Microsoft Subnet An independent Microsoft community View more

Facebook stalks users across 200,000 websites

Facebook calls social plugins on 200,000 sites a "landmark privacy innovation"

UPDATE: Thanks to a commenter named Ryan, I have learned that Facebook has now given us a way to disable social plugins.

The commenter writes: "Hi Jon,

I was able to disable Social Plugins by going to Privacy Settings, Applications and Websites (Edit your Settings), Turn off all Platform Applications. That button appeared last week with the new privacy page. It worked for me last week although I relented and re-enabled them eventually. If it's not working now then email them to fix it.

-Ryan."

I just tried this and it does work, which is excellent news. I could be wrong, but I do not think this was an option last week while I was researching this post. Feel free to read my post below, but remember there is a way to disable social plugins now. 

UPDATE APRIL 3, 2011: It seems that Facebook has now made it impossible to disable social plugins again. Turning off platform applications no longer prevents you from seeing Facebook "like" and comment boxes on other websites. This is disturbing because it seems there is no way to prevent Facebook from tracking which other websites you visit while you're logged in. If anyone has a solution please let me know.  

Original post:

I’m a loyal Facebook user. I’m not as obsessed as the FarmVille- and Mafia Wars-playing crowd, but I check the site every day and am not about to delete my account.

Like many other people, however, I am concerned about my privacy online. 

I have pored through Facebook’s privacy settings throughout the last few months, deleted content from my profile that Facebook made public without my permission during its various “privacy simplifications,” and taken myself out of nearly every group or page I have ever joined.

But my main concern – that Facebook is watching me as I surf other websites – remains. No matter how locked-down my privacy settings are, I continue to see Facebook content directed specifically at me all over the web, even though I have never given Facebook permission to follow me as I surf other websites.

I was hoping Facebook would solve this  problem once and for all with its most recent update, particularly when CEO Mark Zuckerberg wrote a column in the Washington Post promising “privacy controls that are much simpler to use” and “an easy way to turn off all third-party services.”

As far as I can tell, Zuckerberg has not delivered on his promise to give users an easy way to turn off all third-party services. If it were easy I would have found it. It turns out this “easy way to turn off all third-party services” simply doesn’t exist.

Log onto Facebook. Then open a new window or tab and surf the web. Eventually, you will come to a website where your Facebook profile picture pops up next to a picture, news article or video and you will be urged to “be the first of your friends to like this.” Or you will see pictures of your friends with a message telling you they have connected with the Huffington Post, CNN, Photobucket, or whatever website you happen to be viewing. 

This content, personalized for each of Facebook’s 400 million active users, extends to more than 200,000 sites across the Internet because of Facebook’s “social plugins.” The social plugins - and the associated “Like” button - let developers build integrations between their own sites and Facebook, allowing Facebook friends to share content with each other whether they happen to be on Facebook.com or some other site.

But when it comes to the social plugins, Facebook officials refuse to implement one feature – an off button. If they were going to do so, you’d think it would have happened two weeks ago when Facebook announced its latest privacy overhaul, which came in response to considerable protest from users, but Facebook left the feature as is. 

Just for fun, try closing the Facebook tab on your browser and continue surfing the web. If you expected the Facebook content on non-Facebook sites to disappear, then you will be disappointed. The social plugin Facebook content disappears only if you remember to log out of Facebook before closing the Facebook tab on your browser. 

Now, there should be an easy to turn this off. But there isn’t. In fact, there isn’t any way to turn it off, no matter how long you spend examining Facebook’s privacy settings. As long as you are logged into Facebook, you will see content directed specifically at you while you surf other websites. This, obviously, creates the impression that Facebook is collecting data about which websites you visit and when – which, scarily enough, is exactly what Facebook is doing. 

I exchanged several e-mails last week with Facebook’s public relations department, hoping to find out how to turn off social plugin content, so I could protect the privacy of my own account and hopefully pass on some useful information to readers who share my concerns.  

I figured there must be some hard-to-find checkbox on the privacy page that would allow me to disable all the personalized content I see outside of Facebook. I was surprised to learn that there is no way to disable the plugins. 

To avoid seeing personalized Facebook content on third-party sites, “all you have to do is log out of Facebook,” the company’s PR team told me. 

But not every user logs out of Facebook before closing a browser window or tab. I’d be surprised if even half of Facebook users do that. So whether users close their Facebook tabs or not, they will be presented personalized Facebook content when they run across any one of these 200,000 sites. 

A lot of the privacy concerns have focused on Facebook’s “instant personalization” feature, which is totally separate from the social plugins. Instant personalization is actually rather easy to disable in Facebook’s privacy settings, and only extends to three websites, those being Docs.com, Pandora, and Yelp. 

The instant personalization program proves that Facebook could easily allow users to disable integrations with third-party websites. But for the 200,000 websites using social plugins, Facebook has simply decided not to give users any choice. 

You can figure out the identities of at least some of the 200,000 sites by simply surfing the web and keeping your eyes open, or going to an aggregation site called Likebutton.me. 

But what other sites are on this list of 200,000, might you ask? Well, keep on asking. Facebook refused to give me a list of the 200,000 sites that use social plug-ins. Granted, a list of 200,000 sites would be pretty hefty, but Facebook even refused my request for a partial list.

Facebook spokesperson Andrew Noyes did, however, defend the social plug-ins. While it may appear to users that they are being followed by Facebook as they move from site to site, Noyes insists that no data is shared with Facebook’s partners. 

“The social plugins should be thought of as extension of Facebook,” Noyes writes. “These features are landmark privacy innovations, enabling something that wasn’t possible before—social experiences on websites across the Internet without sharing data with a third party. Websites have simply provided some space on their pages to show relevant activity of their Facebook friends to individual users. That activity is not shared with the partner site unless the user opts-in by logging into the site. Even after using these buttons, no user data —name or profile information, what they like, who their friends are, what they have liked, what they recommend—is shared with the sites they visit. We launched with about 75 partner sites and the program has grown to more than 200,000 sites offering personalization without data sharing.”

So, Facebook’s partners don’t receive any data. Great. What about Facebook itself? There are no promises that Facebook doesn’t track users’ surfing habits. Why should Facebook be allowed to know every time I visit another website?

I have no problem giving developers the ability to link their sites to Facebook, but I do think users should have the option of completely turning this feature off. When I visit a non-Facebook site and see my profile picture, it’s clear Facebook is tracking me as I surf the web, even if they promise not to do anything nefarious with the data. 

Facebook does admit it watches our web surfing habits in one of its FAQ pages about the social plugins.

“When you visit a partner site, Facebook sees the date and time you visited, the web page you are on (commonly known as the URL), and other technical information about the IP address, browser, and operating system you use,” Facebook says. “This is industry standard data that helps us optimize your experience depending on which browser you are using or letting us know that you are logged into Facebook. If you are logged into Facebook, we also see your user ID number. We need your user ID to be able to show you the right social context on that site. For example, when you go to a partner website, we need to know who you are in order to show you what your Facebook friends have liked or recommended. If you log out of Facebook, we will not receive this information about partner websites but you will also not see personalized experiences on these sites.” 

Facebook keeps your personal web browsing data for 90 days, the site explains. But why should Facebook keep it for even one day? If a user wants to disable social plugins and prevent Facebook from collecting browsing data, he or she should be able to do so.

I did find one little trick to avoid the social plugins. Open Facebook in the regular Google Chrome browser, and then open a new “incognito window,” and surf non-Facebook sites. The social plugins disappear. And I’m sure Google would never dream of violating my privacy as I surf the web. But that’s a blog post for another day. 

Follow Jon Brodkin on Twitter.

Insider Shootout: Best security tools for small business
Join the discussion
Be the first to comment on this article. Our Commenting Policies