The issue was brought up by Australian hacker/writer Nik Cubrilovic, who did some testing with the cookies, and found that logging out doesn’t keep Facebook from knowing every page you visit.

The relevant part of Facebook’s Privacy terms:

We receive data whenever you visit a game, application, or website that uses Facebook Platform or visit a site with a Facebook feature (such as a social plugin). This may include the date and time you visit the site; the web address, or URL, you’re on; technical information about the IP address, browser and the operating system you use; and, if you are logged in to Facebook, your User ID.

Facebook responded to the conversation, saying that they don’t track users across the web, but use the cookies for content personalization, and for safety and security reasons. Then they said the cookie in question, the one which contains the user’s ID was now being destroyed upon log-out.

Now, Cubrilovic is reporting that the “datr” cookie, first removed by Facebook and was no longer being set for logged in or logged out users when they visited a page integrating Facebook, is back. He shows this in a screenshot for Chrome after visiting CBSSports.com.

This particular cookie, Facebook says, helps them identify suspicious login activity.

Various mentions of the cookie by Facebook include:

“We set the ‘datr’ cookie when a web browser accesses facebook.com (except social plugin iframes), and the cookie helps us identify suspicious login activity and keep users safe. For instance, we use it to flag questionable activity like failed login attempts and attempts to create multiple spam accounts.”

“We don’t use them for tracking and they’re not intended for tracking.”

Facebook may indeed have honorable enough intentions for the cookie(s), but that doesn’t mean everybody feels comfortable with the company knowing everywhere they’ve been on the web, particularly as they face other privacy concerns with how they’re interacting with web content and it’s being viewed on the recently launched Ticker feature.

Meanwhile, reports have surfaced that lawmakers are urging the FTC to investigate Facebook over potential privacy issues.

According to Australian hacker and writer Nik Cubrilovic, Facebook could know that you are reading this article, simply because we, like most sites nowadays, have a Facebook share button.

Cubrilovic ran a little test involving cookies and found that logging out of Facebook does not mean that Facebook can’t still know every page you visit on the same browser.

Is it possible to be both private and social? Is privacy a long lost cause because of social networking like Facebook? Let us know what you think.

On his blog post on Sunday, he shows what cookies are sent during a logged-in Facebook user’s visit to Facebook.com compared to a logged-out user’s visit to Facebook.com. Logging out is apparently supposed to prompt the deletion of certain identifiers, but that doesn’t happen, says Cubrilovic.

The primary cookies that identify me as a user are still there (act is my account number), even though I am looking at a logged out page. Logged out requests still send nine different cookies, including the most important cookies that identify you as a user

This is not what ‘logout’ is supposed to mean – Facebook are only altering the state of the cookies instead of removing all of them when a user logs out.

This means that whenever you visit a page online that has a Facebook share button, like button or any other related widget, all of this pertinent information is being sent to Facebook. That’s how they can know where you are going on the web.

This shouldn’t be news to anyone. It’s right there in the Facebook Privacy terms -

We receive data whenever you visit a game, application, or website that uses Facebook Platform or visit a site with a Facebook feature (such as a social plugin). This may include the date and time you visit the site; the web address, or URL, you’re on; technical information about the IP address, browser and the operating system you use; and, if you are logged in to Facebook, your User ID.

But the revelation here is that this information is available even when you are logged out, as the cookie experiment notes. And people might wonder what all of this data does for Facebook -

The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.

Apparently, Cubrilovic has been sitting on this information for a while, and has reached out to Facebook without any substantial response. He says that he was prompted to share this information due to the renewed privacy discussions happening across the internet regarding all of Facebook’s upcoming Open Graph changes and “frictionless sharing.”

That “frictionless sharing” phrase is one that Mark Zuckerberg used quite a bit in his f8 keynote. He explained that it meant users can share their activities across the web to Facebook without having to really think about it. The melding of Facebook and everything else, per say.

Some have privacy concerns, fearing that since applications will be allowed to post things to Facebook regarding your actions without explicit opt-in authorization, users might share stuff on Facebook that they really don’t want to share.

