Surprise! Facebook doesn't like privacy countermeasures

German tech-news site Heise changed their "Like" buttons to be locally-hosted images that only transform into real Facebook "Like" buttons once you click them -- meaning that if you don't click anything, Facebook can't track you, and that actually "liking" the page requires two clicks. (Also presumably meaning that the page loads way faster.)

Facebook responds:

"The manner in which have incorporated the Heise.de Like Button violates our Platform Policies" Tina Kulow said of Facebook to heise online. Policies in these states:

8th You must not use or make derivative use of Facebook icons, or use terms for Facebook features and functionality, if such use could confuse users into thinking that the reference is to Facebook features or functionality.

Loosely translated, one must use one that is only for Facebook icon Facebook features. This is precisely the 2-click solution to the case. The only difference from conventional solutions is that these buttons before transferring any data to an explicit activation Facebook. How exactly violate this privacy-friendly 2-click solution to this paragraph shall is not yet clear. Facebook has also mentioned in our article on the occasion of the Web site of the radio station SWR3 asked to remove their similarly implemented, privacy-friendly 2-click solution.

If it hadn't occurred to you yet that Facebook cares far more about the "Like" buttons that you don't click than about the ones that you do -- there you go.

I had been considering doing this two-click thing solely to speed up my page loads. I find myself somewhat more motivated to do so now. (Though it still sounds like kind of a pain in the butt.)


50 Responses:

  1. John Adams says:

    Just about everyone wants the pre click data; problem is that in Germany this sort of pre click tracking on the part of Facebook is illegal.

  2. Andy says:

    To make it even better, it's arguably a violation of European data privacy law for a European website to include a non-privacy-protecting "Like" button on their website, since Facebook doesn't comply with data privacy requirements. (Basically: if a company keeps a database about a person, they must disclose the information to the person on request, delete the information if requested, correct the information if it is wrong, and maintain it securely against breaches, with real consequences if breached.) It's illegal for a company to export personally identifying information to avoid the requirements of the data privacy laws.

  3. bryan says:

    I've been using sharemenot for a few weeks without any problems

    http://sharemenot.cs.washington.edu/

  4. Nick Lamb says:

    Does the self-hosted option of http://sharenice.org/website/technical make it any less of a pain in the backside?

    All that Facebook can do if you violate their "policies" is shut off your Facebook access and cut into its own market share.

  5. Here’s a proper translation:

    “The manner in which Heise.de incorporated the Like button violates our Platform Policies”, Tina Kulow of Facebook explained to heise online. They state:

    You must not use or make derivative use of Facebook icons, or use terms for Facebook features and functionality, if such use could confuse users into thinking that the reference is to Facebook features or functionality.

    Loosely translated, this means you may only use Facebook icons for Facebook functionality. However this is in fact the case for the 2-click solution. The only difference from conventional solutions is that these buttons will not transmit any data to Facebook prior to explicit activation. It remains unclear exactly how this data privacy-conscious solution is supposed to violate the named clause. Furthermore, following the mention in our article, Facebook have also sent the website of SWR3 radio a request to remove their similarly implemented, privacy-friendly 2-click solution.

    And the first update:

    Meanwhile Andreas van de Castel of Facebook substantiated the complaint: “Section I.8 forbids the imitation of Facebook functionality. You have done just that by using the Like button.”, he explained his interpretation of the situation. De Castel is responsible for Social Plugins at Facebook. However, these 2-click buttons use Facebook functionality without any modification, and differ only in how they are incorporated.
    Should heise online not heed the request to stop this purported abuse, then the application would be blocked (which would be done based on its app ID) and “repeated, non-policy-conforming incorporation would result in a blacklisting of the domain on Facebook”. This would mean that heise.de contents could no longer be shared on Facebook, de Castel explained the further consequences.

    (Beautiful… a threat.)

    Update #2:

    Tina Kulow of Facebook Germany has spoken again. In a tweet, she wrote: “To clarify: a 2-click button is not ideal – but not a problem. Only a Like button that merely visually pretends to be one is not OK. That’s all.” Since heise online changed the design of the button for the first click that activates the Like function, there should now be no obstacles on Facebook’s part to further use of the 2-click button by heise online and other websites.

  6. Samuel says:

    What about a button that turns into a facebook button if you mouseover it for more than 0.1 second?

    • Breton Plumbroke says:

      or hoverintent.js!

      • That would actually be brilliant... only turn it into a real facebook button once the mouse slows down enough to suggest the user is going to hover over it.

        Until Facebook changes their policy, that is. :-)

    • Jeffrey Paul says:

      The concept of mouseOver does not exist on the many dozens of millions of computers in use for web browsing today that do not use mice.

      (i.e. Android, iOS, etc.)

  7. mjgoins says:

    You could take the facebook buttons off your site.

  8. [...] So how can Facebook then acquire more accurate data than these traditional companies? It’s pretty simple. You know that Like-button that is showing up all over the web these days? Turns out that Facebook is hosting all those images (and you cannot host this yourself as that is a Term of Service breach). [...]

  9. catfrog says:

    I'm going to have to agree with mjgoins, just take facebook off your site

    • jwz says:

      Don't be a fucking idiot. Do you think they're there because I like Facebook or I think they're pretty? They're there because I'm running a fucking business and this is how you promote in the Twenty First Century.

      • DFB says:

        I honestly don't understand how this works, because I have no Facebook account. With the Like/+1 buttons, if a lot of people click them or visit the pages that they are on, where and how does the resulting promotion occur? Is there any way to measure how much traffic they are driving?

        • Colin says:

          It shows up in the feed of their friends when someone "likes" something. "DNA Pizza? Huh? If Joe likes it, maybe it's good!" Basically free advertising for the people using the Like buttons while FB chews through everyone's online activity and uses it to make their own ads more attractive to advertisers.

  10. What if I use an on-mouse-over-like event to simulate this? I also feel a pain in this kind of situation, in that on every page load we pay the price to social networking sites in terms of speed.

  11. Bob O`Bob says:

    I suggest perhaps "the problem is" that there are still places where pre-click tracking is /not/ illegal.

  12. alectic says:

    I'm fairly sure that facebook like buttons load through an iframe -- so they load asynchronously and their presence shouldn't affect the speed of the site they are on...

    • jwz says:

      That's a fascinating, and wrong, theory.

      • alectic says:

        Can you be more specific? I'm looking at the like button on this very site, and I see that it's an iframe...

        As far as iframes blocking the page load -- in general (AFAIK) most browsers will block the window.onload event for a page until their contents are loaded *only if* the iframe is part of the original DOM of the page. However, if the iframe is generated by a script (as is the case with fb like buttons -- take a look at the js source in this page) and inserted into the DOM by the script, most browsers that I know of will not block the onload event...

        • jwz says:

          Yes, it is an iframe, and yes, it slows down the page load a lot. Read the comments on the "considering" link.

          • alectic says:

            Interesting thanks...

            I see some js for google on that calendars page, but I don't see the same js to dynamically inject the fb like button...am I missing something? Are they 2 different implementations of the fb like button?
            (I didn't dig in too deep, I have to head out but might play later)

            Assuming I am just missing the js to inject the iframe, I wonder why iframes slow things down so much? I ran (only 1, to be fair) profile (in chrome) on that calendars page and the bulk of the time was spent on garbage collection...

            • Breton Plumbroke says:

              you're looking at the wrong profiling panel. try "net"

              • alectic says:

                The network timeline is interesting as well -- according to that (after loading the page a few times to eyeball outliers), it looks like window.onload was blocked by all the /gallery/* pictures, not the iframes. The last of all the facebook and google resources appear to have loaded ~3 seconds before those /gallery/* pictures finished at around the 3-3.25 second mark

              • alectic says:

                (where the whole page typically took around 5.75 - 6secs)

            • localpcguy says:

              There actually are 2 versions of the Facebook Like button, one that uses an iFrame directly in the HTML code of the page and one that dynamically inserts an iFrame into the page through JS.

              In my experience, the JS version does tend to make the page "FEEL" slower, because the Like button pops up often after the page is displayed. If you are not careful while coding it this can also cause issues with your page layout.

              The iFrame version tends to reserve the space immediately and seems to be more responsive about showing immediately.

              I have heard that if you have too many iFrames on a page the entire page becomes less responsive, and I think this would be where the JS version becomes preferable. The ability to control WHEN the Facebook Like buttons are generated on the page is vital to how your page feels to the end user. I'd rather the Like buttons take an extra 3s to show up, rather than have it slow down the entire page. I move all my Facebook Like button generating code out of the BODY of the HTML and into a function that I call after the DOM is loaded and sometimes even after I've done some other functions first, depending on the site, and how critical on-load JS actions are to the site.

        • Shay says:

          Not a developer, but from what I know about iframe behavior, it's exactly the opposite of what you say.

  13. [...] Surprise! Facebook doesn’t like privacy countermeasures [...]

  14. Francis Avila says:

    I've long used a homebrew solution where the social networking buttons (facebook, google+, etc) only load after being in view for a certain amount of time. I determine this with an event handler for the window's scroll event. To help performance it only does a visibility check a few times a second, not every time the scroll event is fired, and it memoizes a list of dom nodes to check and their coordinate positions on initialization. After that it's just a matter of finding the document coordinates of the viewport and doing some math to see which dom nodes are visible. If it's visible, I copy a data-src attribute value to the src attribute value and remove the dom node from the check list. This loads the iframe. If this is not pretty enough you can replace an image with a constructed iframe.

    This approach has worked very well for us and users seem to not mind it. Obviously you need javascript (which you mostly need anyway for those buttons), but it works on mobile browsers and solves the big page-load slowdown from loading all those iframes at once. It doesn't help for privacy, though, since no explicit user action is necessary to load the button. That requires a 2-click solution of some kind.
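The 2-click approach from the post, built on the `data-src` swap described in the comment above, as an added example: this is not Heise's socialshareprivacy code or the commenter's. The allowlist contents, the `vetEmbedUrl` and `armTwoClick` names and the placeholder markup are assumptions.

```javascript
// Added example: click-gated ("2-click") loader for third-party widgets.
// Assumed markup, with site-hosted artwork of its own design:
//   <button data-src="https://www.facebook.com/plugins/like.php?href=...">
//     <img src="/img/share-off.png" alt="Enable Like button"></button>

// Assumption: hosts and exact paths this site agrees to embed.
const ALLOWED_EMBEDS = new Map([
  ['www.facebook.com', '/plugins/like.php'],
]);

// Return the normalised URL if it is https and on the allowlist, else null.
function vetEmbedUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  if (u.protocol !== 'https:' || u.port || u.username || u.password) return null;
  if (ALLOWED_EMBEDS.get(u.hostname) !== u.pathname) return null;
  return u.href;
}

// Arm one placeholder. Returns false (and does nothing) for a bad target.
function armTwoClick(placeholder, doc) {
  const src = vetEmbedUrl(placeholder.getAttribute('data-src'));
  if (!src) return false;
  function activate() {
    placeholder.removeEventListener('click', activate);
    const frame = doc.createElement('iframe');
    frame.setAttribute('src', src);
    frame.setAttribute('title', 'Social sharing widget');
    // The first request to the third party is made when the frame is
    // inserted here, i.e. only after an explicit click.
    placeholder.replaceWith(frame);
  }
  // 'click' also fires for taps and keyboard activation of a <button>,
  // so no hover or scroll heuristics are needed.
  placeholder.addEventListener('click', activate);
  return true;
}

// Browser entry point; skipped when the file is loaded outside a page.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    document.querySelectorAll('button[data-src]')
      .forEach((el) => armTwoClick(el, document));
  });
}
```

Serve the placeholder image from your own origin and give it artwork of its own: per the second update quoted in comment 5, Facebook's stated objection was to a first-click button that only visually pretends to be the real one.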

  15. [...] what has been said so far, if there is any) of a news item echoed by Jamie Zawinski in Surprise! Facebook doesn’t like privacy countermeasures. In short: a German site adds a ‘Like’ button, but without including the resources [...]

  16. [...] The spying “Like” buttons. By Nako, on September 3rd, 2011. Looking for an add-on for Opera (and Chrome, but Opera is more important) that blocks or at least stops the spying by the numerous Facebook Like, Google +1, Twitter, etc. buttons on pages. The ShareMeNot add-on for Firefox does an ideal job, but I don't use Firefox. More on the topic: http://www.jwz.org/blog/2011/09/surprise-facebook-doesnt-like-privacy-countermeasures/ [...]

  17. alkammy says:

    http://hackerne.ws/item?id=2957165 - instructions to disable all preclick tracking for facebook (client side obviously!)

  18. [...] Heise article on 2-click Like button Slashdot article JWZ’s rant [...]

  19. DFB says:

    Google+ doesn't seem to do this by default (+1s people click are accessible but do not show up by default.) So I would recommend, if page load time is improved more than a few dozen milliseconds, just using the Facebook "like" and save the Google "+1" for until they ever do anything with it. On the other hand maybe it influences search results. I'm at my caring threshold.

    • DFB says:

      The parent comment was supposed to be a reply to Colin's explanation of what Facebook "like"s do....

  20. [...] data prior to one clicking the like button. What data is collected and how is it used by facebook? http://www.jwz.org/blog/2011/09/... [...]

  21. phuzz says:

    I knew there was a good reason I have the entire facebook domain blocked through adblock.

  22. Andrew says:

    You are all retards. All of you.

    The text facebook sent is about using their corporate brand and images in your page under false pretences. The site clearly doesn't have the right to appropriate the Like button and change its behaviour (2 clicks) as they are damaging facebooks brand by having an inconsistent user interface. Facebook have to enforce this rule as this could be the thin end of the wedge.

    If they used their own image that you have to click to enable the facebook Like button, that would be fine.

  23. Legolas says:

    How about making something (a 'Like' text or a mashup of some like/digg/.. icons?) that only shows (and loads) the like-alike buttons of all those service when hovered over?

  24. [...] JWZ points out that Facebook blocks features that delay like-button loading. Part of Facebook’s long-term plan is to have enough identity data plus browsing data to operate an effective display network (though that business is competitive enough that they might just sell the data). [...]

  25. SvOlli says:

    The code is available: http://www.heise.de/extras/socialshareprivacy/ (MIT license)

    It seems like the page is only available in German language right now. If an automated translation does not help, contact me.

  26. osmosis says:

    http://getfaceoff.com/ someone made it into a chrome extension. Block the Like button from Chrome.