Facts about Social Plugin Privacy

- Did you know that social plugins (Like button, +1, etc.) transmit information which identifies you by name along with the Web sites you visit to online social networks? (Facebook, Google+, etc.)

- Did you know that certain social plugins are so sophisticated that access and transmit such private, identifying information even if your block third-party cookies in your Web browser?

- Did you know that information transmitted by social plugins and which identifies you to a social networking service (e.g., Facebook) is not entirely cleared when you log out from it?

- Do you realize that you cannot be aware of the existence of social plugins before you visit a specific Web page? Once you see them rendering within the page, they have already finished transmitting your information to the online social network (e.g., Facebook).

The widespread adoption of social plugins, such as Facebook's Like and Google's +1 buttons, has raised concerns about their implications to user privacy, as they enable social networking services to track a growing part of their members' browsing activity. Existing mitigations in the form of browser extensions can prevent social plugins from tracking user visits, but inevitably disable any kind of content personalization, ruining the user experience.

In this research project we propose a novel design for privacy-preserving social plugins that decouples the retrieval of user-specific content from the loading of a social plugin. In contrast to existing solutions, this design preserves the functionality of existing social plugins by delivering the same personalized content, while it protects user privacy by avoiding the transmission of user-identifying information at load time.

We have implemented our design in SafeButton, an extension for the Firefox and Chrome Web browsers, that fully supports personalization for seven out of the nine social plugins currently provided by Facebook, including the Like button, and partially due to API restrictions the other two. Our implementation also enables the use of non-personalized social plugins, such as those offered by Twitter, LinkedIn and other social networking services, without revealing unnecessary private user information.

As privacy-preserving social plugins maintain the functionality of existing social plugins, we envisage that they could be adopted by social networking services themselves for the benefit of their members. To that end, we also present a pure JavaScript design that can be offered transparently as a service without the need to install any browser add-ons.


Peer-reviewed Publications - Conference Papers

Privacy-Preserving Social Plugins. Georgios Kontaxis, Michalis Polychronakis, Angelos D. Keromytis, and Evangelos P. Markatos. In Proceedings of the 21st USENIX Security Symposium. August 2012, Bellevue, WA. (Acceptance rate: 19%)


Safebutton Logo We have implemented our design in SafeButton, an extension for the Firefox and Chrome Web browsers so that users of Facebook and other social networking services can benefit from it. Our code is freely available. We will soon be releasing the extension for Firefox.

The extension for Chrome will be available really soon! (pending Chrome Web Store review)

Safebutton currently prevents privacy leaks from the great majority (if not all) of the social plugins offered by Facebook, Twitter, Google and LinkedIn. It also offers functionality for Facebook's Like button, Twitter's Tweet and Follow buttons, Google's +1 button and LinkedIn's Share button. Safebutton supports full functionality for most social plugins offered by these social networking services and partial functionality for the rest. However, the code is still experimental and therefore is ommited from the beta release of the extension. More functionality will be added to the extension on a rolling basis.

DISCLAIMER: This is still experimental software and part of an ongoing research project.

BUGS: Should you find a bug in our software (e.g., come across social plugins which Safebutton fails to properly handle - either render them in privacy-preserving manner or at least prevent them from leaking sensitive information) please let us know! We rely on user feedback to keep improving Safebutton :)


Facebook's Like button instance
Instance of a Facebook Like button.

Safebutton's Like rendering
Safebutton's rendering of the same Like button.

Design Overview

Design overview of traditional social plugins.Design overview of Safebutton for privacy-preserving social plugins.
Loading phase of social plugins, e.g., a Facebook Like button. After a page is fetched (1), the browser loads the IFRAME of the social plugin (2). If the user is logged in on the social networking service (e.g., Facebook), the plugin receives and displays personalized information (3). Users are identified (and can be tracked) through the HTTP cookies included in the request. Unfortunately logging out of the SNS will not always hinder its tracking capabilities.The loading phase of privacy-preserving (safebutton) social plugins. When a social plugin is encountered (1), the Social Plugin Agent intervenes between the plugin and the SNS (2). The agent requests (3) and receives (4) only publicly accessible content, e.g., the page's total number of "likes", without revealing any user-identifying information to the SNS. The agent then combines this data with personalized information that is maintained locally (and has been fetched in the past in a privacy-preserving manner), and presents the unified content to the user (5).
Network Security Lab, Columbia University