ZDNet has obtained a response from Facebook. They explicitly state that Facebook does not track users’ web activity. They also explain the purpose of logged out cookies -

Facebook does not track users across the web. Instead, we use cookies on social plugins to personalize content (e.g. Show you what your friends liked), to help maintain and improve what we do (e.g. Measure click-through rate), or for safety and security (e.g. Keeping underage kids from trying to signup with a different age). No information we receive when you see a social plugins is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information.

Specific to logged out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of ‘keep me logged in’.

Facebook has responded in an additional way as well. As of today, the so called “a_user” cookie, the one which contains the user’s ID, is now destroyed upon logging out. Facebook said that “there is a bug where a_user was not cleared on logout, we will be fixing that today.”

Cubrilovic has updated his blog to discuss this change. He still warns about privacy, saying that the remaining post-logout cookies will still be there, and as a Facebook user, you just have to trust that they are using them for what they say they are using them for (see above).

Facebook has changed as much as they can change with the logout issue. They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc. I would still recommend that users clear cookies or use a separate browser, though. I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe.

In a nutshell, Facebook still has access to information about you when you logout. They give their specific reasons for keeping specific cookies active – mainly security and protection. I guess it’s up to Facebook users to decide if this explanation is understandable, or if measures like Cubrilovic suggests need to be taken – specifically wiping all cookies or using different browsers.

Privacy concerns and Facebook are the peanut butter and jelly of the social networking world, but it sure doesn’t seem to be hurting business.

What do you think? Is Facebook’s explanation satisfactory? Do you worry about your privacy as a Facebook user? Let us know in the comments.

Google Crunches Its Cookies Faster

Over the rest of 2007, Google’s servers will start issuing new cookies to visiting browsers. Instead of their current 2038 expiration date, these cookies will devour themselves after two years, assuming the browser never returns to Google.

Peter Fleischer, Global Privacy Counsel at Google, discussed the change at the official Google blog.

“After listening to feedback from our users and from privacy advocates, we’ve concluded that it would be a good thing for privacy to significantly shorten the lifetime of our cookies – as long as we could find a way to do so without artificially forcing users to re-enter their basic preferences at arbitrary points in time,” he said.

The 2038 cookies will go away, and a two-year cookie will be baked to replace it. While it looks like a significant change on the surface, Google’s cookie will effectively function for regular Google users just like the current cookie does.

As Fleischer explained, the two-year cookie auto-renews every time a browser visits Google. Instead of that fixed expiration date 31 years from now, those cookies will gain new life with every subsequent Google visit.

A long-lived cookie becomes one with serial immortality. People with concerns about cookies on their machines should manage them with their browser’s tools, if they really want to control how long a cookie, Google’s or anyone else’s, resides on their machines.

ComScore analyzed the first-party

I agree with the author of this article that these acquisition are not about ad serving technology but about user data and reach. I have written in my past article about how these acquisitions by these three giants were a huge steps towards building behavioral targeting networks.

The rich set of user data that these companies will be able to gather by these acquisitions is very valuable. All of these companies had cash to hire smart people and build the ad serving technology for a fraction of what they paid for acquisitions. So it is not about technology. What they could not have done on their own was the reach and rich user data. The only way to gather that kind of information was to acquire the companies which have those.

So why do they need that user data? One of the issues with advertising is that by placing contextual ads advertisers waste lots of impression because they reach a lot of people who are not even interested in their offers or products. This rich user data (tied via cookie) will provide Google, Microsoft and Yahoo understanding of which users could potentially be interested in offers/products of an advertiser. Historical user data will allow them to understand what kind of users have responded to what kind of offers/products in past. The new acquisition will also allow them to reach all those user which were earlier not in their network plus provide them more data. This will allow them to target the ads to right set of users, users who are most likely to click on an ad and convert (buy, register etc.). By generating higher click-thorough and conversion they can command premium from advertisers. Everybody benefits from this, publishers can sell their inventory for a premium, advertisers will reach right set of customers and consumers will get the offers and products they care about. The three giant (Google, Microsoft and Yahoo) make money by providing this rich data and hence taking their cut from publishers (in many cases they will also act as publishers).

