According to Australian hacker and writer Nik Cubrilovic, Facebook could know that you are reading this article, simply because we, like most sites nowadays, have a Facebook share button.

Cubrilovic ran a little test involving cookies and found that logging out of Facebook does not mean that Facebook can’t still know every page you visit on the same browser.

Is it possible to be both private and social? Is privacy a long lost cause because of social networking like Facebook? Let us know what you think.

On his blog post on Sunday, he shows what cookies are sent during a logged-in Facebook user’s visit to Facebook.com compared to a logged-out user’s visit to Facebook.com. Logging out is apparently supposed to prompt the deletion of certain identifiers, but that doesn’t happen, says Cubrilovic.

The primary cookies that identify me as a user are still there (act is my account number), even though I am looking at a logged out page. Logged out requests still send nine different cookies, including the most important cookies that identify you as a user

This is not what ‘logout’ is supposed to mean – Facebook are only altering the state of the cookies instead of removing all of them when a user logs out.

This means that whenever you visit a page online that has a Facebook share button, like button or any other related widget, all of this pertinent information is being sent to Facebook. That’s how they can know where you are going on the web.

This shouldn’t be news to anyone. It’s right there in the Facebook Privacy terms -

We receive data whenever you visit a game, application, or website that uses Facebook Platform or visit a site with a Facebook feature (such as a social plugin). This may include the date and time you visit the site; the web address, or URL, you’re on; technical information about the IP address, browser and the operating system you use; and, if you are logged in to Facebook, your User ID.

But the revelation here is that this information is available even when you are logged out, as the cookie experiment notes. And people might wonder what all of this data does for Facebook -

The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.

Apparently, Cubrilovic has been sitting on this information for a while, and has reached out to Facebook without any substantial response. He says that he was prompted to share this information due to the renewed privacy discussions happening across the internet regarding all of Facebook’s upcoming Open Graph changes and “frictionless sharing.”

That “frictionless sharing” phrase is one that Mark Zuckerberg used quite a bit in his f8 keynote. He explained that it meant users can share their activities across the web to Facebook without having to really think about it. The melding of Facebook and everything else, per say.

Some have privacy concerns, fearing that since applications will be allowed to post things to Facebook regarding your actions without explicit opt-in authorization, users might share stuff on Facebook that they really don’t want to share.

ZDNet has obtained a response from Facebook. They explicitly state that Facebook does not track users’ web activity. They also explain the purpose of logged out cookies -

Facebook does not track users across the web. Instead, we use cookies on social plugins to personalize content (e.g. Show you what your friends liked), to help maintain and improve what we do (e.g. Measure click-through rate), or for safety and security (e.g. Keeping underage kids from trying to signup with a different age). No information we receive when you see a social plugins is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information.

Specific to logged out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of ‘keep me logged in’.

Facebook has responded in an additional way as well. As of today, the so called “a_user” cookie, the one which contains the user’s ID, is now destroyed upon logging out. Facebook said that “there is a bug where a_user was not cleared on logout, we will be fixing that today.”

Cubrilovic has updated his blog to discuss this change. He still warns about privacy, saying that the remaining post-logout cookies will still be there, and as a Facebook user, you just have to trust that they are using them for what they say they are using them for (see above).

Facebook has changed as much as they can change with the logout issue. They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc. I would still recommend that users clear cookies or use a separate browser, though. I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe.

In a nutshell, Facebook still has access to information about you when you logout. They give their specific reasons for keeping specific cookies active – mainly security and protection. I guess it’s up to Facebook users to decide if this explanation is understandable, or if measures like Cubrilovic suggests need to be taken – specifically wiping all cookies or using different browsers.

Privacy concerns and Facebook are the peanut butter and jelly of the social networking world, but it sure doesn’t seem to be hurting business.

What do you think? Is Facebook’s explanation satisfactory? Do you worry about your privacy as a Facebook user? Let us know in the comments.

Or ask Ben Affleck, who was depicted in a love-act with an 8-year-old’s hand-puppet that he thought was current girlfriend Jennifer Lopez.  Or more recently, Britney Spears’ cameo involved her attempting suicide but surviving as a disfigured, headless monster.

So Steve Jobs can’t be too thrilled that he is the focus of the season premiere of South Park, airing tonight on Comedy Central.

