Facebook: you can check out but you can never leave

Facebook has agreed to fix a an issue with its system that meant it continued to track the online activity of users even after they had logged out of the site.

The issue was discovered by Australian security blogger Nik Cubrilovic, who wrote this week about Facebook’s privacy settings after a debate broke out about the site’s plans to let third party applications post to a user’s timeline without their explicit case-by-case approval.

While some sources have suggested users should evade this by logging out of the site after each session, Cubrilovic noted that as things stand this wouldn’t be enough. He examined cookies on his computer both while using Facebook and after logging out. In the latter case, rather than all the cookies being removed as you would expect, some remained active with only minor changes. Some cookies had their expiry date extended and there were even three new ones created.

In total, there were nine cookies still being accessed after logging out, including those that specifically identified him as the user. These were accessed whenever he visited a third-party site containing a Facebook “Like” button or similar tool. And, of course, if he’d been using a public terminal, subsequent users would have been falsely identified as being him by Facebook.

Cubrilovic says he e-mailed Facebook about this issue last November and again this January, receiving no reply. He notes starkly “They really need to get their shit together on reporting privacy issues.”

Since posting the blog, Cubrilovic has had a 40-minute discussion with Facebook engineers and staff in the US. He says the company tells him that within 24 hours it will alter the cookies setup: they will remain in use but will no longer personally identify the user.

Facebook itself has told the Wall Street Journal that the cookies are needed to avoid bogus logins, and to make it easier for people to use the “Like” button without the need to type in login details everytime. It says it deletes the data received this way immediately and that none of the information is used to target advertising.

9 Responses to Facebook: you can check out but you can never leave

  1. So effectively FB is tracking the IP address of all Likes (not out the norm). But then it uses your IP to determine that if you're either using the same IP as another FB user or perhaps even sit behind the same subnet then you probably know the other person and they suggest you Friend them? Is that what I'm getting out of this?

    • Not exactly – a Cookie only tracks a computer, and contains the information about the website that created it (usually involving login details – cookies are actually how you stay logged into a site as you navigate it's subsequent pages). However, as the "Like" button has spread through the internet, the cookies have been being used else where as well. Now, you can log out of FB, and still click a "Like" button and have it show up on your FB page.
      The concern with all this is, these cookies contain info about your account that these other websites can access – and once they have that, they can pay your page a visit to collect even more data on you (for marketing purposes; i.e. to sell you things)
      How FB is planning on creating an "annoymous cookie" while still allowing you to access your account and use FB features that exist off-FB, I cannot imagine.

  2. Jeez this is so old skool. I have been telling my friends since the dawn of the ‘like’ button that not matter what you do they still track you, whether logged in or not. Google do this all the time through their ad’s system, but I would prefer to give them the information as they offer me so much more in return. Facebook is what Google could have been if their mantra was “Don’t be evil!” Install NoScript and a cookie blocker in FireFox and it should stop The Facebook from collecting information.

    • Oh and I forgot to add that it does not matter if they figure out a way to anonymize the cookies, they can still get you through the HTTP ETag they place on the Like Button image.

  3. See I just thought everyone knew thIs; I’m sure when you select to follow apps while still in Facebook one of the options is/was about connecting and sending data …”even when logged out”… or similar. The fact that liking other pages while not logged in therefore follows on.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.