Some might argue that cookie deletion will cause a problem in aggregating the past user histories. I agree that cookie deletion is an issue but all these companies have some way for user to login or provide their real information (gmail, hotmail, yahoo mail, google checkout, toolbars, messengers etc.) which can help them tie all the cookies together. I will blog about this more in my future article.

Another issue raised by this article was privacy. I have written a lot about this in past, here is link to my past post which talks about this issue Behavioral Targeting: Audience Of One.

Behavioral Targeting will become a norm (it already is) and these three giants will own (already do) a significant portion of that user data that will make it possible.

Here are my other articles on Behavioral Targeting

Comments

Some of the reaction to this is predictable. First, there is considerable skepticism about the findings themselves. Perhaps that’s justified. Lord knows there are plenty of flawed studies done, not least when the studying party has a strong self-interested stake in the outcome. In addition, the frequency of deletion coupled with the lack of disparity between 1st & 3rd Party cookies (where automated Spyware tools might provide an explanation) makes it hard for many people to understand. Are internet users really this consistent about deleting cookies when they have to do it manually? It does seem hard to believe. Keep in mind, as well, that we are talking cookie deletion – not rejection. So though 3rd Party cookies may share a similar lifespan to 1st Part cookies, they are considerably less likely to find their way onto a computer in the first place. And while the comScore study wasn’t especially clear about this, it doesn’t seem to have focused on cookie rejection at all.

There is a second common reaction summed up in the idea that this level of errors in reporting doesn’t much matter because analysts are concerned with trends not absolute numbers. Anil Batra of Zaaz, for instance, argues (here) that it would make no (or little) difference whether your site got 5k visitor or 3K visitors – the important thing is how your site is trending in response to your actions.

I’m afraid I can’t agree with this thinking. At first glance it’s not necessarily wrong-headed though I’d argue that in fact it’s important to know your actual audience size on the web – that real numbers do matter and not just trends. Imagine a conference organizer who wouldn’t tell sponsors how many visitors the conference draws – only that it is trending upwards. I doubt I’d sponsor a booth!

But this is really just the tip of the iceberg when it comes to analysis. After all, total visitors IS pretty far down on the list of statistics of interest to the analyst. Unfortunately, almost every single statistic that matters is going to be effected – and sometimes devastatingly – by this level of error in visitor tracking. Perhaps Zaaz doesn’t track "New" visitors to the site vs. returning ones. But I do. And when half of my "new" visitors are really heavy repeat visitors I can hardly hope that my analysis will be crisp. Then too, I’ve always believed that tracking repeat customers on a site is central to most eCommerce analysis. But with this level of error I’m misclassifying a big chunk of that behavior.

Or again, perhaps people aren’t worried about what tools or pages drove repeat visits or cross-session sales behaviors. But it seems important to me. For a portal site like the one tested by comScore, the bellwether analysis is content impact on engagement. I’d like to say that this analysis may still be possible with this level of error, but I’m not sure that it would be.

Not concerned about these little things? Well how about the fact that every one of your campaigns might be significantly mis-counted in terms of conversion? That seems pretty consequential.

In short, just because comScore isn’t focused on analytics but only on traffic reporting doesn’t mean the impact of their findings is limited to traffic. And the impact for analysis of this level of error in 1st Party cookies would be very bad indeed. That’s not an admission you’d probably expect to hear from a web analytics consultancy and I’m sorry if this constitutes breaking ranks, but our first commitment ought to be to the truth of the numbers.

On the other hand, I too have some caveats about the general applicability of these results to every site. First, it’s important to understand the difference between each statistic. The 31% 1st Party cookie rate is, in my view, probably the most damning statistic in the study. Why? Because unless the behavior is somehow related to the specific site in question, you’d expect it to hold up for every site. Or then again, maybe you wouldn’t. If we accept that this statistic represents manual deletion of cookies, then there are two alternatives. The first is that people simply erase all cookies. That’s certainly possible – maybe even likely since it’s so easy to do. But a user may also scan the cookies on the target system and since cookies are often quite identifiable it’s possible that some cookies are much more likely to be deleted than others. It may be that an Amazon or Charles Schwab cookie is much less likely to be deleted than an AOL one. That’s one of the reasons it would be very interesting to understand the qualitative part of the comScore study – namely, what deleters (especially "serial" deleters) were actually doing. In addition, I’d like to understand if this problem is especially severe for certain browser populations (Firefox). And are users simply setting their browser to delete all cookies every time they close? This might explain the behavior of deleters – they aren’t doing any manual work at all. It would also imply that for this segment even same day uniques are overstated.

