What is Facebook tracking for God's sake?

Keep in mind, every page you pull up in today's WWW is generated from a multitude of sources, not just the base site you see in the URL. Try loading up Firefox with the NoScript plugin for a taste of getting a handle on that.

Also, I seem to recall a recent article about FB which explains that they also keep all the text you might have posted or shared, but cancelled. So if you were about to send a scathing reply to your ignorant brother-in-law but closed it out after considering your sister's feelings, that info is still in FB somewhere.
 
Web sites can't look at the cookies stored on your machine like that.

But facebook can.

https://www.facebook.com/help/441197859229066?sr=1&sid=0tWy6ZWDLTvL4nTcQ

When might Facebook read the cookies on my computer or device?

"Sometimes we will work with websites, apps, and their partners so that we can place or read Facebook cookies on your browsers or devices. This allows us to do things like read and reference cookies from more than one device or browser that you use so we can provide you Facebook services across all of your devices and improve and understand the products, ads, and services we offer to you and others. Your browser or device may allow you to block these technologies, but you may not be able to use some features on Facebook if you block them."
 
I think phunk meant that third-party websites aren't able to read facebook cookies, which is true. But because the like "button" is content loaded from the facebook servers, it can read the facebook cookies and track you across the third-party websites.
 
Everything that remotely has a Facebook button. Facebook is a huge, huge, huge data mining operation, really.


It's funny how a few years ago there was this whole hysteria about spyware. They're mostly gone now (replaced by other forms of malware), but the spying still continues, just through more legal and more subversive ways.
 
I think phunk meant that third-party websites aren't able to read facebook cookies, which is true. But because the like "button" is content loaded from the facebook servers, it can read the facebook cookies and track you across the third-party websites.

If I understand correctly, websites and apps who work with or partner with FB can read these cookies.

I may however be wrong, but this is how I interpret what FB states in their help files.
 
If I understand correctly, websites and apps who work with or partner with FB can read these cookies.

I may however be wrong, but this is how I interpret what FB states in their help files.


No, the cookie delivery mechanism is extremely simple. It just looks at the URL you load and delivers the cookies that originally came with this URL. The "working together with other websites" means that the other websites embed the "button" code into their own site. And the "button" code comes from the facebook server, so your browser delivers the cookies that originally came from the facebook server. It's like a website in a website. The "partner websites" themselves can't read the facebook cookie.
 
Cookies are not the only mechanism being used.

https://www.facebook.com/help/360595310676682/

We or others (like your friends in their posts or the Pages or Apps you visit or use) may integrate third party features like maps or videos to provide you with better services. The providers of those integrations may collect information when you view or use them, including information about you and your device or browser. They may do this using cookies, pixels, or other similar technologies.
 
But facebook can.

https://www.facebook.com/help/441197859229066?sr=1&sid=0tWy6ZWDLTvL4nTcQ

When might Facebook read the cookies on my computer or device?

"Sometimes we will work with websites, apps, and their partners so that we can place or read Facebook cookies on your browsers or devices. This allows us to do things like read and reference cookies from more than one device or browser that you use so we can provide you Facebook services across all of your devices and improve and understand the products, ads, and services we offer to you and others. Your browser or device may allow you to block these technologies, but you may not be able to use some features on Facebook if you block them."

It's poorly worded, they can't read the cookies from your browser. There is literally no part of the http protocol that allows a server to request a cookie, especially from another domain.

The way cookies work is that you request a web page (or image or anything else) from a webserver, and it sends back the reply with a little bit of data called a cookie, that your browser is expected to save and send along with any future requests to that site. It relies on your browser sending the cookie on its own, there's no way for the site to request info from your cookies. Most often they are used to store a session id so the site knows all requests with that id are from the same person.

Tracking generally works by having you load some embedded resource (like a banner ad image) from an external site, which sends its own cookie back with the response. Then when you visit some other site with ads from the same advertiser, your request for another banner ad includes the cookie and they can say "ah, this is the same guy who was looking at X earlier, let's send him a banner related to X." But the advertiser never sees facebook's cookies, and vice versa.

Keep in mind I'm just talking about the cookies, there is a lot more to tracking than just that. For example facebook could use a unique url for each ad, so that the hit on the external server can be traced back to you without any cookies at all (and then it can give you a new cookie that is tied to your identity). Or they can look at the referer to see what page you were coming from when you loaded the banner ad, which could include things like your facebook id. Etc.
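
The mechanism described in the posts above, as an added sketch that is not part of the original thread: a toy browser attaches to each request only the cookie stored for the host it is contacting, so an embedded widget host can link visits across sites while the embedding sites never see its cookie. All host names and the blocking option are constructed for illustration, and comparing hosts by string equality is a simplification of how real browsers decide what counts as third-party.

```javascript
// Toy model of cookie scoping. Hosts (*.example) are constructed for this sketch.
class ToyBrowser {
  constructor({ blockThirdPartyCookies = false } = {}) {
    this.jar = new Map();                 // host -> cookie value
    this.block = blockThirdPartyCookies;  // the mitigation being compared
  }
  // Issue one request; topHost is the site shown in the address bar.
  request(server, topHost, referer) {
    const thirdParty = server.host !== topHost; // simplification: exact host match
    const allow = !(thirdParty && this.block);
    // Only the cookie stored for the contacted host is ever attached.
    const cookie = allow ? this.jar.get(server.host) : undefined;
    const res = server.handle({ cookie, referer });
    if (allow && res.setCookie) this.jar.set(server.host, res.setCookie);
    return res;
  }
  // Load a page, then every resource it embeds from other hosts.
  visit(site, servers) {
    const page = this.request(site, site.host, undefined);
    for (const host of page.embeds)
      this.request(servers[host], site.host, `https://${site.host}/`);
  }
}

// A publisher page: sets its own session cookie and embeds the widget.
function publisher(host) {
  return { host, seen: [], handle(req) {
    this.seen.push(req.cookie);           // every cookie this site ever received
    return { setCookie: `sess-${host}`, embeds: ["widgets.example"] };
  } };
}

// The widget host: logs (cookie id, referring page) for every hit.
function widgetHost() {
  let next = 1;
  return { host: "widgets.example", log: [], handle(req) {
    const id = req.cookie || `uid-${next++}`; // mint an id when none arrives
    this.log.push({ id, page: req.referer });
    return { setCookie: id, embeds: [] };
  } };
}

// Visit news, shop, news again; return what each party observed.
function simulate(blockThirdPartyCookies) {
  const news = publisher("news.example"), shop = publisher("shop.example");
  const widget = widgetHost();
  const browser = new ToyBrowser({ blockThirdPartyCookies });
  for (const site of [news, shop, news])
    browser.visit(site, { "widgets.example": widget });
  return { widgetLog: widget.log, newsSaw: news.seen, shopSaw: shop.seen };
}
```

With `simulate(false)` the widget log carries one id across both sites; with `simulate(true)` each hit gets a fresh id, but the referring page is still logged, which is the point made above that cookies are not the only signal.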
 
I am not versed in this arcane world of http and the ways of the internet, so I can only go by what I have read in FB help files.

When I signed up to FB and google + etc I knew I would relinquish any notion of privacy. I knew that the only way to maintain online privacy was not to be online.

Hence, whatever I put online I am fully prepared for others to know and to solicit my business.
 
Also, I seem to recall a recent article about FB which explains that they also keep all the text you might have posted or shared, but cancelled. So if you were about to send a scathing reply to your ignorant brother-in-law but closed it out after considering your sister's feelings, that info is still in FB somewhere.

I read an article on that study today. The claim was that they could tell that you had typed something (and I think the number of keystrokes), but not what was typed.
 
I read an article on that study today. The claim was that they could tell that you had typed something (and I think the number of keystrokes), but not what was typed.


That's nonsense. If such a thing is seriously built there is no more difficulty in knowing what you typed than in knowing how much you typed. Would be just an "ABC" signal instead of a "+1" signal.
 
That's nonsense. If such a thing is seriously built there is no more difficulty in knowing what you typed than in knowing how much you typed. Would be just an "ABC" signal instead of a "+1" signal.

Maybe you're right, here's what I read
Data scientists can determine that a status or comment has been typed by tracking code in the HTML form element of each page.

This form element is made up of HTML code that controls the boxes Facebook users type in to, including the status update box.

Each time characters are entered into one of these boxes, scientists can track the changes in the HTML code. The researchers were also able to track typing in the comment box on statuses, photos and other posts.

To be clear, Facebook can’t track the exact keys pressed, and it doesn’t monitor keystrokes. This means the code doesn’t reveal what is being typed.

However, Facebook can track when characters and words are typed, how many are typed, and if the typed characters are deleted or abandoned.

Here's the study (in which I don't see the quoted claim at first glance):
https://autoblog.postblue.info/auto...edia/801702b3.self-censorship_on_facebook.pdf
 
Web sites can't look at the cookies stored on your machine like that. The browser will automatically send cookies associated with the site you're connecting to, but there's no way for the site to request any data about cookies from other sites.

Except... if javascript is enabled, you are connecting to those other sites.

This forum, for example, connects to:
Google analytics and Yahoo apis. Those domains are sent their native cookies automatically.

Some sites (particularly news media sites) connect you to 50 or more third party sites - all behind the scenes.

I don't give permission for that, my browser does it automatically through Java.
 
Ad serving is one thing, but you guys haven't mentioned one of the most disturbing trends - changing prices based on browsing data. For instance, if you are shopping at my online store and the tracking tells me you are affluent or very likely to purchase, guess what? My shopping cart software presents you with a higher price than it would for other categories of shopper. Even something as simple as a zip code for your IP could trigger this mechanism.

Powerful technique.
 
That's nonsense. If such a thing is seriously built there is no more difficulty in knowing what you typed than in knowing how much you typed. Would be just an "ABC" signal instead of a "+1" signal.
Assuming they want to know what you typed and threw away and they really aren't interested. Knowing that you typed something could just be a side effect of the "changes pending/are you sure you want to abandon changes" logic.
 
Maybe you're right, here's what I read


Here's the study (in which I don't see the quoted claim at first glance):
https://autoblog.postblue.info/auto...edia/801702b3.self-censorship_on_facebook.pdf


Just taking a brief look and searching for "keystrokes", it seems that those limitations were due to whatever they were investigating, not due to any limitations facebook might have. It should be understandable regardless of the mechanism that if you can detect a keystroke, you can also detect the key that was sss..tricken?
 
Except... if javascript is enabled, you are connecting to those other sites.

This forum, for example, connects to:
Google analytics and Yahoo apis. Those domains are sent their native cookies automatically.

Some sites (particularly news media sites) connect you to 50 or more third party sites - all behind the scenes.

I don't give permission for that, my browser does it automatically through Java.

Right, the browser sends cookies to sites it connects to. But it only sends each of those 50 individual sites the cookies specific to each one. None of them have any way to read the other ones' cookies (of course, they can share info with each other behind the scenes, but that is not them reading all of your cookies).
 
Question for Phunk. You mentioned that http had no mechanism for a server to request cookie data. Isn't http just a protocol and html the code? I.e., the protocol is the transport mechanism and html the code that executes operations. So http would have no need to request data and would only need to facilitate the transfer of the requested data?
 
Right, the browser sends cookies to sites it connects to. But it only sends each of those 50 individual sites the cookies specific to each one. None of them have any way to read the other ones' cookies (of course, they can share info with each other behind the scenes, but that is not them reading all of your cookies).

Practically, sharing doesn't matter. Randi.org uses google analytics and I connect through this site to that. Google analytics has enough penetration (along with other Google products) that they can see where I've been as each site, in turn connects to them. And sites want to do this because they also want the information Google has to offer.

Same with Facebook. Anytime you see that little logo (and perhaps when you don't) your browser is connecting with facebook and the cookies are updated, along with whatever data they are keeping on you. Doesn't matter if you click the like or not, sites that use Facebook software send info anyhow. And, just like with Google analytics, sites have an incentive to do it.

I'm not trying to imply anything nefarious is going on. It only seems so to those who don't know about it or don't understand the reasons for it.

I run software to look at what's going on (all free, anyone can do this) and currently, after a day online, I have 543 cookies in firefox. Typically, when I get around to clearing everything out, it's closer to a thousand.
 
Question for Phunk. You mentioned that http had no mechanism for a server to request cookie data. Isn't http just a protocol and html the code? I.e., the protocol is the transport mechanism and html the code that executes operations. So http would have no need to request data and would only need to facilitate the transfer of the requested data?


There is no need to request a cookie as there is the simple automatism that your browser sends cookies it has for the domain it requests. That automatism is part of the http protocol.
 
