Facebook’s Like button is tracking all of us, to target us with ads

At least there’s a way to opt out! Oh wait….

David bisson
David Bisson

Facebook now using ads to track everyone, including non-users

Facebook is now using its Like button and similar plugins to track everyone on the internet, including those who do not have an account with the popular social networking website.

On Thursday, Andrew Bosworth, vice president of ads and business platform for the social media platform, published a blog post announcing a significant change to Facebook’s ad platform, otherwise known as the “Facebook Audience Network”:

“…we introduced Facebook Audience Network two years ago to help publishers and developers support their services by showing relevant, high quality ads to people who visit their websites and apps. …In the past, we’ve only shown ads in these places to people who have Facebook accounts. Today, we’re expanding Audience Network so publishers and developers can show better ads to everyone – including those who don’t use or aren’t connected to Facebook.”

Sign up to our free newsletter.
Security news, advice, and tips.

New education

When it comes to user engagement, the social media site’s ad platform currently rests on a model of serving ads to its users and selling that information back to advertisers.

Those changes announced by Bosworth will now empower Facebook to track a user across most (if not all) of the web pages they visit by altering the code that is used to display related plugins such as the omnipresent “Like” button.

The social media site will observe how users engage with those buttons and will then use that information to serve them with targeted ads, as Bosworth clarified to The Wall Street Journal:

“Our buttons and plugins send over basic information about users’ browsing sessions. For non-Facebook members, previously we didn’t use it. Now we’ll use it to better understand how to target those people.”

Like buttonFacebook claims its new policy will help deliver “better” ads of a higher standard to web users everywhere. But that’s assuming people WANT to receive targeted ads from Facebook.

Unfortunately, there’s little recourse available for those not excited by these changes.

Facebook recommends that non-users opt out of receiving ads by visiting the Digital Advertising Alliance website or by clicking on the AdChoices icon next to an Audience Network ad.

Alternatively facebook says you can tap the adchoices icon next to an audience network ad heres what that icon looks like

Even so, they’ll likely end up seeing the ads anyway. As reported by Softpedia, Facebook will still bill ad distributors and providers for the advertising content, giving these actors little incentive to acknowledge users’ wishes.

In the meantime, Facebook users can update their settings to stop seeing targeted ads, but that means they’ll just see random advertisements instead.

Looks like Facebook is set to take over the digital advertising scene with little input from its users.

At least they can still manage their privacy settings and implement two-step verification (2SV) to protect their accounts, should they choose to do so.

If you don’t like the idea of Facebook tracking your online activity, our recommendation is to set your browser up to use Incognito or Private Browsing mode, and to consider running a browser add-on such as Privacy Badger, NoScript or Ghostery that can block trackers.

You may even wish to go one step further to protect your online privacy, covering your tracks by browsing via Tor.

If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

19 comments on “Facebook’s Like button is tracking all of us, to target us with ads”

  1. Kevin

    Sorry Graham but I don't get it.

    what ingredients are necessary? an open tab on facebook, pressing the like button ever?
    surely not just visiting a site?
    would you be so kind as to explain?

    1. Bob · in reply to Kevin

      It wasn't Graham who wrote the article; it was David ;-)

      To answer your question: you log in to Facebook, do whatever and then logout. That alone is sufficient to allow Facebook to track your web browsing.

      Facebook download a cookie onto your computer in order to log you in. Without that cookie you can't access Facebook. You CAN delete cookies after using Facebook but ultimately there's so much unique information transmitted from your computer that Facebook use when tracking their customers that your efforts will be fruitless.

      David's suggestion about using browser add-ons will help to an extent but for the reasons I've just given it'll offer little real privacy protection – these add-ons do help prevent some malware from being installed so they're not pointless.

      Even having a conversation with friends in the same room is enough to allow Facebook to deliver you targeted ads! How? By having the Facebook app installed on your phone. They can also monitor all your phone calls using this same method although they deny doing the latter:

      "Like any good academic, Burns put this to the test. She discussed certain things while near her phone running the Facebook app and its listening feature, which is available only in the US. She then noticed that the site served adverts relevant to her conversation."


