Starting in April 2014, you may have noticed social referrals from Facebook coming into Google Analytics (GA) as source/medium lm.facebook.com and l.facebook.com. These referral visits from Facebook were being reported as visits from an unknown source until Facebook implemented the link shim. The link shim is designed to protect the personally identifiable information (PII) of users, and to warn users with an interim page when they are at risk of being redirected to a spammy or malicious website.
Here is a screen shot of lm.facebook.com and l.facebook.com referral sessions reported in the GA interface. m.facebook.com is mobile, and l.facebook.com and lm.facebook.com are referrals from Facebook via the link shim system.
The link shim allows marketers more visibility in terms of where users came from. When a user is on the internet using a secure server network, their activity and identity are highly protected. You many have seen or heard about HTTP versus HTTPS server headers. Put simply, the difference between an HTTP and an HTTPS server header is that HTTPS is secure from wire-tapping and “man in the middle” attacks. You can see Facebook with the secure server header HTTPS in the example screenshot below.
Before the link shim, visits from users operating on a secure server network came in as unidentifiable. This is because when a user is on a secure network, the referer header is not passed along. Basically what this means is that when a user clicks on a hyperlink and lands on a webpage, that destination webpage has no information about where the user came from.
In terms of privacy protection, Facebook provided a real word example of the link shim in action. It makes a lot of sense and it is fairly simple to understand. Let’s say hypothetically, the URL of a page in your timeline is www.facebook.com/yourname1, and someone clicks on a link from that page in your timeline to www.mywebsite.com. I can then see that the user had clicked from www.facebook.com/yourname1 to get to my site. I would then be able to identify exactly who you are because you shared a link to my site on a page in your Facebook timeline that someone clicked on. Some marketers may see this as a draw back because of course we want to know the identities of people we can target! Having said that, there are better ways to get to know your audience without violating their rights.
Facebook has a list of websites that they deem dangerous in some way. The list is refreshed on a regular basis. When a user is on Facebook or accessing Facebook through their email and they click on a link, Facebook cross checks the link with their database and warn the user if the site they are going to be redirected to is flagged as malicious.
In short, the link shim is a great system for both digital marketers and users. Digital marketers can report the ROI of Facebook more accurately. Users can rest assured that their identity is secure, and that they will not end up on malicious websites if they click on a link from Facebook.