back to article It's official: Deploying Facebook's 'Like' button on your website makes you a joint data slurper

Organisations that deploy Facebook's ubiquitous "Like" button on their websites risk falling foul of the General Data Protection Regulation following a landmark ruling by the European Court of Justice. The EU's highest court has decided that website owners can be held liable for data collection when using the so-called "social …

  1. Anonymous Coward
    Anonymous Coward

    No f in button?

    at the bottom of this article, in between the twitter button and the linkdim button, is a button with an f in it.

    How does that relate to the article's content?

    How do readers get rid of the f in button?

    I think we should be told. What do other readers think?

    1. Tomato42 Silver badge

      Re: No f in button?

      Correct me if I'm wrong (hardly a web developer myself), but as far as I can tell, the buttons use media hosted on El Reg servers and do not run scripts from FarceBook or Twatter. So I see no obvious way that the information about El Reg visitors is shared with them automatically...

      1. elDog Silver badge

        Re: No f in button?

        It's very difficult for anyone to know what javascript or what host applications are run when a button is clicked, or hovered over, or even rendered. NoScript and uMatrix are good ways to stop the JS cascades from stealing your cookies, but BuckFace can also have the host run lots of backend software when you visit the page.

        1. VikiAi Silver badge
          Happy

          Re: No f in button?

          Privacy Badger plugin does a pretty good job of blocking this sort of stuff too.

        2. Anonymous Coward
          Anonymous Coward

          Re: No f in button?

          It's very difficult for anyone to know what javascript or what host applications are run when a button is clicked

          That's why I block Javascript by default. I have no problem enabling it on sites where I need the information, in which case I am aware of the potential risk I take (and could theoretically inspect what is about to happen, but let's be honest, few of us do) but by default it's off.

          That's the same as locking your car door by default, even if you live in a safe neighbourhood - just good habits.

          1. Lusty

            Re: No f in button?

            "That's the same as locking your car door by default"

            Not really. Locking my car doesn't cripple its ability to be driven. What you're doing is more like replacing the windscreen with ply and removing the wheels. Sure, you can still sit in the car but you won't get very far until you put it back to a state that supports driving. Almost nothing on the modern Internet works without Javascript, so really you're causing yourself no end of problems while simultaniously giving no bother whatsoever to Facebook and the like. Who still made billions, probably using some of your data provided by friends.

            1. Duncan Macdonald Silver badge
              Thumb Down

              Re: No f in button?

              Disabling Javascript is a necessity on most websites. Even ignoring the privacy implications, enabling Javascript allows a lot of unwanted ads to run. NoScript and AdBlockPlus (or equivalents) are requirements for sane use of the internet.

              1. Electronics'R'Us
                Thumb Up

                Excessive scripting

                News websites, in particular, are guilty of really excessive scripting (for ads natch). I use NoScript to block the scripts that have no value (to me) but I can still use the sites (and log in if I so desire - I have a subscription to one of them).

                If I enable all the scripts (as happens in Chrome) it maxes out a core of my laptop. NoScript helps to prevent this.

                One thing I really want to see (particularly for e-commerce sites) is a list of domains that need to run scripts for transactions to actually complete. (Whether they should actually need to run scripts is another matter entirely).

                1. VinceH Silver badge

                  Re: Excessive scripting

                  "One thing I really want to see (particularly for e-commerce sites) is a list of domains that need to run scripts for transactions to actually complete. (Whether they should actually need to run scripts is another matter entirely)."

                  This ^.

                  I'd like to be able to visit a site, see a (non-JS, obviously) link that lists the domains/scripts that need to be run for basic functionality - so I can enable scripting for those domains, and the retailer has the opportunity to take some of my money off me.

                  But, being a cynical old fart, I just know that there will be sites listing domains from which they earn money (i.e. advertising) as necessary script sources, which puts us right back into square one of enabling them carefully, one by one, until we hit the right ones.

                2. -tim

                  Re: Excessive scripting

                  If a web page takes credit card numbers, all the javascript on the page must be audited to meet PCI-DSS requirements. It is amazing how many site owners don't seem to understand their liability.