As comScore positions the study, however, the most damning finding is probably the one about the potential traffic impact of serial cookie "deleters." And for their particular chosen site, the impact would indeed be considerable. But for many of our sites, this group would probably have much less of an impact. Why? Portal sites are unusual in attracting a very high volume of repeat visits. comScore reported an average of nearly 13 1st Party cookies during a month for the 7% of visitors with 4 or more cookies detected. For most of our client sites (that aren’t portals), the overwhelming majority of visitors will come much less often than this. And if only a very small percentage of visitors are multiple repeaters and only a small percentage (7%) of those are multiple deleters, then the impact is likely to be considerably less (in terms of percentage of total visitors) than for a portal site. It’s likely true that no set of sites has a higher percentage of frequent return visitors than a true portal.

I’ll be honest – I find the study worrisome. It’s not that I haven’t realized that cookie deletion is a significant issue or that the potential impact of frequent return visitors on visitor traffic eluded me. But every analyst knows there is a line between data that is fuzzy but useful and data that is too messy to analyze. And I’ll be honest as well in saying that we see many sites where the number of visitors flagged as "New" would be better explained by the comScore view of the world than by the one prevalent (including by us) in the web analytics world. Depending on how the comScore study shakes out, web analysts may be facing a significant rethinking of where we are relative to that "fuzzy" line for almost every kind of interesting analysis. For some types of sites, at least, this might drive our short-term tool kit back to the pathetic same session analysis we were stuck with in tools a couple of years back.

comScore has their own agenda, here, obviously. But to me, the issue is ultimately about much more than unique visitor counts. Perhaps Anil is right to discount the importance of that statistic. But in doing so, he’s surely missing the larger point. In my view, the basic analytic toolkit of visitor segmentation and cross-session tracking is at risk in light of these findings. What’s the point of visitor segmentation when your visitors are lost every couple of days? This is an issue the measurement community just can’t ignore. I remember when 3rd Party cookie rejection rates began to climb and the ostrich like mentality that insisted this wasn’t an issue. Till suddenly the vendors made it possible to use tagged 1st Party cookies and everyone began implementing first party cookies. Sadly, we may not have solved our problem.

Are there short-term solutions? Possibly. And they begin with getting a handle on the scope of the problem for your site and understanding how to protect your analysis from these problems. You can begin to get a handle on the issue for your site by examining the trends in "New" visitors – especially if you can measure from significant events like a measurement start, a new cookie, or major traffic spikes. You might also want to look at the percentage of New/Returning visitors by Browser type. If you have strong behavioral cues on your site (like Login), you can measure the degree to which these behaviors are used by "NEW" visitors. This percentage compared to total visitor usage is an excellent way to get a reasonable read on how much or little of a problem you have. Handling bias is trickier, but if you want to analyze, for example, whether types of tools or content drive repeat visits, then you’ll be wise to start with a universe of visitors that you can prove has remained cookie constant. How might you do this? By insuring that you segment for behavior in both the 1st and last month of your study. This will narrow your analysis, but insure that you’ve ruled out cookie issues.

In the end, every problem in data quality simple complicates the life of the analyst more and makes doing good analysis just that much harder. I don’t much care who wins the great traffic reporting war. But I care very much that web analytics have a mechanism for tracking with some degree reliability the over time behavior of visitors. Where there is a will, I’m confident our truly fine tool vendors will find a way. It may be incumbent on analysts to provide that will.

