Technical report prepared at the request of the Belgian Privacy Commission in the context of its Facebook investigation.
The technical report presented here provides a technical description of Facebook tracking through social plug-ins such as the "Like Button". The report was written by KU Leuven and iMinds researchers Güneş Acar (COSIC), Brendan Van Alsenoy (ICRI/CIR), Frank Piessens (DistriNet), Claudia Diaz (COSIC), Bart Preneel (COSIC) at the request of the Belgian Privacy Commission.
The technical report is prepared as an annex to the general report titled "From social media service to advertising network" prepared by ICRI/CIR (KU Leuven), SMIT (VUB) and COSIC (KU Leuven). All three entities are part of iMinds.
Cookie | Contains¹ | Purpose¹ | Lifespan | Logged-in | Logged-out | Deactivated² | Non-user |
---|---|---|---|---|---|---|---|
datr | Browser ID | Site security and integrity | 2 years | Sent | Sent | Sent | Sent³ |
c_user | Facebook ID | Authentication | 1 month / Session⁴ | Sent | Not sent | Not sent | N/A⁵ |
fr | Encrypted Facebook ID and Browser ID | Advertisement | 3 months | Sent | Sent | Sent | N/A |
1: The descriptions are taken from the Irish Data Protection Commissioner's 2011 audit and 2012 re-audit.
2: Deactivated also means logged-out.
3: If the non-user already has this cookie, e.g. if she has visited a Facebook page.
4: The cookie's lifetime depends on the “Keep me logged in” checkbox. If the box is checked, the cookie will expire in 1 month; otherwise it will be removed at the end of the session.
5: Not applicable; the cookie in question is only set for Facebook users.
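An audit sketch based on the cookie table above, added here as an example and not taken from the report: it scans captured requests for calls to a Facebook host made from a non-Facebook page and infers the visitor state from which of datr, c_user and fr were attached. The record shape (`pageUrl`, `request`), the sample hosts and the cookie values are constructed assumptions; the inference is a heuristic read off the table.

```javascript
// Added example. Records are a simplified, constructed HAR-like shape
// (`pageUrl` is an assumption; real HAR entries link pages via `pageref`).
const FB_COOKIES = ["datr", "c_user", "fr"];

function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}
const isFacebookHost = (h) => h === "facebook.com" || h.endsWith(".facebook.com");

// Map the set of cookies sent to the visitor states in the table above.
function classify(sent) {
  if (sent.includes("c_user")) return "logged-in";
  if (sent.includes("fr")) return "logged-out or deactivated";
  if (sent.includes("datr")) return "non-user with datr";
  return "no identifying cookie";
}

// Report every request to a Facebook host made from a non-Facebook page.
function auditEntries(entries) {
  const findings = [];
  for (const e of entries) {
    const reqHost = new URL(e.request.url).hostname;
    const pageHost = new URL(e.pageUrl).hostname;
    if (!isFacebookHost(reqHost) || isFacebookHost(pageHost)) continue;
    const hdr = e.request.headers.find((h) => h.name.toLowerCase() === "cookie");
    const jar = parseCookieHeader(hdr && hdr.value);
    const sent = FB_COOKIES.filter((n) => jar.has(n));
    findings.push({ page: pageHost, sent, state: classify(sent) });
  }
  return findings;
}

// Constructed sample: four third-party plug-in loads and one first-party visit.
const plugin = "https://www.facebook.com/plugins/like.php?href=x";
const req = (pageUrl, cookie) => ({
  pageUrl,
  request: { url: plugin, headers: cookie ? [{ name: "Cookie", value: cookie }] : [] },
});
const SAMPLE = [
  req("https://news.example/a", "datr=AAA; c_user=1000; fr=BBB"),
  req("https://shop.example/b", "datr=AAA; fr=BBB"),
  req("https://blog.example/c", "datr=CCC"),
  req("https://blog.example/d", ""),
  req("https://www.facebook.com/home", "datr=AAA; c_user=1000; fr=BBB"),
];
console.log(auditEntries(SAMPLE));
```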
Q: How does Facebook use social plug-ins to track non-users?
A: Facebook sets a tracking cookie (datr) when a non-user...
Once the cookie is set, all the later visits to sites that include Facebook social plug-ins can be tracked and linked by Facebook using that cookie.
Q: Can Facebook track me even if I don't click the social plug-ins?
A: Yes. Visiting a page with social plug-ins is enough to be tracked once you have the cookie (see above).
Q: Does Facebook only set cookies on Facebook pages (when it's a first-party)?
A: No. For example, Facebook sets a tracking cookie (datr) on certain sites that use Facebook Connect (e.g. myspace.com, mtv.com, okcupid.com).
Facebook also sets the same tracking cookie on the European Digital Advertising Alliance website if you try to opt out.
Q: Do Facebook social plug-ins set cookies?
A: Mostly no. But on a small number of sites, Facebook social plug-ins do initiate a request to a URL starting with pixel.facebook.com/si/kappa/ which then sets a tracking cookie (datr).
Q: In the report you say Facebook sets a tracking cookie on the European opt-out site, but not on the US & Canadian site. Why the difference?
A: We have no idea.
Q: Is logging out enough to avoid Facebook tracking through social plug-ins?
A: No. When you log out, Facebook still receives cookies (fr, datr) that uniquely identify you and your browser.
Q: Does deactivating my Facebook account stop Facebook tracking through social plug-ins?
A: No. When you deactivate your account, Facebook still receives cookies (fr, datr) that uniquely identify you and your browser.
Q: Are social plug-ins the only Facebook component that tracks Facebook users on the Web?
A: No. For example, many sites use Facebook's Audience pixels to add their visitors to custom segments and retarget them on Facebook with Facebook Ads.
Q: Does Facebook stop tracking me when I opt out on the sites suggested by Facebook?
A: No. Facebook will still receive the same information about your visits to external sites containing Facebook social plug-ins. Facebook only promises to no longer use this information for the purposes of interest-based advertising.
Q: I'm an end user, how can I easily protect myself against social plug-in tracking?
A: You may use browser add-ons that block tracking such as:
Q: I'm an online publisher/blogger/webmaster. How can I prevent tracking of my visitors without removing my social plug-ins?
A: Use Social Share Privacy. In this case, the plug-ins will not connect to the third-party servers of social plug-ins until the user clicks on them.
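The click-to-load pattern described in this answer, as an added sketch that is not Social Share Privacy's own code: the page renders an inert placeholder button, and the plug-in iframe (and with it the request that carries the Facebook cookies) is created only after the visitor clicks. The function names and the button label are hypothetical.

```javascript
// Added example of the two-click pattern; not the Social Share Privacy source.
// Nothing is requested from facebook.com until the visitor clicks.
function likeFrameUrl(pageUrl) {
  return "https://www.facebook.com/plugins/like.php?href=" + encodeURIComponent(pageUrl);
}

// `doc` is the page's document; `container` is the element that hosts the button.
function mountTwoClickLike(doc, container, pageUrl) {
  const button = doc.createElement("button");
  button.textContent = "Enable Like button (connects to facebook.com)";
  button.addEventListener("click", () => {
    // Only now is the third-party frame created and the request sent.
    const frame = doc.createElement("iframe");
    frame.src = likeFrameUrl(pageUrl);
    frame.title = "Facebook Like button";
    container.replaceChild(frame, button);
  }, { once: true });
  container.appendChild(button);
  return button;
}

// Browser usage (hypothetical element id):
// mountTwoClickLike(document, document.getElementById("share"), location.href);
```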
Q: I use WordPress/Joomla. Is there a plug-in I can use to enable privacy-friendly sharing on my website?
A: Check the following WordPress and Joomla plug-ins
An individual who doesn't (yet) have a cookie from Facebook visits the European Digital Advertising Alliance opt-out site in which Facebook participates. Facebook sets a long-term identifying cookie (datr) during the status check.
An individual who doesn't have a cookie from Facebook visits the US opt-out site in which Facebook participates. Unlike the European site (see above), Facebook does not set any long-term identifying cookie.
A user logs out from Facebook and visits a site that includes a social plug-in.
Facebook still receives cookies (fr, datr) that uniquely identify the user and her browser.
An individual visits mtv.com with a clean profile.
No visible presence of any Facebook plug-in.
Facebook sets a tracking cookie (datr).
Version Number | Release Date | Changes |
---|---|---|
Version 1.1 | 24 June 2015 | |
Version 1.0 | 27 March 2015 |
gunes.acar@esat.kuleuven.be |
PGP key |
facebook.icri-cir@law.kuleuven.be |