
Facebook doesn't like privacy countermeasures - xentronium
http://www.jwz.org/blog/2011/09/surprise-facebook-doesnt-like-privacy-countermeasures/
======
rickmb
Facebook better wake up and realize that especially thanks to companies like
them and their failure to self-regulate and respect privacy values outside the
US, using Like-buttons for tracking is likely to become illegal in the EU and
many other places in the next five years.

Technically, one could argue that they already violate existing laws, but
incidents like these will make absolutely sure that these practices will be
explicitly outlawed very soon.

It keeps surprising me how companies like Facebook and Google seem to be
oblivious to the way privacy is perceived elsewhere, and are actively
provoking stricter legislation than would be the case if they showed some
respect. There is absolutely no question about these tracking practices being
perceived as ethically unacceptable in many countries, so why provoke both
negative publicity and legislation that is likely to handicap less intrusive
solutions as well?

~~~
mypov
I would like to add that contrary to your impression we too value privacy in
USA.

~~~
beagle3
Consider the massive usage of Facebook and Twitter, the lack of outrage over
the warrantless wiretapping scandal (running for 10.5 years now), easily
available voter records (see e.g. the backstory behind Latanya Sweeney's
original identifiability study), and lack of public comments about requiring
ISPs to store all session information for a long time - I would say that is
strong evidence that USA as a nation does not actually value privacy.

edit: wireless wiretapping scandal -> warrantless wiretapping scandal, silly
me.

~~~
old-gregg
Lack of outrage is the phenomenon here, not the lack of respect for privacy.
It's not that Americans don't value privacy, I think we do. Rather, it is the
general attitude against outrage or, perhaps, against complaining, that
differentiates the US from Europe.

The country doesn't have a healthcare system for citizens outside of the
military, and there's no outrage. Does this mean "there is strong evidence
that USA as a nation" doesn't value not dying?

"Don't seek government help, work harder, smile more and make more money"
appears to be the answer/advice to those who complain/express outrage. Then
you can buy yourself healthcare, privacy or anything you wish.

~~~
beagle3
I beg to differ. You may tell that to yourself and feel better (and many
Americans do), but in the grand scheme of actions-speak-louder-than-words
world we live in, there is no evidence for the American respect for privacy.

> Does this mean "there is strong evidence that USA as a nation" doesn't value
> not dying?

No, but it does mean that the country does not value a social safety net as
much as it values monetary profit for the few at the top of the healthcare
insurance industry.

> "Don't seek government help, work harder, smile more and make more money"
> appears to be the answer/advice to those who complain/express outrage. Then
> you can buy yourself healthcare, privacy or anything you wish.

If you believe that, you are naive. Here are some facts for you (you can
google them if you want, I don't have time)

* 75% of people who file for bankruptcy because of medical expenses (and there are a lot of them) HAVE health care insurance. That doesn't happen in any country with socialized health care.

* 40M Americans are on food stamps; that is, they seek and receive government help, and unlike other government perks (like extended unemployment), these will never go away because that's what is stopping blood from flowing in the streets.

* Senators and Congressmen are, on the average, millionaires (unlike military people). They can afford the healthcare they want. And they want state sponsored health care, for life (as long as they've served two terms); what's not good for the goose is apparently excellent for the gander.

* The government takes money from you -- taxes -- essentially at gun point. You might believe it is only on income, but by debasing the currency (which the Fed has been doing very diligently since 2008, and slightly less diligently since 2000, and only just diligently since 1971), they rob the value of money you already have -- and if you hold only anything like gold that retains its value -- why, that's taxed as capital gains; you can't win.

* What the government does with this money is -- among other things -- give it to their friends on Wall Street. To the tune of trillions of dollars.

You know, I remember in 2004 I was arguing with an American friend about how
Americans can re-elect Bush, and his reply was "we're not stupid, it's just
apathy". I see this apathy as stupidity.

And you know what? It's not that it can't be changed. It's just that everyone
prefers cheap iPods to actually facing things that matter. In general, that
only delays the arrival of the bill - but it is coming.

~~~
comex
Why the contempt? For each of these issues, a decent fraction of the
population will make a reasonable argument for change, and a similarly sized
fraction will make a reasonable argument against change, or at least against
the type of change proposed by the other side (dissatisfaction itself is
universal enough).

In the case of socialized health care, especially, a majority of the
population is violently against it, and while I disagree with most of the
arguments, they are neither unreasonable nor apathetic.

~~~
beagle3
> a decent fraction of the population will make a reasonable argument for
> change

That's how it works in theory. In practice, there is one party (Lobbyists)
with two representations, Democrats and Republicans. This guarantees that
everyone keeps arguing about supposed merits (mostly about things like gay
marriage and legal abortions, which make little difference overall, but
occasionally also about things that do matter like health care), but little
gets done on any argued front, while in the meantime wars and patriot acts
happen.

I'm sure reasonable arguments can be made for both sides, e.g. on the health
care debate. But I've listened and looked for them, and never heard them (on
either side). I'm familiar with reasonable arguments on the "for" side for
socialized health care. I haven't managed to find a reasonable argument for
the "against" side. (By reasonable, I mean based on facts and comparison to
other countries who have implemented similar programs ..... e.g. the entire
western world except the US).

> a majority of the population is violently against it, and while I disagree
> with most of the arguments, they are neither unreasonable nor apathetic.

I remember reading about >50% support FOR one-payer system (the way Canada and
the UK run theirs), before the rulers (eh, sorry, "leaders") decided it's not
even on the table.

I would really like to hear some of these reasonable arguments against.

The contempt is from actually living in the US, talking to people daily who
believe that they live in a democracy, or that their government is working to
benefit them in any way.

------
yuvadam
Friendly reminder, blocking all and any of Facebook's pre-click tracking
measures can be implemented easily in AdBlock Plus (or any equivalent ad
blocker) with the following rules:

    ||facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
    ||facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
    ||fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
    ||fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
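
[Added example, not part of yuvadam's comment and not Adblock Plus's own matcher: a minimal evaluator for the four rules above, showing which requests they block. It handles only the syntax those rules use ("||host^" plus "$domain=" with "~" exclusions); the sample URLs are constructed.]

```javascript
// The four rules exactly as quoted in the comment above.
const RULES = [
  "||facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
  "||facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
  "||fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
  "||fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
];

// True when host is the domain itself or one of its subdomains.
// "notfacebook.com" must not count as facebook.com, hence the leading dot.
function isSameOrSubdomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Split "||target^$domain=a|~b" into the request target and the page-domain
// lists. A "~" prefix means "do not apply the rule on pages from this domain".
function parseRule(rule) {
  const m = /^\|\|([^$^]+)\^\$domain=(.+)$/.exec(rule);
  if (!m) throw new Error("unsupported rule syntax: " + rule);
  const included = [];
  const excluded = [];
  for (const d of m[2].split("|")) {
    if (d.startsWith("~")) excluded.push(d.slice(1));
    else included.push(d);
  }
  return { target: m[1], included, excluded };
}

// Decide whether a request made while viewing pageUrl is blocked.
function shouldBlock(requestUrl, pageUrl, rules = RULES) {
  const reqHost = new URL(requestUrl).hostname;
  const pageHost = new URL(pageUrl).hostname;
  return rules.map(parseRule).some((r) => {
    if (!isSameOrSubdomain(reqHost, r.target)) return false;
    if (r.excluded.some((d) => isSameOrSubdomain(pageHost, d))) return false;
    return r.included.length === 0 ||
      r.included.some((d) => isSameOrSubdomain(pageHost, d));
  });
}

// Constructed sample requests: [request URL, page the browser is showing].
const SAMPLES = [
  ["https://www.facebook.com/plugins/like.php?href=x", "https://news.example/article"],
  ["https://connect.facebook.net/en_US/all.js", "https://blog.example/"],
  ["https://static.ak.fbcdn.net/a.js", "https://www.facebook.com/home"],
  ["https://cdn.example/app.js", "https://blog.example/"],
];

for (const [req, page] of SAMPLES) {
  console.log(shouldBlock(req, page) ? "BLOCK" : "allow", req, "on", page);
}
```

The exclusions are what keep Facebook itself usable: the same fbcdn.net script is blocked when embedded in a third-party page and allowed when the page being viewed is on facebook.com.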

~~~
mike-cardwell
Also worth noting that Firefox users who prefer the idea of whitelisting
cross-site requests rather than blacklisting them, can install RequestPolicy.

~~~
divtxt
Does anyone know the equivalent Chrome extension?

~~~
nikcub
I am working on it here:

<http://www.github.com/nikcub/parley>

I will have a new version out at the end of this weekend

I think it is time to kill all third-party requests. If you want to show users
an ad, host it from your own server.

~~~
waqf
Thanks! The only reason I am still using Firefox instead of Chromium is the
availability of RequestPolicy.

~~~
nikcub
I have heard that a lot - which is why I want to get a release out asap

~~~
divtxt
Don't burn out for asap. We'll still be here. :)

------
slowpoke

      If it hadn't occurred to you yet that Facebook cares far
      more about the "Like" buttons that you don't click than
      about the ones that you do -- there you go.
    

I've been telling this to people for ages. These stupid Like buttons are an
infestation, and exactly the reason why I care so much about Facebook's
privacy policies despite not being registered on it - it's just not as simple
as "not having an account". This goes for the other networks, too, by the way.

Besides, this solution with the two clicks is very clever, and privacy
friendly. In addition, it speeds up page loading. It speaks for itself that
the only measure Facebook has is trying to sue with a very broadly formulated
policy, which I doubt applies in this case anyways:

    
    
      if such use could confuse users into thinking that the
      reference is to Facebook features or functionality.
    

Well duh, _it is_ a Facebook feature/functionality.

------
cletus
This is a non-story for the reasons stated but a story for other reasons.

It's standard that widget publishers require to use their widget "as is".
That's basically what Facebook is saying. Not only do you not know what any
custom modifications will necessarily do but it's a completely valid argument
that you want a consistent user experience with your widget.

As for user tracking, this is basically an inevitable byproduct of Facebook
hosting the widget, a situation I'm sure they're not unhappy about, but this
really isn't a big deal in the context of how the Web works.

The story here (IMHO) is trust. Most pages have a Google Analytics tracking
script on them. Do you trust Google? I do (disclaimer: I work for Google).
Protecting user data and privacy are key priorities here. It's why Google+ has
relatively simple privacy controls and allows you to export your data at any
time.

Do you trust Facebook? I don't. Then again, there aren't many companies I do
trust. But Facebook's track record seems to be to befuddle the user and trick
or opt them into sharing things wider than they understand or want.

~~~
orijing
> Facebook's track record seems to be to befuddle the user and trick or opt
> them into sharing things wider than they understand or want.

Are you saying that the product designers at Facebook want to design
interfaces and settings that intentionally confuse users into laxer privacy
settings? Turning this discussion into a rather presumptuous smear at Facebook
in the face of many privacy failures by Google is rather childish.

Perhaps you're saying Google's privacy missteps were accidental, and thus
tolerable. But what makes them more accidental than Facebook's? Bugs are
accidental, sure, and are addressed as quickly as possible (last summer my
mentor was locked in a room with a bunch of people for a week trying to fix
the bugs that came up, and come up with long term solutions). As a result all
privacy settings are as explicit as possible--especially with the most recent
launch, the privacy settings of every single item is clear.

It is unfair to claim that Google values privacy and demonize Facebook for its
privacy-related product decisions. If anything, privacy nuances are what
prevented the new privacy features from launching for multiple months, as we
iterated on details that an organization that cared less about privacy would
have overlooked.

Here's an interesting comparison: Everything Facebook knows about me is
something I or my friends entered (i.e. via tagging). In contrast, Google
knows so much more about me than I told it. How did it automatically link my
Quora, Twitter, etc accounts without my knowing or permission?

~~~
rhizome
Has Facebook (or Google) ever had a "privacy misstep" that was an error on the
side of too-tight privacy?

~~~
freakwit
Yes, but nobody knows about it.

~~~
rhizome
Is that a "misstep," then? It seems to me that the logic of a too-tight
misstep would be that the information simply does not get out. What would be
the reason for FB (or whoever) to notice that too little of my information is
getting out? I suppose the "misstep" is in the eye of the beholder. :)

------
kragen
The most important update, from Aristotle: "Tina Kulow of Facebook Germany has
spoken again. In a tweet, she wrote: “To clarify: a 2-click button is not
ideal – but not a problem. Only a Like button that merely visually pretends to
be one is not OK. That’s all.” Since heise online changed the design of the
button for the first click that activates the Like function, there should now
be no obstacles on Facebook’s part to further use of the 2-click button by
heise online and other websites."

------
jeza
Apparently it's more of a copyright issue than the 2-click process. They don't
like their logo being used on a locally hosted image. So heise.de made the
button more generic and it's all good now.

~~~
gurkendoktor
Are you pointing out that this is what they are saying, or do you believe
that? The worst thing that could happen before is that Facebook would change
their CI and the button would be outdated, looking dated. Now the button looks
crappy from the start.

~~~
jeza
That's my interpretation of the following update posted by the original source
(heise.de):

"[2nd update: In the meantime, Tina Kulow of Facebook Germany has commented
again. In a tweet she wrote: "To make it clear: a 2-click button is not
ideal - but not a problem. Only a Like button that graphically pretends to be
one is not OK. That is all." Now that heise online has given the button for
the first click, which activates the Like function, a changed design, there
should accordingly be nothing more standing in the way of further use of the
2-click button by heise online and other websites on Facebook's part.] (ju) "

So it says the two click button is not ideal, but not a problem. Though the
graphic on the Like-Button is not okay, and so on.

------
bryogenic
A simple solution to this would be to not use Facebook icons for your first
click image. So maybe a simple 'social share' icon that brings up all the
sharing options and at the same time loads the traditional Facebook like
button.
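
[Added example, not part of bryogenic's comment and not heise's code: a sketch of the two-click pattern discussed in this thread, with a generic first-click button so that nothing is requested from facebook.com until the visitor opts in. The "share" element id, the label text and the frame size are assumptions.]

```javascript
// Build the URL of Facebook's Like iframe for the page being shared.
// It is only ever assigned to an element after the visitor's first click.
function likeFrameUrl(pageUrl) {
  const u = new URL("https://www.facebook.com/plugins/like.php");
  u.searchParams.set("href", pageUrl);
  u.searchParams.set("layout", "button_count");
  return u.toString();
}

// Put a locally rendered placeholder into `container`. The placeholder has a
// neutral label and no Facebook artwork. The first click swaps it for the
// real iframe; only then does the browser contact facebook.com (and send any
// cookies it holds for that domain).
// `doc` is passed in so the function can be exercised without a browser.
function installTwoClick(container, pageUrl, doc) {
  const placeholder = doc.createElement("button");
  placeholder.type = "button";
  placeholder.textContent = "Enable social sharing";
  placeholder.title =
    "Clicking loads the Like button from facebook.com, which lets Facebook see this visit";

  placeholder.addEventListener(
    "click",
    function activate() {
      const frame = doc.createElement("iframe");
      frame.src = likeFrameUrl(pageUrl);
      frame.title = "Facebook Like button";
      frame.width = "120";
      frame.height = "24";
      container.replaceChild(frame, placeholder);
    },
    { once: true }
  );

  container.appendChild(placeholder);
  return placeholder;
}

// Browser wiring (skipped when run outside a browser).
if (typeof document !== "undefined") {
  const slot = document.getElementById("share"); // assumed element id
  if (slot) installTwoClick(slot, location.href, document);
}
```

Until the first click the page contains no element pointing at facebook.com, so viewing it produces no third-party request at all; the second click is then the ordinary Like inside the iframe.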

------
hayeah
I think the 2-clicks "like" button is super smart. I am going to implement it
as a Chrome extension, what do you guys think? I've created a repo on github:

<https://github.com/hayeah/FaceOff>

------
Xuzz
Before we spend too much time attacking Facebook over this, let's try and
think of possible reasons why this _might_ be not an "evil" move. No need to
go out of our way to conclude "omg they're evil stealing our privacy".

Firstly, what if they just don't want to confuse users? I see people confused
all the time of when you need to click and when you need to double-click,
every time I see someone using the computer — I'm sure I do this myself, too.
What does allowing someone to introduce uncertainty as to what's required here
do, especially when their click-through buttons look just like Facebook's
normal ones on other sites? I'd say it'd just confuse people. I don't have an
issue with Facebook doing that, I'd actually _rather_ have them enforce this,
so you _know_ what is going on when you see a standard Like button.

(As a few other comments have noted, just replacing the button with a custom-
styled one would solve this issue. It'd also solve user confusion, since it no
longer appears to be Facebook requiring a double click.)

So, _maybe_ they're not just after destroying privacy, after all? Maybe?

(I don't work for Facebook, or even know anyone who does. I just like to try
and see both sides of something like this.)

~~~
slowpoke

      I just like to try and see both sides of something like this.
    

While I can certainly agree to that general notion, in Facebook's case that's
simply a bit too stretched. I find it pretty hard - if not impossible - to
assume honest intentions regarding these cases from a corporation whose
founder openly opposes privacy and considers it "obsolete".

------
yason
What are web browsers doing by sharing this accidental data between 3rd party
sites anyway?

The default setting ought to be that connections to 3rd party sites are done
in incognito mode. This would disallow tracking by looking up the referer and
sites like Facebook couldn't also tell whose login cookies the browser is
storing. You could then whitelist connections on a per-site basis.

------
eloisius
Not sure how great it works because I only sought it out after reading this,
but here's Facebook Disconnect for Chrome.
<https://chrome.google.com/webstore/detail/ejpepffjfmamnambagiibghpglaidiec>

------
blahedo
I'm glad this came up to make me think about it more; I'd already gotten in
the habit of logging out of FB except when actively viewing the feed, for
precisely this reason---I didn't want FB tracking me across browsing other
sites. (The FB-hosted comment systems were actually the proximate worry, as
well as the Like button.)

But that was my half-thought-through answer. Of course they're perfectly able
to track me even without being logged in.[0] So the real answer is I need to
be sure I'm not loading cross-site img and iframes... My Omniweb install I'd
already configured to do that, but setting up proper privacy countermeasures
on my Firefox install just jumped way up the priority list.

[0] <http://panopticlick.eff.org/>

~~~
spc476
I used to do that. I also started deleting any Facebook cookies before logging
into Facebook, and after logging out of Facebook. I then realized that was
stupid, because I have a static IP address (helps with my job, which requires
remotely logging into servers).

With Facebook cookies everywhere, you don't need to be logged in for them to
track you. And in my case, even if I used a different browser for logging into
Facebook, they could (in theory---I have no idea if they actually do this or
not) still track me based on the IP address alone.

Google is just as scary. A few months ago I did a few searches for local
casinos (I was helping a friend of mine get a job at one) and now, I see ads
for casinos on about a third of the webpages I visit. It's most annoying, and
quite scary when I think about it too much.

~~~
unfasten
> [...] and now, I see ads for casinos on about a third of the webpages I
> visit.

You should be able to remove that from your ad targeting here:
<http://www.google.com/ads/preferences/> It lists all the categories Google
thinks you're interested in and allows you to add or remove categories.

------
thelovelyfish
Facebook, Google, all these other giant technology firms... They will be
looked back on in the future as ruthless opportunists doing their best to take
advantage of the public with technology before anyone can figure out what
they're doing and stop them.

The world is not some cute friendly little place. It is equally as barbarous
today as it was in the dark ages. The TVs have convinced everyone otherwise it
seems. Evil people are using machines to take over the world.

<http://www.youtube.com/watch?v=z9RiRfMYVlQ&feature=channel_video_title>

------
doki_pen
Is this really just a Facebook problem? Isn't it a problem for any client side
service that is used across the web? Analytics packages, ad software, value
add stuff like disqus, etc.

------
thedjpetersen
I was surprised to find out that Facebook tracks not only what 'like' buttons
you have been clicking but also where you have been browsing. Is there a
privacy browser extension?

~~~
ordinary
For Firefox, RequestPolicy adds a whitelist for requests to third-party
websites. It's a hassle to set up, but it works. I don't know if an equivalent
exists for Chrome.

~~~
waqf
Re Chrome, see <http://news.ycombinator.com/item?id=2957201>

------
jaekwon
It's the visitor's choice to visit a webpage. It's the developer's choice to
choose widgets. Do you really think it's fair to say, "I want to use your
widget, FB, which happens through your servers, and I want to use them my way
without your consent." The default option (not choosing the widget) is always
fair.

My point is that to make such widgets illegal, widgets that service three
consenting parties, is completely retarded.

~~~
jaekwon
I take that back. If people don't understand the natural laws of the Internet,
it may stand to reason that blocking widgets is a matter of national security.

However, I think a better approach is to educate each other on how the
Internet works, so that blanket measures can be avoided.

------
rudiger
Is there an open-source implementation of this two-click system for Facebook's
Like button (and others like Google's +1 and Twitter's tweet button)?

~~~
blauwbilgorgel
I often use a simple (button image) link to twitter.com/share or
facebook.com/sharer.php (now
<http://developers.facebook.com/docs/reference/dialogs/>). That is one-click
without javascript execution or, worse IMO, company custom html tags.

AFAIK Google+1 doesn't, as of yet, have such an URL where you can share.
Sharing seems to go through the +1 button. I'd really like a share url for
Google+ for technical and privacy reasons and keep everything one-click to
share.

I bet you could make a two-click system for the Google+1 button, now
asynchronous JavaScript loading is enabled, but I don't know if that is within
TOS. Again I would love a simple share link (like Linkedin, Facebook or
Twitter) and be done with it.

I know that sharing on Facebook is different from liking, but I feel sharing
is more valuable from a marketing POV.

------
Sigi
A possibly related note: I use two browsers to browse the web in an attempt to
protect my privacy (as futile as it seems to be); one is logged in to google,
and the other is not.

When using the browser that is logged in, I get 15 "+1"s for Google like-like
button. However, when using the other browser that's not logged in, I get 0
"+1"s.

Can anyone explain?

------
baby
I was doing it on my website, I never had any problems with Facebook.

Actually, I had other problems with them, and what they did is just plainly
banned my application and blocked my website from using Facebook API.

------
jcfrei
What about the like buttons on TechCrunch? They only load if you hover over
them as well.

~~~
lukejduncan
TechCrunch uses a custom image for their preloaded button

------
RexRollman
Facebook is detestable. Just like its founder.

------
maeon3
I forgot how when I click a like button on a foreign page, Facebook is
keeping data about what pages I am visiting and (who,what,when,where,how) and
is selling that click data about me to the highest bidder (and I can't turn it
off) to advertisers or worse government agencies doing warrantless
surveillance.

I'm never clicking a Facebook like button again until I can turn off user
website tracking.

~~~
rlpb
You don't even need to click the like button. Facebook get the information as
soon as you view the foreign page.

~~~
hbar
If you use Chrome(-ium), there's an extension for that. I believe there is an
equivalent FF extension out there as well.

<https://chrome.google.com/webstore/detail/ejpepffjfmamnambagiibghpglaidiec>

------
pacemkr
Don't use the Like button.

There, problem solved.

If your startup isn't social and free, it isn't hip. If you don't have a
Facebook page and seven shades of "Like" buttons, you are destroying your
business. Just stop.

Stop putting that social media flair (crap) on your website. Your users don't
care, because sharing a link is not an unsolved problem.

------
calbear81
I love the privacy "oh no they're selling our data!" paranoia that people
still have without considering WHY and what legitimate reasons Facebook has
for sending back data when a Like button is implemented.

First, they are a SOCIAL network, this data helps them figure out the
engagement level with different brands that participate on the Facebook social
platform. Second, in this case, the use of 2-click solution creates a
disconnect with the expected behavior of the Facebook Like widget which means
users going across different sites will not know whether they need to make one
or two clicks to enable a "Like". Third, when you don't use the Facebook Like
widget, you don't get any insight into your connections with your social graph
unless you click on the Like button which defeats the purpose of being able to
see that "4 of your friends like this".

There are real privacy concerns that we should consider but I'm tired of
reading EU Privacy office statements that show a lack of understanding of how
the web works and without regard to the impact to the monetization ecosystem
which is the lifeblood of many web publishers. What bothers me more is that
there's a lack of consideration that there are legitimate reasons a certain
level of data is collected in order to make the web more social.

~~~
beagle3
> What bothers me more is that there's a lack of consideration that there are
> legitimate reasons a certain level of data is collected in order to make the
> web more social.

It isn't for making the web more social. It's for making (e.g.) Facebook more
all-knowing, which is a task on the way for more profit.

Just like the tobacco industry should be regulated against making cigarettes
more addictive, privacy should be regulated -- either by attaching a mouse-
over saying "warning: Facebook tracks you on every page you visit that has a
like button", or by limiting what and how they can collect.

The copyright issue is a red herring. Facebook could create an official
"data:..." url like button that has the original image instead of linking to
their server. It would be better for everyone involved, including Facebook's
bandwidth and the site's loading speed -- except that Facebook would lose
their tracking data.

