Friday, December 16, 2011

Facebook is Tracking You (Even If You Don’t Use Facebook)

Occasionally, when I rant about Facebook privacy, a misguided friend will suggest that I simply delete my account if I don’t like it. Aside from the fact that deleting my account in no way makes Facebook privacy abuses go away, it also does not stop Facebook from stalking me or anyone else who visits websites that use certain Facebook technologies. You do not need a Facebook account for Facebook to be able to stalk you.

Facebook uses a technology called a “Social Plugin” to track internet users and aggregate information about them, even if you don’t have a Facebook account. Facebook claims that it is not collecting personally identifiable information, but Facebook does not identify what information it is collecting, exactly how it is used, or what it defines as “personally identifiable information”.

Here is how it works. The image below is from a web site that uses a Facebook social plugin. I am logged into my Facebook account, and in a different browser tab I look up “how to use an anonymizer” on

Down by the comments section I see the following:

Did Facebook just tell the website what my Facebook identity is? If you believe Facebook, the answer is no. According to Facebook: “While social plugins appear on other websites, the content populating them comes directly from Facebook — so they're just an extension of your Facebook experience. Plugins were designed so that the website you are visiting receives none of this information.”

Ehow simply gave Facebook a little space on its web site and told Facebook that you dropped in to visit. Yes, Ehow, in a contradictory privacy policy, claims it doesn’t provide third parties with personally identifiable information while admitting to providing your IP address, which in many cases is personally identifiable information.

Now, let’s look at a visit to the same web page when I am not logged into Facebook and have deleted my browsing history and cookies (and HTML5 storage too).

Is this “anonymous”? Probably not. You see, Facebook also explains on the same help page I referenced above:

If you’re logged out or don’t have a Facebook account and visit a website with the Like button or another social plugin, your browser sends us a more limited set of information. For example, because you’re not logged in to Facebook, we don’t receive your user ID. We do receive the web page you're visiting, the date and time, and other browser-related information.

Your IP address is “browser-related information” and is personally identifiable enough to get you arrested if the police think you have been doing something illegal with your computer.
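The mechanism described above only works because the site’s own HTML tells the browser to fetch content from Facebook. The following script, added here as an example and not part of the original post, audits a page for such embeds so a site owner or reader can see exactly which elements cause the browser to contact Facebook (and therefore disclose the page URL, time, IP address and, when logged in, the user cookie). The sample page and the `example.test` URLs are constructed.

```python
"""Audit an HTML page for embedded Facebook social plugins (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains Facebook serves plugin iframes and the JavaScript SDK from.
FACEBOOK_DOMAINS = ("facebook.com", "facebook.net", "fbcdn.net")


def is_facebook_host(host):
    """True for a Facebook domain or any of its subdomains, never for look-alikes."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in FACEBOOK_DOMAINS)


class SocialPluginFinder(HTMLParser):
    """Collects every element that makes the browser send a request to Facebook."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        classes = (a.get("class") or "").split()
        # Direct remote content: iframes, scripts and images served by Facebook.
        if tag in ("iframe", "script", "img") and src and is_facebook_host(urlparse(src).hostname):
            self.embeds.append({"tag": tag, "src": src})
        # XFBML markup (<fb:like>, <div class="fb-comments">): rendered into a
        # Facebook iframe once the SDK script has loaded.
        elif tag.startswith("fb:") or any(c.startswith("fb-") for c in classes):
            self.embeds.append({"tag": tag, "src": None})


def find_social_plugins(html):
    """Return a list of {tag, src} records for each Facebook embed in the page."""
    finder = SocialPluginFinder()
    finder.feed(html)
    return finder.embeds


# Constructed sample: a third-party article page with a Like box, the SDK,
# a comments box, a first-party image and a look-alike domain that must be ignored.
SAMPLE_PAGE = """<html><body><p>Article text...</p>
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample.test%2Fpost"></iframe>
<script src="https://connect.facebook.net/en_US/all.js"></script>
<div class="fb-comments" data-href="https://example.test/post"></div>
<img src="https://cdn.example.test/logo.png">
<iframe src="https://notfacebook.com/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    for embed in find_social_plugins(SAMPLE_PAGE):
        print(embed)
```

Every record printed is a request your browser makes to Facebook before you touch any button on the page.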

So, let’s say you do not have a Facebook account and land on a web page with a Facebook social plugin. What happens? According to Facebook:

“…we may use anonymous or aggregate data to improve ads generally”

In other words, Facebook is using your web browsing for advertising related purposes. Facebook is making money off of your browsing by spying on you whether or not you have a Facebook account.

Can you opt out? This is where Facebook refuses to give a direct answer to a direct question.

How do I opt out of viewing social plugins?

No personally identifiable information is shared about you with the website when you see a social plugin on an external website.

The Like action is similar to public comments or reviews you might write on a website and are shared back to your Facebook profile (timeline). You can choose who can see the things you like in your privacy settings. If you would not like to see what your friends recommend or have shared on a website, simply log out of Facebook.

The Send action lets you select specific people and send them a link and short note as a private Facebook message, Facebook Group post, or email.

You see, Facebook refuses to answer the direct question they publish on their website.

Facebook also lies…

If I visit a site that uses social plugins but don't interact with them, has any information been shared about me?

No. When you simply view a social plugin on another site, it's like a window into Facebook. It may appear personalized, but none of your information - your name or profile (timeline) information, what you like, who your friends are, what they have liked, what they recommend - is shared. Similarly, no personal information about your actions is provided to advertisers.

The correct answer is yes: the website just told Facebook that you visited it.

Now, Facebook claims that it anonymizes the data, but “delete” doesn’t mean the same thing to Facebook as it does to reasonable people. Consider the “deleted” data an Austrian man received when he requested the information that Facebook holds about him.

Believe it or not, my concerns over Facebook’s privacy policies are not the paranoid delusions of a lunatic. There are a lot of us lunatics :)

Facebook’s privacy policies are not only bad, but the company is so distrusted that it must submit to audits by the FTC every two years for the next 20 years. In Europe, where some privacy laws come significantly closer to being actual privacy laws than those in the USA, multiple countries are taking action or considering action against Facebook for illegal practices. Here are just a couple…

The incoming complaint focuses on how the ‘Like’ button allows Facebook to track the online activity of any web user – even those who are not among the social networking site’s 750 million members worldwide.

and “Thilo Weichert, who works for the data protection centre of the northern German state of Schleswig-Holstein, said the social network’s application allowing internet users to express their appreciation of something online, illegally cobbled together a profile of their web habits.” at

It really isn’t just Facebook, but the sites that grant Facebook the space on their web page to enable Internet spying by Facebook.

Currently, the only ways I know of to thwart Facebook and other unscrupulous web entities are to use an anonymizer and ad-blocking browser plugins. I’ll try to get around to writing more about those in a future blog post.

I will definitely write about the “Do Not Track Online Act of 2011” which is being strongly opposed by anti-privacy organizations like the Direct Marketing Association (DMA).

Randy Abrams
Independent Security Analyst

1 comment:

  1. Randy, this is a great article and really addresses the gaping hole regarding online privacy.