dimanche, mai 02, 2010

Social plug-ins and Like Button: Facebook gets personal user identity for each page impression on 3rd party site and the publisher itself does not

[Go to the bottom of this post to access directly the technical demo showing how Facebook puts a username and id on each page impression of a page with Like button]

At recent its recent F8 conference, Facebook announced the extension of the Like button beyond  Facebook site itself to 3rd-party sites: Part of the announcement were as well as Social Plugins to publish back on these same sites the "likes" generated via this new button and other recommandations made directly on Facebook .

I elaborate below on  the technical details of Like button and the social plugins  to demonstrate the imbalance of the deal between Facebook and the sites implementing those widgets. The very clever implementation of Like button clearly is a resurgence of what we all know for at least a decade as a common practice for advertising networks: the use of Internet cookies to track (anonymously) people across all page impressions within the network sites that they visit.

But, in the case of Like button and Social plugins , there is a MAJOR EVOLUTION: users get not only tracked as a anonymous profile but they are IDENTIFIED IN PERSON for each of those page impression on the 3rd party sites!

This very personal tracking by Facebook is made possible by the double fact that a very large majority of  Facebook users are members under their very real identity and because they don't log out before leaving Facebook for another site.

Consequently , the spreading of these new social components over the Internet - bringing back the user id of each page impression - delivers tremendous data-mining and targeting capabilities to Facebook for advertising and other purposes.

Privacy implications are huge! Especially, when you consider that a few days only after F8, more than 50'000 sites have already implemented those new widgets: do the 400+ millions of Facebook users know that they get personally identified whenever they visit any page of those sites having the widgets? I doubt it: most of them will contribute to the delivery of all details about their various visits without even knowing and realizing it.

Additionally It seems to me that the "contract" between individual users, 3rd party sites and Facebook is extremely one-sided!

Here is the mechanism of this contract for the Like button (equivalent path for the other Social Plugins):
  •  Publishers are attracted by a very attractive and efficient deal : "Instantly engaging social experiences with just one line of HTML" as Brett Taylor says in the announcement by Facebook. Who does not want to get social so easily nowadays?
  • For this one line of HTML provided by Facebook (easily customizable on-the-fly to suit each page if inserted in  the generic page template of the site)  and with no other legal contract elaboration or development hassle,.the publishers get a publication on Facebook user's news wall of the URL of the page hosting the Like button  just pressed.
  • Then, the publishers hope for viral spreading of their content by this digital word-of-mouth. It's very important for them: recent studies showed that Facebook is getting more efficient than Google News for this spreading
  • What the publisher gives to Facebook in exchange for those "free" advertisements on the walls of users is a trigger (via a URL call) to Facebook's site on each and every page impression including this Like button (and not only those where the Like button is clicked....). Through the cookie mechanism described below,  Facebook can then put a name,face and user profile on each of those page impressions when done by a still logged-in Facebook member
  • The Facebook user visiting the page and that is still logged in on Facebook (do your log out when you leave Facebook?  I personally never do....) does then not realize that he just delivered all personal infos about his visit on site X to Facebook through the cookie stored by Facebook in his browser!
  • the imbalance of the deal comes from fact that Facebook is the only party in the deal to obtain this nominative informations: the 3rd party site has no access to them (see explanations about iframe tag and SOP protection below). So, this site delivers invaluable informations on himself and his users to a partner whereas he himself does not have access to this personal tracking of his users as Facebook does not share back this information. Is that really the wish of the publisher?
  • the imbalance is even bigger when you realize also that the "Like" links themselves as displayed on the 3rd party site are not computationally accessible to him because of same iframe tag and SOP protection described below. They are visible on the page but cannot be stored or analyzed by the publisher. From the site perspective, it's only a "visual effect".
  • Most probably, lots of those sites implementing Like button and social plugins don't even realize the above implications.Else they would maybe not use Like button or minimally they would warn their users about privacy consequences for them before they figure out by themselves and get the impression of being fool. The continuing user loyalty to their site is at stake!
Is that mechanism really in its current form sustainable over the long term? I doubt it.
The Like button will have to go through major adaptations to reach a better balance between Facebook, its users and the 3rd party sites implementing Like button or Social Plugins

Some  senators and the EFF (see their post "Facebook evil interfaces") just wrote about their concerns on similar issues brought by the new Facebook features. Expect more from them and others  when a larger group of users realize what's happening with their very personal profile stored on Facebook.

