The End of Privacy: Facebook Tracks Your Moves Even If You Log Out

Facebook Tracking

There are certain things users must sacrifice to play in the world of social media. One of them, to some extent, is privacy, and most who do “give it away” do so knowing that there are certain things they can do to keep private internet browsing, well, private. A common recommended practice for a while has been to log out of Facebook any time you don’t want to be tracked.

Apparently, that’s simply not enough.

Facebook has devised a very clever way to continue tracking where you go and what you do even after you log out. By manipulating cookies at logout, unsetting some, changing others, and adding a few more, Facebook changes what your web browser sends about where and when you visit websites. Rather than deleting the cookies when you log out, Facebook rewrites them in a way that continues to broadcast your moves.

Any page with Facebook code on it (such as Like buttons, Share buttons, or widgets) will still capture your activity and send it to Facebook, even after you log out. Here’s a screenshot of the evidence accumulated by hacker Nik Cubrilovic:

Facebook Cookies

We ran the test independently and came up with similar results as well as the same conclusion.
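The test above amounts to diffing the browser’s cookie jar against the Set-Cookie headers in the logout response: a cookie that is expired or blanked is gone, one that is rewritten or left alone is still sent to every page carrying a Like button. The Python below is an added example, not code from the original post or from Facebook; the cookie names ‘locale’, ‘act’ and ‘lu’ come from the post, the values and the ‘example_session’ cookie are constructed placeholders.

```python
from http.cookies import SimpleCookie

# Cookie jar captured while logged in (constructed sample values, not real ones).
BEFORE_LOGOUT = {
    "locale": "en_US",
    "act": "1317000000000/12",
    "lu": "EXAMPLE_LU_VALUE",
    "example_session": "EXAMPLE_SESSION_ID",
}

# Set-Cookie headers returned by the logout response (constructed sample).
LOGOUT_SET_COOKIE = [
    "example_session=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com",
    "lu=EXAMPLE_LU_CHANGED; expires=Sat, 01-Oct-2013 00:00:00 GMT; path=/; domain=.facebook.com",
    "act=1317000001234/13; path=/; domain=.facebook.com",
]


def classify_logout(before, set_cookie_headers):
    """Return {name: status}, status being 'deleted', 'modified', 'added' or 'kept'.

    A cookie counts as deleted when the server blanks it, sets it to 'deleted',
    expires it in 1970 or sends Max-Age=0; anything else survives the logout.
    """
    result = {name: "kept" for name in before}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            expired = "1970" in morsel["expires"] or morsel["max-age"] == "0"
            if morsel.value in ("", "deleted") or expired:
                result[name] = "deleted"
            elif name not in before:
                result[name] = "added"
            elif morsel.value != before[name]:
                result[name] = "modified"
    return result


def survivors(before, set_cookie_headers):
    """Names of cookies the browser still holds after logout, i.e. the ones that
    accompany every request a third-party page makes to Facebook's widgets."""
    status = classify_logout(before, set_cookie_headers)
    return sorted(name for name, state in status.items() if state != "deleted")
```

With the sample data only the session cookie is removed; ‘act’ and ‘lu’ are rewritten rather than cleared and ‘locale’ is untouched, which is the pattern the screenshot shows.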

Why Would Facebook Track Us?

Over the next few months, we will hear more from companies like Facebook about “improving user experience”. There have already been numerous occasions where user experience demands that we get tracked; smartphones, search engines, and advertising companies have been using data-tracking for “our own good” for years.

The more Facebook knows about us, the better they can serve us… to their advertisers and agencies interested in buying the data (which includes governments). For example, let’s say I’m a fan of Broadway musicals (which I am), but I don’t want my Thursday night poker buddies knowing about it. I could log out of Facebook and check out “How to Succeed in Business Without Really Trying” from the privacy of my own computer. Unfortunately, there’s a Facebook Like button on the page, so they now know my closet interest. They could then start serving me ads about other Broadway musicals that may pique my interest.

Sounds harmless, right? No.

Where does it end? With so many websites adding Facebook buttons, widgets, and thingies to their sites, let’s assume that a good chunk of our web browsing is Facebook-accessible at all times. That sort of data accumulation is not something most people in Western societies want done to them, particularly without their explicit permission.

Oh, wait. We gave permission. By joining Facebook.

Privacy is a luxury if you’re going to play on the social web. Remember, we’re how Facebook makes money. We’re the product.

Recommendations

There are a few options one can use to keep using Facebook while maintaining certain degrees of privacy:

  • HackerNews reports using Adblock Plus with Facebook rules added will do the trick:
    ||facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
    ||facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
    ||fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
    ||fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
  • You could have a “Facebook-Only” browser. In other words, use Firefox, Chrome, Safari, or whatever as your default browser. When you want to interact with Facebook, simply open up Opera or another browser for your social networking. Don’t surf the web on it, just use it for Facebook browsing. If you want to “Like” a web page, open it in your Facebook browser.
  • Clear/block cookies. It’s a simple fix, but for many it’s inconvenient to constantly clear cookies. Still, it works (for now).
  • Use private browsing options on your browser (as mentioned by Dave Hanron below). It’s my least favorite method as it disables some things that many people like such as history, but it’s definitely the most private way to surf.
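What the four Adblock Plus rules above actually do is block any request to a Facebook-owned host unless the page making the request is itself on one of those hosts, so Like buttons embedded on other sites never load (and never carry cookies), while Facebook itself keeps working. The Python below is an added example, not code from the original post or from the Adblock Plus project; it evaluates only the ‘||host^$domain=~a|~b’ rule shape quoted above, using the documented meaning of the ‘||’ anchor (match the host or any subdomain of it).

```python
from urllib.parse import urlparse

# The four rules quoted in the post.
FACEBOOK_RULES = [
    "||facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
    "||facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
    "||fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
    "||fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
]


def parse_rule(rule):
    """Split '||host^$domain=~x|~y' into (host, set of excluded page domains)."""
    pattern, _, options = rule.partition("$")
    if not (pattern.startswith("||") and pattern.endswith("^")):
        raise ValueError("only ||host^ rules are supported: " + rule)
    host = pattern[2:-1]
    excluded = set()
    for opt in options.split(","):
        if opt.startswith("domain="):
            for dom in opt[len("domain="):].split("|"):
                if dom.startswith("~"):  # '~' negates: rule is inactive on that page domain
                    excluded.add(dom[1:])
    return host, excluded


def host_matches(host, rule_host):
    """'||' anchors at a label boundary: exact host or a subdomain of rule_host."""
    return host == rule_host or host.endswith("." + rule_host)


def is_blocked(request_url, page_url, rules=FACEBOOK_RULES):
    """True if a request to request_url made by the page at page_url is blocked."""
    req_host = urlparse(request_url).hostname or ""
    page_host = urlparse(page_url).hostname or ""
    for rule in rules:
        rule_host, excluded = parse_rule(rule)
        if not host_matches(req_host, rule_host):
            continue
        # The rule does not apply when the embedding page is on an excluded domain.
        if any(host_matches(page_host, ex) for ex in excluded):
            continue
        return True
    return False
```

A Like button script fetched by example.com is blocked, the same script fetched by a facebook.com page is allowed, and a host such as notfacebook.com is not caught because ‘||’ anchors on a label boundary.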

Is Facebook evil? Greed for money and power is not necessarily evil, but it can drive people and companies to do evil things. This is one of them. There is nothing they can say to convince us that this was anything other than a move to accumulate as much data as possible about us.

Shame on you, Mark Zuckerberg. Shame on you.

The Facebook Response

This is not an official response from Facebook (as there will not be an official response) but an engineer, Gregg Stefancik, posted a clarifying comment on the original post:

I’m an engineer who works on login systems at Facebook.  Thanks, again for raising these important issues.  We haven’t done as good a job as we could have to explain our cookie practices.  Your post presents a great opportunity for us to fix that.  At the same time, your post reaches some incorrect conclusions that I hope to clarify.

Generally, unlike other major Internet companies, we have no interest in tracking people.  We don’t have an ad network and we don’t sell people’s information.  As we state in our help center (http://www.facebook.com/help/?…, “We do not share or sell the information we see when you visit a website with a Facebook social plugin to third parties and we do not use it to deliver ads to you.”

Said more plainly, our cookies aren’t used for tracking.  They just aren’t.  Instead, we use our cookies to either provide custom content (e.g. your friend’s likes within a social plugin), help improve or maintain our service (e.g. measuring click-through rates to help optimize performance), or protect our users and our service (e.g. defending denial of service attacks or requiring a second authentication factor for a login from a suspicious location).

The logged out cookies, specifically, are used primarily for safety and security protections, including:

  • Identifying and disabling spammers and phishers
  • Disabling registration if an underage user tries to re-register with a different birth date
  • Helping people recover hacked accounts
  • Powering account security features, such as login approvals and notifications
  • Identifying shared computers to discourage the use of “Keep me logged in.”

Most of the cookies that you highlight have benign names and values.  For example, the “locale” cookie is simply the user’s language and country. I do understand some of the confusion around the ‘act’ and ‘lu’ cookies.  The poorly named ‘act’ cookie is a UNIX timestamp with milliseconds and a sequence number that we use to measure and optimize the speed of the site (‘act’ is an abbreviation for “action”).  We use the ‘lu’ cookie to identify public computers and discourage the checking of the keep me logged in box.  On single user computers, we use the ‘lu’ cookie to prefill your Facebook e-mail address on the login screen if you have *not* explicitly logged out.

We also maintain a cookie association between accounts and browsers.  This is a key element of our phishing protections.  However, contrary to your article, we do delete account-specific cookies when a user logs out of Facebook.  As a result, we do not receive personally identifiable cookie information via HTTP Headers when these users browse the web.

Finally, we’ve confirmed that we don’t, and never have, used cookies to suggest friends.  If you send us the user IDs of the test accounts you created, I’m happy to investigate further.

Again, my apologies that your previous concerns were not addressed.  Since your reports, we’ve introduced a bug bounty program to streamline and reward whitehat security reports (http://www.facebook.com/note.p….  I hope this more secure and reliable channel will be useful for you.  We really hope you’ll continue to let us know about issues you see.

I hope these clarifications were helpful.  Please let me know if you’d like to discuss further.

What Gregg should know (or maybe he shouldn’t) is that Facebook is very much in the business of utilizing user data for its advertising. It’s the whole reason that the site is profitable. Internally, they do what they need to do to keep the honest engineers feeling positive about their work, but the data is collected and used. Period. Thinking otherwise is foolish.

Just because it’s meant as technology to protect us from ourselves (i.e. not logging out at the library) doesn’t make it right.

Comments

  1. JD Rucker says

    @Dave – totally. Added it to the list. I personally don’t like it as I feel it disables too much, but definitely an option and widely used.

  2. says

    I had a feeling there were some serious implications attached to all these FB changes they claimed would better our “user experience”. With FB predicting 5.74 billion in ad revenue for 2012 I had a feeling there were some improvements in data mining they were about to unleash. After the F8 conference I deactivated my account, this just isn’t worth it. Social media is supposed to be fun and private to some extent, but I feel FB has crossed the line and I am choosing to opt out. I wonder how big of a backlash, if any, FB will see when it comes to user accounts being deactivated? Netflix thought they could almost double their subscription fees and not lose anyone but they saw a huge backlash, I wonder if Zuckerberg will learn that he’s not the reason we are on FB- our friends are…

  3. says

    Users need to understand that they are giving up something (privacy) in order to use this “free” service. Since you are choosing to use Facebook, you really can’t complain. The only thing you can do is deactivate your account.

  4. Scott says

    Way ahead of y’all. I went in and changed everything (and I mean EVERYTHING) and deleted all possible identifying content. I created a false email and replaced my original. I’ve sent in my deactivate request.

  5. says

    I created threadthat.com as a free forum to share with friends without giving up your privacy. Everything you share is encrypted in-transit and at rest. You have the option of creating your own encryption passkeys. You don’t have to give anything up to get online privacy for free. There is no advertising and the site generates no revenue.

  6. gold says

    Users need to understand that they are automatically giving up privacy in order to use this “free” service. Since you are choosing to use Facebook, you really can’t complain when the network finds ways to keep you attached and always connected as it invades personal privacy.

  7. says

    JD — great post and thanx for going to all this trouble to experiment and post the Cookie code — and also thx for posting both sides of the argument — very professional. Nancy Lyons did a post today on FB changes that you might want to weigh in on also: t.co/IQm3fd8w

  8. says

    Gregg Stefancik did not mention that they use their cookies to prevent the creation of multiple accounts. There are many reasons to do so: you create a page for your school or college, your community, your neighborhood…etc. If they say use fan pages instead, then there is a problem! You can’t share content from web sites to your fan pages using the like button.

    I think Facebook has to provide a “logout and clear all cookies” option in addition to the logout option.

    Thank you for a great post.

  9. says

    Hello, neat post. There’s a problem with your site in Internet Explorer, would you check this? IE is still the marketplace chief and a huge number of other people will miss your excellent writing due to this problem.

  11. says

    It is really a great and useful piece of info. I’m satisfied that you simply shared this useful info with us.

    Please keep us informed like this. Thank you for sharing.

  12. says

    Hi superb website! Does running a blog like this require a large amount of work? I have no expertise in programming however I was hoping to start my own blog in the near future. Anyhow, if you have any suggestions or tips for new blog owners please share. I know this is off topic nevertheless I simply needed to ask. Thanks!

  13. says

    Hi there! This post couldn’t be written any better! Looking through this article reminds me of my previous roommate!

    He always kept preaching about this. I am going to send this post to him. Pretty sure he will have a great read. Thank you for sharing!
