Tag Archives: cookies

Tweet, Like and Google +1 buttons: lessons in privacy

There are two articles that are essential reading for anyone who has a news site or blog, and interesting to anyone who cares about the data they are sharing online.

It is something we have written about in the past: Like and Tweet buttons – what news sites need to know about dropped cookies.

The first is this excellent article by James Cridland, managing director of Media UK. In his post “It’s a matter of privacy” he explains why his site has stripped out code and moved away from the official Twitter and Facebook buttons.

Whenever you see a tweet button, that means that site owner has added a small piece of code from Twitter onto their page. Load the page, and, whether you like it or not, Twitter is aware that someone has just loaded that page. If you’re signed in to Twitter, Twitter know that you’ve visited it. You don’t have to hit the tweet button or do aything else.

The same goes for the Facebook like button. Any page which uses it loads code from Facebook: and if you’re logged in (or even if you’re not), Facebook knows that you’ve seen that page – regardless of whether you click on the like button.

And the same goes for the Google +1 button. While there’s no evidence that Google Analytics knows who you are even if you are signed into your Google Account, Google +1 certainly does. Once more, simply by loading a page with a Google +1 button on it, you signal back to Google that you’ve looked at that page.

Cridland also points out that the collection of data slows the page loading time too.

Privacy is also a theme also taken up by the Guardian in the article, which first appeared on developer Adrian Short’s blog headlined “Why Facebook’s new Open Graph makes us all part of the web underclass“.

Short argues that by relying on social media sites business, including news sites, are poor tenants ruled by the whims our rich landlords. He too discussed how all social media sites pose privacy questions to sites and illustrates why Facebook, which launched a new type of Open Graph apps last week, is worth studying.

Facebook’s abuse of its Like button to invade people’s privacy is much less publicised. We all think we know how it works. We’re on a website reading an interesting page and we click the Like button. A link to the page gets posted to our wall for our friends to see and Facebook keeps this data and data about who clicks on it to help it to sell advertising. So far, so predictable.

What most people don’t know is that the Like button tracks your browsing history. Every time you visit a web page that displays the Like button, Facebook logs that data in your account. It doesn’t put anything on your wall, but it knows where you’ve been. This happens even if you log out of Facebook. Like buttons are pretty much ubiquitous on mainstream websites, so every time you visit one you’re doing some frictionless sharing. Did you opt in to this? Only by registering your Facebook account in the first place. Can you turn it off? Only by deleting your account. (And you know how easy that is.)

The article goes on to explain that most users accept the dropping of cookies and the collection of data as a necessary part of browsing. However, Short highlights an important point:

What Facebook is doing is very different. When it records our activity away from the Facebook site it’s a third party to the deal. It doesn’t need this data to run its own services. Moreover, Facebook’s aggregation and centralisation of data across all our disparate fields of activity is a very different thing from our phone company having our phone data and our bank having our finances. Worst of all, the way Facebook collects and uses our data is both unpredictable and opaque. Its technology and policies move so quickly you’d need to be a technical and legal specialist and spend an inordinate amount of time researching Facebook’s activities on an ongoing basis to have any hope of understanding what they’re doing with your data.

Short recognises that business – including news sites – rely on social media for their success. And he doesn’t offer any solutions.

Perhaps the first step is to follow BBC News and Media UK in using unofficial Twitter and Facebook buttons.

Update: The Next Web has today (27 September) published a post stating that Facebook has confirmed is collects data from Like buttons.

The post states:

Facebook has confirmed that the way it collects information from its users may result in the transmission of user data from third-party websites, even when they are logged out, but has asked for users to trust the company and will fix a total of three cookie-related issues within the next 24 hours.

Malcolm Coles: Four sites already implementing cookie law

Malcolm Coles has posted four examples of UK websites already implementing the new EU cookie law that came into force on 26 May.

Websites were given a year to “get their house in order” by the Information Commissioner’s Office (ICO) and work towards getting web users to agree to accepting the dropping of cookies – small text files placed onto a users computer.

The ICO has warned companies, however, that they should not leave it until 25 May next year to start complying and has already written to some websites following complaints received since 26 May.

The independent body has received criticism for not telling websites exactly how to get users to agree to accepting cookies, but said sites do not necessarily have to opt for a tick box agreement and can instead find another way of getting users to take “positive action” in order to agree to cookies being dropped.

The four sites that Coles highlights as already implementing cookie law are: the ICO (they had to, didn’t they?), All Things D, the Radio Times and the Island Web Works website on the Isle of Man.

Here is the example from All Things D and Coles’ comment:

It reads: “Some of the advertisers and web analytics firms used on this site may place ‘tracking cookies’ on your computer. We are telling you about them right upfront, and we want you to know how to get rid of these tracking cookies if you like. Read more.

“This notice is intended to appear only the first time you visit the site on any computer.”

It only appears on your first visit to the site (I presume they use a cookie to do that!).

Malcolm Coles’ full post is at this link

Related content:

UK webisite publishers need to wake up to new cookie regulations

Websites get a year to comply with new EU cookie laws

‘Like’ and ‘tweet’ buttons – what news sites need to know about dropped cookies

What is not to like about the buttons that drive traffic to your site from Facebook and Twitter? Quite a lot if you consider a study commissioned by the Wall Street Journal published in May.

