Whether You “like” It or Not…

Lexum has recently conducted an analysis of the underlying technology behind Facebook Like, Twitter Tweet and other “social” buttons. The analysis revealed that, if used in the way prescribed by Facebook, Google, Twitter et al., these buttons create some significant privacy issues for Webmasters and their users.

Before we get to the privacy issues however, it is appropriate to explain how these buttons work. Adding a Facebook Like, Twitter Tweet, Google +1, LinkedIn Share or any other sharing button to one’s Web site is a relatively easy affair. The companies that distribute them have dedicated pages that explain how to do it. Typically, all a Webmaster has to do is to copy a snippet of HTML code into the appropriate Web pages.

Let’s use Google as an example. We’ll suppose that a Google +1 button is added to Lexum’s front page at in the way prescribed by Google at and that you happen to browse past our beautiful front page. When that happens, the Google code inserted in our front page causes your browser to load a JavaScript file from Google’s servers. This JavaScript code displays the Google’s +1 button in the appropriate location in our front page. It is important to understand that this happens whether you click the button or not.

The implication of this is that every time you visit Lexum’s home page, Google’s button code will cause your browser to contact Google’s server, send Google’s cookies along with the URL of Lexum’s front page and store new Google cookies, if Google requests it. This allows Google to, if it chooses to do so, track your movement on every Web site that has integrated a Google +1 button.

Let me repeat this. When you visit a site with third party buttons (Like, Tweet, etc.), whether you click on them or not, whether you have accounts with these third party or not, every one of these third parties can trail where you are.

It is unknown what these companies do with this information: they may do nothing with it, retain it for future use or add it to the behavioural data they collect about their users. Given their reliance on advertising revenues and the importance of accurate user profiles to advertisers, the latter seems the likeliest.

Recently, the German state of Schleswig-Holstein banned the use of Facebook Like buttons in their jurisdiction over privacy concerns (1)(2). In order to comply with the ban, Heise modified Facebook’s button implementation to inhibit user tracking by Facebook while still offering Like buttons on their Website. Facebook complained about the change to Heise, saying that it violated their policies governing the Facebook logo (3).

As of now, it seems that Facebook is much more aggressive in trying to prevent what Heise did than either of Twitter, LinkedIn or Google.

In order to deal with these privacy concerns, Lexum has created alternative versions of these buttons that do not contact third parties unless they are clicked. As far as we can tell however, we are a part of a very small minority of Webmasters who have taken the time to do so. Internet users who value their privacy should therefore be mindful that the vast majority of Websites with such buttons cause your browser to report your trail to the buttons’ owners.

[I would like to thank Daniel Shane who clued me in about these privacy issues.]





  1. It is nice to see a web developer treating this issue seriously, but web users who wish to make some privacy decisions for themselves cannot rely on web developers, on the whole, to respect those choices.

    As a Firefox user, I use add-ons like NoScript, Adblock Plus, and Ghostery to disable many tracking features across many websites, regardless of the choices made by the web developers involved. Similar add-ons or features are available for other browsers.

    Simply put, at the cost of some convenience some of the time, my web browser does not even attempt to contact many web tracker’s servers, and so those servers will not record my web activity.

    I do not pretend that I avoid all tracking, but there is a lot a web user can do for himself or herself.

  2. University of Washington has a “Share Me Not” extension for Firefox to block the tracking aspects of all these buttons from all sites.

    This page on Slaw has trackable links for Google and Twitter that were blocked by this extension.


  3. Indeed, Alan is correct about Slaw. We, too, have learned from Marc-André’s post and have asked Lexum for whatever help they can provide. We’ll make sure that we have as few leaks in our system as possible.

  4. Every website that has Google Analytics installed has relayed this same information back into Google’s hands for more than 10 years. And before that, companies were slicing and dicing server log files.

    What are you suggesting is any different?

    And to be clear, the Lexum website has both a Google Analytics tracker and a verified GWTools account in its underlying code; which is currently relaying visitor profile data back into Google. I’m presuming you’ll be removing both services immediately in order to protect your users privacy.

  5. Marc-André Morissette (Lexum)


    Although Lexum’s Website was used as an example, it is a simple corporate Website and we are not as invested in protecting the privacy and confidentiality of its visitors as we are for some of our clients, some of which publish primary and secondary legal information. People are obviously more sensitive to who records what they do when they are researching legal matters.

    Your point about Google Analytics being another information spigot Google can use to track people is quite valid however and one I hadn’t thought about. Thank you.