A Tale of Facebook Tracking

December 17, 2020

A short exchange on Twitter with a bit of snark led to a friend discovering just how pervasive Facebook tracking is on the web.

Someone I follow on Twitter posted wondering why folks weren’t on Instagram.

I replied that I am trying to avoid Facebook as much as possible.

A friend, Jim Rea, jokingly replied with a flip Yoda quote “There is no try, only do”.

I checked out my friend’s business website and the Safari Privacy Report noted that it was blocking two different Facebook trackers.

So I replied:

“That's much easier said than done.

For example on many websites (including your own) I try to avoid Facebook, but I do end up encountering Facebook tracking scripts.”


My friend was completely flabbergasted as this took him completely by surprise. He had no idea there were Facebook tracking scripts on his site.

Jim is a longtime Mac developer. He released the first version of his company’s flagship product, Panorama, in 1988. His app has been around longer than BBEdit. He’s run a successful business as an indie Mac developer for over 30 years.

He contacted me privately because he wasn’t seeing the Facebook tracking that I was seeing. So we did a little investigating.

A Little Investigating

When I inspected the page in Safari using Inspect Element, the Facebook scripts were present. But if I looked at the HTML source that Safari had downloaded, the Facebook scripts were nowhere to be seen.

Some other script embedded in the page was adding the additional Facebook script elements to the page.

His website being important to his business, Jim knew exactly what analytics he was using on his site. This wasn’t a case where he had outsourced the website to someone else. And those analytics scripts were exactly what was in the downloaded HTML.

We figured out that Jim wasn’t seeing the Facebook scripts when he browsed his own site because he had a browser extension installed that prevented the additional scripts from being injected. As soon as he turned off the extension and refreshed—there they were!


Jim tracked down and removed the script that was installing the Facebook scripts. You can visit the Provue site to see for yourself.

This episode really brought home for me the incredible pervasiveness of cross-site and cross-app tracking.

It also made me realize the importance of bringing information to light. If it were not for the new Privacy Report in Safari, I would not have dug into that site’s HTML just to make a snarky Twitter comment to a friend. That report makes what had been obscured for many years very obvious and discoverable.

And finally it also demonstrated to me just how insidious and hidden this tracking can be. In this case, even a diligent, technically knowledgable developer ended up unknowingly having Facebook tracking scripts on their site.

Google Analytics And Alternatives

If you visit the Provue site in Safari and look at the Privacy Report, you’ll notice there is one tracker still present, and being prevented from profiling you—Google Analytics.

Google Analytics is very popular and widely used. It can gather extremely detailed site analytics and it is free, except for very high traffic sites.

As an example of its pervasiveness, as of today, the Safari Privacy Report for the popular site Daring Fireball also lists Google Analytics as its only blocked tracker.

Choosing Analytics

I like having some web analytics. I essentially want to know how many visitors showed up and what pages they viewed. On the BuildSettingExtractor site, I like to know how many times the download link was clicked. Seeing referrers is nice too, as it’s often how I find out if a post or site has been linked to in an article or newsletter.

When I moved this site off of Wordpress, I no longer had built-in analytics. I signed up for Google Analytics because it was free. That lasted about two weeks.

It bothered me that Safari needed to block cross-site tracking on my site. Also, I found that Google Analytics is much more complex than I need or want. There also seems like there is a one-day delay in seeing your full analytics. The best thing about it for me was that it is free.

So, I started looking for an alternative. I found a website No More Google that lists privacy-friendly alternatives for various Google products. I looked through the options, comparing features, and found that Fathom was going to be the best choice for me.

Fathom For Me

Fathom provides the set of analytics I was looking for, plus it’s simple and privacy-minded. Fathom doesn’t use cookies, so no need for that annoying cookie notification. The service anonymizes users so no identifiable user information is ever tracked. Finally, Fathom allows you to set up unlimited sites. As someone with multiple low-traffic sites, this was a big plus. Finally, I have a static site, so a self-hosting solutions were not going to be an option.

Fathom is not free but I found the cost reasonable. Its focus is on being a sustainable business that makes its money through selling its service, not by collecting and selling information.

I’ve been using Fathom for about a month now. I’ve been happy with the features and how it works. A support request received an incredibly fast response, so my experience with their support has been good.

If you’re looking for privacy-centric analytics, consider all of the services listed at No More Google.

Of course, different folks have different needs for analytics. But if your needs are similar to mine, I’d recommend taking a look at Fathom. I’ve had a good experience so far.

If you decide to look at Fathom, you can use this affiliate link for $10 off your first invoice. (Ironically the buttons on that page set a cookie to ensure you get the $10 credit.)

To Track Or Not To Track

In the past month, I’ve been thinking about web analytics and tracking scripts for my own sites, but also managed to discover some on a site that surprised the site’s author.

If you have your own sites, you have an opportunity to choose how and if to collect analytics. But even then, it is important to be vigilant, since you could be inadvertently be getting more tracking than you had expected. •