‘Like’ and ‘tweet’ widgets, which appear on one third of the world’s 1,000 most-visited websites, enable Facebook and Twitter to track and follow the sites a user visits by dropping cookies – small text files placed on a user’s computer.

New EU cookie law, which came into force in the UK on 26 May, requires websites to confirm they accept cookies before they can be dropped. So what is the legal position of websites that use ‘tweet’ and ‘like’ buttons, how should they act responsibly and can anything be done to stop this happening?

How Facebook and Twitter ‘follow’ your readers

The WSJ article explains how the ‘tweet’ and ‘like’ buttons on your site track readers:

For this to work, a person only needs to have logged into Facebook or Twitter once in the past month. The sites will continue to collect browsing data, even if the person closes their browser or turns off their computers, until that person explicitly logs out of their Facebook or Twitter accounts, the study found.

Kennish’s study examined more than 200,000 web pages on the top 1,000 sites. He found Facebook obtained browsing data from 331 sites, and Google obtained data from 250 sites, some of it from its Buzz widget. Twitter got browsing information from about 200 sites.

This all may sound a little ‘big brother’ to some Facebook and Twitter users but cookies are dropped by almost every website you visit and collect all sorts of data. One of the major uses of cookies by news sites is to gather audience data and display targeted advertising. They can also be dropped by any third-party with links on your site, such as Facebook and Twitter buttons.

So what can news sites do to prevent their readers being tracked by Facebook and Twitter?

Nothing, according to Julian Evans, an information security expert with his own blog on online security, who said all ‘tweet’ and ‘like’ buttons, even if they are made by third-parties, drop cookies.

The legal position of ‘tweet’, ‘like’ and cookies

However, websites are not liable for cookies dropped by third-parties, such as Facebook’s ‘like’, Twitter’s ‘tweet’ or other buttons and links on your site, according to the Information Commissioner’s Office, an independent public body which polices the new EU cookie law and can fine websites up to £500,000 for non-compliance.

Katherine Vander from the ICO told Journalism.co.uk that websites must, during the next few months, concentrate on getting their houses in order to make sure they comply with the new EU directive that came into force in the UK on 26 May which states users have to confirm they accept cookies before a website can drop them. Before that date internet users merely had to opt out of receiving cookies if they did not want their data collected.

What should sites do to act responsibly?

Although there is no legal requirement for news sites to get readers to opt in to agree to allowing Facebook and Twitter to drop cookies and track their reading habits, the ICO is encouraging news sites to act responsibly and inform readers what is going on.

“If you’re encouraging people to come to your site to use those facilities and you’re making a deliberate link there – which obviously [sites which have ‘tweet’ and ‘like’ buttons] are – you may well feel some sense of responsibility in terms of, at the very least, providing people with information about what might result in that happening,” Vander told Journalism.co.uk. She also asked news sites to keep up-to-date with Facebook and Twitter’s privacy policies.

She suggests sites which want to be really responsible should “put a note next to the link” to tell readers this button drops cookies.

That may not sound like an attractive solution to many as it may scare or confuse readers, many of whom think a cookie is just something to dunk in a cup of tea.

“Consumers don’t understand what cookies are. People don’t want to know what [a cookie] does, they just want to know it’s safe and their privacy is safe online,” security expert Julian Evans said.

He also pointed out that news sites should remember users willingly share their own information through login authentication sites like Facebook and Twitter.

What users can do to prevent cookies

  1. Log out of social networks when you are not using them. Use a separate browser to log on to Facebook and Twitter;
  2. Amend your browser’s privacy settings (preferences > privacy);
  3. Clear out your cookies;
  4. Clear out your ‘evercookies’, a persistent JavaScript API, which you can learn how to get rid of here;
  5. Use a service like Disconnect;
  6. Security expert Julian Evans, who runs ID-Theft Protect, recommends Firefox users install No Script, a script blocker that shows where your data is going.

ICO receives cookies complaints less than two weeks after new EU law introduced

The Information Commissioner’s Office has received complaints about websites dropping cookies less that a fortnight after new rules were introduced. The ICO will now write to the websites concerned to issue a warning.

An EU directive became law in the UK on 26 May and states that websites can only drop cookies – small text files left by websites on a user’s computer – if a person has given prior consent.

Before the new rules came into force users had to be given the option to opt out of receiving cookies and similar files which are used to gather data, but now users must opt in unless a website deems that it is “strictly necessary” to drop a cookie.

The ICO has the power to fine websites, including news sites, up to £500,000 for non-compliance. Speaking at the ABC Interaction conference yesterday Katherine Vander from the ICO said financial penalties would only by levied on “persistent offenders”.

New rules were introduced last month but websites were given a year to demonstrate how they plan comply with the new rules.

Internet users have already complained to the ICO, an independent public body based in Cheshire whose role it is to enforce the data protection act and the freedom of information act, which receives 30,000 complaints a year about data protection.

