Facebook (again) tracking non-Facebook users: says its a bug

Facebook (again) tracking non-Facebook users: says its a bug

26th April 2011

Remember “Beacon”? It was Facebook’s ad system which became instantly controversial when it became clear that Facebook was tracking all users in third-party partner sites, including people who never signed up with Facebook or who had deactivated their accounts. It got Facebook in a lot of trouble.

You would think Facebook would have learned something from this but apparently they haven’t. A research performed by a Dutch Doctoral Candidate and Researcher as Tilburg Institute for Law, Technology, and Society shows that Facebook has been tracking non-Facebook users by using the “Like” button. Facebook admits to it but claims it was a bug.

The research was done in November 2010 and since then reporters from the Dutch TV show “reporter” have been all over it. Last Saturday they revealed this in a program on Dutch National Television. They contacted Facebook themselves who admitted they had been placing tracking cookies on computers of non-members who visited websites that integrated Facebook Connect.

In an e-mail to Hamburg’s Data Protection Authority Facebook said:

“what was described in the publication was the result of a bug. Some Connect websites were inadvertently using an old Software Developing Kit (SDK), where a cookie would be set. We fixed the bug as soon as we were made aware of it and we now run a test every day to ensure that no cookies are being set”.

How does it work?

The key to how it works is Friendfinder. This tool allows you to invite friends who are not yet on Facebook to come to Facebook. That combined with the Like button made it possible for Facebook to track the non-members.

Once a non-member is identified via Friendfinder (for example their e-mailadress) they were being tracked. And they didn’t even have to click on the “like” button. The like button would send back data to Facebook.

From the research:

“A visit to Techcrunch.com includes an HTTP GET request for the Like button. However, when the button is provided there is no cookie issued. Thus, it seems that the Like button itself is not used to issue cookies. However, when a site is visited which includes Facebook Connect (for instance Gizmodo.com) this application issues a cookie (fig. 2). From that moment on, visits to other websites which display the Like button result in a request for the Like button from the Facebook server including the cookie.”

According to the TV show, research shows that some of the cookies that were placed are still active. Facebook didn’t respond to that.

You can say at least that Facebook is on a grey area here. We’ll see how this develops further.

You can download the research here (pdf)

Written By
Bas van den Beld is an award winning Digital Marketing consultant, trainer and speaker. He is the founder of State of Digital and helps companies develop solid marketing strategies.
  • This field is for validation purposes and should be left unchanged.