There are certain things users must sacrifice to play in the world of social media. One of them, to some extent, is privacy, and most who do “give it away” do so knowing that there are certain things they can do to keep private internet browsing, well, private. A common recommended practice for a while has been to log out of Facebook any time you don’t want to be tracked.
Apparently, that’s simply not enough.
Facebook has devised a very clever way to continue to track where you’re going and what you’re doing even if you log out. Through cookie manipulation by unsetting some, changing others, and adding a few more, Facebook is able to change the way your web browser sends data about where and when you visit websites. Rather than delete the cookies when you initiate the logout protocol, Facebook changes them in a way that will continue to broadcast your moves.
Any page with Facebook codes on them (such as Like buttons, Share buttons, or widgets) will still capture your activity and send it to Facebook, even after you log out. Here’s a screenshot of the evidence accumulated by hacker Nik Cubrilovic:
We ran the test independently and came up with similar results as well as the same conclusion.
Why Would Facebook Track Us?
Over the next few months, we will hear more from companies like Facebook about “improving user experience”. There have already been numerous occasions where user experience demands that we get tracked; smartphones, search engines, and advertising companies have been using data-tracking for “our own good” for years.
The more Facebook knows about us, the better they can serve us… to their advertisers and agencies interested in buying the data (which includes governments). For example, let’s say I’m a fan of Broadway musicals (which I am), but I don’t want my Thursday night poker buddies knowing about it. I could log out of Facebook and check out “How to Succeed in Business Without Really Trying” from the privacy of my own computer. Unfortunately, there’s a Facebook Like button on the page, so they now know my closet interest. They could then start serving me ads about other Broadway musicals that may pique my interest.
Sounds harmless, right? No.
Where does it end? With so many websites adding Facebook buttons, widgets, and thingies to their sites, let’s assume that a good chunk of our web browsing is Facebook-accessible at all times. That sort of data accumulation is not something that standard western-society humans are wanting done to them, particularly without our explicit permission.
Oh, wait. We gave permission. By joining Facebook.
Privacy is luxury if you’re going to play on the social web. Remember, we’re how Facebook makes money. We’re the product.
There are a few options one use to continue to use Facebook but maintain certain degrees of privacy:
- HackerNews reports using Adblock Plus with Facebook rules added will do the trick:
- You could have a “Facebook-Only” browser. In other words, use Firefox, Chrome, Safari, or whatever as your default browser. When you want to interact with Facebook, simply open up Opera or another browser for your social networking. Don’t surf the web on it, just use it for Facebook browsing. If you want to “Like” a web page, open it in your Facebook browser.
- Clear/block cookies. It’s a simple fix, but for many it’s inconvenient to constantly clear cookies. Still, it works (for now).
- Use private browsing options on your browser (as mentioned by Dave Hanron below). It’s my least favorite method as it disables some things that many people like such as history, but it’s definitely the most private way to surf.
Is Facebook evil? Greed over money and power are not necessarily evil, but they can drive people and companies to do evil things. This is one of them. There is nothing that they can say to convince us that this was anything other than a move to accumulate as much data as possible about us.
Shame on you, Mark Zuckerberg. Shame on you.
The Facebook Response
This is not an official response from Facebook (as there will not be an official response) but an engineer, Gregg Stefancik, posted a clarifying comment on the original post:
I’m an engineer who works on login systems at Facebook. Thanks, again for raising these important issues. We haven’t done as good a job as we could have to explain our cookie practices. Your post presents a great opportunity for us to fix that. At the same time, your post reaches some incorrect conclusions that I hope to clarify.
Generally, unlike other major Internet companies, we have no interest in tracking people. We don’t have an ad network and we don’t sell people’s information. As we state in our help center (http://www.facebook.com/help/?…, “We do not share or sell the information we see when you visit a website with a Facebook social plugin to third parties and we do not use it to deliver ads to you.”
Said more plainly, our cookies aren’t used for tracking. They just aren’t. Instead, we use our cookies to either provide custom content (e.g. your friend’s likes within a social plugin), help improve or maintain our service (e.g. measuring click-through rates to help optimize performance), or protect our users and our service (e.g. defending denial of service attacks or requiring a second authentication factor for a login from a suspicious location).
The logged out cookies, specifically, are used primarily for safety and security protections, including:
- Identifying and disabling spammers and phishers
- Disabling registration if an underage user tries to re-register with a different birth date
- Helping people recover hacked accounts
- Powering account security features, such as login approvals and notifications
- Identifying shared computers to discourage the use of “Keep me logged in.”
Most of the cookies that you highlight have benign names and values. For example, the “locale” cookie is simply user’s language and country. I do understand some of the confusion around the ‘act’ and ‘lu’ cookies. The poorly named ‘act’ cookie is a UNIX timestamp with milliseconds and a sequence number that we use to measure and optimize the speed of the site (‘act’ is an abbreviation for “action”). We use the ‘lu’ cookie to identify public computers and discourage the checking of the keep me logged in box. On single user computers, we use the ‘lu’ cookie to prefill your facebook e-mail address on the login screen if you have *not* explicitly logged out.
We also maintain a cookie association between accounts and browsers. This is a key element of our phishing protections. However, contrary to your article, we do delete account-specific cookies when a user logs out of Facebook. As a result, we do not receive personally identifiable cookie information via HTTP Headers when these users browse the web.
Finally, we’ve confirmed that we don’t, and never have, used cookies to suggest friends. If you send us the user IDs of the test accounts you created, I’m happy to investigate further.
Again, my apologies that your previous concerns were not addressed. Since your reports, we’ve introduced a bug bounty program to streamline and reward whitehat security reports (http://www.facebook.com/note.p…. I hope this more secure and reliable channel will be useful for you. We really hope you’ll continue to let us know about issues you see.
I hope these clarifications were helpful. Please let me know if you’d like to discuss further.
What Gregg should know (or maybe he shouldn’t) is that Facebook is very much in the business of utilizing user data for its advertising. It’s the whole reason that the site is profitable. Internally, they do what they need to do to keep the honest engineers feeling positive about their work, but the data is collected and used. Period. Thinking otherwise is foolish.
Just because it’s meant as technology to protect us from ourselves (ie not logging out at the library) doesn’t make it right.