In this sneak peak of the upcoming episode we find Jobs’ in his trademark black turtleneck, introducing his newest creation, the HumancentiPad.  He lauds the new invention as “a new product that will once again revolutionize the way we use our phones and tablet devices.”  Video is NSFW due to unsavory references.

This bit is clearly a reference to last year’s underground hit horror film, The Human Centipede.  No need for me to go into details about it.  If you haven’t seen it, Google it.  Be careful, however.

The last time Mr. Jobs appeared on South Park, he was a featured guest at the premiere of Mr. Garrison’s new transportation device, the “IT.”  The IT operated by two strategically placed metal rods…just check out the video below.  If you haven’t guessed, it’s also NSFW.

Job’s company Apple has been in the news recently.  Two data scientists discovered a file in iOS devices that stores users’ location data.  It took Apple over a week to respond, but they finally did this morning in a press release.

Today, Jobs himself responded to the tracking issue in an interview with All Things D’s Mobilized.  He reiterated what Apple’s release said earlier, that they weren’t tracking anyone.

“We haven’t been tracking anyone,” Jobs said in a telephone interview with Mobilized on Wednesday. “The files they found on these phones, as we explained, it turned out were basically files we have built through anonymous, crowdsourced information that we collect from the tens of millions of iPhones out there.”

“As new technology comes into the society there is a period of adjustment and education,” Jobs said. “We haven’t–as an industry–done a very good job educating people, I think, as to some of the more subtle things going on here. As such, (people) jumped to a lot of wrong conclusions in the last week.”

It’s a good thing he responded, as the public’s concern continues to grow about the tracking issue.  The recent privacy concern is most likely too recent to be a part of tonight’s South Park episode, but who knows.  Those guys are crafty.  I can see it now:

Unencrypted geo-logging is bad, mmmmmmkay.

This is the unequivocal opening statement from Apple’s official release this morning.  This marks the first official response from the company since the iPhone tracking location data snafu.

Of course by now you know that last week two data scientists presented information on a hidden data file on iOS devices that was storing location data that reached as far back as one year.  Although there was no indication that this specific data was being directly sent to Apple or any other party, the data was unprotected and unencrypted so it raised privacy concerns.

Apple, as well as Google have admitted in the past to collecting anonymous random location data for the purposes of improving upon its location database.  But logging all of that info into a single file was ominous news for some.

Earlier this week, an email surfaced that purported to be a conversation with Steve Jobs about the issue, but the validity of that correspondence wasn’t confirmed.  The response did sound snarky enough to be Mr. Jobs, however.

In today’s official release from Apple, they address the  particular data file that was found to be storing location data.  Apple states that the reason it exists is to assist location calculating.  They blame a bug on the fact that it has been logging data as far back as one year.

6. People have identified up to a year’s worth of location data being stored on the iPhone. Why does my iPhone need so much data in order to assist it in finding my location today?
This data is not the iPhone’s location data—it is a subset (cache) of the crowd-sourced Wi-Fi hotspot and cell tower database which is downloaded from Apple into the iPhone to assist the iPhone in rapidly and accurately calculating location. The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly (see Software Update section below). We don’t think the iPhone needs to store more than seven days of this data.

On Monday, it was also found that the iPhone was logging your location data even if you disabled location services in the settings.  Apple also says that this is a bug, and will be fixed.

Here is Apple’s full statement:

Apple would like to respond to the questions we have recently received about the gathering and use of location information by our devices.

1. Why is Apple tracking the location of my iPhone?
Apple is not tracking the location of your iPhone. Apple has never done so and has no plans to ever do so.

2. Then why is everyone so concerned about this?
Providing mobile users with fast and accurate location information while preserving their security and privacy has raised some very complex technical issues which are hard to communicate in a soundbite. Users are confused, partly because the creators of this new technology (including Apple) have not provided enough education about these issues to date.

3. Why is my iPhone logging my location?
The iPhone is not logging your location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested. Calculating a phone’s location using just GPS satellite data can take up to several minutes. iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements). These calculations are performed live on the iPhone using a crowd-sourced database of Wi-Fi hotspot and cell tower data that is generated by tens of millions of iPhones sending the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple.

