WebProNews Ad Rates Click Now!
Read WebProNews
With Friends!

Is Facebook Tracking Everywhere You Go Online?

Logging out doesn't seem to help, says one writer

Get the WebProNews Newsletter!
By · September 26, 2011 · 75 Comments
Is Facebook Tracking Everywhere You Go Online?

Is it possible that Facebook is tracking your web browsing activity, even when you are logged out?

According to Australian hacker and writer Nik Cubrilovic, Facebook could know that you are reading this article, simply because we, like most sites nowadays, have a Facebook share button.

Cubrilovic ran a little test involving cookies and found that logging out of Facebook does not mean that Facebook can’t still know every page you visit on the same browser.

Is it possible to be both private and social? Is privacy a long lost cause because of social networking like Facebook? Let us know what you think.

On his blog post on Sunday, he shows what cookies are sent during a logged-in Facebook user’s visit to Facebook.com compared to a logged-out user’s visit to Facebook.com. Logging out is apparently supposed to prompt the deletion of certain identifiers, but that doesn’t happen, says Cubrilovic.

The primary cookies that identify me as a user are still there (act is my account number), even though I am looking at a logged out page. Logged out requests still send nine different cookies, including the most important cookies that identify you as a user

This is not what ‘logout’ is supposed to mean – Facebook are only altering the state of the cookies instead of removing all of them when a user logs out.

This means that whenever you visit a page online that has a Facebook share button, like button or any other related widget, all of this pertinent information is being sent to Facebook. That’s how they can know where you are going on the web.

This shouldn’t be news to anyone. It’s right there in the Facebook Privacy terms -

We receive data whenever you visit a game, application, or website that uses Facebook Platform or visit a site with a Facebook feature (such as a social plugin). This may include the date and time you visit the site; the web address, or URL, you’re on; technical information about the IP address, browser and the operating system you use; and, if you are logged in to Facebook, your User ID.

But the revelation here is that this information is available even when you are logged out, as the cookie experiment notes. And people might wonder what all of this data does for Facebook -

The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.

Apparently, Cubrilovic has been sitting on this information for a while, and has reached out to Facebook without any substantial response. He says that he was prompted to share this information due to the renewed privacy discussions happening across the internet regarding all of Facebook’s upcoming Open Graph changes and “frictionless sharing.”

That “frictionless sharing” phrase is one that Mark Zuckerberg used quite a bit in his f8 keynote. He explained that it meant users can share their activities across the web to Facebook without having to really think about it. The melding of Facebook and everything else, per say.

Some have privacy concerns, fearing that since applications will be allowed to post things to Facebook regarding your actions without explicit opt-in authorization, users might share stuff on Facebook that they really don’t want to share.

ZDNet has obtained a response from Facebook. They explicitly state that Facebook does not track users’ web activity. They also explain the purpose of logged out cookies -


Facebook does not track users across the web. Instead, we use cookies on social plugins to personalize content (e.g. Show you what your friends liked), to help maintain and improve what we do (e.g. Measure click-through rate), or for safety and security (e.g. Keeping underage kids from trying to signup with a different age). No information we receive when you see a social plugins is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information.

Specific to logged out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of ‘keep me logged in’.

Facebook has responded in an additional way as well. As of today, the so called “a_user” cookie, the one which contains the user’s ID, is now destroyed upon logging out. Facebook said that “there is a bug where a_user was not cleared on logout, we will be fixing that today.”

Cubrilovic has updated his blog to discuss this change. He still warns about privacy, saying that the remaining post-logout cookies will still be there, and as a Facebook user, you just have to trust that they are using them for what they say they are using them for (see above).

Facebook has changed as much as they can change with the logout issue. They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc. I would still recommend that users clear cookies or use a separate browser, though. I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe.

In a nutshell, Facebook still has access to information about you when you logout. They give their specific reasons for keeping specific cookies active – mainly security and protection. I guess it’s up to Facebook users to decide if this explanation is understandable, or if measures like Cubrilovic suggests need to be taken – specifically wiping all cookies or using different browsers.

Privacy concerns and Facebook are the peanut butter and jelly of the social networking world, but it sure doesn’t seem to be hurting business.

What do you think? Is Facebook’s explanation satisfactory? Do you worry about your privacy as a Facebook user? Let us know in the comments.

RELATED ARTICLES:

Want To Work For Facebook? Here Are The Nearly 400 Positions They’re Hiring For

Want To Work For Facebook? Here Are The Nearly 400 Positions They’re Hiring For

Facebook, as you might expect from a freshly public Internet behemoth, has been hiring a bunch of people. Inside Facebook points to the company's LinkedIn feed, as well as its own Careers page. ...
Facebook Promoted Posts Feature Starting to Show Up for Some Pages

Facebook Promoted Posts Feature Starting to Show Up for Some Pages

According to a couple of sources out there in the internet, Facebook has started to roll out the Promoted Post feature for Page administrators. Whenever the feature arrives for you and yours, you'll ...
Facebook And Bolt Peters Join Forces

Facebook And Bolt Peters Join Forces

I wouldn't say that the current Facebook design is anti-user friendly, but it could use some improvements. Facebook's latest hiring suggests that they're taking user experience very seriously. Y...
Top Rated White Papers and Resources
There are 75 Comments. Add Yours.

