Privacy-Aware Design: Opt-in alternatives for social media sharing

My previous post on Privacy-Aware Design (“Replacing Google Analytics with a decentralized alternative”) discussed the inherent privacy issue when a private corporation is able to track users around a large part of the internet.

I presented how the provision of a free service with undeniable benefits for website owners has led to a situation where Google is able to track any internet user around half of the web and that it happens without explicit consent of the end-users (who may only protect themselves from being tracked by browser privacy add-ons).

Following the same train of thought, the next topic in this series are social media integration practices. Ever since Facebook introduced their “Like” button in 2009 (with Twitter and Google following two years later), the provision of a simple means for end users to express their interest in an online page and share it as a recommendation to their SNS contacts has evolved into a core part of web publishing and marketing.

This post is part of a series on my research on “Privacy-Aware Design“ in a UI/UX context.

See list of all posts in the series

  1. Making the case for “Privacy-Aware Design”
  2. Privacy-Aware Design: Replacing Google Analytics with a decentralized alternative
  3. Privacy-Aware Design: Opt-in alternatives for social media sharing (this post)

The transparent user

As with Google Analytics, the free-to-use social elements provided by the big SNSs are very easy to implement and provide obvious value as they both encourage end users to share or subscribe to what they just read and make it as easy as pressing a button.

Yet, also the privacy issues are identical to the case of centralized analytics: the buttons by Facebook et al. have become a de-facto standard for contemporary web design – even a cultural icon of sort – and therefore are embedded in a big share of websites (30% of the top 10k websites, 17% of the top 1 million sites, according to calculations by builtwith.com).

And in similar fashion, the end user has no influence on whether his visit to a website is reported to the third party, other than manually modifying their browser to prohibit such tracking in general.

Other than believed by many, Facebook, Twitter and Google do not only receive information about the user visiting a page if they click “Like”, “Follow” or “+1”, but in the very moment the social media buttons appear on the page: the standard implementation of these buttons is to load them straight from the SNS’s server.

Dissecting the "Like" button: the button UI is loaded from Facebook servers, enabling the service to track users even without pressing the it (screenshot from the network monitor of the Firebug plugin for Firefox)
Image caption: Dissecting the “Like” button: the button UI is loaded from Facebook servers, enabling the service to track users even without pressing the it (screenshot from the network monitor of the Firebug plugin for Firefox, showing the Iframe content the embed code is loading from the facebook.com server).

The fact that for e.g. Facebook is indeed processing the request for an embedded “Like”-button against their database without end user interaction manifests itself when a text appears next to it listing the names of one or two friends who have liked a site and mentioning that “Friend X, friend Y and n others like this.” From a Facebook help page:

We record some of this information for a limited amount of time to help show you a personalized experience on that site and to improve our products. For example, when you go to a website with a Like button, we need to know who you are in order to show you what your Facebook friends have liked on that site. The data we receive includes your user ID, the website you’re visiting, the date and time and other browser-related information.

Ultimately, this means that Facebook et al. are able to create a very detailed profile of every internet user (no matter whether they are even subscribed users, but of course made even worse if users are at the same time logged in to one of the SNSs), protocolling exact browsing paths.

A thorough analysis of the issue with Facebook in particular can be found from Arnold Roosendaal’s book chapter “We Are All Connected to Facebook…” in: S. Gutwirth et al. (eds.) 2012, “European Data Protection: In Good Health?”; check Google Scholar for a link to a probably unauthorized full text PDF. Among other aspects, Roosendaal summarizes:

As indicated, the presentation of the button as a tool for Facebook members to share the web pages and items they like suggests that actual use of the button is necessary to set up communication with Facebook. Besides, nonmembers will think that they are not involved with Facebook in any case. This is obviously not true.

Data collection with consequences

It is of course easy to put these concerns aside with the argument that “I don’t have anything to hide”. But having nothing to hide does not mean that one wants to expose everything to the world.

If the concern of having private corporations create detailed databases of individual internet use is not enough to raise concern, how about the leakage of such information in data theft or through unintentional leaks? An article by the Electronic Frontier Foundation EFF even highlights the risk of governmental surveillance made easy by these practices:

Once a website sends data to a third party, it no longer has the power to stand up for its users against unconstitutional government requests for that data.

Research has shown the concerning accuracy of profiles derived from tracking data, e.g. the 2013 article “Private traits and attributes are predictable from digital records of human behavior” by Kosinski et al. – based on explicit “likes” and not even using implicit tracking data to the extent an SNS would be able to do.

Every time a "Like" button is loaded into a web page, the "datr" cookie together with the HTTP request variables allows Facebook to track who visited what webpage.
Image caption: Every time a “Like” button is loaded into a web page, the “datr” cookie together with the HTTP request variables allows Facebook to individually track who visited what web site; the cookie remains the same when the user moves from one website to the next (screenshot from the network monitor of the Firebug plugin for Firefox).