4. Is this crowd-sourced database stored on the iPhone?
The entire crowd-sourced database is too big to store on an iPhone, so we download an appropriate subset (cache) onto each iPhone. This cache is protected but not encrypted, and is backed up in iTunes whenever you back up your iPhone. The backup is encrypted or not, depending on the user settings in iTunes. The location data that researchers are seeing on the iPhone is not the past or present location of the iPhone, but rather the locations of Wi-Fi hotspots and cell towers surrounding the iPhone’s location, which can be more than one hundred miles away from the iPhone. We plan to cease backing up this cache in a software update coming soon (see Software Update section below).

5. Can Apple locate me based on my geo-tagged Wi-Fi hotspot and cell tower data?
No. This data is sent to Apple in an anonymous and encrypted form. Apple cannot identify the source of this data.

6. People have identified up to a year’s worth of location data being stored on the iPhone. Why does my iPhone need so much data in order to assist it in finding my location today?
This data is not the iPhone’s location data—it is a subset (cache) of the crowd-sourced Wi-Fi hotspot and cell tower database which is downloaded from Apple into the iPhone to assist the iPhone in rapidly and accurately calculating location. The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly (see Software Update section below). We don’t think the iPhone needs to store more than seven days of this data.

7. When I turn off Location Services, why does my iPhone sometimes continue updating its Wi-Fi and cell tower data from Apple’s crowd-sourced database?
It shouldn’t. This is a bug, which we plan to fix shortly (see Software Update section below).

8. What other location data is Apple collecting from the iPhone besides crowd-sourced Wi-Fi hotspot and cell tower data?
Apple is now collecting anonymous traffic data to build a crowd-sourced traffic database with the goal of providing iPhone users an improved traffic service in the next couple of years.

9. Does Apple currently provide any data collected from iPhones to third parties?
We provide anonymous crash logs from users that have opted in to third-party developers to help them debug their apps. Our iAds advertising system can use location as a factor in targeting ads. Location is not shared with any third party or ad unless the user explicitly approves giving the current location to the current ad (for example, to request the ad locate the Target store nearest them).

10. Does Apple believe that personal information security and privacy are important?
Yes, we strongly do. For example, iPhone was the first to ask users to give their permission for each and every app that wanted to use location. Apple will continue to be one of the leaders in strengthening personal information security and privacy.

Software Update

Sometime in the next few weeks Apple will release a free iOS software update that:

• reduces the size of the crowd-sourced Wi-Fi hotspot and cell tower database cached on the iPhone,
• ceases backing up this cache, and
• deletes this cache entirely when Location Services is turned off.

In the next major iOS software release the cache will also be encrypted on the iPhone.

Senators, representatives, state officials and entire foreign countries have all requested a response from Apple regarding the involuntary logging of location data in iOS devices.

And according to MacRumors, Apple’s Steve Jobs has broken his silence to a random, unnamed MacRumors reader.  Here’s the alleged email correspondence:

Q: Steve,

Could you please explain the necessity of the passive location-tracking tool embedded in my iPhone? It’s kind of unnerving knowing that my exact location is being recorded at all times. Maybe you could shed some light on this for me before I switch to a Droid. They don’t track me.

A: Oh yes they do. We don’t track anyone. The info circulating around is false.

Sent from my iPhone

Always the skeptic, I of course question the legitimacy of this brief conversation…but if that response doesn’t sound like Steve Jobs then I don’t know what does.  The only way I would’ve been sure that it was really Jobs is if he would’ve referred to the claims as “magical.”

The unidentified sender of the email query should be told that tests confirmed last week the Google was also mining for location data through Android devices much more aggressively and much less anonymously than they led on.

Today, more information emerged about the now famous consolidated.db file.  The WSJ reported that through their own tests they found that disabling location services on your iDevices does not stop the logging of location data.  Many had thought this would be a quick fix to the problem.

Whether this was really Jobs or not, you have to expect a more formal response in the next few days.  The media firestorm around this topic began almost a week ago.

The proposal comes in the form of a report called, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers."

"Technological and business ingenuity have spawned a whole new online culture and vocabulary – email, IMs, apps and blogs – that consumers have come to expect and enjoy," said FTC Chairman Jon Leibowitz. "The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation and consumer choice. We believe that’s what most Americans want as well," 

"This proposal is intended to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines," the FTC says.

It is ‘reasonable for companies to engage in certain practices – namely, product and service fulfillment, internal operations such as improving services offered, fraud prevention, legal compliance, and first-party marketing,’ the FTC’s report says. "By clarifying those practices for which consumer consent is unnecessary, companies will be able to streamline their communications with consumers, reducing the burden and confusion on consumers and businesses alike."

Whlie consumer protection is certainly a good thing, there is concern throughout the industry that the government doesn’t understand how things work well enough to propose such guidelines. There is no doubt that the guidelines would have huge ramifications throughout the industry if they were to be implemented, though it’s important to note that this is just a proposal of guidelines for potential legislation at this point. 

"While many companies may publicly welcome better consumer privacy protection, the ideas in the report go against most of the targeting and data collection practices in use today," says industry analyst Greg Sterling. "Most of them (with some notable exceptions) rely on consumer ignorance."

"The new framework would place burdens on online ad networks, data vendors and others in the advertising value chain that most would find unwelcome," he adds. "And more information disclosures and consumer control over data would probably mean more consumers opting out of much of online tracking and targeting."

Cynthia Boris at MarketingPilgrim notes that online advertisers are already working on a self-policing program, but that "it looks like the federal government is going to have their say and their say trumps anything from the private sector."

The FTC’s proposal is open to public comment (of which I’m sure there will be more an incredible amount) until January 31. The proposal covers much more than just the "do no track" mechanism, calling for better privacy practices and transparency from businesses in general. More from the FTC here.

Yahoo Tech reports on the efforts of a group of advertising associations that have come together to build a set of rules and regulations that the industry can use to give the consumer the privacy they expect and let marketers keep the freedoms that government intervention would likely hinder.

The centerpiece of these guidelines are the provision of transparency in tracking practices and easier opt-out for consumers. While it is certainly a big question as to how well these guidelines will actually work the hope is that the industry will be less of a focus of the FTC (Federal Trade Commission) and Congress.

These guidelines are coming from trade associations that represent 5,000 companies. The consortium comprises the American Association of Advertising Agencies, Association of National Advertisers, Direct Marketing Association, the Interactive Advertising Bureau and the Better Business Bureau. Their members are some of the nation’s largest companies, including Google Inc., General Electric Co., Microsoft Corp., Coca-Cola Co. and Procter & Gamble Co.

These guidelines include recommendations that companies

1. Tell consumers more clearly when they’re being tracked
2. Educate consumers on how Web tracking works
3. Give consumers an easy way to opt out of being followed
4. Provide “reasonable” security for the data they collect
5. Limit how much data they retain
6. Get consumer approval before making material changes that would erode privacy protections with specific areas such as children’s personal information, financial data and medical records getting more protection.

Anyone caught by this new group will be reported to the federal government. This plan should go into effect in 2010. Sounds reasonable enough but of course there are those who feel that this will not be enough.

Jeff Chester, executive director of the Center for Digital Democracy, said the online ad industry’s promise to regulate itself through the new guidelines is designed to undercut the federal government’s increased interest in overseeing online behavioral advertising.

He fears that the guidelines don’t go far enough and that there needs to be fair rules passed by Congress that ‘online marketing can thrive but consumers have greater control on how the information collected is being used.’

I am sure that the views of Pilgrim readers regarding government intervention in business are all over the map so we’ll ask you the question: Should the industry police itself or should the federal government be involved? What are the pros and cons of both options? Here’s your chance to form your own policy for people to see and show off your position on government’s role in business. Sounds like a fun and light topic to consider while enjoying the holiday weekend, right?

Comments

Does the new canonicalization tag make it safe to add tracking arguments to some of my internal links without fear that Google will split the quality signals between the two addresses?

Matt says, "I believe you can do this," but he recommends trying it out on one directory or a small set of URLs at first to make sure it’s completely safe. If you can do something with cookies or your analytics package, Matt says that would be better because as he explains, "Suppose someone copies and pastes a URL…they might copy and paste it differently…and maybe that URL goes away or the tracking code changes…so if you can make the URLs unified. That’s still better, but I believe this sort of thing can still work totally fine with the new canonicalization tag."

Basically, Matt just wants you to be cautious and make sure it works for you to avoid any issues.

If the Canonicalization tag is something you’re not familiar with, it’s something that Google, Yahoo, and Microsoft announced jointly a while back in an effort to reduce duplicate content. Matt discussed it with WebProNews upon its launch:

Matt has also elaborated on the tag in a longer video and slideshow:

Matt is frequently posting informative videos to YouTube, which can generally be found here. He is also posting longer ones with presentations from conferences on his blog. These are both good resources for webmasters to bookmark.

In the middle of the holidays, people began to notice and question how some Adobe applications pinged a remote server at 2o7.net. Omniture owns that domain; the requests from Adobe apps were destined for 192.168.112.2O7.net.

Some wondered if this represented a type of spying on Adobe customers. Nack posted a response to the topic, listing the occasions when Adobe apps make outside calls. He called the commentary on sites like Valleywag “wild accusations.”

Nack returned with a new post to follow up on the story again. He explained how all requests to Adobe.com also ping Omniture for anonymous analytics purposes; Adobe posted a tech note about this too.

The topic of the questionable subdomain used by Omniture came up twice. At a quick glance, 192.168.112.2O7.net may look like a local, non-routable IP address. Even the letter ‘O’ is capitalized, unlike the usual 2o7.net preference for lowercase.

It looked to us and to others like a blatantly deceptive name choice. Nack said on his latest post that Adobe didn’t really know why Omniture used that subdomain.

However, Adobe plans to have Omniture change the server name, presumably to something a little more self-explanatory. Nack has done well to respond on the story a couple of times, without getting defensive or accusatory, and that positive approach probably helped keep what seems to be a minor question of analytics from being blown out of proportion.

]]> http://www.webpronews.com/adobe-omniture-tracking-issue-addressed-again-2008-01/feed 1 http://www.webpronews.com/adobe-bemused-by-spying-claims-2007-12 http://www.webpronews.com/adobe-bemused-by-spying-claims-2007-12#comments Sun, 30 Dec 2007 00:32:21 +0000 WebProNews Staff http://www.webpronews.com/?p=42963 The discovery that some Adobe products phone home to analytics firm Omniture brought out the tinfoil hat crowd, and a raised eyebrow from Adobe’s John Nack.

Nack, senior product manager for Adobe Photoshop, felt moved enough by the sturm und drang surrounding reports of his company’s products allegedly spying on Adobe customers to respond to the blogosphere drama.

Later, Nack blogged about the situation that Uneasy Silence noticed when Adobe CS3 pinged what looked like a non-routable IP address: 192.168.112.2O7.net:

According to Doug Miller from the Adobe.com team, “Omniture is Adobe’s web analytic vendor for Adobe.com. There are only 3 places we track things via Omniture anywhere in or around our products.”:

•  The welcome screens (these things) in some Adobe apps include a Flash SWF file that loads current news, special offers, etc. These requests hit Adobe.com servers and are logged, like regular browser-based traffic, by Omniture.

•  Adobe Bridge embeds both the Opera browser and the Flash Player, both of which can be used to load Adobe-hosted content. These requests are also logged.

•  Adobe apps can call various online resources (online help, user forums, etc.), and those requests are logged.

“This, as far as I’ve been able to discover, is the extent of the nefarious ‘spying’,” said Nack.

He also chided Valleywag, CenterNetworks, and Daring Fireball for throwing around “wild assertions” about the traffic to Omniture, especially with Adobe staff mostly off for the brief holiday. However, Nack did have a sense of humor about this, asking why no one had done a crude Photoshop to besmirch the company, too.

We’ll give Nack credit for responding to this on a slow day, but Adobe and Omniture also deserve a ding about the ear for the disguised IP address they use to connect to 2o7.net. There’s no way someone at Omniture came up with that clever little subdomain for any reason other that to try and deceive an admin watching network traffic into thinking it was an internal route.

]]> http://www.webpronews.com/adobe-bemused-by-spying-claims-2007-12/feed 2 http://www.webpronews.com/pubcon-talking-with-brett-crosby-2007-12 http://www.webpronews.com/pubcon-talking-with-brett-crosby-2007-12#comments Thu, 06 Dec 2007 16:11:49 +0000 Lee Odden http://www.webpronews.com/?p=42459 While walking the WebmasterWorld Pubcon exhibit hall floor I ran into Brett Crosby from Google.

We talked about some of the new enhancements that have been added to Google Analytics. The addition of site search tracking in Google Analytics was of particular interest to me and I thought I would share here.

While walking the WebmasterWorld Pubcon exhibit hall floor I ran into Brett Crosby from Google.

We talked about some of the new enhancements that have been added to Google Analytics. The addition of site search tracking in Google Analytics was of particular interest to me and I thought I would share here.

Be sure to check out the TopRank channel on YouTube for more SEO interviews.

Comments

Tag:

]]>