Internet users tap Facebook Inc.'s "Like" and Twitter Inc.'s "Tweet" buttons to share content with friends. But these tools also let their makers collect data about the websites people are visiting!
These so-called social widgets, which appear atop stories on news sites or alongside products on retail sites, notify Facebook and Twitter that a person visited those sites even when users don't click on the buttons, according to a study done for The Wall Street Journal.
The widgets, which were created to make it easy to share content with friends and to help websites attract visitors, are a potentially powerful way to track Internet users. They could link users' browsing habits to their social-networking profile, which often contains their name.
For example, Facebook or Twitter know when one of their members reads an article about filing for bankruptcy on MSNBC.com or goes to a blog about depression called Fighting the Darkness, even if the user doesn't click the "Like" or "Tweet" buttons on those sites.
For this to work, a person only needs to have logged into Facebook or Twitter once in the past month. The sites will continue to collect browsing data, even if the person closes their browser or turns off their computers, until that person explicitly logs out of their Facebook or Twitter accounts, the study found.
Last year, Facebook introduced the "Like" button and other "smart" widgets. The widgets work with cookies that Facebook places in a Web browser when a user creates an account or logs in to its site. Together, they allow Facebook to recognize its users on any site with Facebook widgets.
Bret Taylor, Facebook's chief technology officer, says the technology lets websites show visitors what articles their friends liked, for example. "We don't use them for tracking and they're not intended for tracking," he says.
But Facebook says it still places a cookie on the computer of anyone who visits the Facebook.com home page, even if the user isn't a member. Mr. Taylor says Facebook uses such cookies to protect the site from cyberattacks by people who try to break in to users' accounts, among other things.
Until recently, some Facebook widgets also obtained browsing data about Internet users who had never visited Facebook.com, though Facebook wouldn't know their identity. The company says it discontinued that practice, which it described as a "bug," earlier this year after it was disclosed by Dutch researcher Arnold Roosendaal of Tilburg University.