Social sharing buttons — Facebook “Like” buttons and their ilk — are ubiquitous, but that doesn’t mean they’re a good idea.
Designers tend to hate them, calling them “Nascar” buttons since they can make your site look a little bit like a Nascar racing car — every available inch of car covered in advertising. Others think the buttons make you look desperate — please, please like/pin/tweet me — but there’s a much more serious problem with putting Facebook “Like” buttons or Pinterest “Pin It” buttons on your site: your visitors’ privacy.
When you load up your site with a host of sharing buttons you’re — unwittingly perhaps — enabling those companies to track your visitors, whether they use the buttons and their accompanying social networks or not.
There is, however, a slick solution available for those who’d like to offer visitors sharing buttons without allowing their site to be a vector for Facebook tracking. Security expert (and Wired contributor) Bruce Schneier recently switched his blog over to use Social Share Privacy, a jQuery plugin that allows you to add social buttons to your site, but keeps them disabled until visitors actively choose to share something.
With Social Share Privacy, buttons are disabled by default. A user needs to first click to enable them, then click to use them. So there is a second (very small) step compared to what the typical buttons offer. In exchange for the minor inconvenience of a second click, your users won’t be tracked without their knowledge and consent. There’s even an option in the preferences to permanently enable the buttons for repeat visitors so they only need to jump through the click-twice hoop once.
The original Social Share Privacy plugin was created by the German website Heise Online, though what Schneier installed is Mathias Panzenböck’s fork, available on GitHub. The fork adds support for quite a few more services and is extensible if there’s something else you’d like to add.
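The two-click pattern described above, as an added sketch in plain JavaScript. It is not Social Share Privacy's own code; the function names, the storage key and the widget URL are assumptions made for illustration.

```javascript
// Added illustration of the two-click pattern; not code from Social Share Privacy.
// WIDGET_SRC and STORAGE_KEY are hypothetical values.
const WIDGET_SRC = 'https://widgets.example.invalid/share.js';
const STORAGE_KEY = 'share-buttons-enabled';

// Injects the third-party script. This is the only call that makes the
// browser contact the social network, so it must not run before opt-in.
function loadWidget(doc, container) {
  const script = doc.createElement('script');
  script.src = WIDGET_SRC;
  script.async = true;
  container.appendChild(script);
  container.dataset.state = 'enabled';
}

// Renders an inert placeholder served from your own site. The first click
// swaps it for the real widget; the second click is on the widget itself.
// A stored preference skips the placeholder for repeat visitors.
function setupTwoClickButton(doc, container, storage) {
  if (storage.getItem(STORAGE_KEY) === 'yes') {
    loadWidget(doc, container);
    return;
  }
  const placeholder = doc.createElement('button');
  placeholder.textContent = 'Enable sharing';
  container.dataset.state = 'disabled';
  placeholder.addEventListener('click', () => {
    container.removeChild(placeholder);
    loadWidget(doc, container);
  }, { once: true });
  container.appendChild(placeholder);
}

// Called from a "always enable" preference control.
function rememberChoice(storage) {
  storage.setItem(STORAGE_KEY, 'yes');
}

// In a browser:
//   setupTwoClickButton(document, document.getElementById('share'), window.localStorage);
```

Until the placeholder is clicked, the page makes no request to the widget host, so no cookie or referrer reaches it.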
Twitter has jumped on the “Do Not Track” privacy bandwagon.
The company recently confirmed that it supports the Do Not Track header, a user privacy tool originally created by Mozilla that is in the process of becoming a web standard. That means if you visit Twitter in any web browser that supports the Do Not Track header, you can opt out of the cookies Twitter uses to gather personal information, as well as any cookies set by third-party advertisers.
And it’s not just advertisers tracking your movements; social networks like Facebook and Twitter also follow you around the web. You may not realize it, but Twitter has been tracking your every move for some time. The company doesn’t make a secret of it either. In a blog post announcing Twitter’s new “tailored suggestions system,” Twitter’s Othman Laraki writes, “we receive visit information when sites have integrated Twitter buttons or widgets.”
To be clear, not only is Twitter able to set cookies any time you visit its own domain, whenever you visit a website (like this one) with a “Tweet This” or similar button Twitter can see you there as well. This practice is hardly unique to Twitter; Facebook, Google+ and others are doing the same thing.
The problem with such tracking is that it’s necessary for features we want, like smart, targeted suggestions — new users to follow, music you’ll likely enjoy, books you might want to read and so on — but it can also be used for decidedly less friendly purposes. As the downsides of such tracking become better known, a growing number of people are opting out of the tracking. The Mozilla Privacy blog reports that “current adoption rates of Do Not Track are 8.6 percent for desktop users of Firefox and 19 percent for Firefox Mobile users.”
To take advantage of Twitter’s new Do Not Track feature you’ll need to be using a web browser that supports the header. Currently that means Firefox, Opera 12+, Internet Explorer 9+ or Safari 5.1+. Chrome has pledged to add support for Do Not Track, but doesn’t support it just yet. For more information on protecting your online privacy, including tools like Ghostery, which go even further, blocking all tracking cookies, see our earlier post, Secure Your Browser: Add-Ons to Stop Web Tracking.
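What honoring the header can look like on the receiving end of a button or widget request, as an added sketch that is not Twitter's or anyone else's actual code. The cookie name uid, the record shape and the caller-supplied newId generator are assumptions; the browser signals the opt-out by sending the request header DNT: 1.

```javascript
// Added illustration; the cookie name "uid" and the record shape are hypothetical.

// Parse a Cookie request header into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Node lower-cases incoming header names, so "DNT: 1" arrives as headers.dnt.
// Only the exact value "1" expresses the opt-out; "0" or no header does not.
function wantsNoTracking(headers) {
  return String(headers['dnt'] || '').trim() === '1';
}

// Decide what a widget endpoint stores and sets for one request.
// newId is a caller-supplied function returning a fresh random identifier.
function handleWidgetRequest(headers, newId) {
  const response = { 'Content-Type': 'application/javascript' };
  if (wantsNoTracking(headers)) {
    // Honor the opt-out: ignore any existing cookie, set none, and keep
    // no record of which page embedded the button.
    return { response, visitRecord: null };
  }
  let uid = parseCookies(headers['cookie']).uid;
  if (!uid) {
    uid = newId();
    response['Set-Cookie'] = `uid=${uid}; Path=/; Secure; HttpOnly; SameSite=None`;
  }
  // The Referer header names the page that embedded the button. Paired with
  // the cookie, it is the "visit information" the widget host receives.
  return { response, visitRecord: { uid, page: headers['referer'] || null } };
}
```

The header is only a request: nothing in the browser enforces it, so the effect depends entirely on the receiving server running a check like this.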
Yahoo has announced it will soon support the Do Not Track privacy header across its sprawling network of websites. Supporting Do Not Track means you will soon be able to easily tell Yahoo to stop tracking your movements around the web.
Much like the Do Not Call registry, the Do Not Track system offers a way to opt out of this third-party web tracking.
The Do Not Track header now works in every major desktop browser except Google Chrome, though none of them turn it on by default. Still, for privacy-concerned users savvy enough to enable Do Not Track, the header offers a quick and easy way to tell advertisers that you don’t want to be followed while you browse the web.
Numerous online advertising groups already respect the Do Not Track header and refrain from tracking users that enable it. Today’s announcement means that, starting this summer, you can add Yahoo to the list of companies that will stop tracking you if you’ve enabled Do Not Track in your web browser.
Of course, there are still many advertisers and websites that don’t yet support Do Not Track. If you’re concerned about your online privacy and don’t want to rely on the goodwill of advertisers, there are other, more aggressive steps you can take to limit how you’re tracked on the web. See our earlier post on browser add-ons that help stop web tracking for more details.
There are some not-completely-foolproof ways to hide from Google, but first let’s talk about what’s changed. Prior to today, Google had more than 70 privacy policies for its various products. But with the company trying to create a seamless experience across search, Gmail, Google+, Google Docs, Picasa, and much more, Google is consolidating the majority of its policies down into just one document covering most of its products. This will make it easier for Google to track users for the purpose of serving up personalized ads.
An example? Google search results can already bring up Google+ posts or photos that have been shared with the user. “But there’s so much more that Google can do to help you by sharing more of your information with … well, you,” Google said. “We can make search better—figuring out what you really mean when you type in Apple, Jaguar or Pink. We can provide more relevant ads too. For example, it’s January, but maybe you’re not a gym person, so fitness ads aren’t that useful to you. We can provide reminders that you’re going to be late for a meeting based on your location, your calendar and an understanding of what the traffic is like that day. Or ensure that our spelling suggestions, even for your friends’ names, are accurate because you’ve typed them before.”
Today, Google’s official blog reminded users of the change, saying it had been the subject of “a fair amount of chatter and confusion.”
The updated policy can be read online, and describes how Google collects device information, search queries, cellphone-related data, location information, and collects and stores information on users’ devices with the use of HTML5 technology, browser storage, application data caches, and cookies and other “anonymous identifiers.”
Google recently promised to follow Do Not Track guidelines in an agreement with the White House, but those changes won’t take effect until sometime later in the year. With Google’s expanded ability to serve up personalized ads, the company makes certain privacy promises. For example, “when showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health.”
So what else can you do? Most browsers today have private surfing modes that you can select. You can visit Google’s “Data Liberation Front” website for instructions in exporting data out of Google products. The Electronic Frontier Foundation also has instructions on removing your Google search history from your account. However, even this is not as simple as it sounds. Disabling Web History in your Google account “will not prevent Google from gathering and storing this information and using it for internal purposes,” the EFF notes.
Google does hand over user data in response to government requests on a regular basis, as noted in the company’s Transparency Report. The EFF notes that disabling Web History “does not change the fact that any information gathered and stored by Google could be sought by law enforcement.”
If your account has Web History enabled, Google will keep the records indefinitely. “With it disabled, they will be partially anonymized after 18 months, and certain kinds of uses, including sending you customized search results, will be prevented,” the EFF states.
For those who are really willing to put some work into staying anonymous, downloading a Tor client may be the right step. Tor encrypts your web traffic and sends it through a randomly selected series of computers, preventing shadowy third parties from learning what sites you visit or where you’re located. The Tor Project even played a role in helping Iranians get back online after a recent government crackdown on Internet usage.
This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.
Ever wonder who’s tracking your online movements — watching the sites you visit, the links you click and the items you buy? Unless you’ve already taken active steps to stop the tracking, the answer is just about everyone.
Privacy advocates have been working to help raise awareness of the extent to which we are all tracked online. Browser makers like Mozilla have also been working to make consumers aware of what’s happening behind the scenes on the web. Mozilla created and popularized the Do Not Track header, which has now been adopted by all the major browsers. Firefox’s parent company also recently showed off its Collusion add-on as part of the TED 2012 conference.
Collusion is a Firefox add-on that helps you see exactly who is tracking your movements online. It doesn’t stop sites from tracking you, but after Collusion shows you what happens when you browse the web without any tracking protection, you’ll probably want to find something that can stop sites from tracking you.
Not all web tracking is bad. Some services rely on user data to function. For example, if you use Facebook and want to use the company’s ubiquitous Like buttons, Facebook needs to set cookies and keep track of who you are. The problem Mozilla wants to address with Collusion is the fact that most tracking happens without users’ knowledge or consent.
The screenshot below shows the number of websites Collusion found tracking me after I visited the top five most tracker-filled websites according to Privacy Score, namely The Drudge Report, El Paso Times, ReadWriteWeb, TwitPic and Merriam Webster. As a result of visiting just those five sites, according to Collusion, a total of 21 sites were made aware of my visit.
Collusion visualizes who's tracking your web browsing.
That sounds bad, and it is, but it may not even be the full picture. For comparison’s sake I loaded the same five sites and used the Do Not Track Plus add-on, which counted 47 sites with tracking bugs. Want another number? I repeated the test using the Ghostery add-on, which blocked 37 unique sites looking to track me. The variation in the number of tracking elements detected is due to several factors, including what each system considers tracking. (Collusion, for example, does not seem to count analytics or social buttons, while the others do.)
Even at the low end the numbers remain startling. Visiting five websites means somewhere between 21 and 47 other websites learn about your visit to those five.
If the extent of tracking bothers you, there are some steps you can take to stop the tracking. The first would be to head to your browser preferences and turn off third-party cookies. Unfortunately, while that’s a step in the right direction (and you won’t lose any functionality the way you might with the rest of these solutions), some less scrupulous advertisers, including Google, have been caught circumventing this measure.
For a more complete solution you’ll need to use an add-on like Ghostery or Do Not Track Plus, both of which are available for most web browsers. The chief drawback to both of these solutions is that you may lose some functionality. To stick with the Facebook example used earlier, if Ghostery is blocking Facebook scripts then you won’t be able to use Like buttons. Fortunately both Ghostery and Do Not Track Plus allow you to customize which sites are blocked. I recommend blocking everything and then when you encounter something that isn’t working, click the Do Not Track Plus icon and edit the blocking options to allow, for example, Facebook so that Like buttons work (or Disqus so that comments work, etc.). That way you remain protected from the vast majority of invisible tracking, but can still enjoy the web services you choose to trust.
One final note about Webmonkey.com: There are 11 external scripts on this page. Four of them are for the social network buttons at the bottom of most posts. A fifth is for the Disqus comments system. There are also two analytics scripts, one from Google and one from Omniture. In addition to those seven functional scripts there are four ad network scripts from Brightcove, DoubleClick, Omniture and Lotame. (I can’t actually tell for sure what Lotame does, but it definitely collects data.) If you install the add-ons above Webmonkey will not be able to track you. If you don’t, it, like the rest of the web, will.
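A site owner can make the same kind of count for their own pages. The following is an added example, not from the article: it lists the third-party hosts a page's markup pulls in, using a constructed HTML sample with made-up host names.

```javascript
// Added illustration. SAMPLE_HTML and every host name in it are constructed.
const SAMPLE_HTML = `
<script src="/js/site.js"></script>
<script src="https://buttons.social.example/like.js"></script>
<script async src='//stats.analytics.example/a.js'></script>
<iframe src="https://comments.widgets.example/embed"></iframe>
<img src="https://stats.analytics.example/pixel.gif" width="1" height="1">
<script>var inline = true;</script>`;

// Returns an object mapping each third-party host to the number of
// script, iframe and img resources the page loads from it.
function thirdPartyHosts(html, pageUrl) {
  const page = new URL(pageUrl);
  const counts = {};
  // These elements trigger a request on page load, and that request carries
  // the visitor's cookies for the remote host plus a Referer for this page.
  const tagRe = /<(script|iframe|img)\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const raw = m[2] !== undefined ? m[2] : m[3];
    let host;
    try {
      host = new URL(raw, page).hostname; // resolves relative and //host URLs
    } catch (e) {
      continue; // unparseable src value: skip it
    }
    // Exact host-name comparison: a site's own CDN subdomain is counted as
    // third party here, so review the list rather than trusting it blindly.
    if (host && host !== page.hostname) counts[host] = (counts[host] || 0) + 1;
  }
  return counts;
}
```

This only sees resources written into the HTML; scripts that load further scripts at run time, which ad networks commonly do, will not appear in the count.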