  1. I think most people are going to continue using Facebook regardless of the privacy concerns. Do they track your every move… Maybe. But how many people log into their Gmail account using either Google Chrome or the Google Toolbar? As long as your logged in Google watches your every move too.
    Where’s the hype about that?
    Bottom line. Be aware of what you do and say online because there’s no takebacks. :)

    • Riki
      Reply

      Facebook is the big eye of Sauron?

    • Riki
      Reply

      Yes, but Facebook stores photos and never deletes.

  2. lp
    Reply

    Compared to Google, Facebook is a beginner at this stuff. It seems that soon enough online privacy will be a thing of the past, told by ageing folk to their grandkids.

  3. jla
    Reply

    Remember, remember, the 5th over November…

    • anon
      Reply

      of*, der.

  4. Bill Jackson
    Reply

    Right now I’m waiting to find out whether this is real, or just another overblown panic attack. If the doubt turns out to be real I’ll delete Facebook from my computer.
    I don’t need to know absolutely that they are invading my privacy. If the *doubt* is credible it’s goodbye.

  5. Gery
    Reply

    May be he is right but from my point of view,i don’t think they have to do it because they already know what a person want on web.
    Cubrilovic provide here a good analysis and self experience.I think i have to try out this one.

  6. Well, of COURSE Facebook tracks you everywhere you do. So do most web apps that use cookies. This should not come as a surprise to anyone.

    What ALSO should not come as a surprise to anyone is that these places do NOT log you out, and that your “agreement” to being cyber-stalked is buried in the pages-long user agreements from everything from email on down.

    Bottom line: You want privacy? Get off the web. If you’re online, someone is stalking you.

  7. There needs to be some federal laws passed that protect internet users. When a person is logged out of a site, the understanding is that they are finished with the service, so cookies shouldn’t be allowed to track anything the user does. Any tracking that goes on while a person is not logged in should be something that is opted into and not buried deep in the terms of service/privacy agreements.

  8. ruger98
    Reply

    No, facebook‘s explanation is far from satisfactory. I do NOT trust facebook whatsoever.

  9. Jim Hudspeth
    Reply

    It is no longer problem in our house. We stopped using Facebook at least a year ago; miss it like a toothache.

  10. There’s a simple answer. Install a different browser to use for facebook only. That’s what I did. I also don’t approve any facebook aps, and if I want to endorse a website I do so by posting a link directly on facebook.

    You can also kill the facebook cookie when you log out.

  11. B J
    Reply

    Perhaps its time someone developed a High Privacy Browser which blocked any cookie activity and did not
    use any information over the web other than a login name and password and any data being transmitted would
    not be recorded in any way.
    I expect there is a law against that!!

  12. If Facebook can tell us what our friends like, that means that they gathered data everywhere our friends went on the internet. That means they are gathering the same data on me too. I did not think about this untill this article brought it out. Privacy no longer exists on the internet. Agreeing to Facebooks signup agreement gave away our personal privacy. The same thing is happening when you click on some of the ads. It follows you around and reports back to the ad agency.

  13. Todd Herman
    Reply

    Al i gotr to say is read this post and you tell me, do we have internet provacy at al anoymore?

    New Canadian laws would kill all internet privacy.

    http://www.nupge.ca/node/2375

  14. It would appear that privacy is a thing of the past. We’ve placed ourselves in the position that we cannot live without these apparent amenities only to discover that they may not be as good as they first appeared. But, does this only apply to facebook? Browse with caution.

  15. Google has been doing this for years and they are by far a bigger and badder brother. Of course Facebook is tracking everywhere you go. I’m a programmer and I would. Good systems design is tracking your users activities. If Facebook is not tracking every website you are going to and matching that with a timeline of what you share online to basically track every second you are online, then they are foolish.

  16. polly dee
    Reply

    If someone logs into their facebook account on my computer and then logs out, does that mean facebook is now tracking my surfing habits?

    • If you don’t have a fb account then i would suppose that they are tracking you but are relating your browsing habits to that person that logged in to your computer and are sending those results back to fb headquarters.
      Now if you have an account too, then they are tracking your habbits too.
      I wonder how they know the difference between one user and another user on the same computer logged in on the same user (on the computer). I would assume that they would just track the last one to log in, anyone have any inside info on this??? I’m just guessing here, so if anyone has some actual knowledge on this it would be nice to hear from you.

      • I was just playing around with fb with my real account and a fake account i made. First of all the amount of cookies fb uses is rediculous, i’ve counted up to 12 cookies at certain times when browsing the site! Most of the time there are about 7 of them from the time you go to your profile page till you log out and close your browser.
        When you open your browser again you still have about 4. 2 of these expire 2 years later and 1 has a expiration date of a week later and the other one has a date that has already passed. the time right now is 7:15pm and the cookies expired today at 5:16:59 pm EDT (I live in the EDT time zone) this last one seems to be recording the last page i visited on fb.
        I tried to open the cookies sql from firefox but it was encrypted for the most part ):
        Anyways just thought I would post things I figure out, maybe somebody else can make some more sense out of fb and their cookies, cause i don’t believe what the spokesperson from fb says, and why should we facebook has lied so many times that their word means absolutely shit to me!