      Final thought – if you use Facebook you're a "dumb fuck" according to its founder Mark Zuckerberg. He freely admits his comments:

      "Upon being asked by the friend how he managed to get all the information, Zuckerberg replied: "People just submitted it. I don't know why. They 'trust me'. Dumb fucks."


      1. graphicequaliser · in reply to Bob

        I don't get it. I am not a Facebook user and have no account with them, so I cannot possibly log on to Facebook. If I browse a page which has a Facebook commentary at the bottom, I cannot click on any of the "Like" buttons without being confronted by a Facebook login page. Is Dave saying that when being met with a Facebook login page, that causes Facebook tracking cookies to be exchanged?

        1. Bob · in reply to graphicequaliser

          Yes, simply visiting the official Facebook page OR visiting any page with a Facebook 'like' button page is sufficient for them to track you.

          It makes no difference if you're a Facebook user or not although, obviously, if you're not a Facebook user then they'll have far less information about you.

          Many privacy-aware webmasters don't use Facebook 'like' buttons for this very reason. Others have a toggle where you have to slide a switch before the like button is made visible; that gives you the best of both worlds: privacy if you want it or no privacy if you're a Facebook user and you voluntarily choose to toggle the switch and hit 'like'.

          Facebook have been tracking people for years using this facility – it's nothing new and there's thousands of site who offer data derived from this. But remember that there are dozens of other very large advertisers out there like Google Analytics.

          1. graphicequaliser · in reply to Bob

            Hopefully, the installation of Privacy Badger will stop this kind of tracking!

  2. A guest

    And of course, this blog post contains a Facebook like button.

    1. Graham CluleyGraham Cluley · in reply to A guest

      No it doesn't. Or at least it doesn't include one that allows Facebook to track your movement around the web.

      Instead of one of Facebook's Like buttons, I have a button which simply visits Facebook's site *if* you click on it.

      Here is that link in all it's glory…


      If you click on it, and are logged into Facebook, Facebook will ask you if you want to share the link on the site.

      So, I let people make the choice. If they want they can click on the link and visit Facebook to share the link. But Facebook doesn't learn anything about you from you visiting my site.

      This – in my opinion – is a much better way for websites to give users the ability to share content via Facebook than using the insidious Facebook Like button.

      1. Barry · in reply to Graham Cluley

        Glad you explained that, Graham. I have a Facebook share button on my blog at https://www.bphtraining.com which seems to work in a similar way to yours.

      2. Jason · in reply to Graham Cluley

        But this blog does have a "button" for Twitter that enables Twitter to track you, and it appears to have a plug in for Gravatar that would allow Gravatar to track you (if someone posting had a Gravatar avatar?).

        My main concern with the general "tracking" problem is we'll see schemes that pay websites to pass on info about all visitors, and it's a fair chance Facebook would be a leader in any such scheme. It appears browser requests for webpages uniquely identify users, and it's very difficult to anonymise yourself when browsing.

        1. Graham CluleyGraham Cluley · in reply to Jason

          Thanks for the note about the Twitter issue.

          I actually had the same thought earlier today when I was at the circus (yes, really!) with my family. As soon as I came through the door to take a look at the Twitter button (it was residing in the author biogs at the end of articles) there was your comment.

          Anyway, I have now replaced that Twitter button with one of my own creation so – huzzah! – another potential dependency on a social network removed. :-)

          Regarding Gravatars. Yes, like many other sites running WordPress, grahamcluley.com uses gravatars to display a picture alongside author’s comments.

          It’s clearly useful to differentiate between different commenters, but I have never been entirely comfortable with the way gravatars work.

          At the same time, I have never considered Automattic (who own wordpress.com and gravatar.com) to be *anything* like as ‘evil’ as some other tech companies out there. If Gravatars upset you, I recommend running one of the blockers described in the article… or not getting a gravatar.

          If anyone has a better solution that could be easily implemented please let me know.

  3. Stop FUD!

    Yes, and we knew that for a very long time. Ghostery, ABP all have ability to block social media buttons (and tracking). Install them, block Facebook.
    And if you do not like Facebook tracking and \ or privacy invasion, stop using it and in your host file add entry for facebook to point to localhost. Job done

    1. coyote · in reply to Stop FUD!

