Facebook has introduced a new Like Button together with some other “social plugins” at their f8 conference last week. Everybody can put it on their website so that visitors can “like” a page and add it to their Facebook profile without leaving the site.
This button actually allows Facebook to track all visitors of the external site, whether or not they click it (as long as they are Facebook users – but who isn’t?). Facebook can do that because they use an iframe to display the button. An iframe is something like an embedded browser window within a page. The difference between using an iframe and a simple image for the button is that the iframe contains a complete web page – from Facebook. There is not much on this page, except for the button and the information about how many people have liked the current page. Click here to open a like button page in a new window.
So when you see a like button on cnn.com, you are actually visiting a Facebook page at the same time. That allows Facebook to read a cookie on your computer, which it created the last time you logged in to Facebook. The cookie remains on your computer for months, even if you didn’t check the “keep me logged in” option in the login form. It contains your Facebook user id. A fundamental security rule in every browser is that only the website that created a cookie can read it later on. And that is the advantage of the iframe: because the content of the iframe is loaded from Facebook, the browser sends your Facebook cookie along with that request, even though the page you are looking at belongs to a different website. That’s how they recognize you on cnn.com and display your friends there.
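The cookie rule the post relies on, modelled as an added example in JavaScript (this is not code from the original post; the host names, the cookie name and the user id are constructed stand-ins, not real Facebook values). The model keys cookies by the host that set them, exactly as the post describes, and shows what the plugin host learns from one iframe load, what the embedding site sees, and what logging out changes:

```javascript
// Added example, not from the original post: a small model of the cookie rule
// the post relies on. Host names, cookie names and the user id are constructed
// stand-ins, not real Facebook values.

// A cookie jar keyed the way browsers key cookies: by the host that set them.
function makeJar() {
  return [];
}

// Record a cookie that a response from `host` set (Set-Cookie).
function storeCookie(jar, host, name, value) {
  jar.push({ domain: host, name, value });
}

// Cookies a browser attaches to a request for `requestHost`. Only the host
// that set a cookie gets it back; which page embeds the request (an iframe on
// some other site) plays no role in the classic model the post describes.
function cookiesForRequest(jar, requestHost) {
  return jar
    .filter((c) => c.domain === requestHost)
    .map((c) => `${c.name}=${c.value}`);
}

// Remove every cookie the given host set, i.e. what logging out does.
function clearCookies(jar, host) {
  for (let i = jar.length - 1; i >= 0; i--) {
    if (jar[i].domain === host) jar.splice(i, 1);
  }
}

// What the plugin host can log for one iframe load: the visited page comes
// from the iframe URL (the button is told which page it sits on), the user id
// from the cookie the browser sends along with the request.
function observedByPluginHost(jar, pluginHost, embeddingPageUrl) {
  const cookies = cookiesForRequest(jar, pluginHost);
  const idCookie = cookies.find((c) => c.startsWith("user_id="));
  return {
    page: embeddingPageUrl,
    userId: idCookie ? idCookie.slice("user_id=".length) : null,
  };
}

// The sequence the post describes, as a function so its results can be checked.
function scenario() {
  const jar = makeJar();
  // 1. Log in: the social network's server sets an id cookie (constructed value).
  storeCookie(jar, "social.example", "user_id", "12345");
  // 2. Visit a news page whose Like button is an iframe pointing at social.example.
  const firstVisit = observedByPluginHost(jar, "social.example", "https://news.example/article");
  // 3. The news site itself never sees that cookie: a request to news.example
  //    gets nothing from social.example's entries in the jar.
  const seenByNewsSite = cookiesForRequest(jar, "news.example");
  // 4. Log out, then load another page with the button: no id travels with it.
  clearCookies(jar, "social.example");
  const afterLogout = observedByPluginHost(jar, "social.example", "https://news.example/other");
  return { firstVisit, seenByNewsSite, afterLogout };
}
```

Running `scenario()` gives the three observations in order: the plugin host sees the user id together with the visited page, the news site sees no cookie at all, and after logout the same iframe load carries no id.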
What I don’t like about this is that it is not opt-in. You’re not asked whether Facebook may track you on external sites, and there is also no opt-out in the Facebook privacy settings. Honestly, you can’t blame Facebook for that, because there is no way they could check your privacy settings before they know who you are. The only way you can avoid being tracked by Facebook on other sites is to log out of Facebook before visiting any other site. That deletes the cookie.
(If you have a website or blog and want to include the like button, but do not want it to track your users without their consent, have a look at this post, which shows how to make a like button with opt-in.)
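The opt-in idea from the parenthesis above, as an added example in JavaScript (not code from this post or from the linked opt-in post). The page initially ships a plain placeholder that references no third-party host, so the browser makes no request to the plugin host and sends no cookie; only a click replaces the placeholder with the iframe. The plugin host name and the iframe URL pattern are constructed stand-ins:

```javascript
// Added example, not from the original post or the linked opt-in post.
// PLUGIN_HOST and the /plugins/like URL are constructed placeholders for
// whatever the real social plugin uses.
const PLUGIN_HOST = "social.example";

// Minimal HTML escaping for attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Markup for the real button. Creating this element is what triggers the
// request to PLUGIN_HOST, and with it the visitor's cookie for that host.
function likeButtonIframe(pageUrl) {
  const src = `https://${PLUGIN_HOST}/plugins/like?href=${encodeURIComponent(pageUrl)}`;
  return `<iframe src="${escapeHtml(src)}" width="100" height="21" style="border:none"></iframe>`;
}

// What the page ships before any click: no iframe and no mention of the
// plugin host, so nothing is requested from it.
function likeButtonPlaceholder(pageUrl) {
  return `<div class="like-optin" data-href="${escapeHtml(pageUrl)}">` +
         `<button type="button">Show Like button</button></div>`;
}

// Browser-side click handler: swaps the placeholder for the iframe.
// `container` only needs getAttribute() and innerHTML, so the handler can be
// exercised with a plain object outside a browser.
function enableLikeButton(container) {
  container.innerHTML = likeButtonIframe(container.getAttribute("data-href"));
  return container.innerHTML;
}

// Check used by the page author: does this markup reference the plugin host?
function referencesPluginHost(html) {
  return html.includes(PLUGIN_HOST);
}

// In the browser, wiring looks like this (assumed usage, not run here):
//   document.querySelectorAll(".like-optin button").forEach((b) =>
//     b.addEventListener("click", () => enableLikeButton(b.parentElement)));
```

Because the placeholder is emitted without any reference to the plugin host, a visitor who never clicks is never seen by that host; the page URL is passed to the iframe only after consent, and it is URL-encoded before being placed in the `src` attribute.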
I never knew Facebook did this. Very interesting, I don’t mind being tracked by them though. It’s not like they’re using this knowledge for evil.
Does this mean that UK websites, which include the like button, need to notify users of cookie usage?