Comments

]]> http://www.webpronews.com/comscore-the-great-debate-2007-04/feed 0 http://www.webpronews.com/comscore-cookie-crunch-causes-crummy-counts-2007-04 http://www.webpronews.com/comscore-cookie-crunch-causes-crummy-counts-2007-04#comments Tue, 17 Apr 2007 11:52:36 +0000 WebProNews Staff http://www.webpronews.com/?p=37038 Counting the online audience through the use of cookies may be overstating the size of the audience for websites, due to Internet users deleting cookies from their machines.

ComScore: Cookie Crunch Causes Crummy Counts

The usefulness of cookies has been debated virtually since the time they came into broader use online. Cookies are small text files stored on a person’s computer when they visit websites that use them. The website can in turn use those cookies later to enable certain commerce functions, or to track their movements for analytic purposes.

ComScore said in a study of 400,000 home PCs in December 2006 that cookie-based measurements could be off by 2.5 times, or 150 percent. That’s a serious overstatement with implications for advertising and audience measurement.

The regular deletion of cookies by some Internet users causes this inflation. ComScore’s Magid Abraham said: “With just 7 percent of computers accounting for 35 percent of all (first party) cookies, it

It looks like Mike is aiming to uncover mysteries and dispel some of the common myths about things in the ad business, and his first major post is a good one that teaches people about what’s in an advertising cookie. Many adware and spyware removal programs accuse cookies from ad companies as being spyware-related, when as Mike shows they aren’t that nefarious by explaining how they work and what’s really in an ad cookie.

I’m looking forward to learning more from Mike about many of the technical details of the ad network/exchange/technology world, so keep it up Mike!

Comments

Reddit | Furl

Bookmark WebProNews:

It’s the women in the family’s fault, always feeding us so we don’t waste away like godless orphan Scrooges, plying us with chocolate covered pretzels, chocolate turtles, peanut butter balls, peanut butter fudge, peanut brittle, brownies, chocolate fudge, cakes, pies, gravy, sausage balls, cheese balls, tuna balls, crackers, cookies, chips, dips, cheeses, and little white cloudy confections that we don’t exactly know what’s in them, but Mom calls it “divinity.”

And my sister makes these nameless wonderful things that are, basically, Reese’s Peanut Butter Cups wrapped in a chocolate chip cookies. Yes, there are starving people everywhere in the world at Christmas and I’m chowing down on friggin peanut butter cups wrapped in friggin chocolate chip cookies, blissfully ignoring the level of indulgence this is, ignoring that there’s somebody out there thrilled about the fruit basket Santa left them. At least some poor fellow will benefit from some brand new trousers when I donate them as a fat tax.

Or maybe they mean to fatten us up so we can’t run away.

But, like I said, we’re not alone. Hitwise reports that as soon as the sugar buzz wore off, people were rolling to the dieting websites like pilgrims to the Ganges, trying not to get fudge on the keyboard, disappointed you can’t eat a Web cookie.

Because we had time to watch the reruns, cheek-stuffed, the Biggest Loser Club website saw the greatest increase in traffic, jumping up (waddling up) 146 percent. eDiets.com gained 82 percent, and the leading weight loss site, Weight Watchers, had its cyber-glycemic levels soar by 70 percent.

For the week ending December 30th, the top search terms containing the term “diet” were: south beach diet, diet pills, diet, atkins diet, diabetic diet, diet plans, cabbage soup diet, lemonade diet, free diet plans, and master cleanse diet.

That last one just sounds nasty, but it may be the last resort if your sweat smells like burnt marshmallows.

Stay Puft is not your friend, Ray.

“Unfortunately,” says Hitwise’s Bill Tancer, “data from past years tells us that online diet interest is fleeting, and should start declining by the second week of January.”

Cabbage soup and master cleanse diets just don’t have the same appeal as peanut butter and chocolate. Excuse me, I have to go hang myself with a Charleston Chew.

The Top 10 Dieting Sites by Market Share of US Visits January 1, 2006:

1. Weight Watchers
2. Nutrisystem
3. eDiets
4. The Biggest Loser Club
5. SparkPeople
6. WebMD Weight Loss Clinic
7. South Beach diet
8. Jillian Michaels
9. Jenny Craig
10. Diabetic Living Diet

Tag:

Add to Del.icio.us | Digg | Reddit | Furl

Bookmark WebProNews: