebook Connect” buttons, according to Arnold Roosendaal, a privacy researcher at the Tilburg University for Law, Technology and Society in the Netherlands, who revealed this activity in a paper in November.
Facebook said a bug caused Connect cookies to be set accidentally, and that the problem was quickly fixed. It now only sets cookies when a person visits Facebook.com, and does not use cookies or IP addresses to create profiles of nonmembers.
But the questions about Facebook’s social buttons continue. Privacy officials in Germany and Scandinavia have been studying the matter, Mr. Roosendaal says. One state in northern Germany said last month that “Like” buttons infringed on German and European data protection laws, and ordered local site owners to remove the buttons by the end of this month or face fines of as much as 50,000 euros. Facebook has rejected the assertion that it is not compliant with Europe’s data protection rules.
Facebook users who are uncomfortable with this data collection can mitigate it by blocking all cookies, or logging out of Facebook and deleting their cookies before visiting other sites on the Web, Mr. Roosendaal says.
But a simpler and more foolproof approach is to install a browser plug-in that blocks social buttons. For instance, Abine recently began offering a button-blocking feature for Firefox that it says stops data transfers to Facebook, Twitter and Google+, which it is adding to its free and paid privacy-software products. A small company called Webgraph makes a plug-in called Facebook Blocker that entirely blocks Facebook buttons and works on Firefox, Chrome, Safari and Opera.
“Social networks are amassing about a thousand times more data about us then they were a year ago. We don’t really know what it means yet, or how it will impact us,” Rob Shavell, a co-founder of Abine, said. “What people don’t realize is that every one of these buttons is like one of those dark video cameras. If you see them, they see you.”