                  1. Warm Braw Silver badge

                    Re: Excessive scripting

                    all the javascript on the page must be audited

                    A commonly-heard defence is that "the payment page is hosted by the payment service provider, so it must be secure". Then it turns out that the payment service merely provided a template into which the merchant has incorporated a plethora of scripts plucked seemingly at random from all corners of the internet.

                3. Anonymous Coward
                  Anonymous Coward

                  Re: Excessive scripting

                  One thing I really want to see (particularly for e-commerce sites) is a list of domains that need to run scripts for transactions to actually complete. (Whether they should actually need to run scripts is another matter entirely).

                  Install uBlock Origin and open the logger before you open the page and you can see it all. At that point it's time to choose :)

              2. Mage Silver badge

                Re: Disabling Javascript is a necessity on most websites.

                To block malware. Works better than AV software. Esp. Zero day exploits. Both BBC & CNN have served malware because the greedy people selling adverts that they use don't vet advertisers and the ads use 3rd party javascript.

                3rd party javascript should be illegal.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Disabling Javascript is a necessity on most websites.

                  I like the idea that 3rd party scripts (and cookies whilst we are at it) become illegal... Or at the very least blocked by default in browsers.

                  As someone who develops sites/services, it really wouldn't be a issue... Admittedly marketing would go ape **** about not having every known gadget, widget, tracking, metric sucking plague installed on the page...

                  Could we do a deal? No 3rd party anything... But whilst we are at it, let's rework the stupid cookie related laws to dump the "do you accept" popups on every site.

                  That should be a browser based policy too.

            2. Tigra 07 Silver badge
              Thumb Down

              Re: No f in button?

              "Not really. Locking my car doesn't cripple its ability to be driven"

              Not for you, no. But it does cripple the ability of a carjacker driving your car.

            3. Anonymous Coward
              Anonymous Coward

              modern Internet

              I don't know which internet you're using but the one I use works just fine with all the snooping shit disabled by blockers.

              Unless by "modern" Internet you mean all the pop ups, auto playing ads and the rest of the garbage then you are right, none of that works, which is exactly the result I'm after.

              If I HAVE to use a site that is unusable without JavaScript then just the bare minimum required gets enabled, causes me no problems at all really.

              1. Lusty

                Re: modern Internet

                "I don't know which internet you're using but the one I use works just fine with all the snooping shit disabled by blockers."

                You're confusing "disabling snooping shit" with turning off JavaScript. Ad blockers don't turn off JavaScript they target evil things. Try actually turning off JavaScript and see how far you get...

                1. Anonymous Coward
                  Anonymous Coward

                  Re: modern Internet

                  I'm not confused by anything, although you seem to have a problem with reading comprehension, I DO disable JS at all times and enable just the minimum as needed, as I said not a problem and also has the benefit of stopping exploits such as Browser fingerprinting which depend on JS to work.

                2. Duncan Macdonald Silver badge
                  FAIL

                  Re: modern Internet

                  I use both NoScript and AdBlockPlus - both are needed. (Some sites do not work with AdBlockPlus alone as scripts check for the presence of ad blockers and disable the use of the site if detected - NoScript stops the detection of the ad blockers. )

                  With the exception of a few sites such as eBay for which JavaScript is necessary - if a site requires Javascript for browsing then I will not use it.

                  Disabling JavaScript also stops a large proportion of the malicious content on the internet from doing damage.

                  1. Richocet

                    Re: modern Internet

                    To maintain your privacy, use privacy badger and uBlock Origin. I run both.

                    AdBlock plus doesn't block tracking. Blocking javascript doesn't block most tracking and has many inconvenient (for you) side-effects.

                    Speaking from experience - I am currently typing this on a break from implenting cross-site tracking code for my employer. It doesn't use any javascript FYI.

                3. Anonymous Coward
                  Anonymous Coward

                  Re: modern Internet

                  "Try actually turning off JavaScript and see how far you get..."

                  Pretty far, given that my browsers block almost all javascript by default, anything I turn on is 'temporary', and if I am on too long, I kill the browser and restart, or purge all the temporary permissions.

