Don’t Worry About Selling Your Privacy To Facebook. I Already Sold It For You

Posted on October 21, 2011

One of the most interesting — and by interesting, I mean appalling — items to come out of last month’s Facebook F8 developer conference was Facebook’s move towards what the company calls “frictionless sharing.”

I have a rule of thumb: whenever someone invents a new term to explain something they’re doing, they probably did so because describing it using existing terms reveals how horrible it is.  “Frictionless sharing” does not disprove this theory.

What it boils down to is simple: in the old days, you used to share things you liked with your friends on Facebook; with “frictionless sharing,” you’ll share everything you do online with your friends on Facebook, automatically.  No more clicking a button or pasting a URL to share something with your friends; now everything you look at will be public by default, just because you looked at it.

This is, of course, an absolutely colossal violation of your privacy. Everybody — everybody — has looked at something online that they wouldn’t want to share with the world. Even putting aside the obvious stuff (*cough* porn *cough*), what if you’re looking at job ads?  Would you want your co-workers (or your boss) to know you’re doing that?  Or if you’re searching for an old flame who it turns out is married now?  Do you want that fact announced to the flame (and the flame’s spouse!)? It takes literally seconds to think of scenarios where “frictionless sharing” could burn you, even if what you’re doing is totally innocuous.

To date, Web users have had an expectation that their online behavior was private, unless they explicitly made it otherwise.  It might be saved in aggregate form in some database somewhere, but that database was privately held, and the data wasn’t specifically tied to their online identity.  “Frictionless sharing” turns that expectation on its head — it makes it so that you need to assume that everything you do online is publicly tied to you, unless you take steps to make it otherwise. And that’s unacceptable, at least to me.

“But how can Facebook do that?” you ask.  “How can they track what I’m doing when I’m not on their site?”  The answer is that they have enlisted an army of accomplices — including, it depresses me to say, me.  I have been Facebook’s confederate in this scheme to violate your privacy.  I gave them material assistance in making it happen.

I did that by embedding Facebook’s Like Button on my site.

At first glance, the Like Button seems like it shouldn’t have anything to do with “frictionless sharing.” You still have to click it to “Like” the page you’re reading, right? Well, not quite. To understand why, you need to know a little about how the Web works.

“C” Is For Cookie

The Web, as originally designed, was what nerds call a “stateless” system, which in English means that every request you make for a Web page is completely independent of the request you made before; no information is shared between them. When you click a link on page 1 that takes you to page 2, page 2 knows nothing about what you were doing on page 1.  This makes the system much simpler to implement than more complex, “stateful” systems that do pass that information along, and that simplicity is a key reason why the early Web was successful where other hypertext systems were not.

But as the Web grew, people started to want to do things on it that you just can’t do in a stateless system.  The biggest example is e-commerce: to have a shopping cart on your site, you need be able to keep track of when the user adds and removes items from the cart, and hold on to that information as they browse around until they go to check out. Without that ability, it’s impossible to run any kind of storefront on the Web.

This led to a great debate in the earliest days of the Web about whether these kinds of applications were appropriate for the Web at all, and if so, how one would go about building them. The solution that eventually emerged came from Lou Montulli, then a programmer at pioneering browser developer Netscape Communications. Montulli’s solution was to allow sites to set so-called “magic cookies” — small text files — in the user’s browser. Sites could store state information in cookies, so that page 1 could leave a note for page 2 telling it that you put a particular item in your shopping cart. Cookies turned the stateless Web of the early 1990s into the stateful Web of today.

In doing so, though they opened up new privacy issues that had never existed before. To guard against the obvious threat of sites snooping around in each others’ cookies, browser developers set things up so that the only cookies a site could read were ones that had been sent from that site’s domain. So you might think that when you load a page, you’re only sharing information with the operator of that page — but there’s an important caveat: when you load a Web page, it can contain resources like scripts that are pulled in dynamically from other domains. And those scripts can set their own cookies — called “third-party cookies” — which are visible to them anytime you hit a page anywhere that pulls in that particular script.

Up until now, the primary people who took advantage of this loophole were advertising networks; it gave them the data to customize the ads they show you to your interests, because every site that contained their ads also contained their scripts, which let them use a third-party cookie to build a profile of which sites their ads run on you visit.  From a privacy perspective this is somewhat troubling, but I never found it that troubling, for two simple reasons.  First, no ad network has enough global marketshare to place its ads on every site on the Web (though Google gets closer every day), so there’s little risk of one being able to watch you everywhere. Second, even if they could, their use for your information is internal — they use it to tune what ads you see, not to tell others what ads you have seen.

“Frictionless sharing” attacks both those reasons head-on.

The Social Panopticon

The threat it poses to the second one is obvious — its whole point is to announce to the world what you’ve been reading, or watching, or listening to. The threat to the first one is a little more nuanced. Facebook doesn’t run ads on external sites, I hear you thinking. So how could they use third-party cookies to track me around like an ad network does?

The answer is hidden inside that little “Like” button.

See, the thing is, the way you place the Like Button on your site’s pages isn’t by downloading an image or a script and running it from your own site.  The only way you can do it is by pulling in a script from Facebook, from their site.  Which means that every page that includes a Like button — or any other Facebook plugin, like Facebook Comments — also reports back to Facebook that you have viewed that page. Regardless of whether or not you click it.

And that’s a Big Deal, because unlike ads from one particular network, Facebook Like buttons are damn near omnipresent these days. And that’s why they are so troubling. The only way one company could ever build a truly comprehensive profile of your Web usage would be if they could convince every site on the Web to include a little snippet of their code. For a long time, that seemed like a highly unrealistic prospect. As Like buttons proliferate, it begins to seem less and less unrealistic every day.

(Not to mention that unlike with ad networks, if you’ve got a Facebook account, your tracked activity is now tied to a personally identifying profile. A profile that they require you sign up for with your real name.)

All of which is a long-winded way of explaining why I have removed all Facebook integration code from Just Well Mixed.* This site used to have Like buttons; it doesn’t anymore.

That’s because Facebook Like buttons are kind of like a bribe.  Facebook offered me something of value — a chance at increased traffic — in exchange for letting them keep tabs on which pages you read on this site, and how frequently, and for how long.  And by including the buttons on my pages, I took the bribe. I sold you out. I sold your privacy to Facebook.

That ends today.

* Real nerds will View Source and notice that I still have Open Graph metadata tags in the page headers. That’s because those do not require allowing Facebook to execute code remotely to generate, so they pose no privacy risk, and they’re useful for describing the site to anyone who cares to write code to parse them, not just to Facebook. So I left them in.