I believe we live today only the first episode of a long saga....

Technical details on how Facebook acquires user identity for page impressions of 3rd party sites:
  • go to http://www.facebook.com
  • logout from Facebook to get back to the login page if you were already logged in 
  • when on the Facebook login homepage: type "javascript:alert(document.cookie);" (remove the double quotes) in the address bar of your browser
  • you get a long string of obscure characters: it's the string of cookies used and stored automatically by Facebook in your browser. These cookies will then be sent back to Facebook by your browser each time you call a page part of the Facebook domain (i.e whose URL is http://something.facebook.com/xyz)
  • log on to Facebook with your userid and password.
  • type again "javascript:alert(document.cookie);" 
  • you will discover an interesting new cookie in thes string after the login. It is named "presence" (search for presence= in the string). its value is the hashed / encrypted representation of your Facebook member id.
  • The url of each Like button is something like "http://www.facebook.com/like.php?p1=v1&p2=v2 etc." ((p,v) are couples of parameters with their value among which one in the URL of the liked page. Go to  Like Reference page on Facebook Developper Site and generate examples some if you want to analyze by yourself. This long URL calling like.php is encapsulated by the Facebook code generator in an HTML iframe tag when implemented on the site. The very solid "Same Origin Policy" implemented in all the modern browsers and applicable to the generated HTML with the iframe  makes the information brought back into the by the call to www.facebook.com/like.php inaccessible to the calling site even though its present on its page.
  • now, call the url mentionned above i.e http://www.facebook.com/like.php (no parameters needed) from the same tab or even a new tab in your browser to simulate what the Like button does when displayed on a page.
  • type again "javascript:alert(document.cookie);you can see that the same cookie "presence= " is still there
  • what did Facebook do with it ? It just computed exactly WHO YOU ARE! How to prove it ? Just do a "view HTML source" of this page and you will discover both your facebook id and your facebook user name: search for string "user:" in the page, the large number following it is your facebook user id and search for string "window.presence", you'll find your facebook user name right after it. Why are those infos here and hidden ? They will  be displayed on the page if you click on the Like button.
  • Proof is made.
This is for me an extremely clever combined implementation of cookies and SOP leveraged by the high power and depth of user profile information. Hats down to the Facebook engineers!

Source: blog Media & Tech (par didier durand)

6 commentaires:

Matthieu a dit…

Very interesting and well explained.
As you said, I find the deal pretty much one sided : huge win for facebook but for the publishers and the users?

Be Meo a dit…

i visited your site, it's very nice. Wellcome to my blog: http://www.tech24h.us
thank you so much!

Lisa a dit…

Thanks for the info. As a FB user, I confirmed what FB does despite my privacy settings.

Facebook will track you to any site you visit that participates in the Like program. Whether you are logged into Facebook or not. Regardless of your privacy settings. *All you have to do is be a member of FB and FB will get some of your surfing habits.*

To test your steps above, I just visited a Like-enabled website called www.holycaw.alltop.com and read "10 vital views of planet earth". I was NOT logged into Facebook; my privacy settings are as restrictive as possible. My FB cookie showed my ID and the holycaw website info. I *did not* click Like. But since holycaw has installed the Like button, Facebook knows I went there.

So Facebook, how do we opt out of this?!?

Anonyme a dit…

Very interesting to acknowledge for my research! I am very curious to know if it is possible to disable this presence tracking by removing the 'like' buttons with this userscript: http://userscripts.org/scripts/show/76037. What do you think?!

Marc Stumpel

Unknown a dit…

Hi Marc,

It's nice to remove the button from the page but it's not sufficient for me: the way you do it, the button is removed after the call to FB url kike.php has been done anyway

It means then that the goal for FB is reached: they got the trafic data that they were looking for their analytics anyway. So, your remove the value for the publihser (its link can no longer be promoted on Facebook) but you kept the value of the deal for FB (rich & wide analytics)

Do you agree ?

Anonyme a dit…

I found this :) Maybe you will find it interesting :)