  17. Free fat loss information that could be the best weight loss solution on the internet today.

    • Mark
      Reply

      You be trollin’, Dawg.

  18. Absolutely I agree! I have deleted my profile in the past with no way of fully deleting it. When I signed back in, there it was. This recent week with the launch of the new Google+ (G+), I was very happy to leave Facebook with my personal profile and all of the long lost friends I never chat with anyway. Anyways, they now wouldn’t let me change my primary email address. After many attempts, it seemed like I finally did delete it after switching my primary. Now that this post is here. I want to go and try and retrieve it and see what happens. I never trusted Facebook online for many reasons. Great post!

    • if you deactivate your account it doesn’t delete it for 14 days! and if you do anything related to fb like clicking a like button on another site your fb account will be reactivated with all your pics,friends etc like it never happened!
      To actually delete your account you have to visit this link after you log into you fb account.
      http://www.facebook.com/help/contact.php?show_form=delete_account

      The real funny thing is that I could not find this page using facebook, I had to use google to find it by searching “delete facebook account”.
      This is just another sneaky thing facebook does.

  19. This is not surprising at all. Facebook is one giant data mining operation. This is why I always clear my cookies, cache, browsing history, everything after I use Facebook and when I log off the internet completely.

  20. I can tell that right now when I’m posting this message even Your site is tracking my moves such as:
    my IP, HTTP_referer, and so on.
    So about security of using facebook – there is no security at all. Here is the explanation:
    1. Your acc. at facebook – login and pass..
    2. I have dynamic IP. and I hadn’t logged out while my provider changed my dns.
    3. Somebody also made 2nd step.
    4. The result I can login to his/her acc.

    explanation 2:

    If your IP is static – all the servers could trace our routes.

    Explanation 3.

    javascript tool – to trace all actions from logged user at outer sides (sites where “facebook like” is embed)

    So I can tell that there is no privacy at all

  21. scubajeff
    Reply

    I ran a similar effort a few weeks ago after noticing my facebook profile pic in ebay auction listings, for me to like or not like. My question as the same, and I spent hours on the phone with both ebay and facebook asking where is the api, and where did i agree to this, what information is shared?
    I got absolutely no answers and got pushed around from person to person. I know google does this, but having all of my facebook friends know what im bidding on may lead to losing some good deals I worked hard to find. And I dont nec want them to know what I spend on what/when/why.

    I finally found respite in the privacy mode of firefox. And Ive left facebook. Im done, this is too much, and they sure didnt reassure me.

    • if you want just a social site without all the crap like fb and google+ then you can join AutumnsList.com
      It might not have millions of people on it YET, but it does have a lot of good people on it and some nice features.
      I’m on there and if i did this right this should lead you to my profile page, if not just look for Amanda Roberts (:
      http://www.autumnslist.com/profile/amanda
      They are really big on privacy as you will be able to tell by looking at the home page with the eyeball in the keyhole!

  22. I left FB yesterday.. never going back, and never gonna join G+.

  23. Mob
    Reply

    Would deleteing your facebook account eliminate ones website browsing activity if in fact facebook really is tracking all this?

  24. Melissa
    Reply

    My thoughts? You mean Facebook doesn’t have the ability to read minds?…yet?

  25. Maybe THIS will be “trigger” that will distinguish Facebook from Google+ and why many FB users will migrate and replace FB w/ G+

  26. I like the way Facebook justifies its actions by saying ‘we are just trying to protect you online, we’re also trying to protect your children and also protect your account from unauthorised access etc., etc.’ OH PLEASE!!! I hate this when big companies try to justify what they do by telling everyone how morally wonderful they are, like banks who pretend to be looking after everyone’s money so carefully and responsibly, while they gamble it away behind the scenes.

  27. Reminiscent of the unscrupulous behavior that MicroSoft used to employ.
    I remember in the late 1990′s when they developed the “default browser” code and embeded it into their OS as a way of defeating their main browser competion Netscape.
    It’s what you get with low-life people who have no scruples and don’t care about the “users” … only about the bottom-line, the bonus … the “mo” in money.

  28. Of course I am worried about my security online. Everyone should be conserned. It might not be big brother watching but someone is watching us all the time. From our activity online to walking down the street. They can say its for our own good, but is it really!

    Be afraid, be very afraid

    Kodiak45

  29. I’m thinking the use of “Inprivate” web surfing coupled with the manual deletion of all third party cookies may solve this. It will add a couple extra steps but it may work.
    Otherwise, simply download a new browser and only use it for Facebook. That may help with privacy as well.

What do you think? Respond.

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

WebProNews Videos | Advertise | About Us | Newsletter | Archive | News Feeds | Terms & Conditions | Contact Us

WebProNews is an iEntry Network ® publication - © 1998-2012 All Rights Reserved.