Lexum has recently conducted an analysis of the underlying technology behind Facebook Like, Twitter Tweet and other “social” buttons. The analysis revealed that, if used in the way prescribed by Facebook, Google, Twitter et al., these buttons create some significant privacy issues for Webmasters and their users.
Before we get to the privacy issues however, it is appropriate to explain how these buttons work. Adding a Facebook Like, Twitter Tweet, Google +1, LinkedIn Share or any other sharing button to one’s Web site is a relatively easy affair. The companies that distribute them have dedicated pages that explain how to do it. Typically, all a Webmaster has to do is to copy a snippet of HTML code into the appropriate Web pages.
The implication of this is that every time you visit Lexum’s home page, Google’s button code will cause your browser to contact Google’s server, send Google’s cookies along with the URL of Lexum’s front page and store new Google cookies, if Google requests it. This allows Google to, if it chooses to do so, track your movement on every Web site that has integrated a Google +1 button.
Let me repeat this. When you visit a site with third party buttons (Like, Tweet, etc.), whether you click on them or not, whether you have accounts with these third party or not, every one of these third parties can trail where you are.
It is unknown what these companies do with this information: they may do nothing with it, retain it for future use or add it to the behavioural data they collect about their users. Given their reliance on advertising revenues and the importance of accurate user profiles to advertisers, the latter seems the likeliest.
Recently, the German state of Schleswig-Holstein banned the use of Facebook Like buttons in their jurisdiction over privacy concerns (1)(2). In order to comply with the ban, Heise modified Facebook’s button implementation to inhibit user tracking by Facebook while still offering Like buttons on their Website. Facebook complained about the change to Heise, saying that it violated their policies governing the Facebook logo (3).
As of now, it seems that Facebook is much more aggressive in trying to prevent what Heise did than either of Twitter, LinkedIn or Google.
In order to deal with these privacy concerns, Lexum has created alternative versions of these buttons that do not contact third parties unless they are clicked. As far as we can tell however, we are a part of a very small minority of Webmasters who have taken the time to do so. Internet users who value their privacy should therefore be mindful that the vast majority of Websites with such buttons cause your browser to report your trail to the buttons’ owners.
[I would like to thank Daniel Shane who clued me in about these privacy issues.]