Facebook Like, social sharing buttons on your website may land you in GDPR hot water if data goes a-wanderin' In a case being considered by the European Court of Justice (CJEU), Advocate General Michal Bobek argued on Wednesday that website operators should share some responsibility with providers of embedded web widgets for ensuring that any data collection complies with legal requirements. In other words, if you embed a Facebook ' …
I was sent a link to an article for a UK newspaper by a friend, I opened the site and they had the privacy policy shown up front, OK to continue or control privacy settings. I chose control...
It displayed me a list of 275 tracking sites that were linked to the site and all were defaulted to ON! On top of that, there was no option to disable all of them, I had to literally click 275 times on the page to turn off the tracking. It is the last time I will visit that site or any other site that takes the Michael like that!
You'll probably find there is a button to turn them all off, however it won't be marked as such. The site you are talking about may have had a button called "measurements" which when clicked killed all the individual providers.
However, this very site probably does not have GDPR compliant cookies in place and the only options for logging out are by going to the individual mentioned sites and trying to work out how to do it from there. They also rely incorrectly on "legitimate business reasons" which, does not actually mean what the companies who rely on it think it means.
"I did look for any method of disabling them all, there wasn't one. I've landed on a few other sites that did have such an option. This one was just plain hostile."
Let me guess. What used to be Trinity Mirror Group? I think it's now called Reach.
"f it was one of the Mirror(Reach) group then there is a button - I was wrong about measurement it is called information and storage."
And it does absolutely nothing to the huge list of pre-ticked opt-in boxes. At least it doesn't in my browser. Possibly it might if I opened up to the huge list of sites that want to run scripts on that page but that defeats the object. And in any case it doesn't affect the basic offence against GDPR. By being pre-ticked they're opt-out not opt-in.
"If it was one of the Mirror(Reach) group then there is a button - I was wrong about measurement it is called information and storage."
Ah, I understand. The information is: Beware of the Leopard
The storage, of course, is locked, in a disused lavatory, in the basement. There are no stairs. Or lights.
The one with the electronic thumb in the pocket, of course.
"You'll probably find there is a button to turn them all off, however it won't be marked as such."
There's one opt-out page I've encountered several times which has a big "conitinue" button which takes you nack to the opt-out selection unless you have opted-in and the way to retian the opt-out is to cliick the word "leave" which is in much smaller fontsize just below the the huge "continue" button.
Seems like GDPR is going to throw one hell of a monkey wrench in the current ad paradigm.
I really hope you're right, but I think if it does the corporate lobbyists will start a whisper campaign that the GDPR will hamstring the EU economy and some holes will be carved in it before long.
"corporate lobbyists will start a whisper campaign that the GDPR will hamstring the EU economy and some holes will be carved in it before long."
They'll find FB et al have irretrievably fouled the nest.
Some more conscientious site operators do not embed the Facebook button from a FB server (as that means a user is actually downloading an asset from FB servers, giving them the metadata mentioned in the article). Instead you can just locally host the image on your own servers with a link behind it that only gets activated if someone clicks on it.
It is a great way to take your visitor's privacy seriously but still have the option of some of them choosing to 'Like' your site.
Once upon time, having link on webpage was just that, link. No data collected, just link that would take you to the site. Most people (sheeple?) seem to think that is all the links do now. The damn things are shipping everything back to the mothership whether you click on them or not.
The best we can probably hope for is a return to the old method. But then the cool kids won't be able to tell the world where they're having lunch without actually logging in and posting.
long before GDPR. Under the previous data protection rules it was still illegal.
That is why heise publiching in Germany (also runs the Heise Security website) published the Shariff module in 2014, which can be added to any website.
It shows greyed out social media icons with sliders next to them. When you explicitly want to share with a specific social media site, you can change the slider of the relevant icon and it becomes active and only then does the relevant code for that website get loaded.
Until the social media giants exercise their rights and prevent third parties publishing colourless images of their trademarks...
Making the tracking optional doesn't really solve the problem - people really don't have any clue about the full consequences of opting in and are unlikely to accept that, say, foreign governments could start influencing their voting intentions as a result. The whole business model needs to be outlawed.
"Until the social media giants exercise their rights and prevent third parties publishing colourless images of their trademarks."
In that case the site owners would have to weigh up their options and not having the media buttons seems increasingly likely for someone who has taken this precaution in the first place.