      Apparently you don't understand what FUD is. But never mind that; what's amusing is you're suggesting ways to block the tracking and that's exactly what was done in this article. So IF this post is FUD then YOUR RESPONSE IS ALSO FUD. Choose your poison.

      Incidentally, you seem to not understand that it now affects those who don't use Facebook. Also, even if you map facebook.com to the servers that link (and I mean ad networks also) to it are also part of the problem (you see it's not all about Facebook). And are you sure (I haven't looked into this and frankly I don't care enough to look) it's 'facebook.com' that does the tracking? It's not like they don't have subdomains. Finally, doing all this requires knowing that it's being done and not everyone does; therefore this is an advisory: it's not telling you what to do or whether it should bother you.

  4. Kevin

    Thanks Bob, and others.
    So, is it true that if you've ever seen the facebook login page, on a particular machine, you have a tracking cookie that will report your entire browsing history to facebook next time you "see the facebook login page".
    Should I look to see the size said cookie has grown to, or does it get the info from elsewhere?
    thanks again

    1. Bob · in reply to Kevin

      Yes, that's true Kevin. Just the same as Google track your browsing habits if you've ever logged into a Google service in the same browser (and have neglected to clear out your cookies).

      The cookie doesn't 'grow', it effectively (and I'm simplifying here) assigns an advertising ID to you. This is then used to track you across websites.

      Unfortunately unless you use separate browsers for particular tasks you've got an uphill struggle.

      Take a look at this website and look how much information your browser leaks!


      Click 'Start Test'.

      You'll notice that your browser gives away so much information that even in the absence of cookies you're easily tracked by companies like Google who collate much of that information whenever you log in to one of their services. Even clearing out cookies or using browser add-ons won't help very much because it's all too easy to retroactively cross reference.

      That website (run by Johndonim) have their own software but, despite their marketing hype, it doesn't really protect you against sophisticated advertisers / attackers. But their website gives you a useful indication of exactly how your online habits can be linked to your real-life persona.

      Take a look at the book by Bruce Schneier, the eminent cryptographer:


      Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World

  5. Jim Goodyear

    That just confirmed my dislike of f******k.
    I have just deactivated my (unused) account and I feel better already.
    BTW Graham, thanks for the heads-up about the new Brave browser (faster and safer and more secure), i am now on it and it is faster, and as far as i know it has no f******k like button !!
    thanks for that

  6. coyote

    It's not surprising they want to serve more adverts; it wouldn't be surprising for any organisation: it's actually expected. As much as I hate adverts I'd rather they be more relevant to me. But something that is surprising: they hadn't started this earlier. Finally, what might be more scary is the answer to the question of what will they do next. I'm sure they'll continue so it's just a matter of time before the question is answered, for worse or for worse.

  7. Gregory Holmes, M.D.

    Great. You acknowledge that Facebag is intrusive, and then you encourage people to join the Graham Cluley News Facebook page.

    I have never understood how people who advocate that users educate themselves about privacy and security can turn right around and promote one of the worst offenders…namely, Facebag.

    Evidently, even you people in the security world have decided that you "cannot" survive without whoring yourselves out to the very thing you purport to condemn. To hell with principle…apparently.

    Wow. Just wow.

    1. Graham CluleyGraham Cluley · in reply to Gregory Holmes, M.D.

      Thanks for your comment Gregory.

      In no way am I encouraging people to join Facebook.

      However, what I do say is that if you *are* on Facebook, then please consider joining my Facebook group because it can keep you informed about security threats, Facebook scams, privacy scares and the like…

      Much as many of us dislike Facebook, we have to acknowledge that it has many many users (over a billion I believe…) and it would be a mistake for us to ignore them, or not give them an opportunity to become more clued-up about security and privacy threats.

      Who knows… maybe joining my Facebook group will be the first step in some people deciding to leave Facebook altogether? :)

  8. Lars

    FB users are dumb fucks worse than Zuckerberg

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.