Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Squid T-Shirt |
| Blue Coat Products Enable Web Censorship in Syria »
October 24, 2011
Facebook Patent to Track Users Even When They are Not Logged In to Facebook
Patent application number 2011/023240:
Communicating Information in a Social Network System about Activities from Another Domain
Abstract: In one embodiment, a method is described for tracking information about the activities of users of a social networking system while on another domain. The method includes maintaining a profile for each of one or more users of the social networking system, each profile identifying a connection to one or more other users of the social networking system and including information about the user. The method additionally includes receiving one or more communications from a third-party website having a different domain than the social network system, each message communicating an action taken by a user of the social networking system on the thirdparty website. The method additionally includes logging the actions taken on the third-party website in the social networking system, each logged action including information about the action. The method further includes correlating the logged actions with one or more advertisements presented to the one or more users on the third-party website as well as correlating the logged actions with a user of the social networking system.
Facebook denies that this is a patent for that. Although Facebook does seem to track users even when they are not logged in, as well as people who aren't even Facebook users.
EDITED TO ADD (10/24): Facebook claims that, while they do collect information on non-users, they don't use it for profiling. This feels like hair-splitting to me; I get emails from Facebook with lists of friends who are already on the site.
EDITED TO ADD (10/24): It's a patent application, not a patent.
Posted on October 24, 2011 at 6:42 AM
• 49 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
As an FYI: This is actually a published patent application, not a patent. Also, it would normally be written 2011/0231240, rather than 2,011,023,240.
You are most likely getting invite emails from Facebook since your friends imported whole lists of emails which included your.
 When a user takes an action on the social network system 100 or third-party website, the action is recorded in an action log 160. In one embodiment, the website 100 maintains the action log 160 as a database of entries. When an action is taken on the website 100 or third-party website, therefore, the website 100 adds an entry for that action to the log 160. In one embodiment, an entry comprises some or all of the following information:
 Time: a timestamp of when the action occurred.
 User: an identifier (user ID) for the user who performed the action.
 Target: an identifier for the user to whom the action was directed.
 Action Type: an identifier for the type of action performed.
 Object: an identifier for an object acted on by the action.
 Content: content associated with the action.
 Tag name
 Conversion type identifier
 Another example illustrating real-world actions that may be tracked involves what program material the user is accessing on a television system. A television and/or set-top receiver may act as an action terminal 150 and transmit a message indicating that a user is viewing (or recording) a particular program on a particular channel at a particular time. Again, these examples are presented to illustrate some of the types of devices and actions that may be captured as actions by a user and communicated to the social network system 100. A limitless variety of other applications may be implemented to capture real-world actions associated with a particular user and send that information to the social network system 100.
 After an amount of time, the action log 160 will become populated with a number of entries that describe actions taken by the users of the social network system 100. In particular embodiments, action log 106 includes both tracked actions taken by users at third-party websites as well as conversion tracking associated with advertisements seen or clicked-on by users. The action log 160 thus contains a very rich set of data about the actions of the users, and can be analyzed and filtered to identify trends and relationships in the actions of the users, as well as affinities between the users and various objects. In particular embodiments, the actions (e.g., purchases) made by a user at a third-party website...
Seriously, this needed to be exposed further.
Since a lot of people doesn't understand the privacy's borderline well due to this matter we expect to get to the bottom of it, and looking forward to hear Facebook response on it.
I am not sure how many people are familiar with the difference between a Patent Application and an Issued Patent.
(My understanding is that this difference involves, in order of importance: (1)hundreds of hours of billed time from a Patent Attorney, (2)three or four years of process at the US Patent/Trademark Office, and (3)the ability to convince the USPTO that the invention or process is both unique and non-obvious.)
However, I am not very familiar with how the Patent process is done with networked software.
This application should be required reading for every idiot who wants to join any 'social network'.
Maybe they would realize they're being Zuckered. Maybe they would finally understand the difference between customer and product.
...in continuation of my last post.
I am not very familiar with how the Patent process is done with networked software.
My familiarity with Patents is mostly limited to classes on Intellectual Property and the Patent Process at a previous job. That employing corporation made heavy use of Intellectual Property in negotiations with other companies.
There were lots of commonly-used processes in the business, and more than one new invention that had been developed in parallel by multiple competing companies. In that situation, the first company to make a claim at the Patent Office got legal advantage over the other companies, even if the Patent was denied or limited three years later by the USPTO.
But this was an industry that was mostly manufacturing.
I have a hard time thinking of ways in which FB can use this Patent as leverage against other companies who want to do similar things.
It seems like the most disruptive way of defeating the purpose of this tracking, even for non Facebook users, is deliberate misinformation. Perhaps I should maintain several different Facebook profiles, all with contradictory information (and random photos), and alternate which one I am logged into. It might be more damaging than just using NoScript.
