How Facebook buttons track you when you’re on other sites

You’re being followed online. Trackers follow you across the web, collecting and selling personal information like the articles you read, your favorite sites, your Facebook friends, your buying habits, and the videos you watch to build super-detailed profiles about you. Companies use these profiles for things ranging from merely annoying, like targeted online ads, to scary, like determining your creditworthiness or hireability. Trackers are invisible, but they’re there.

Think about how uncomfortable you’d be if this type of tracking happened in real life. Imagine a complete stranger hovering over your shoulder as you search the web, monitoring all of your online behavior: taking notes on the pictures you upload, the things you like on Facebook, the sites you visit most, the things you like to buy, where you live, and more. This person will take your personal information and sell it to another complete stranger, making money off something that you never agreed to share in the first place.

How does online tracking work? The details.

Most social networking tracking occurs through JavaScript. That’s what builds the social buttons you see across the web, like Like and Tweet buttons. A “tracker” is a connection your browser makes while loading a webpage, one that’s intended to record, profile, or share your online activity. Usually these connections are made to entirely different companies than the website you’re actually visiting.

More than a quarter–26.3%–of what your browser does when you load a website is respond to requests for your personal information, leaving the remaining 73.7% for things you want your browser doing, like loading videos, articles, and photos. Google makes 20.28% of all tracking requests on the web, while Facebook makes 18.84% of all tracking requests on the web. (These numbers come from our research of the top 5,000 websites in the US, as determined by Quantcast).

Here’s how the Facebook Like button, for example, can track people as they browse the web (so we’re not talking about tracking on Facebook.com itself, which has a higher level of tracking).

First, you connect to the Internet and open your web browser. While you browse, cookies from various websites are stored on your machine. Cookies help sites remember you: that you visited, your preferences, your login information, items in your shopping cart, etc. However, they’re also used for targeted advertising, especially third party cookies. When we talk about tracking, the first party is the website you’re intending to visit–like if you’ve typed in CNN.com, the first party is CNN. The third parties are all the invisible tracking companies that are also present on the first party website, but that you probably wouldn’t expect to be there: advertising and analytics companies that have a relationship with CNN, but not directly with you. The only reason you might know they’re there is if you carefully read that site’s privacy policy.

Tracking isn’t only done by cookies: in fact, the vast majority of online tracking occurs through JavaScript code that instructs a webpage to take certain actions. For example, JavaScript could instruct a page to open a series of URLs or download cookies. Another tracking technique is called a web beacon, otherwise known as a 1-pixel image. These tiny image files are invisible to users, but encountering them transmits information back to advertisers. They’re commonly used in emails, which is why many email services block images by default unless a user clicks “show images.” A beacon in an email can relay information back about whether a person opened the email, where they’re geographically located, whether they clicked anything in the email, how far they scrolled down, and more.

The most common types of trackers are:

    • Javascript: 43%
    • Images, such as 1-pixels: 14%
    • iFrames: 14%
    • Flash cookies: 5%

Tracking can reveal many specific details about a person’s website activity. When these details are combined, they paint a detailed picture of that person’s interests, demographic info, and personal/contact info. Tracking can get information ranging from where your mouse has been on a page to your sexual orientation. A recent WSJ study examined 1,000 top websites and found that approximately 75 percent of them featured social networking code that can match users’ online identities with their web-browsing activities, and nearly 25% of the web’s 70 most popular sites shared personal data, like name and email address, with third-party companies.

When you visit a website, your browser constructs web pages from files on the first party’s server, as well as from other third party servers. When your browser is downloading and assembling CNN.com, for example, CNN sends you an HTML file that your browser translates into the web page you see. All source tags (like an image tag, for example) require your browser to make requests, some of which go to tracking companies.

Your browser requests JavaScript files from Facebook to construct any Facebook buttons or widgets you see. The Facebook button is merely a more visible, more popular equivalent of any other kind of tracker on a web page. Google also has its own tracking mechanisms: Google Analytics tracking code appears across the web because many sites embed it to learn more about their visitors’ actions and activity, and Google’s +1 buttons are widespread.

Your web browser makes a request to Facebook to get the button, among other requests. The literal request is something like “Hey Facebook: give me this JavaScript file.” This is the only time your browser talks to Facebook. The information provided in this request, which comes from your machine to Facebook, includes your IP address (showing your geographic area), browser type and version, the page you’re on, any Facebook cookies on your machine (which include your unique Facebook user ID), and potentially more information. This exchange happens regardless of whether you’re logged in to Facebook at the time, regardless of whether you click the button (because remember: it doesn’t exist on the page yet), and used to happen regardless of whether you were even a member of Facebook (they claim that’s been fixed).

Facebook then provides the JavaScript file, and your browser runs the file and creates the button.

When you log into Facebook, you’re setting at least 2 types of cookies: 1) a session cookie (which is temporary); and 2) a more permanent cookie that stays on your machine unless you manually clear your history. Even if you’re not logged in to Facebook while you browse the rest of the web, that second type of cookie can still exist and provide a greater amount of info on you than without it.
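To audit what a page hands to third parties, the sketch below walks a page's source tags and lists, for each request that leaves the first-party site, the page URL and stored cookies that travel with it. It is an added example, not code from the original post; the hostnames, cookie values and HTML are constructed, and it assumes a browser that sends the full page URL as the Referer and attaches third-party cookies, as the article describes.

```javascript
// Added example: all hostnames, cookie values and the HTML below are constructed.
const PAGE_URL = "https://news.example/politics/story-123";
const PAGE_HTML = `
<img src="/static/logo.png">
<script src="https://cdn.news.example/app.js"></script>
<script src="https://connect.social.example/sdk/like.js"></script>
<img src="https://pixel.adnet.example/1x1.gif?ev=view" width="1" height="1">
<iframe src="//widgets.social.example/share.html"></iframe>`;

// Cookies already stored in the browser, keyed by the site that set them.
const COOKIE_JAR = {
  "social.example": "uid=1000234; session=abc",
  "news.example": "prefs=dark",
};

// Simplification (assumption): the last two labels identify the site.
// Real browsers use the Public Suffix List for this.
function site(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// List every request the page triggers to a different site, with what it reveals.
function thirdPartyRequests(pageUrl, html, jar) {
  const page = new URL(pageUrl);
  const found = [];
  const tagRe = /<(script|img|iframe)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const [, tag, src] of html.matchAll(tagRe)) {
    const target = new URL(src, page); // resolves relative and //host URLs
    if (site(target.hostname) === site(page.hostname)) continue; // first party
    found.push({
      tag: tag.toLowerCase(),
      host: target.hostname,
      referer: page.href, // the page you're on
      cookie: jar[site(target.hostname)] || null, // identifies you if set earlier
    });
  }
  return found;
}

// Sites that learn about this page visit without the user clicking anything.
function sitesSeeingVisit(requests) {
  return [...new Set(requests.map((r) => site(r.host)))].sort();
}

console.log(thirdPartyRequests(PAGE_URL, PAGE_HTML, COOKIE_JAR));
```

The widget script and the share iframe both carry the stored user ID cookie, while the 1-pixel image has no cookie yet but still receives the page URL.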

Luckily, you can block secret online tracking for free with DoNotTrackMe.

DoNotTrackMe (DNTMe) helps protect user privacy by preventing your browser from ever making tracking requests to companies or ad networks, like Facebook and Google, when you’re on websites. If a user wants to share using these buttons, she can do so, but she gets to choose when to enable sharing (and thus tracking). DNTMe replaces social buttons with safe, identical placeholders that don’t track users; if users want to share, they simply click the button once to re-enable tracking and a second time to share like usual.

You wouldn’t be okay with someone peering over your shoulder in real life, so why should you put up with it on the internet? Stop giving advertisers, identity thieves, and spammers the advantage by blocking online tracking with DNTMe! It’s a simple yet effective browser tool that blocks the tracking capabilities of advertisers, social networks, and data collection companies. It installs in one click, blocks over 600 trackers, and makes web pages load faster.