For the providers of independent online services, it is about time to consider the responsibility for designing systems that are aware of the privacy risks imminent in current “best practice”. This ultimately touches questions of user experience, as with growing awareness about privacy following the 2013 NSA revelations, more users may start to feel uncomfortable with losing control.

As the authors of aforementioned paper put it:

There is a risk that the growing awareness of digital exposure may negatively affect people’s experience of digital technologies, decrease their trust in online services, or even completely deter them from using digital technology. It is our hope, however, that the trust and goodwill among parties interacting in the digital environment can be maintained by providing users with transparency and control over their information, leading to an individually controlled balance between the promises and perils of the Digital Age.

On a side note, it also must not remain unmentioned that by embedding social media widgets in their website, a publisher gives the big SNS networks exact access to usage statistics and user profiles for their site.

“Transparency and control” are the motivation for suggesting two approaches below that avoid the default submission of user information to third-party SNS providers while acknowledging that users may want to intentionally “share”, “like” or “plus” online content on a network they trust.

Ready-to-use alternatives

The easiest solution to eliminate the problem would be to stop using SNS integration buttons. But, just as with analytics, visibility on social media channels has become too important a means for web publishers that forgoing it completely would be an option.

Yet, there are means to encourage and enable users to share links with their contacts, based on explicit expression of intent. In this article, I present two tested approaches, each with its own strenghts.

Solution 1: Replacing buttons with links

Twitter provides Web Intents, specially formatted links that open a pop-up window where the user can create a Tweet from the profile they are logged in on. I have been using these web intent links on this site for over a year by including a link at the end of every article, based on the format:

<a href="https://twitter.com/intent/tweet?url=http%3A%2F%2Fexample.com">Share this on Twitter</a>

This can further be developed by appending a related Twitter account that the user will be encouraged to follow after tweeting (“username” to be replaced with the according Twitter handle):

<a href="https://twitter.com/intent/tweet?url=http%3A%2F%2Fexample.com&related=username">Share this on Twitter</a>
Third-party buttons can be replaced with custom links using web intents or similar techniques.
Image caption: Third-party buttons can be replaced with custom links using web intents or similar techniques.

Even the procedure of following a user can be enabled by a web intent, using the link format

<a href="https://twitter.com/intent/user?screen_nameusername">Follow us on Twitter</a>

Facebook provides a similar tool, though it is pretty well hidden in the documentation while (not surprisingly) highlighting that it is not the preferred method:

<a href="https://www.facebook.com/sharer/sharer.php?u=http%3A%2F%2Fexample.com">Share on Facebook</a>

While there is no link format to “Follow” a Facebook page, an obvious workaround would be to provide a link to the Facebook page itself, where logged-in users will be provided with a button to subscribe; at the same time they would be empowered to first see what they are subscribing to.

Solution 2: Privacy-aware implementation

If the sharing buttons themselves are considered to be too important a UI element to be replaced with the non-standard link method, there are still ways to integrate these without leaking tracking data to a third party.

Once again, the view turns to Germany where – as mentioned in the previous part of this series – strict privacy laws have long forced website providers to work around the data-hungry default implementations of external services.

Just as the default Google Analytics tracking code, the Facebook “Like” button has in a sense been “outlawed” in Germany for many years. In 2011, the ULD Independent Center for Privacy Protection in Germany stated (in German) that the transfer of website user data to Facebook is in conflict with national privacy laws and recommended against the plug-in’s integration.

A popular solution among German webmasters is therefore the “two-click” social media integration: by default, web pages display only an image of a social media button that needs to first be clicked on by the user (often indicated on UI level by additional hints and an optional help text to explain the functionality), triggering the original third-party button to be loaded from the SNS. A second click – this time on the real button – then fulfils the intended action.

The "two-click" social media buttons in action (screenshot from heise.de): Only after clicking on the switch or the greyed-out button (above), the real button is loaded from the third party SNS (below).
Image caption: “Two-click” social media buttons in action (screenshot from heise.de, using their socialshareprivacy plugin): Only after clicking on the switch or the greyed-out button (above), the real button is loaded from the third party SNS (below) and can be clicked to carry out the action – e.g. sending a Twitter message.

IT publishing house Heise has developed an open-source jQuery plugin called socialshareprivacy (documentation unfortunately in German only, but the code and examples are almost self-explanatory) that can be seen on many sites on the German-speaking web – a sign that even though a privacy-aware design solution may seem awkward at first, a broad adaptation will increase users’ familiarity with a tool.

Obviously a similar technique is easy to implement custom-made, which may or may not be appropriate based on each particular context. To improve the usability for regular users not concerned with privacy, it is good practice to allow disabling the two-click implementation permanently, providing them with the original buttons by default on every visit.

This work in progress is part of a blog post series based on my ongoing research on restoring privacy on the web. Any commentary is highly encouraged and you may subscribe here to follow the upcoming posts on Privacy-Aware Design.

Tweet a comment or retweet a link to this article (syndicated Tweet)
1 fav'ed
1 repost

Responding with a post on your own blog? Submit the URL as webmention (?)

If you prefer, there is also an RSS feed