This is the one that got me to install "RequestPolicy" in firefox...
It gets scary real quick when you see which sites talk to which.
It also makes browsing very much faster, since your browser will stop talking to all the ads sites.
And of course, it blocks facebook from looking at your shit, since the fb cookies can't get back to the fb domain without a cross-site reference... so if you block all fb access from outside facebook, then they don't see it... of course you also don't get facebook likes buttons. Booohooo.
Also, it's a temporary measure. I'm pretty sure that, in this nice internet of ours, it won't take too long until sites start correlating... so if you let one facebook cookie escape, the other sites will create their own cookie with the fb id info, and then you lose anyways...
Marc, I too installed RequestPolicy in FireFox as a result of this, but I only lasted a few days. It soon became too tedious to keep giving permissions, although I guess it would be like the old firewalls that learned pretty quickly and and got much less intrusive after a couple of weeks. What really annoyed me was that although you are told which sites are being called the URLs are often meaningless. Some you can work out, say as image reference sites; others are just gobbledegook, but the page won't load until the correct one is allowed. Lots of trial and error; several Firefox crashes. I really hope something like this develops fast to become a lot slicker.
On the face of it the patent is for tracking users across third party web sites, ignoring the fact if they are logged in or not.
I'm sure Doubleclick (now owned by Google) has prior art on tracking everyone across all partner sites.
I am sure that Zuckermann did not dream up all of the notions, concepts, or blue sky dreams in the patent application. However, I am sure that someone knowledgable did, and that would likely be the spie (sic) organizations, who already use FB for tracking U.S. citizens.
The patent is keep keep anyone else from doing this (including the ability to exclude all others that already do this) so NOBODY else can find out what they are finding out. Remember, FaceBook says it is against the law for you to get your information from FaceBook, so they don't want you to know what they know about you. This is typical of state secret organizations, for which the purpose is to protect THEM and use the data, selectively when needed, AGAINST you.
Another issue, by the way, is that quite a few sites nowadays no longer have their own login but you instead login through one of the social network sites. In a sense a cool idea but for some other reasons I sometimes think it would be better to scatter ones online activity amongst many separate sites.
I deleted my Facebook account months ago and haven't regretted it for a single moment.
I think the US government ought to deny a security clearance to anyone with a FB account. If a person values their personal security this little how will they treat national security items?
For the most part, tracking depends on cookies and cache, and flash. If you routinely clear all of them (and ideally uninstall anything from adobe -- they're smart people but their products routinely have security issues -- then you probably have to live with today's weak html5 support and weak alternative pdf parsers), you will gain a marginal amount of privacy (this probably beomces the network equivalent of wearing a translucent skirt -- not enough by itself, but perhaps adequate when combined with other privacy measures).
Notice how they didn't list an assignee, just the inventors... A feeble attempt at keeping Facebook's name out of it?
Facebook usually has its name on the application, try Facebook = assignee here:
This is why I dedicate a use one browser for my day to day work (Opera), and a completely separate browser for my Facebook activity (Firefox).
I've found this to be very useful.
I've been wondering about their profiling for a while. I met another aspiring security guy at Defcon back in 2000 and we kept touch on IRC for about a year after that. We also exchanged a few emails, but the account I used is long dead. I haven't talked to the guy since 2001 or 2002, but he shows up as recommended to me on Facebook and Linkedin. He lives in a different state and we have no common friends/connections on the sites. I'd really like to know what in the hell they have that establishes that connection.
"It seems like the most disruptive way of defeating the purpose of this tracking, even for non Facebook users, is deliberate misinformation. Perhaps I should maintain several different Facebook profiles, all with contradictory information (and random photos), and alternate which one I am logged into. It might be more damaging than just using NoScript."
Totally agree. I combine this with my multiple browser strategy. My day to day browser is Opera and I have a garbage facebook account for it (almost never login either, only to get a FB company page promotion :P )
I use Firefox only for actually using my real Facebook account.
I think facebook is about to/already is hitting the 'hotmail syndrome', where the number of spam / junk profile accounts will be non-trivial because its too easy to sign up with fake info.
"It seems like the most disruptive way of defeating the purpose of this tracking, even for non Facebook users, is deliberate misinformation"
Spot-on. Years ago, I used to have a really nifty .cgi on my websites that generated pages with random names, bogus email addresses and random links pointing to the same script again in an effort to trap bots and other leeches not respecting robots.txt in an infinite loop, filling their databases with all sorts of crap in the process.
I would actually make a very generous donation to any developer willing and able to develop a similar browser add-on/extension as to subvert FB, Google and other profiling/dataming operations. A similar extension for Thunderbird would equally be appreciated, where any and all Facebook invitation or tag announcement is automatically met with some sort of "cease and desist" notification to sender.
