Social Share Links Are (Probably) Spying On You


We've worked on countless websites that have social media sharing functionality. You know, those little links that let you easily post to Facebook, Twitter, or some other social network?

These widgets work by requiring a developer to embed a script tag on their site. Like this:

(Image: Twitter embed script)

By embedding JavaScript from a third-party source, you've allowed that provider to modify the content of your HTML page. Set aside what could go wrong (XSS attacks, unexpected manipulation of the page, JavaScript execution errors); what happens by design is already reason enough to avoid most approaches to share links.

When you embed a share widget on your site, you've added tracking by that social network. The network can now associate each visitor's profile with the content on your page. Social networks, Facebook in particular, use that to build an advertising profile based on your content.

A hypothetical example: your site provides medical or self-help advice, and the share widget on the page loads JavaScript from Facebook. Like many people, visitors to your site are always logged into Facebook even when they don't have it open. When the JavaScript loads, it knows the user's profile (this is how it can show that you've already liked or retweeted something). The JavaScript can read the URL of the page, which Facebook can then index, and Facebook can associate the content of the page with the user's profile. Finally, Facebook can show advertisements targeting the medical condition of visitors to your page. All of that follows from the site visitor merely looking at your content. It requires no interaction with the Facebook share widget; loading the widget is enough to associate the visitor with the content of your site.

Combined Share Widgets Can Be Even Worse

An alternative to the direct widgets provided by social networks is a widget from another provider that wraps around the social media links. Examples include AddThis, ShareThis, AddToAny, Shareaholic, and many others. However, this further compounds the problem. Not only are Facebook and Twitter tracking your visit, but so is the provider of the sharing widget.

For example, the privacy policy of AddThis (which is owned by Oracle) states:

Publishers provide us with AddThis Data so that we can build Segments and Profiles to facilitate personalized interest-based advertising for you by Oracle and our Oracle Marketing & Data Cloud customers and partners. By installing the AddThis Toolbar, Toolbar Users provide consent for us to use their AddThis Data for interest-based advertising.

Using a centralized share provider has only introduced another aggregator and broker of people's interests. Not all services are equally bad, but be sure to carefully read the terms of service when using any of these providers. Note that in most cases, using one of these widgets will also load the SDK of each enabled social network to count engagement such as likes, retweets, etc.
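A practical way to find out whether a page is already loading these SDKs is to audit its rendered HTML for third-party script tags. The following is an added example, not Lullabot's code: it lists every external script the page loads and flags those served from the networks and aggregators named above. The domain list and the sample page (including the Twitter widgets.js embed) are assumptions constructed for the example; plain share links are deliberately not reported, because they load nothing until clicked.

```javascript
// Added example (not Lullabot's code): audit a page's HTML for third-party
// share/SDK scripts that run on page load, before any user interaction.
// The domain list is an assumption: registrable domains of the networks and
// aggregators named in the article, not an exhaustive inventory.
const TRACKING_SCRIPT_DOMAINS = {
  'facebook.net': 'Facebook',
  'facebook.com': 'Facebook',
  'twitter.com': 'Twitter',
  'twimg.com': 'Twitter',
  'addthis.com': 'AddThis',
  'sharethis.com': 'ShareThis',
  'addtoany.com': 'AddToAny',
  'shareaholic.com': 'Shareaholic',
};

// True if hostname is the domain itself or a subdomain of it.
function matchesDomain(hostname, domain) {
  return hostname === domain || hostname.endsWith('.' + domain);
}

// Find every external <script src="..."> and classify it. Anchors (<a href>)
// are ignored on purpose: a plain share link loads nothing until clicked.
function auditShareScripts(html, pageUrl) {
  const findings = [];
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const scriptSrc = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = scriptSrc.exec(html)) !== null) {
    let host;
    try {
      // Resolve relative srcs against the page URL so "/js/app.js" is first-party.
      host = new URL(m[1], pageUrl).hostname.toLowerCase();
    } catch (e) {
      continue; // unparsable src; skip it
    }
    if (host === pageHost) continue; // first-party script, not a tracking concern here
    const network = Object.keys(TRACKING_SCRIPT_DOMAINS)
      .filter((d) => matchesDomain(host, d))
      .map((d) => TRACKING_SCRIPT_DOMAINS[d])[0] || null;
    findings.push({ src: m[1], host, network, thirdParty: true });
  }
  return findings;
}

// Constructed sample page: one first-party script, one Twitter widget embed,
// and one plain share link (the pattern the article recommends).
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</head><body>
<a href="https://twitter.com/intent/tweet?url=https%3A%2F%2Fexample.com%2Fpost"
   rel="noopener noreferrer" target="_blank">Tweet</a>
</body></html>`;

const sampleFindings = auditShareScripts(SAMPLE_HTML, 'https://example.com/post');
// sampleFindings -> [{ src: 'https://platform.twitter.com/widgets.js',
//                      host: 'platform.twitter.com', network: 'Twitter', thirdParty: true }]
```

Scripts from a domain not in the list are still reported with `network: null`, so the output doubles as an inventory of everything third-party the page pulls in; the share-widget entries are simply the ones with a network name attached.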

Alternatives and Suggestions

The absolute best thing an organization concerned with privacy can do is not include any share links at all. That avoids any direct connection between your visitors and data aggregators. However, for many clients, designers, and visitors, having some share capability is expected. What can developers do to meet that requirement and still be responsible with user data?

The answer is pretty simple. Use links. Each social network has a simple URL that you can use to prepopulate a sharing form with the URL of your content. At its simplest, these links look something like this:

(Image: HTML social link for social sharing)

No JavaScript. Just HTML.

Be sure to include the rel attribute to prevent the third-party site from being able to manipulate the browser history. And using target="_blank" opens a new window, so the user doesn't immediately leave your page.

This provides a happy middle ground where sharing is still available for users, but it makes it impossible for social networks to track users who are simply visiting the page. Once the user clicks/taps on the share link, they're consenting to use that social network (and thus be tracked and profiled).

Copy-and-paste link generators that don't include any JavaScript can help with building these links; see the following sites for examples:

As of this writing, you can also check out the share links here on Lullabot.com, which uses a combination of these direct-share URLs with lightweight JavaScript to open in a sized new window.
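The direct-link approach described above, together with the optional lightweight popup, as an added example that is not Lullabot's code: the share URLs are built as plain anchors with the page URL and title percent-encoded, every anchor carries rel="noopener noreferrer" and target="_blank", and a small click handler (which only runs in a browser) opens the share form in a sized window. The sharer/intent endpoint formats, the domain list, and the sample page URL and title are assumptions for the example.

```javascript
// Added example (not Lullabot's code): privacy-preserving share links as plain
// HTML anchors. No third-party script is loaded, so the network only learns
// about a visitor once they click. Endpoint URL formats are assumptions (the
// commonly documented sharer/intent URLs; they may change).
const SHARE_ENDPOINTS = {
  facebook: (url) => `https://www.facebook.com/sharer/sharer.php?u=${url}`,
  twitter: (url, text) => `https://twitter.com/intent/tweet?url=${url}&text=${text}`,
  linkedin: (url) => `https://www.linkedin.com/sharing/share-offsite/?url=${url}`,
};

// Escape for safe insertion into an HTML attribute or text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// One href per network. Both the page URL and the title are percent-encoded
// so a title containing '&' or '#' cannot break or inject into the query string.
function buildShareLinks(pageUrl, title) {
  const u = encodeURIComponent(pageUrl);
  const t = encodeURIComponent(title);
  return Object.entries(SHARE_ENDPOINTS).map(([network, make]) => ({
    network,
    href: make(u, t),
  }));
}

// Render the anchors. rel="noopener noreferrer" stops the opened page from
// reaching back through window.opener; target="_blank" keeps your page open.
function renderShareLinks(pageUrl, title) {
  return buildShareLinks(pageUrl, title)
    .map(({ network, href }) =>
      `<a href="${escapeHtml(href)}" rel="noopener noreferrer" target="_blank">` +
      `Share on ${escapeHtml(network)}</a>`)
    .join('\n');
}

// Optional progressive enhancement: open the share form in a sized window.
// Only runs in a browser; without JavaScript the plain links still work.
// Returns the number of links enhanced (0 outside a browser).
function attachPopupHandler(root) {
  if (typeof window === 'undefined') return 0;
  const links = root.querySelectorAll('a[rel~="noopener"][target="_blank"]');
  links.forEach((a) => {
    a.addEventListener('click', (ev) => {
      ev.preventDefault();
      window.open(a.href, '_blank', 'noopener,noreferrer,width=600,height=450');
    });
  });
  return links.length;
}

// Constructed sample input: a page URL with a query string and a title
// containing an ampersand, to show the encoding at work.
const exampleHtml = renderShareLinks('https://example.com/post?id=1', 'Hello & welcome');
if (typeof document !== 'undefined') attachPopupHandler(document);
```

The rendered markup is static, so it can be generated server-side or at build time and served without any client script; the popup handler is purely cosmetic and the links behave identically if it never runs.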

Although privacy is starting to become a focus for the general public, many users still may not realize that their browser is logged into social networks all the time. Websites big and small then facilitate the tracking of those users by loading JavaScript from these social networks, resulting in extensive profiling based on the content viewed, which is used to create targeted advertising.

Share links are often privacy trojan horses. As the builders of the web, we should take care to account for the privacy of our site visitors. So the next project you're on, advocate for a non-tracking solution.


Nate Lampton

Nate Lampton is a leader in Open Source with over a decade of contributions to the Drupal project. He joined Lullabot in 2006.