by polemic 5385 days ago
The company says the data is sent because of the way the “Like” button system is set up; any cookies that are associated with Facebook.com will automatically get sent when you view a “Like” button.

They have a point. This is going to be the same for any site that has static content served elsewhere with cookies attached to the domain. Hot link to an image on my blog you commented on? OFFLINE DATA GATHERING ZOMG.


They don't really have a point; cookies are nailed to a specific domain or subdomain. If they really wanted to, they could easily associate the like button with a subdomain of Facebook if the user isn't logged in, such that the cookies associated with the user login don't get sent.

They don't really want to.

How would whatever system that does this discover that the user is or is not logged into Facebook? The javascript portion doesn't have access to cross-domain cookies, so that won't work. Anything else requires connecting to a domain such that cookies are passed on so that it could discover whether the user is logged in or out before passing it to a subdomain.

(I work at Facebook, but not on this.)

Hmm? Without pretty specific knowledge of the problem set Facebook is trying to solve with its current set of code, I am clearly unable to offer a solution that will resolve them all.

However, if one of the problems that they wanted to solve was 'we don't want to track user data unless they are logged in', they would have solved it by now.

The fact that they haven't means either (a) they just haven't thought about it or (b) they have thought about it, but do not want to solve it.

The purpose of the social plugins is to provide social context - telling you which of your friends has liked something, or that you are the first.

To do this, it needs to know who you are if you are a Facebook user that has not logged out. To do that, it needs to check the cookie that the Facebook web site sets when you are logged in.

Unfortunately, the web as it stands doesn't allow this interaction without divulging some information (time/date, browser, IP address, &c.) when the only interesting thing is who you are if you happen to be logged in.

This is the same problem that web analytics, certain comment systems, other social buttons, and other embedded functionality systems face.

About the best that can be done is explain what happens with that data when it is received - and that is explained at https://www.facebook.com/help/?faq=186325668085084

Dude, if I am a Facebook user who has not logged out, they can send cookies as much as they like.

The browser manages this - if they are logged in, set a cookie that will be sent to the hypothetical 'like' subdomain of facebook, if they are logged out, remove the cookie.

This kind of functionality is really not rocket science, there are dozens of ways to implement it and I feel kind of stupid talking about it.

There are reasons for Facebook not doing this, but they are not technical ones.

If they deleted the relevant cookies on logout then the problem would go away - I believe that's the crux of the issue, certainly for me anyway. Besides which, your hot-linking analogy, while technically correct, falls down when you consider just how many sites have a 'Like' button on them, compared with how many sites are hot-linking you - and more importantly how many visitors those sites get. It's hardly an equivalent scenario.

Hotlink an image? That's not how the Like button works. It's more like linking to an IFRAME with its own javascript. Slight diff.

Hardly. Hotlinking an image can send an FB cookie too, and that's all you need.

The JS can't break out of its frame, so that doesn't really matter. The cookie comes with the request (image, html or JS, it doesn't matter).

Gotcha. Interesting.

Thanks to both of you!
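The cookie-scoping points argued above (cookies are tied to a domain, a Domain attribute covers every subdomain, a host-only cookie for a separate like subdomain could be set at login and cleared at logout, and an image request carries cookies just as an iframe or script request does), as an added example that is not code from this thread or from Facebook. The hostnames, cookie names and values are constructed placeholders, and the jar is a minimal model of RFC 6265 domain and path matching with no public-suffix, Secure or SameSite handling.

```javascript
// Added example (not code from this thread or from Facebook): a minimal model of
// RFC 6265 cookie scoping, enough to show which cookies ride along with an embed request.
// Hostnames such as www.social.example / like.social.example are constructed placeholders.

class CookieJar {
  constructor() {
    this.cookies = [];
  }

  // RFC 6265 section 5.1.3: a host domain-matches a cookie domain when it is equal to it
  // or is a subdomain of it.
  static domainMatches(host, domain) {
    return host === domain || host.endsWith('.' + domain);
  }

  // RFC 6265 section 5.1.4: the request path matches the cookie path when equal, or when
  // the cookie path is a prefix that ends in "/" or is followed by "/" in the request path.
  static pathMatches(requestPath, cookiePath) {
    if (requestPath === cookiePath) return true;
    if (!requestPath.startsWith(cookiePath)) return false;
    return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
  }

  // Store a cookie the way a Set-Cookie header from `responseHost` would.
  // Without a Domain attribute the cookie is host-only (sent to that exact host);
  // with one it is sent to that domain and every subdomain of it.
  setCookie(responseHost, name, value, { domain, path = '/' } = {}) {
    // A response from one host cannot set a cookie for an unrelated host or subdomain
    // (RFC 6265 section 5.3, step 6).
    if (domain && !CookieJar.domainMatches(responseHost, domain)) return false;
    const cookieDomain = domain || responseHost;
    this.removeCookie(name, cookieDomain, path); // replace an existing cookie with the same key
    this.cookies.push({ name, value, domain: cookieDomain, hostOnly: !domain, path });
    return true;
  }

  // Delete a cookie; a real server does this with Set-Cookie and an Expires date in the past.
  removeCookie(name, domain, path = '/') {
    this.cookies = this.cookies.filter(
      (c) => !(c.name === name && c.domain === domain && c.path === path)
    );
  }

  // RFC 6265 section 5.4: the Cookie header built for a request URL. Nothing here looks
  // at what the URL points to: an image, an iframe document or a script all get the same list.
  cookiesFor(url) {
    const { hostname, pathname } = new URL(url);
    return this.cookies
      .filter((c) => (c.hostOnly ? hostname === c.domain : CookieJar.domainMatches(hostname, c.domain)))
      .filter((c) => CookieJar.pathMatches(pathname, c.path))
      .map((c) => `${c.name}=${c.value}`);
  }
}

// Case 1: the login cookie is scoped to the parent domain, so every subdomain receives it,
// a Like-button endpoint and a hot-linked image alike.
function sessionOnParentDomain() {
  const jar = new CookieJar();
  jar.setCookie('www.social.example', 'session', 'abc123', { domain: 'social.example' });
  return {
    likeButton: jar.cookiesFor('https://like.social.example/plugins/like?href=x'),
    image: jar.cookiesFor('https://static.social.example/img/logo.png'),
  };
}

// Case 2: the arrangement proposed in the thread. The session cookie stays host-only on
// the main site; a separate host-only cookie for the like subdomain is set at login and
// removed at logout, so embed requests carry identity only while the user is logged in.
function hostOnlyLikeCookie() {
  const jar = new CookieJar();
  jar.setCookie('www.social.example', 'session', 'abc123'); // host-only, www only
  // Only a response from like.social.example can set its host-only cookie, so the login
  // flow has to involve that host (for example a redirect through it); setting it from www fails.
  const crossHostSetRejected = !jar.setCookie('www.social.example', 'like_ctx', 'uid42', {
    domain: 'like.social.example',
  });
  jar.setCookie('like.social.example', 'like_ctx', 'uid42');
  const loggedIn = jar.cookiesFor('https://like.social.example/plugins/like?href=x');
  const imageWhileLoggedIn = jar.cookiesFor('https://like.social.example/img/pixel.gif');
  // Logout: both cookies are cleared, so later embed requests are anonymous.
  jar.removeCookie('like_ctx', 'like.social.example');
  jar.removeCookie('session', 'www.social.example');
  const loggedOut = jar.cookiesFor('https://like.social.example/plugins/like?href=x');
  return { crossHostSetRejected, loggedIn, imageWhileLoggedIn, loggedOut };
}

console.log(JSON.stringify({ case1: sessionOnParentDomain(), case2: hostOnlyLikeCookie() }, null, 2));
```

Case 1 reproduces the point made in the thread that a hot-linked image is enough: the `session` cookie is sent to `static.social.example` and `like.social.example` alike, because the Domain attribute covers all subdomains. Case 2 is the proposed alternative, and the rejected cross-host `setCookie` call shows the one real constraint on it: the like subdomain's host-only cookie can only be set by a response from that host, so the login and logout flows have to touch it.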

The difference is, that's not linked to your FB account and friends network / social graph.

Not that third-party cookies aren't a big privacy issue, but this goes one step further.