Information itself is not dangerous, it's what's done with it. Some database on Facebook's servers that has a log of some subset of websites I've visited doesn't concern me one iota, provided Facebook have good data protection policies (which they do).
If they give this data to some advertiser (provided it's anonymized), it still doesn't concern me. I'd actually prefer to see ads that are relevant to my interests than not.
It seems that there is an infinite set of privacy advocates who condescendingly claim to think and act on behalf of the entire human race ("this needed to be exposed further...", "This application should be required reading for every idiot...", "People should demand that ... such collection be double-opt-in ONLY") because everyone else is seemingly too stupid to understand or care about privacy principles. I'm an example of someone who does understand the privacy implications of Facebook's tracking cookies, but has no concerns with them. Come at me bro.
@Mike Rose -
First, facebook does /not/ have a good record of keeping identifying information away from third parties. There have been countless reports of facebook 'apps' that have had access to personal information. Here's one such report: http://online.wsj.com/article/...
Second, even if facebook has very good data protection policies (I don't know, but for discussion, I'll stipulate), that doesn't mean that they are unhackable or that your data is safe. It merely suggests that they make a best effort using best practices. Professional security companies like RSA get hacked. Banks get hacked. Militaries get hacked. It happens. Period.
Third, there has been quite a bit of research that shows that 'anonymized' data is less anonymous than you think. It can frequently be de-anonimized when used in conjunction with publicly available information. Here's a lay article written by Bruce himself: http://www.wired.com/politics/security/...
Finally, I'd say that most privacy advocates don't want to outlaw facebook, targeted ads, or other things like that. Most probably want a clear disclosure and an opt-in requirement, or at least a guaranteed ability opt-out.
So... come at be bro?
Second, even if facebook has very good data protection policies (I don't know, but for discussion, I'll stipulate), that doesn't mean that they are unhackable or that your data is safe
Although there are lots of caveats attached, but it would appear that Facebook as already been hacked at some level per this Brian Krebs article: http://krebsonsecurity.com/2011/10/...
Well, at least the patent will prevent anyone else from tracking users while they're logged out...
So, who owns the cookies on my computer? Do I? Can anyone tell? Why not set up a clearing house? Once a day I could stop by, drop off my FB, Google, etc cookies, pick up someone else's, and go my merry way. I might actually turn the ads back on to see what popped up.
Sounds like a DMCA violation ;)
Everything is a DMCA violation. So host it in Russia.
Without going into a detailed retort to your points as I am not at all interested in getting into a tit-for-tat debate, I'll clarify my points a little further for the sake of provoking some thought around privacy principles.
Firstly, I'm not claiming that Facebook is 100% secure or should even be 100% trusted. What I am saying is that there is a trade-off between privacy concerns and usability (I'm also classifying targeted advertising as usability here). Given what I know of Facebook's privacy and security, I am personally happy to take the risk.
Secondly and more importantly, privacy advocates speaking on my behalf without my explicit support is disingenious at best. I am specifically levelling my criticism at privacy advocates as I can't count the number of times I've seen vitriolic responses in which they don't seem to understand that other people may have differing opinions.
Not everyone shares the same sense of concern/paranoia and while you may feel strongly about privacy, you should understand that it's not objective and it's not universal. All I ask is that privacy advocates take the blinkers off and stop assuming that everyone is stupid if they don't think like you do. There are many of us out here who have given it thought, qualitatively assessed the risk and accepted it.
Ultimately, speak for yourself and yourself alone; and I'll do the same.
"It seems like the most disruptive way of defeating the purpose of this tracking, even for non Facebook users, is deliberate misinformation"
This doesn't work as well as one might suppose, however. If one is talking about user data in aggregate then error rate per million users would have to be in the hundred thousands before the data would become statistically fouled. On the other hand, if the people you are trying to obstruct are the police, they likely have your biometric or other personal data from an alternative source that they can cross check against.
There is a certain appeal to the idea that a good offense is the best defense but the trouble is that your not fooling anyone. The statistician has already accounted for you in his error rate and the police can subpoena your ISP. So unless the goal is to hide your faithlessness from your spouse, the disinformation strategy is rather a waste of time.
@altjira: Why not set up a clearing house? Once a day I could stop by, drop off my FB, Google, etc cookies, pick up someone else's, and go my merry way.
Already available, see http://www.googlesharing.net/ ; but you have to trust them.
@Mike Rose: I'd actually prefer to see ads that are relevant to my interests than not.
You want "relevant to my interests than not", but you will get "relevant to their interests about you".
If they knew you are going to spend 600$ to buy an iPad, they wouldn't advertize for better bargains on iPads to you. Readers, please replace "iPad" by your favorite product.
