At its recent F8 conference, Facebook announced the extension of the Like button beyond the Facebook site itself to third-party sites. The announcement also covered Social Plugins, which publish back on those same sites the "likes" generated via this new button and other recommendations made directly on Facebook.
I elaborate below on the technical details of the Like button and the Social Plugins to demonstrate the imbalance of the deal between Facebook and the sites implementing those widgets. The very clever implementation of the Like button is clearly a resurgence of a practice we have all known for at least a decade from advertising networks: the use of Internet cookies to track people (anonymously) across all page impressions on the sites of the network that they visit.
But in the case of the Like button and the Social Plugins there is a MAJOR EVOLUTION: users are not only tracked as an anonymous profile, they are IDENTIFIED IN PERSON for each of those page impressions on the third-party sites!
This very personal tracking by Facebook is made possible by two facts: a very large majority of Facebook users are members under their real identity, and they do not log out before leaving Facebook for another site.
Consequently, the spread of these new social components over the Internet, bringing back the user id of each page impression, delivers tremendous data-mining and targeting capabilities to Facebook for advertising and other purposes.
Privacy implications are huge! Especially when you consider that only a few days after F8, more than 50,000 sites have already implemented those new widgets: do the 400+ million Facebook users know that they are personally identified whenever they visit any page of the sites carrying the widgets? I doubt it: most of them will deliver all the details of their various visits without even knowing or realizing it.
Additionally, it seems to me that the "contract" between individual users, third-party sites and Facebook is extremely one-sided!
Here is the mechanism of this contract for the Like button (the path is equivalent for the other Social Plugins):
- Publishers are attracted by a very attractive and efficient deal: "Instantly engaging social experiences with just one line of HTML", as Bret Taylor says in Facebook's announcement. Who does not want to get social so easily nowadays?
- For this one line of HTML provided by Facebook (easily customizable on the fly to suit each page if inserted in the site's generic page template), and with no legal contract to negotiate and no development hassle, the publisher gets the URL of the page hosting the Like button that was just pressed published on the news wall of the Facebook user who pressed it.
- The publishers then hope for viral spreading of their content through this digital word-of-mouth. It is very important for them: recent studies showed that Facebook is becoming more efficient than Google News for this spreading.
- What the publisher gives Facebook in exchange for those "free" advertisements on users' walls is a trigger (a URL call to Facebook's site) on each and every page impression that includes the Like button, and not only those where the Like button is clicked. Through the cookie mechanism described below, Facebook can then put a name, a face and a user profile on each of those page impressions when it is made by a still-logged-in Facebook member.
- The Facebook user visiting the page who is still logged in on Facebook (do you log out when you leave Facebook? I personally never do...) does not realize that he has just delivered all the personal information about his visit to site X to Facebook through the cookie that Facebook stored in his browser!
- The imbalance of the deal comes from the fact that Facebook is the only party in the deal to obtain this nominative information: the third-party site has no access to it (see the explanation of the iframe tag and Same Origin Policy protection below). So the site delivers invaluable information about itself and its users to a partner, while it does not itself get this personal tracking of its users, since Facebook does not share the information back. Is that really what the publisher wants?
- The imbalance is even bigger when you also realize that the "Like" links themselves, as displayed on the third-party site, are not computationally accessible to it because of the same iframe tag and Same Origin Policy protection described below. They are visible on the page but cannot be stored or analyzed by the publisher. From the site's perspective, it is only a "visual effect".
- Most probably, many of the sites implementing the Like button and Social Plugins do not even realize the above implications. Otherwise they might not use the Like button, or at least they would warn their users about the privacy consequences before the users figure it out by themselves and feel fooled. The continuing loyalty of users to their site is at stake!
The Like button will have to go through major adaptations to reach a better balance between Facebook, its users and the third-party sites implementing the Like button or the Social Plugins.
Some senators and the EFF (see their post "Facebook evil interfaces") have just written about their concerns on similar issues raised by the new Facebook features. Expect more from them and others when a larger group of users realize what is happening with the very personal profile they store on Facebook.
I believe we are living today only the first episode of a long saga...
Technical details on how Facebook acquires user identity for page impressions of third-party sites:
- go to http://www.facebook.com
- log out from Facebook to get back to the login page if you were already logged in
- look at the cookies your browser now holds for the facebook.com domain (your browser's cookie viewer shows them): you get a long string of obscure characters. These are the cookies stored automatically by Facebook in your browser. They will be sent back to Facebook by your browser each time you request any page in the Facebook domain (i.e. whose URL is http://something.facebook.com/xyz), and, with a browser in its default configuration, this also happens when the request to facebook.com is made by an iframe embedded in another site's page.
- log in to Facebook with your user id and password.
- you will discover an interesting new cookie in the string after the login. It is named "presence" (search for presence= in the string); its value is a hashed / encrypted representation of your Facebook member id.
- The URL of each Like button is something like "http://www.facebook.com/like.php?p1=v1&p2=v2 etc.", where the (p,v) are parameter/value pairs, one of which is the URL of the liked page. Go to the Like Reference page on the Facebook Developer site and generate some examples if you want to analyze them yourself. This long URL calling like.php is wrapped by Facebook's code generator in an HTML iframe tag when implemented on the site. The very solid Same Origin Policy implemented in all modern browsers, which applies to the generated HTML with the iframe, makes the information brought back into the page by the call to www.facebook.com/like.php inaccessible to the calling site's own scripts, even though it is present on its page.
- now call the URL mentioned above, i.e. http://www.facebook.com/like.php (no parameters needed), in the same tab or even a new tab of your browser to simulate what the Like button does when displayed on a page.
- what did Facebook do with it? It just computed exactly WHO YOU ARE! How to prove it? Do a "view HTML source" of this page and you will discover both your Facebook id and your Facebook user name: search for the string "user:", the large number following it is your Facebook user id; search for the string "window.presence", you will find your Facebook user name right after it. Why is this information here and hidden? It will be displayed on the page if you click the Like button.
- Proof is made.
Source: blog Media & Tech (by didier durand)