The UK is said to be leading the way in being early to adopt the EU cookie directive but there has been much backlash by the online industry against the new rules as cookies gather valuable audience data.

The ICO has received negative comments about how it has handled publicity around the new rules. “We’ve been criticised for not being more prescriptive. But we’re not best-placed to tell you,” Vander said.

“We fully recognise the challenges of implementing these requirements.

“You can be very clever how you get consent,” she told the conference, which included news organisations, suggesting the industry should seek to find ways to ask users to opt in to receive cookies. “It doesn’t have to involve ticking a box but it has to involve someone taking a positive action in some way,” she said.

Zuzanna Gierlinska from Microsoft Media Network, which handles display advertising, proposed the industry encourages transparency in the collection of consumers’ data.

“We operate in a Wild West environment when it comes to data. It’s bought and sold and it’s mostly misunderstood by the user.

“Lack of transparency breeds mistrust and threatens the online industry.”

Zuzanna Gierlinska suggests self-regulation of the advertising industry though companies adopting the so-called Online Behavioural Advertising Framework, adding an icon to sit beside advertising to tell the consumer if data is being collected.

Referring to the fact that the government is working with browser manufacturers to develop in-browser solutions, Ashley Friedlein, CEO and founder of Econsultancy, who also spoke at the event, said: “Personally, I’ve always felt doing this at a browser level is the only sensible solution.”

He added: “I can’t see what is currently being asked is practical so I think everyone is going to ignore it until something bad happens.”

Ministers confirm UK adoption of cookie rules

In a release today the Department for Culture, Media and Sport announced ministers have confirmed the UK will adopt an amended framework on electronic communications “exactly as set out by the EU”, which will include the need for website owners to get the user’s permission before a cookie – a text file used to store information such as user preferences – can be used.

Today’s announcement follows a consultation where concerns were raised about the impact of changes to the use of cookies.

To address these concerns, the Government has said it will work with browser manufacturers to see if browser setting can be enhanced to meet the requirements of the revised directive.

The updated directives must be implemented by 25 May, the release added, and the Information Commissioner’s Office will publish further guidance on the use of cookies.

Last month Information Commissioner Christopher Graham said the new law will be a challenge but “will have positive benefits” by offering more choice and control over what information businesses and other organisations can store on and access from consumers’ own computers.

But he added that the limited time remaining until the directive becomes European law was causing concern.

EU taking the biscuit? UK responds to new cookie legislation

Since the warning from the Information Commissioner this week that websites in the UK need to ‘wake up’ to new EU legislation on accessing information on user’s computers, many questions have been raised, but when they will be answered remains unclear.

Under the new legislation, which will come into force in May this year in an amendment to the EU’s Privacy and Electronic Communications Directive, websites will be required to obtain consent from visitors in order to store on and retrieve usage information from their computers such as cookies, which enable sites to remember users’ preferences.

The Internet Advertising Bureau responded to Christopher Graham’s announcement with its concerns, saying the new rules are “potentially detrimental to consumers, business and the UK digital economy”. The big question is how the EU directive will be interpreted into UK law – the implementation of which is down to the Department of Culture, Media and Sport.

According to Outlaw.com, the news site for law firm Pinsent Masons, the DCMS is working on a browser-based solution “to find a way to enhance browser settings so that they can obtain the necessary consent to meet the Directive’s standards”. But Rosemary Jay, a partner at Pinsent Masons and head of information law practice, told Journalism.co.uk this would only work for new downloads of browsers.

One of the things about browser settings, being talked about by the government, is even if you amend browsers it will only do it for new browsers and lots of people that are running browsers that are 10 years old, browsers that are really small. If you do it by re-designing browsers so they can very easily and quickly offer you cookie choices it’s only going to apply when people buy or download a new browser. There are a lot of questions around that. Equally if you say you’ve got to have a pop-up on the front page, or an icon, there are so many cookies that people get all the time for all kinds of peripheral things. Just in a behavioural advertising scenario you could get four cookies dropped during the course of someone delivering just a little bit of video.

Meanwhile TechCrunch’s Mike Butcher raises his concerns about the impact of the rules on EU start-ups.

So, imagine a world where, after 25 May when the law kicks in, your startup has to explicitly make pop-up windows and dialogue boxes appear asking for a user’s permission to gather their data. If enforced his law will kill off the European startup industry stone dead, handing the entire sector to other markets and companies, and largely those in the US.

But while debate rages on about how this law will be implemented in the UK and ultimately therefore the likely implications for users and websites, the BBC’s Rory Cellan Jones calls for some calm while the details are ironed out.

It may, however, be time for everyone to calm down about cookies. EU governments still have not worked out just how the directive will be implemented in domestic law, and what form “consent” to cookies will have to take. In the UK, the internet advertising industry appears confident that reminding people that their browser settings allow them to block cookies will be enough, while the Information Commissioner’s Office seems to think that they will need to do more.

My suspicion is that consumers will actually notice very little after 25 May, and the definition of consent will be pretty vague. But at least the publicity now being given to this “cookie madness” may alert a few more people to the ways in which their web behaviour is tracked. Then we will find out just how many people really care about their online privacy.