Yep, pretty much an open and shut case. The "like" button is very clever marketing by Facebook but it really is just a tracking beacon and one of the reasons for the GDPR. More importantly, companies that use gimmicks like this are fooling themselves: while they can collect some data, they can only get what Facebook will give them, while Facebook gets to keep everything and aggregate it so that they can track users across the internet; they can (and do) even sell the data collected to companies' competitors. Would be nice to see more emphasis on the business aspects in these kind of stories.
The problem is that Facebook, Pinterest, Twitter etc offer little code snippets for a site builder. People thoughtlessly include them.
If you MUST promote these toxic parasites, (Pinterest and Youtube are not just personal info thieves but serial copyright infringers), then put an icon/image and an HTML link. NO script. The scripts are tracking* people that load the page, not just those clicking. Surely that's been illegal even before GDPR?
(* i.e. ALL the browser info that the host page gets, which is still too much due to idiotic deliberate design. Browsers share too much).
"care to hit the Facebook like button"
It's just an image with an HTML link, not the snippet that FB offers. Unless I'm missing something due to uMatrix. AFAIK El Reg has used "polite" legal SM icons for some time. Right click and "inspect element" if using Waterfox or Firefox.
That's the problem with the FB (and others) supplied snippit. It tracks using scripts. If you have facebook scripts but not the facebook domains hosting the image etc blocked, then to an extent FB still senses the traffic and maybe even get your browser stats. I'm not sure how much a non-unique URL of an image exposes. Usually "clear" pixels as trackers have a unique per page URL. Also why ALL remote content, not just scripts, but remote images are blocked in my email client. Often email remote images have unique "fake" url suffixes after the / for the main domain to enable per destination delivery verification. Website image trackers are similar.
It's time that the ONLY 3rd part content on a website is a non-unique URL that is only an HTML link, no image loading, script or tracking suffix. It may even be a legal requirement already, even before GDPR in Europe, it's just people like Irish Data Commissioner are "lazy" (Google moves ALL EU T&C to Google Ireland from Google LLC in Jan, yet STILL has no clear opt out and by defaults tracks).
Time to ditch Google API, Google Fonts and Google Analytics etc. All the equivalents can be hosted free on your own server. Stop giving Google a free ride. No Google service is free. Ordinary users pay via their usage.
"Also why ALL remote content, not just scripts, but remote images are blocked in my email client."
Me too. I also don't allow my mailreader to interpret HTML.
Someone where I work didn't realize that this was possible, and asked me why I never read her emails. I told her that I do, and why does she think I don't? Turns out it's because the program she uses embeds a tracker that lets her know who has opened it, but since I block all that stuff, she never got notification that I did.
That made me very happy.
Interesting that (at least on my screen) the reddit, twitter and linkedin icons are all anchor links to a sharing url but the facebook one is 'just' an image, not a link, although the cursor reacts to it so presumably (cba to look) some scripting to do 'stuff' with it when clicked.
Reg at least gets a thumb up for them not being evil tracking things, assuming the above mentioned script isn't doing that...
The current fashion is to use Instagram (and several similar sites). The difference between them and Facebook is that they are designed to be embeddable and provide resources without which you cannot read the page - f.e. pictures. If you are Joe Average luser and you have an Instagram account appropriate information is collected and the page owner gets it by being subscribed to the relevant APIs as an "advertiser" or a "partner".
A good example (apologies for linking RT, but they are one of the most exemplary slimef*cks to use it): https://www.rt.com/news/445645-miss-universe-iceland-russian-origin/
Seemingly harmless article with some blond beauty queen clickbait. It is set up for data collection of who you are. By the way a significant chunk of the material USA now blames to be Instagram election interference was probably uploaded on Instagram for similar purposes - use it as a CDN which captures detailed user data in the process and it is not something to which they fess up openly so they are at present a GDPR fair game. They are not the only ones too - there are USA sites working for their "adversaries" doing that.
One thing I never do these days is to directly go from site to site. If I'm looking for something I get a list from the search engine (usually startpage), then close the browser. My browser is configured to delete all cookies on exit. When I go to one of the sites on the list in a new session they get very little info about me - and if I see that 'Like' button it's immediate shut down.
The only time I ever use google is when looking up software and programming info (it does tend to be quite good for that), so they must have a very slanted profile for me!
That might seem tedious and overkill, but it's surprising how quickly it becomes a habit and it doesn't actually slow me down - just a few seconds against many minutes actually on a site.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