                  Occasionally I reach the point where I don't want to enable more scripts. Usually I leave the site.

                  If I must use the site, I start a clean read only OS in a VM, read the site, then reboot it.

                  No one is allowed to force me to run whatever they want on my actual environment. That would be a bad policy.

            4. Anonymous Coward
              Anonymous Coward

              Re: No f in button?

              Almost nothing on the modern Internet works without Javascript

              Wrong. Websites that are written properly will still be usable without Javascript, as they will have a <noscript> block to render the content without scripting.

              Most websites are usable to an extent without Javascript enabled, although the pretty bits might break.

              Personally, I use the NoScript addon and if a site that I visit is so badly written that it is unable to function with just the top-level domain being allowed, then I dump it and move on

              1. Mage Silver badge

                Re: No f in button?

                +1 on NoScript.

              2. Doctor Syntax Silver badge

                Re: No f in button?

                "Most websites are usable to an extent without Javascript enabled, although the pretty bits might break."

                And those that aren't I generally consider useless.

            5. JohnFen Silver badge

              Re: No f in button?

              "Almost nothing on the modern Internet works without Javascript"

              As someone who avoids letting Javascript run by default, I can say that this hasn't been my experience at all. There is a class of sites that require it, but fortunately they tend to be sites I don't care about anyway. The vast majority of the web I see run just fine without JS,

      2. IGotOut

        Re: No f in button?

        It not a standard Facebook URL but the image source does seem to be a unique identifier: Do others get the same?

        https://www.theregister.co.uk/design_picker/d2e337b97204af4aa34dda04c4e5d56d954b216f/graphics/icon/facebook.svg

        1. Donn Bly

          Re: No f in button?

          I have the same image url on my end, and I checked a couple of different articles and they have the same image url as well so it isn't tagged to the article either.

          The button uses jquery to launch the Facebook UI, passing the url of the page on which the button was clicked. There, you would then have to provide your facebook credentials if you are not already logged in from another tab, and at which point you are then tagged and tracked.

          So, it looks like the button and image are not trackers in and of themselves, but if you click on it you will be launching a tracker.

          1. Marco Fontani

            Re: No f in button?

            The button is a "share on Facebook" button, which is why it requests you log in in order to complete the operation. Same goes for all other login protected sites you'd want to share an article with via the widget: if you aren't logged in, and the site doesn't allow sharing links anonymously, you'll have to log in to use it, and "be tracked". Somehow it doesn't scream as much "dark pattern" as what the article talks about w/regards to the "like" button which instead allegedly tracks by default?

          2. Lusty

            Re: No f in button?

            "So, it looks like the button and image are not trackers in and of themselves, but if you click on it you will be launching a tracker."

            First rule of magic. Look at this bright blue button with our logo over here. Nothing nefarious going on WITH THIS BUTTON. No don't look over there, nothing to see over there...

            1. Tigra 07 Silver badge
              Go

              Re: No f in button?

              Look into my eyes.

              Look into my eyes.

              Not around the eyes.

              Don't look around the eyes. Look into my eyes.

              *click*

              You're under.

              Facebook is not logging you everywhere you go.

            2. This post has been deleted by its author

        2. Marco Fontani

          Re: No f in button?

          That's a per asset cache bust string, set to whatever git sha1 for master was "current" at the time the asset was introduced. We use those everywhere, not just for the Facebook image. Grep the site source for picker.

          1. sabroni Silver badge

            Re: That's a per asset cache bust string

            Really? Both IGotOut and Donn Bly claim to have the same url, and it's also shared across articles. If it's a cache buster it's not working. Why would you put a cache buster on a call to a static image?

            1. Marco Fontani

              Re: That's a per asset cache bust string

              Both IGotOut and Donn Bly claim to have the same url, and it's also shared across articles

              Yes, as it should be - as it's the exact same icon! Its "unique" URL ensures it's only fetched once by your browser, and reused if it's in its cache, as it should be. With that URL structure, and assuming you don't clear all caches when your browser closes, and assuming you have enough space in your browser's cache (and... yadda yadda yadda) you only "pay" the "download price" for that image once every 13months, as that's the validity of a "design picker" URL.

