Tuesday 30 November 2010

Facebook's 'Like This' button is tracking you | THINQ.co.uk

A researcher from a Dutch university is warning that Facebook's 'Like This' button is watching your every move.

Arnold Roosendaal, who is a doctoral candidate at the Tilburg University for Law, Technology and Society, warns that Facebook is tracking and tracing everyone, whether they use the social networking site or not.

Roosendaal says that Facebook's tentacles reach way beyond the confines of its own web sites and subscriber base because more and more third party sites are using the 'Like This' button and Facebook Connect.


The researcher provides three examples of how the 'Like This' button on any web page can gather user browser data and send it back to Facebook.

The first scenario involves users who already have Facebook accounts:

"When the account is created, Facebook issues a cookie containing a unique user ID," writes Roosendaal. "This cookie facilitates the display of a username in the login field at returning visits. When accessing Facebook from another device, a temporary cookie is issued, which is replaced by a cookie with the same ID after logging into the account."

This allows different devices to be connected to one account carrying the same ID cookie. Every time the user visits Facebook, the cookie is sent together with the HTTP request for the site. As a result, Facebook knows who wants to log in before the login has taken place.

But the cookie is not only sent when a member wants to log on to Facebook, it is also sent every single time a web site which includes the 'Like' button is visited.

"Facebook receives the information concerning the user, including his unique ID, via the cookie. When the user actually clicks the button, he has to provide his Facebook login details and a message about the 'Like' is posted on his profile page," writes Roosendaal.

But data about the user is sent to Facebook regardless of whether the Like button is actually activated.

Which is all quite scary - but not too surprising, given Facebook's reputation for snooping on its registered users.

What becomes really scary is realising how Facebook can track your movements even if you haven't signed up to its fake-friend collection service for lonely teens and sad divorcees.

Even if you don't have a Facebook account, you are far from immune from prying eyes, as Roosendaal explains:

"When a user does not have a Facebook account, there is no cookie and no user ID available. In this case, an HTTP GET request for the 'Like' button doesn't issue a cookie.

"However, when a site is visited which includes Facebook Connect, this application issues a cookie. From that moment on, visits to other websites which display the 'Like' button result in a request for the Like button from the Facebook server including the cookie."

Which means Facebook has swiped another batch of valuable data without asking for permission.

When you consider that 40 million unique visitors ended up on a site using Facebook Connect in a single month in March 2009, and that these particular cookies have a two-year expiry date, that adds up to a lot of user data flying around looking for a home.

"Based on the cookie, the entire web behaviour of an individual user can be followed," says Roosendaal. "Every site that includes some kind of Facebook content will initiate an interaction with the Facebook servers, disclosing information about the visited web site together with the cookie."

So you find yourself dragging all of this invisible data round with you like a piece of toilet paper stuck to your shoe, even though you have never even been to Facebook, let alone signed up.

So what happens if you do eventually take the plunge and join the other half a billion lost souls with nothing better to do than describe the minutiae of their tedious lives to virtual strangers?

On signing up, the 'toilet paper' cookie, as we have now decided to name it, is sent to Facebook as part of the request for the web page to be loaded. The server responds and issues some new session cookies and when the account is actually created, a unique ID number is issued and sent in another cookie.

"The connection between this ID cookie and the old cookie is made behind the scenes by Facebook's servers," explains Roosendaal. "This means that the entire historical information of the user can be connected to the newly-created Facebook account. From this moment on, all subsequent requests for Facebook content go accompanied with the cookie including the unique user ID."
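The cookie flow in the scenarios above, as an added example (not code from Roosendaal's research or from Facebook): a toy browser and widget server that show which requests carry a cookie, what the server can join after sign-up, and what remains when the browser blocks third-party cookies. All site names, cookie values and IDs are constructed, and the class and method names are hypothetical.

```javascript
// Toy model of the cookie flow in the scenarios above (constructed names and IDs).
class WidgetServer {
  constructor() { this.log = []; this.next = 1; this.linked = new Map(); }
  // 'Like' button GET: records referring site and cookie, never sets a cookie.
  like(site, cookie) { this.log.push({ site, cookie: cookie ?? null }); return null; }
  // Connect-style content: issues a long-lived cookie when none arrives.
  connect(site, cookie) {
    const id = cookie ?? `anon-${this.next++}`;
    this.log.push({ site, cookie: id });
    return id;
  }
  // Account creation: the old cookie arrives with the request and is linked.
  signup(oldCookie, userId) {
    if (oldCookie) this.linked.set(oldCookie, userId);
    return userId;
  }
  // Everything the server can attribute to one account after the join.
  historyFor(userId) {
    const ids = new Set([userId]);
    for (const [old, uid] of this.linked) if (uid === userId) ids.add(old);
    return this.log.filter(e => ids.has(e.cookie)).map(e => e.site);
  }
}

class Browser {
  constructor(server, { blockThirdParty = false } = {}) {
    this.server = server; this.block = blockThirdParty; this.cookie = null;
  }
  // Loading a page that embeds the widget sends a request to the widget host.
  visit(site, widget) {
    const sent = this.block ? undefined : (this.cookie ?? undefined);
    const issued = this.server[widget](site, sent);
    if (issued && !this.block) this.cookie = issued; // Set-Cookie dropped if blocked
  }
  // First-party visit to the network itself: its cookie is always sent.
  signup(userId) { this.cookie = this.server.signup(this.cookie, userId); }
}

function runScenario(blockThirdParty) {
  const server = new WidgetServer();
  const b = new Browser(server, { blockThirdParty });
  b.visit("news.example", "like");     // no cookie yet, none issued
  b.visit("shop.example", "connect");  // cookie issued here
  b.visit("health.example", "like");   // cookie now rides along
  b.signup("user-1001");               // old cookie linked to the new ID
  b.visit("bank.example", "like");     // sent with the account ID
  return server.historyFor("user-1001");
}
console.log(runScenario(false), runScenario(true));
```

With third-party cookies blocked, the server in this model still logs each widget request and its referring site, but has no stable identifier to join them to the account.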

We'll assume that, as you're reading this rather than laughing at Lolcats, you know a thing or two about cookies. They are helpful to users and of immense value to marketeers, allowing them to bombard you with targeted advertising based on your browsing history.

But with an increasing proportion of sites turning to the likes of Facebook in order to increase traffic and revenue - and let's face it, 500 million people is a pretty attractive audience for anyone - isn't it time we started putting our collective foot down about the way in which our every move is monitored?

If every time you walked past a shop on your local High Street someone stuffed an advertising flyer into your pocket without asking your permission, there would soon be a trail of leaflet distributors clutching black eyes and broken noses.

So why do we keep letting Facebook get away with it?

We definitely don't Like This.