The Facebook Like Button is a Web Bug
The Facebook like button is the most interesting product Facebook publishes. After asking numerous people what they think the Facebook button is for and hearing their responses, I realize not many people know what Facebook actually gets from having their like button distributed all over the Internet.
Most people think the like button is a way for advertisers to have a continual channel for pushing content to their users. This is true and what Facebook sells to the general population. But, the like button is really a cleverly disguised web bug.
In the early days of websites, there were web bugs. Although not in common use, some services like Mailchimp still use web bugs to track how many people "open" emails they send.
Privacy concerns around web bugs hit epic proportions at one point but never got the same mass hysteria in conspiracy theory circles as cookies and knowledge and privacy concerns about web bugs died.
A web bug is a 1x1 image which is included in a piece of HTML code. When your browser accesses any web site all of the images on the page can either be loaded from the page you are visiting or from external sources. When your browser makes an external source request, the site receiving the request knows where the request originated.
For example, when you visited this page your browser made a request to Flickr to access the image at the top of this page. When your browser made this request a header is attached which says where the request originated. This is called a referrer header. The request to Flickr looks like this.
GET /2192/2058198168_fac0e21ee1.jpg HTTP/1.1 Host: farm3.staticflickr.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/20100101 Firefox/15.0.1 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://bretthard.in/2012/10/the-security-and-developer-passion-dilema/ Pragma: no-cache Cache-Control: no-cache
From the host header you'll notice your browser is making a request to farm3.staticflickr.com. When farm3 receives this request they will know the following just from the referrer header.
- Someone has visited http://bretthard.in
- What page they visited.
- Which of their resources was used on the page. In this case /2192/2058198168_fac0e21ee1.jpg
The Facebook Like Button
The like button works exactly like the Flickr image. The difference is additional header is sent. A cookie is sent along with the request. This cookie states who you are and is required for any site which requires authentication.
What makes the like button so interesting is even if you don't "click" the like button Facebook knows what site and page you visited. When your browser visits the page, it makes a request to Facebook asking for the resource.
This of course relies on the like button being on the page accessed and if you are logged into Facebook. Oh wait! You don't have to be logged in for Facebook to track you. Nik Cubrilovic noticed logging out of facebook doesn't destroy all the cookies, only the authentication cookies. So Facebook can still track you across the Internet.
This means Facebook has a nice history of sites you visit and articles you read whether you are or are not logged out of Facebook. The only solution seems to be using an incognito window. Even then, Facebook still knows the IP you are coming from so logging out may not be enough.
Value the Data
So what? So Facebook knows where I have been and what I have been reading. If you aren't a privacy advocate, not a problem. In fact, I argue the concept of privacy is changing and people don't care about it anymore.
Written: October 18, 2012