Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The "Like" button infrastructure (images, JavaScript) is loaded from Facebook's servers via a cross-domain request. Those servers can theoretically use cookies or IP addresses in conjunction with referrers to do tracking even without clicking Like, for both authenticated and unauthenticated users.

Some content is loaded off of their CDN, which I highly doubt is doing any tracking. The non-CDN pings are quite possibly not doing tracking, but it would be possible for Facebook to enable some tracking with most people never noticing.



"I highly doubt is doing any tracking."

On what evidence do you have this doubt?

facebook has a long history (the entirety of their existence) of being extremely greedy about personal data. Whenever outsiders have had the chance to see inside their thought process on collecting data, it has always been clear they'll collect anything and everything they can. What they're doing with it might not be nefarious; but they love personal data like no company ever before, and go to great lengths to own it.

I'd be surprised if they aren't tracking every request that passes through their servers and gathering usage patterns of everyone on the Internet, regardless of whether someone is logged into facebook or not, and regardless of whether the request originated on a facebook property. That's just the kind of thing facebook does, as far as I can tell. If they aren't doing it already, it's just a matter of time.


I'm speculating that the CDN servers are running stripped-down, static-file-only HTTP servers that don't integrate with a more complex user-identification and logging infrastructure to help with throughput.

I could be completely wrong.


I agree that they probably aren't doing complex user-identification...probably no cookies or JavaScript or anything like that happening on their CDN.

But, IP alone would be enough to follow the trail of most people (I know all the caveats about IP!=individual, but that data is still far from worthless), and collecting IP trails would be absolutely trivial and practically free from a performance perspective. The difference in a high performance webserver environment with logging vs. without logging is less than one percent...probably much less.

With a bit of clever data juggling, and logging of user agents and other information about the client, compare that to past visits from the same IP on properties where facebook has more data (from cookies and logged in activity), and identify users by name with pretty good accuracy.

In short: Performance is not a factor for logging, and facebook wouldn't need a large amount of additional cooperation from the client, like cookies or JavaScript bugs, to track users who aren't logged in. They just need to combine the already available log data in useful ways. A big part of the reason all these fancy distributed key/value stores and BigTable imitators exist (and why facebook has developed their own in-house) is for processing exactly this kind of data.

I'm extremely confident that facebook logs everything, though I have no idea what sorts of things they do with the resulting data.



Why wouldn't they be doing tracking? It seems like a big portion of the benefit to them in doing connect/like/etc. They do make their money selling ads, and they are seemingly hot to collect as much information as possible.


This is Facebook we're talking about, right? Of course they're tracking. If no other reason than for ad retargetting.


It seems like logging enough detail to matter on so many loads would cost more in time and money than the data is worth.

edit: And then I did the math. A 15 byte IP (pretending all IPs are made of four 3 digit numbers) plus a 400 byte URL across 1b accesses is less than half of a terabyte hard drive. Guess we're doomed.


A 15 byte IP (pretending all IPs are made of four 3 digit numbers)

An IP address is just a 32 digit binary number. 4 bytes, not 15. The dotted quad notation is just to help the humans typing them in.


I was thinking in terms of most logs I've seen where it's stored as text.


We delete the logs from social plugins (including the Like button) after 90 days:

https://www.facebook.com/help/?faq=17512

The purpose of social plugins is to enable you to share things to your Facebook profile easily - not tracking.

Bret Taylor CTO, Facebook


So what if they are tracking? It's a separate issue to whether or not Facebook is controlling data / privacy too much. The same tracking issues with the Like button exist with any technology that is included on a huge number of websites, including advertising networks and Google Analytics (which expressly exists purely to track users!)

It is not inherently evil to track users. What you do with that information decides the morality of the situation. It seems to me that rolling this non-issue into the arguments against Facebook is actually harmful to the FSFs cause - why would they bother telling us about something trivial if they had real concerns to air?†

† I am not saying that there aren't real concerns, or that the FSF isn't airing them - just that airing a non-issue looks bad




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: