Is it possible that Facebook is tracking your web browsing activity, even when you are logged out?
According to Australian hacker and writer Nik Cubrilovic, Facebook could know that you are reading this article, simply because we, like most sites nowadays, have a Facebook share button.
Cubrilovic ran a little test involving cookies and found that logging out of Facebook does not mean that Facebook can’t still know every page you visit on the same browser.
On his blog post on Sunday, he shows what cookies are sent during a logged-in Facebook user’s visit to Facebook.com compared to a logged-out user’s visit to Facebook.com. Logging out is apparently supposed to prompt the deletion of certain identifiers, but that doesn’t happen, says Cubrilovic.
The primary cookies that identify me as a user are still there (act is my account number), even though I am looking at a logged out page. Logged out requests still send nine different cookies, including the most important cookies that identify you as a user.
This is not what ‘logout’ is supposed to mean – Facebook are only altering the state of the cookies instead of removing all of them when a user logs out.
This means that whenever you visit a page online that has a Facebook share button, like button or any other related widget, all of this pertinent information is being sent to Facebook. That’s how they can know where you are going on the web.
This shouldn’t be news to anyone. It’s right there in the Facebook Privacy terms –
We receive data whenever you visit a game, application, or website that uses Facebook Platform or visit a site with a Facebook feature (such as a social plugin). This may include the date and time you visit the site; the web address, or URL, you’re on; technical information about the IP address, browser and the operating system you use; and, if you are logged in to Facebook, your User ID.
But the revelation here is that this information is available even when you are logged out, as the cookie experiment notes. And people might wonder what all of this data does for Facebook –
The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application; a number of cookies (including your account number) are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.
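To make the cookie behaviour concrete, here is an added example (not code from the article or from Cubrilovic's post) that models a browser cookie jar and compares a logout response that merely rewrites the account cookies with one that actually expires them. The cookie names act and a_user come from the article; the domain example.test and every value are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Cookie names the article says identify the account (values here are constructed).
IDENTIFYING = {"act", "a_user"}

def apply_set_cookie(jar, header):
    """Apply one Set-Cookie header to jar (dict of name -> value).
    Max-Age=0 or an Expires date in the past deletes the cookie; anything
    else stores the new value (simplified RFC 6265 semantics)."""
    for name, morsel in SimpleCookie(header).items():
        expired = morsel["max-age"] == "0"
        if morsel["expires"]:
            when = parsedate_to_datetime(morsel["expires"])
            expired = expired or when <= datetime.now(timezone.utc)
        if expired:
            jar.pop(name, None)
        else:
            jar[name] = morsel.value

def cookie_header(jar):
    """The Cookie header a browser would attach to the next request,
    e.g. to a social-plugin URL embedded on some other site."""
    return "; ".join(f"{k}={v}" for k, v in sorted(jar.items()))

def identifying_cookies_after_logout(logout_headers):
    """Log in (constructed response), apply the given logout Set-Cookie
    headers, and report which identifying cookies would still be sent."""
    jar = {}
    for h in ("c_user=1001; Domain=.example.test; Path=/",
              "act=1001; Domain=.example.test; Path=/",
              "a_user=1001; Domain=.example.test; Path=/",
              "datr=abcdef; Domain=.example.test; Path=/"):
        apply_set_cookie(jar, h)
    for h in logout_headers:
        apply_set_cookie(jar, h)
    return sorted(IDENTIFYING & jar.keys()), cookie_header(jar)

# Logout that only alters state: the session cookie goes, but the account
# identifiers are merely re-set, so they keep travelling with every request.
STATE_ONLY_LOGOUT = ("c_user=; Max-Age=0; Domain=.example.test; Path=/",
                     "act=1001%3A0; Domain=.example.test; Path=/")
# Logout that actually expires the identifiers.
FULL_LOGOUT = ("c_user=; Max-Age=0; Domain=.example.test; Path=/",
               "act=; Max-Age=0; Domain=.example.test; Path=/",
               "a_user=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Domain=.example.test; Path=/")

if __name__ == "__main__":
    for label, hdrs in (("state-only logout", STATE_ONLY_LOGOUT), ("full logout", FULL_LOGOUT)):
        still, cookie = identifying_cookies_after_logout(hdrs)
        print(f"{label}: identifying cookies still sent = {still or 'none'}; Cookie: {cookie}")
```

Running the same check against a real browser profile (export the cookie jar before and after logout and diff it) is the practical way to verify what a site actually clears.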
Apparently, Cubrilovic has been sitting on this information for a while, and has reached out to Facebook without any substantial response. He says that he was prompted to share this information due to the renewed privacy discussions happening across the internet regarding all of Facebook’s upcoming Open Graph changes and “frictionless sharing.”
That “frictionless sharing” phrase is one that Mark Zuckerberg used quite a bit in his f8 keynote. He explained that it meant users can share their activities across the web to Facebook without having to really think about it. The melding of Facebook and everything else, per se.
Some have privacy concerns, fearing that since applications will be allowed to post things to Facebook regarding your actions without explicit opt-in authorization, users might share stuff on Facebook that they really don’t want to share.
ZDNet has obtained a response from Facebook. They explicitly state that Facebook does not track users’ web activity. They also explain the purpose of logged-out cookies –
Specific to logged out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of ‘keep me logged in’.
Facebook has responded in an additional way as well. As of today, the so-called “a_user” cookie, the one which contains the user’s ID, is now destroyed upon logging out. Facebook said that “there is a bug where a_user was not cleared on logout, we will be fixing that today.”
Cubrilovic has updated his blog to discuss this change. He still warns about privacy, saying that the remaining post-logout cookies will still be there, and as a Facebook user, you just have to trust that they are using them for what they say they are using them for (see above).
Facebook has changed as much as they can change with the logout issue. They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc. I would still recommend that users clear cookies or use a separate browser, though. I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe.
In a nutshell, Facebook still has access to information about you when you log out. They give their specific reasons for keeping specific cookies active – mainly security and protection. I guess it’s up to Facebook users to decide if this explanation is acceptable, or if the measures Cubrilovic suggests need to be taken – specifically wiping all cookies or using a different browser.
Privacy concerns and Facebook are the peanut butter and jelly of the social networking world, but it sure doesn’t seem to be hurting business.
What do you think? Is Facebook’s explanation satisfactory? Do you worry about your privacy as a Facebook user? Let us know in the comments.