              If we ever were to change the image served by that path part (sans SHA), and for some obscure reason we wanted to retain its path part as-is (which is silly... just create a new file!), we would have the option of "simply" sticking in a new SHA, and everyone would fetch the new image, and cache the new image for 13mo.

              This isn't _that_ useful for static assets like furniture images, or site logo, or the like - as those very seldom change and often enough we can/do/will just use a new file name. This is, though, _very_ useful for us to be able to cache-bust the site JS and CSS at-will "just" by changing the SHA in the URL.

              The reason we put the cache bust string on all those places is simply because this way we can be conservative in the expiration time given when the "real" /Design/... file is requested (7d) and can be lax (13mo expiration) when the URL path is, instead, "more unique".

              Think of the /design_picker/SHA/PATH as a RewriteRule for /PATH, which adds a longer expiration time - that's pretty much exactly what it is; no more, and no less.

              It's (also) a cache buster, and it's working exactly how it should be - for the things that need it as a cache buster; for those who need it for the higher expiration time, it's also performing as required.

              Hope this helps! For anything more, though, webmaster@

              1. sabroni Silver badge
                Facepalm

                Re: That's a per asset cache bust string

                Thanks! Early in the morning but no real excuse....

      3. eldakka Silver badge

        Re: No f in button?

        My umatrix shows a (blocked) script from connect.facebook.net on the article page, so there is definitely something going back to facebook, whether it's the Like button or something else I have no idea.

      4. Richocet

        Re: No f in button?

        They don't need to run any scripts.

        The like button calls a number of resources from Facebook servers into your browser session, which allows Facebook to read and write cookies, and obviously learn which page you are looking at when and on what browser. Doing this on a large proportion of the web pages you visit builds up a substantial database of your browsing activity.

        1. Anonymous Coward
          Anonymous Coward

          Re: No f in button?

          "Doing this on a large proportion of the web pages you visit builds up a substantial database of your browsing activity."

          Do things like Trackmenot (look it up) still reduce the value of this "database of browsing activity"?

          Trackmenot is (was?) a browser extension which introduces a proportion of 'fake' browsing activities, unrelated to the real user's activities, thereby degrading the 'signal to noise' ratio of the snooped information, and (ultimately?) reducing the commercial value of the snooped info, perhaps to such an extent that it's no longer commercially intersting to carry on gathering it.

          Back in Blank Reg's day, it was the government or related organisations that were snooping on the people. Nowadays, the snooping has been outsourced to the social networks, and people 'voluntarily' submit their private lives to the eyes of Facebook, Amazon, Paypal, etc. The top brass in and around those companies then find interesting ways of monetising the snooped info. The people paying for the snooped info (often, but not always, government people) *might* be less interested if they knew it was polluted with lots of fakery (or, they might not).

          https://en.wikipedia.org/wiki/Max_Headroom_(TV_series)#Blank_Reg

    2. Nick Kew Silver badge

      Re: No f in button?

      I see no such button. Nor the buttons you describe as flanking it.

      I have no recollection of getting rid of them in my browser settings, but I guess I must have done. Perhaps it was a side-effect of getting rid of animations, which are the kind of ad that I absolutely refuse to allow on my screen?

      Hmm, come to think of it, I do recollect finding such irrelevant buttons annoying based on the sheer number of sites where the wretched things appear. Maybe I did explicitly block them?

    3. Hstubbe

      Re: No f in button?

      "at the bottom of this article, in between the twitter button and the linkdim button, is a button with an f in it". There isn't for me. Looks like your browser is broken, did it somehow disable or uninstall ublock origin? You.should not surf the web unprotected, it exposes you to malware and your privacy to unscrupulous data hoarders.

      1. This post has been deleted by its author

    4. N2 Silver badge
      Mushroom

      Re: No f in button?

      I never see any of that nonesense,

      facebook and the like get resolved to 127.0.0.1 and are also blocked in NoScript.