@ChoppedBroccoli: This is why I dedicate a use one browser for my day to day work (Opera), and a completely separate browser for my Facebook activity (Firefox).
You can also have two independent session of Firefox, with option "-no-remote". Example in linux:
firefox -no-remote -P nofacebook & firefox -no-remote -P default
This is why I use ShareMeNot and NoScript.
For those that have grown tired of requestpolicy in Firefox, there is also Ghostery
"Ghostery sees the invisible web - tags, web bugs, pixels and beacons. Ghostery tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity"
Facebook long ago took a flying leap into the deep end of evil ...
My question is if I delete my facebook is it ever really gone? I would love to get rid of it but my friends would think I'm no longer friends with them and take it to heart which I think is stupid. I've heard of stories of deleting a facebook then coming back years later and everything is just how you left it.
I'm not a FB user, so I can only speculate on what might be a good plan.
I would suggest that you slowly start deleting your FB content over the course of a month or more. That way, every week when FB does their backups and database extractions, the content you removed from your account won't be part of that record.
When you finally do "delete" your FB account, the "snapshot" that is taken of the status of your account will not have much data in it.
As described above I'd slowly make your fb account devoid of information. But id go a step further and replace existing content with dummy content. Its possible of course that facebook keeps infinite snapshots though so who knows. Scroll down on this blog to read the recent FB related story about Max - maybe that will give you a good idea on what information fb retains about you :)
Also I figure you'll need to churn or delete your social graph by unfriending everyone
@Tom. I believe the answer to your question is clearly "no, it's never truly gone." Certainly, there is no way to be certain that what you have deleted is truly deleted. And even if FB deletes it after a certain period of time, whose to say where your data has been stored by various bots that crawl the web.
I think the only sane answer is to say that once someone has put their personal information under the control of a third-party they have to assume the worst: that someone has kept a copy of it somewhere. It's trivial these days to digitize and backup data. The strategy outlined by "non-user" is better than nothing, certainly, but it's not one that I place much confidence in.
There's a popular debate among enterprises re: allowing access to social networks on work resources. Most seem to be moving in this direction, with some going so far as to integrate social media hooks into enterprise front end. This tracking issue has implications beyond the obvious. There's a difference between giving up (some) privacy in order to receive a service and something much broader.
Thanks to the few people who posted after me. I think back to when I got a Facebook I was 19 and I didn't really think of the privacy of my data. I have removed it from my phones and cut back on visiting the site. I do like the idea of putting in dummy information but storage is cheap I'm wondering if it will ever really be gone. I have had a number of discussions with friends and family that anything they post on there could be pulled up years from now. I have also looked at sites like failbook.com and lamebook.com and I'm amazed by what kind of information people post on their Facebook. Take Care Folks.
Firstly, I dont know how deleting your account helps since it says in the title that they will still track you.
Secondly, Isn't this the entire business of facebook. Why do you think someone will offer you a great social networking platform for free without having any interest in your data/activities.
Finally, why is only facebook at the centre of this. I recently integrated Google tracking into my clients internet shopping cart website. In order to do shopping cart tracking I had to send google details of each item placed in the cart during checkout with price etc. The benefit to my client is that they are able to log into google and see awesome graphs of which items are selling most and in which countries etc. The benefit to google? They know exactly what you are buying and for how much. And all this happens in the background too...
The concept may be "new," but not too different from the ideas behind the likes of Index Medicus, Science Citation Index, Social Science Citation Index, etc. With a more than passing knowledge of bibliometrics and of inferential statistics, target groups can be identified that include and extend beyond facebook. A number of years back there was a piece of software, "negopy," which did exactly this, identifying groups on the basis of with whom talked to whom. I believed that if was used by the UN to identify opinion leaders for knowledge dissemination Only thing, here, that seems new is the tagging of content. Guess the patent application does not really involve new ides and techniques, but does raise the spector of the politics of political control.
If it was a patent it might be used do protect privacy ...
But for Facebook to not use it but still enforce it against those that might is an interesting concept.
There is a reason that this blog has a short list of Allowed HTML tags...
On one side this form of tracking has cut down remarkably on the number of unsolicited requests (via email, snail mail, door to door and high street marketing representatives), to take part in consumer surveys.
I have a Facebook and LinkedIn account and have given some thought to the value of the usable information I might be dropping on them.
All things considered it is a fair trade off.
I'm pretty lousy at keeping them up to date and visit them once or twice a year, usually from a hotel computer when I am jet lagged.
Facebook supposedly has over 800 million users.
The way they accomplish that is by also keeping info on people who:
-had an account in the past and closed it
-have never signed up for an account in the first place
"Facebook is the biggest secret flop on the net"
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.