Today in Panopticlick news...

How YouPorn Checks What Other Porn Sites You've Visited

When a visitor surfs into the YouPorn homepage, a script running on the website checks to see what other porn sites that person has been to.

It's based on your browser changing the color of links you've already clicked on. A script on the site exploits a Web privacy leak to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color "purple," meaning you've clicked them before.

A group of researchers from UCSD trolled through the Web's most popular sites to see which ones were collecting this information about visitors. They found it on 46 other news, finance, sports, and games sites, reporting their findings in a paper with the intimidating title, "An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications."

Facebook's 'Like This' button is tracking you:

This article is shrill and takes a while getting to the point, but the gist is that: A) every site that includes a 'Like' button on it shares a Facebook-issued cookie, so FB is able to associate together your visits to all of those sites, even if you aren't logged in and don't click the button; and B) if you ever do log in to FB, they issue you a new cookie and (the article asserts without evidence) retroactively associate the old pseudonymous cookie with the new one, linking all that old history data with your now-logged-in account.
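To see what points A and B make possible from the traffic alone, here is an added audit sketch (not code from the article, Facebook, or this blog) that takes a record of a browser's requests and reports which page visits an embedded third party could tie to one cookie ID, and which history a cookie swap would let it carry over. The hosts, cookie IDs and record fields are constructed for illustration, and the two-label domain rule is a simplifying assumption.

```javascript
// Constructed sample: one record per HTTP request a browser made.
// page = site in the address bar, host = server contacted,
// cookie = ID cookie sent, setCookie = ID cookie the response set.
const traffic = [
  { page: "news.example",   host: "widgets.social.example", cookie: "anon-17", setCookie: null },
  { page: "clinic.example", host: "widgets.social.example", cookie: "anon-17", setCookie: null },
  { page: "club.example",   host: "cdn.club.example",       cookie: null,      setCookie: null },
  { page: "social.example", host: "www.social.example",     cookie: "anon-17", setCookie: "user-42" },
  { page: "shop.example",   host: "widgets.social.example", cookie: "user-42", setCookie: null },
];

// Naive registrable domain (last two labels). Real audits should use the Public Suffix List.
const site = (host) => host.split(".").slice(-2).join(".");

// Point A: for each third-party site, which first-party pages arrived under each cookie ID.
function linkableVisits(records) {
  const seen = new Map(); // "trackerSite|cookie" -> Set of pages
  for (const r of records) {
    if (!r.cookie || site(r.host) === site(r.page)) continue; // first-party or no cookie
    const key = `${site(r.host)}|${r.cookie}`;
    if (!seen.has(key)) seen.set(key, new Set());
    seen.get(key).add(r.page);
  }
  return seen;
}

// Point B: a response that replaces one ID with another shows the server both IDs at once.
function relinkEvents(records) {
  return records
    .filter((r) => r.cookie && r.setCookie && r.cookie !== r.setCookie)
    .map((r) => ({ site: site(r.host), oldId: r.cookie, newId: r.setCookie }));
}

// Pages the third party could attribute to each new ID, including history from the old ID.
function attributableHistory(records) {
  const visits = linkableVisits(records);
  const out = {};
  for (const { site: s, oldId, newId } of relinkEvents(records)) {
    const pages = new Set([...(visits.get(`${s}|${oldId}`) || []), ...(visits.get(`${s}|${newId}`) || [])]);
    out[newId] = [...pages].sort();
  }
  return out;
}

console.log(attributableHistory(traffic));
```

The output shows what the traffic would permit, not what any provider actually does with it; blocking third-party cookies removes the `cookie` value from the widget requests and empties both results.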

Previously, previously.


8 Responses:

  1. LunaticSX says:

    I thought it was common knowledge that Facebook tracked all Facebook member web activity across non-Facebook sites via the "Like" buttons that those other sites add to their pages. After Facebook's Beacon was launched (and failed) it seemed pretty obvious that this was another attempt at similar data mining/aggregation. Only this one goes way beyond purchases to all kinds of web activity, and it's much more low-key (instead of automatically collecting and broadcasting users' purchase data on their Facebook walls, the "Like" button scheme only does the broadcast when the user actually clicks the button, but data on page visits is STILL being collected regardless).

    This is why I was surprised to see you implement all those Facebook "Like" buttons on the DNA Lounge website.

    The insidiousness of it is that most 3rd party websites think that all that's happening is that they're getting some free promotion on Facebook whenever anyone clicks a Facebook "Like" button on their site.

    A few months ago, in order to sandbox Facebook on my computer I used on Mac OS X ( to create a site-specific browser for Facebook. Now when I'm on my computer I only log in to Facebook through that browser. For good measure I also always log out whenever I'm done using Facebook. While I'm mobile I'll still (and only) use Facebook's iPhone app, since iOS has pretty good app sandboxing built-in.

    • LunaticSX says:

      Amendment: "Common knowledge" being to people who pay appropriate attention to privacy regarding Facebook (I expect most people reading here).

    • jwz says:

      I didn't add those Like buttons because I have some great desire to help Facebook out with their spamming, but because I'm *trying to run a business*. Being the only business not using Facebook is not beneficial to me or, really, anyone else. The paranoid already know what to do. The other 99.999% don't care.

      • LunaticSX says:

        My surprise comes from how I'd expected you'd know about how Facebook uses the "Like" buttons to track user activity on other sites, or you did know and implemented them anyway, considering that you're well known to take a stand on many other issues where there may be conflict between an incremental benefit to business and privacy or other social issues.

        • jwz says:

          It hadn't occurred to me that they could track the logged-out and then re-associate them with the logged-in. But, mostly, I just don't care.

          • Nick Lamb says:

            Facebook has said officially that they don't do this. But of course we have no way of knowing (given their size and sprawl, management might honestly believe that while engineers are in fact doing it).

            This is going to happen anyway. A society without privacy is perfectly workable, it's just that it happened faster than we could adjust to it. Celebrity magazines ("Look, Jennifer and David buy groceries, in a shop! Like us!") are as much a symptom as Facebook Like. We'll get used to pretending we don't know and don't see things, like any parent of a normal teenager.

            That said during the adjustment period the NHS might have wanted to think harder before adding Like buttons to embarrassing or even career-threatening disease information pages. Who the hell "Likes" STDs anyway?

          • Nick Lamb says:

            By the way, this OpenID plugin does not suck, unlike the last one (or maybe it's the same one but configured better?)

  2. David Baron fixed the CSS privacy leak, the fix is in the Firefox 4 betas.

    Sucks about the Facebook button, but everyone is voluntarily giving Facebook all their information anyway, it's not like they have to be exceptionally evil to get more than enough data to make money off of.