      Just to make sure, also been blocked in 'little snitch' as well.

    5. Anonymous Coward
      Anonymous Coward

      Re: No f in button?

      As far as I'm concerned the "f" stands for "Fuckwit" for using it.

    6. steviebuk Silver badge

      Re: No f in button?

      It does relate in that it's not the thumbs up button. It's just a link to their Facebook page so is fine.

    7. The Central Scrutinizer

      Re: No f in button?

      So el reg is being complicit in the data slurping it's reporting on. My irony meter just exploded.

    8. Warm Braw Silver badge

      Re: No f in button?

      I did point this out in response to an article on El Reg that was critical of Facebook's tracking. The comments were moderated and of course mine was rejected. However, I was contacted by the article's author and it did seem there were some internal discussions about the value of the social media links. Perhaps this will be sufficient to tip the balance.

      I have been using Firefox Focus, which avoids a lot of these problems. Sad to see it wither on the vine.

    9. adnim Silver badge

      Re: No f in button?

      What f button?

      Block known malware domains at the router

    10. This post has been deleted by its author

  2. Chris Gray 1
    Devil

    simple solution!

    Simple solution - use a tool like "NoScript" in your browser to block Javascript, and never allow any scripts from Facebook to run.

    In terms of other aspects of browser operability, your mileage may vary.

    1. Tomato42 Silver badge

      Re: simple solution!

      cool, I'll direct all the muggles that install it your way

      you know, to handle those "few" and "infrequent" support questions that "sometimes" will require your help

      /s

    2. IGotOut

      Re: simple solution!

      Wrong way.

      You shouldn't have to run No Script to protect your privacy.

      This is EXACTLY what is required.

      1. Joe W Silver badge

        Re: simple solution!

        Exactly. A workaround is not what we need. Same for intrusive ads, blocking them is dealing with the symptoms, not the disease itself. Now let us hope that they hit fborg with the GDPR....

        1. Remy Redert

          Re: simple solution!

          That'll be Ireland's responsibility, so little chance the. However this ruling means websites are going to have to unlink from the Borg or risk being in the line of fire.

      2. Doctor Syntax Silver badge

        Re: simple solution!

        "You shouldn't have to run No Script to protect your privacy."

        Agreed but there are good reasons to run it for security purposes. There are folk out there who couldn't care one way or another about your privacy, just your money or the use of your PC for mining.

  3. Anonymous Coward
    Anonymous Coward

    Just say no to FakeBook and the rest

    Block them all. NoScript, Ublock Adguard and the rest or just hosts file and firewall rules.

    Make your life a Social Media free zone.

    If you have to use them then do it from a device or a VM that has nothing personal on it. One IT Savvy woman I know has a separate VM each one. These are all connected via different VPNs. This is going to extremes but these [redacted][redacted] companies will stop at nothing to steal your life and sell it to advertisers.

    They really are blots on society and the sooner they die the better.

    Sadly, with the increase in Trash TV aka Love Island/big Brother/Get me out of here, all aimed at the 16-34 age group, I don't see this happening anytime soon. Fools and their money are easily parted.

    1. big_D Silver badge

      Re: Just say no to FakeBook and the rest

      I filter them out at the DNS level - they are blacklisted on my DNS server.

      But that isn't something the average user can do. This is something website owners need to be aware of and deal with in a responsible way.

      Heise (a German IT publisher) released the c't Shariff library for web developers back in 2014. It displays locally cached black-and-white images for each social media site, along with a slider (off by default), which will then load the real image and associated code, when the user activates it. The site can remember the users selected state in cookies.

      Original article, in German:

      https://www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html

      Github repository for Shariff:

      https://github.com/heiseonline/shariff

      1. Mike 16 Silver badge

        Re: Just say no to FakeBook and the rest

        Totally agree that a responsible website owner should use this. Of course, it is more profitable to sell out your users.

        Bruce Schneier ( https://www.schneier.com/ ) uses a fork of this. There is no (good) reason for a website not to, other than wanting to abuse the trust of their readers. More info at (gotten by clicking the 'I' button in the line of grayed social-sharing icons) :

        http://panzi.github.io/SocialSharePrivacy/

    2. eionmac

      Re: Just say no to FakeBook and the rest

      Is not "The Register" a social media site?

  4. Fred Flintstone Gold badge

    This is *news* ?!?

    This is not a slight on El Reg, more on the fact that it's taken that long for anyone to flag this in a manner that gets it to court because that's been known for, well, almost as long as FB (and the rest of the asocial bunch) have been spreading these trackers.

    There's another fun one floating around: a web developer is selling code that gets you logged with Google Analytics, even if you have it filtered out. In my opinion, that so much misses the point that the idiots deserve an educational court appearance too.

  5. Anonymous South African Coward Silver badge

    I see that f in button, and I'm not gonna clickee on that linkee

    Wonder if every EU-based company will be removing their f in buttons from their websites in order not to fall foul of this ruling.

    And will this, by implication, mean that world+dog also have to remove their f in buttons as well?

    1. 2+2=5 Silver badge
      Joke

      > And will this, by implication, mean that world+dog also have to remove their f in buttons as well?

      They can remove the F in buttons or get the F off - their choice.

    2. Anonymous Coward
      Anonymous Coward

      I see that f in button, and I'm not gonna clickee on that linkee

      Ah, but that's the problem with the widget approach - you don't need to click it. You have visited a page with an active signalling component, and FB/Google et al now know you've been there. That's also the deceptive bit behind advertising. It's not just that you get fed ads that "suit" you (according to the algorithm du jour), the very fact that you visited a site is also data that gets back to the advertiser. It's not just Google Anal-ytics that gives your presence away.

  6. James 29

    Facebook container

    I use Facebook container on Firefox for this reason. Facebook works perfectly, but all these buttons/widgets are blocked

    Great if you want to be able to use FB but not have all the rest of the tracking

    https://github.com/mozilla/contain-facebook

  7. mark l 2 Silver badge

    I don't foresee a sudden rush to completely remove these social media buttons from EU website as they get too much benefit from them, as when a customer likes and shares on social media its free marketing for the business. So I expect they will just remove the tracking code and cookies and make them into static links to avoid being liable as a data collector.

    1. Paul Crawford Silver badge

      That is still a victory for privacy. Just not as good a nuking FB from orbit.

    2. Doctor Syntax Silver badge

      "when a customer likes and shares on social media its free marketing for the business."

      The implication of this ruling is that it's no longer free. It's potentially very expensive. It will take a while for this to filter through to marketroids given that their standard MO seems designed to put the business at risk post GDPR.

  8. Mike 137 Bronze badge

    The big problem remains

    This is far from the breakthrough for privacy it appears to be from the article. The decision that FashionID is not a joint controller for the subsequent processing by Facebook is the crocodile on the sofa. The data subject is forced to sit on the sofa by FashionID, but whether the crocodile (Facebook) bites is not deemed to be under its control.

    Joking apart, the fundamental intrusion into privacy is not the information that a data subject visited this specific site (the collection of which is under the control of FashionID) but the cumulative profile of the data subject's browsing, which is entirely and solely under the control of Facebook. The latter's reliance on the vastly abused lawful basis of "legitimate interest" allows a data subject to object, but fat chance of this highly lucrative profiling being abandoned. The best offer of redress that has been made to me in a similar case is "you are free to submit a right to be forgotten request after every transaction".

    The one benefit of this judgement is that it provides grounds to object to a web site owner where automated and/or covert tracking is in use, but once again I don't hold out much hope of such an objection driving change. Legislation is toothless unless those constrained by it actually care.

    1. Anonymous Coward
      Anonymous Coward

      Re: The big problem remains

      Agreed to some extent. However Facebook have no say in whether a website uses this plugin it is up to the website to do it. Therefore the website is facilitating this data collection and is responsible to the visitor to make sure that this is in accordance to the law.

      Why would a website wish to take a risk on facilitating the collection of data, as a controller, when they can't ensure sufficient safeguards are put in place to process that data accordingly. They can then be jointly liable.

      What it should do is make websites remove these plugins (and use static links instead which will do the same thing without the passive tracking) so they don't risk getting fined.

    2. Doctor Syntax Silver badge

      Re: The big problem remains

      "Legislation is toothless unless those constrained by it actually care."

      Legislation with sufficiently large penalties is far from toothless if those enforcing it care to use them The whole principle of penalties is to make those constrained care whether they want to or not.

  9. Anonymous Coward
    Anonymous Coward

    And what about pixels?

    I am assuming that most sites who use these 'like' buttons are also employing the Facebook Pixel on their webpage.

    If that is the case, then one would also assume (though with less probability of being correct, I think) that these sites would have their cookie policy set to inform users of this.

    Naturally all these sites are set to not place any cookies at all before consent is given (hah), but once that is done is the like button not simply - from a visitor standpoint - a visible and interactive tracking pixel?

    What I'm really asking is, would it not be more likely that pages that want to employ these trackers (or help FB, Twitter etc. track people) simply update their cookie information thing (which nobody reads anyway?) to reflect the use of the like button?

  10. Tom Paine Silver badge
    Thumb Up

    Truly excellent news

    I'm cautiously encouraged by how GDPR is panning out, so far. Moar pls

    1. Anonymous Coward
      Anonymous Coward

      Re: Truly excellent news

      Hmm, the issue is that if a company wants to have subtle abuses - like crappy cookie consents, they will get away with it for a very long time (forever?). As the worst risk is they will be taken to court but could easily back out before that stage. In nearly every case they will carry on, claiming they are in the right, and will ignore requests from visitors and the ICO until the last minute.

      Sure, morally sound companies will comply, and there is a load more awareness about it. However companies like Facebook which are obviously contradicting the law in a number of ways are still doing it until they get hauled up over it.

      I see that any links posted on Facebook (I am 'forced' to use it at the moment due to circumstances outside my control) now get a facebook client ID appended to them. This means Facebook are sending, PII, to every website regardless of whether that website has asked for it or not.

      1. Jamie Jones Silver badge

        Re: Truly excellent news

        As you say, there is more moral awareness, and occurances like this help raise the awareness of privacy.

        A few years ago, it was a case of "yeah, they all track. what can you do?"

        It will be a slow process, but hopefully things like GDPR will help to eventually make such tracking socially unacceptable, and sites who clean themselves up will want to show off their "green" credentials.

      2. Doctor Syntax Silver badge

        Re: Truly excellent news

        "In nearly every case they will carry on, claiming they are in the right, and will ignore requests from visitors and the ICO until the last minute."

        This is behaviour which will result in the biggest fines. It will probably take quite a few big fines, well publicised before boards start to realise the risks presented by the self-narcisists in their marketing departments. Then there'll be the businesses owned by self-narcisists but those will always be with us.

        1. Anonymous Coward
          Anonymous Coward

          Re: Truly excellent news

          Nope, for most companies they won't be fined at all for this sort of thing. They will agree to a change of behaviour - similar to the ASA, not allowing a advert to appear in its current form again (after the advert has already been run).

          Let's see how many fines are handed out, now, to site that use social media plugins for 'likes' & 'shares'. I bet it will be so close to zero that I'll call it now as zero.

          1. Anonymous Coward
            Anonymous Coward

            Re: Truly excellent news

            "Nope, for most companies they won't be fined at all for this sort of thing. "

            Fining *companies* (or other organisations) rarely works. Penaties for the people who control the organisations is likely to be more effective, both as punishment and deterrent.

  11. pavel.petrman Bronze badge

    How about the "Web Analyst" business now?

    There is hardly a website worth visiting without the dreadful Google Analytics et al in it (which in turn makes many of said websites hardly worth visiting). Some declare it somewhere deep in their "we value your privacy" bullsh documentation, most do not. Yet there is no simple way for the web-browsing person to avoid being slurped naked (on desktop that is, on Andorid or other tablets the resistance is completely futile). I, for one, would love to see this practice addressed by authorities, and this development about the F-button goes in the right direction.

    1. Doctor Syntax Silver badge

      Re: How about the "Web Analyst" business now?

      NoScript blocks them. I won't be opening it up so it will continue blocking them.

    2. Jamie Jones Silver badge
      Big Brother

      Re: How about the "Web Analyst" business now?

      "We value your privacy" is in the context of a valuation - What they are ssying is "we put a monetary value on your private information"

  12. Rudolph Hucker the Third
    Stop

    For those using Firefox with the Facebook Container enabled, that Container shows an alert while visiting El Reg with this message:

    The Facebook "Like" and "Share" buttons that appear on shopping, news and other sites contain Facebook trackers. Even if you don’t use them, Facebook uses these buttons to track you. Facebook Container blocks these trackers and will display a fence icon to show you where these trackers were removed.

    Facebook Container removes their trackers on other sites. The following will not work:

    Facebook like, share and comment buttons on other websites. Facebook Container removes any trackers and related functionality.

    Logging in or creating accounts on other websites using Facebook. To log in using your Facebook account, you must allow the site past the Facebook Container boundary.

    https://support.mozilla.org/en-US/kb/facebook-container-prevent-facebook-tracking

    1. Evil Scot
      Paris Hilton

      I was harvested like that.

      That little cold snap last year caused a delivery from Dreams to be cancelled.

      Had to re-book online.

      FaceSpam spent the next 6 months advertising mattresses to me.

      1. Doctor Syntax Silver badge

        Re: I was harvested like that.

        "FaceSpam spent the next 6 months advertising mattresses to me."

        You know why, don't you? Because you let it.

        1. Anonymous Coward
          Anonymous Coward

          Re: I was harvested like that.

          Blame the victim?

        2. Evil Scot

          Re: I was harvested like that.

          All my browsers are "Do Not Track". (Computer Misuse Act?)

          After blocking every advertiser, I found out how to reset my "interests" in Facebook.

          Really should go to Dreams and inform them how Facebook attempted to Monitise the theft of their business.

      2. eionmac

        Re: I was harvested like that.

        "after you had your bed", this seems pointless. The advertisers paid FB to display items to a person who had already bought that item, and unlike food not routinely purchased every day. So advertisers paid FB for really no value, only FB profited.

  13. FrogsAndChips Silver badge
    FAIL

    "It is the controller, not the processor, who would be held accountable for any GDPR sins"

    No, no, no, nono, NOOO!

    Under GDPR, both data controllers AND data processors can be held accountable if they don't comply with their respective obligations and both can be fined in the same proportions if found guilty. That's one of the bug changes that GDPR introduced, that DP can now be fined directly by regulators.

  14. Mage Silver badge
    Devil

    Only image + link

    I've ALWAYS said that anything more than an image + link for ANY other site, Advert or Social media is immoral, toxic and dishonest data theft.

    Now, Google APIs, Google Fonts, clear pixels, third party cookies (at all), 1st party cookie when you didn't log in, Google Analytics?

    1. Jamie Jones Silver badge

      Re: Only image + link

      I agree with you. I think GDPR does too.

      Of course, the image hosted on the local site, a generic link, and referred from a generic url (so they can't grok a unique id ftom referral information)

  15. Anonymous Coward
    Anonymous Coward

    But what does it MEAN ?????

    Especially in the UK which seems to be immune to ECJ rulings on web privacy.

    Quick show of hands: whose employer has asked them to review their web portal as a result of this news ? Urgently or not ?

    I'm hazarding a guess it's close to - if not actually - zero.

    1. Doctor Syntax Silver badge

      Re: But what does it MEAN ?????

      "I'm hazarding a guess it's close to - if not actually - zero."

      That's because it needs to be followed up with fines that make whatever news media manglements read. And an awareness that this means YOU. Manglements catch on slowly. Once they do, just watch the panic set in.

  16. Dr Gerard Bulger

    They will get round it as you will "agree". So soon when you land on any web site you will have to tick T&Cs, before reading anything. and those will be will be 3000 words plus. Life is too short, tick and Facebook gets its data

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019