PEOPLE DATABASE Facebook has been accused of tracking its users around the internet even after they have logged out of its web pages.
The firm recently announced a number of changes to its users' web pages, including Timeline, which is a feature that displays a user's life on one page.
Users hoping to avoid something described as "frictionless sharing", a Facebook feature that lets applications post status items to your timeline, have been advised to log out of the web site. However, according to hacker and writer Nik Cubrilovic, this does not work.
"The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests to facebook.com," he writes.
"Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions."
Cubrilovic raised the issue with Facebook a year ago, he writes, and then once again. With new privacy complaints being fired at the firm he has decided to raise it again.
"This is not what 'logout' is supposed to mean - Facebook are only altering the state of the cookies instead of removing all of them when a user logs out," he writes.
"With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook. The only solution to Facebook not knowing who you are is to delete all Facebook cookies," he adds. "You can test this for yourself using any browser with developer tools installed. It is all hidden in plain sight."
This feature has other connotations, according to the blogger, who adds that Facebook retaining information about the user within the browser, again even after logging out, has "serious implications" for people accessing the web site from a public terminal like a web cafe.
"If you login on a public terminal and then hit 'logout', you are still leaving behind fingerprints of having been logged in. As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser," he adds.
"Facebook knows every account that has accessed Facebook from every browser and is using that information to suggest friends to you. The strength of the 'same machine' value in the algorithm that works out friends to suggest may be low, but it still happens."
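The test Cubrilovic describes comes down to comparing the cookies a browser holds while logged in with what the logout response actually expires. The sketch below is an added example, not code from Cubrilovic or Facebook; the cookie names, values and headers are constructed placeholders for a hypothetical site, and Domain/Path scoping is ignored.

```javascript
// Added example: cookie names, values and headers are constructed placeholders.
// Simplification: Domain/Path scoping is ignored (one site, one jar).

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), maxAge: null, expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    if (key === 'max-age') cookie.maxAge = parseInt(attr.slice(i + 1), 10);
    if (key === 'expires') cookie.expires = new Date(attr.slice(i + 1));
  }
  return cookie;
}

// A Set-Cookie removes a cookie only if it expires it: Max-Age <= 0, or
// (when no valid Max-Age is given) an Expires date that is not in the future.
function isDeletion(cookie, now) {
  if (cookie.maxAge !== null && !Number.isNaN(cookie.maxAge)) return cookie.maxAge <= 0;
  return cookie.expires !== null && cookie.expires.getTime() <= now.getTime();
}

function auditLogout(jarBefore, logoutSetCookies, now = new Date()) {
  const jar = new Map(Object.entries(jarBefore));
  // "altered" covers cookies rewritten (or newly set) with a live expiry.
  const report = { deleted: [], altered: [], untouched: [] };
  for (const header of logoutSetCookies) {
    const c = parseSetCookie(header);
    if (isDeletion(c, now)) {
      if (jar.delete(c.name)) report.deleted.push(c.name);
    } else {
      jar.set(c.name, c.value);
      report.altered.push(c.name);
    }
  }
  report.untouched = [...jar.keys()].filter((n) => !report.altered.includes(n));
  // What the browser would still attach to the next request to this site.
  report.cookieHeader = [...jar].map(([n, v]) => `${n}=${v}`).join('; ');
  return report;
}

// Constructed capture: jar while logged in, then the logout response headers.
const jarBefore = { session_token: 'S3cr3t', logged_in: '1', account_id: '1000001', browser_id: 'b-7f2a' };
const logoutSetCookies = [
  'session_token=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/',
  'logged_in=0; Max-Age=63072000; Path=/',
];
console.log(auditLogout(jarBefore, logoutSetCookies));
```

Anything listed under `untouched` or `altered` is still in the jar after logout and goes out with every later request to the site, including requests triggered by embedded widgets on other pages.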
Cubrilovic, who has contacted the firm twice already, seems to be bored with the Facebook process and its apparent refusal to acknowledge problems with its web pages.
"I reported this issue to Facebook in a detailed email and got the bounce around. I emailed somebody I knew at the company and forwarded the request to them. I never got a response," he adds.
"The entire process was so flaky and frustrating that I haven't bothered sending them two XSS holes that I have also found in the past year. They really need to get their shit together on reporting privacy issues, I am sure they take security issues a lot more seriously."
Update
We asked Facebook for a response to the accusations and it pointed us back to the Facebook engineer that had commented under Cubrilovic's post.
"I'm an engineer who works on login systems at Facebook. Thanks, again for raising these important issues. We haven't done as good a job as we could have to explain our cookie practices," writes the engineer, Gregg Stefancik.
"Generally, unlike other major Internet companies, we have no interest in tracking people. We don't have an ad network and we don't sell people's information. As we state in our help center ‘We do not share or sell the information we see when you visit a website with a Facebook social plugin to third parties and we do not use it to deliver ads to you'... Said more plainly, our cookies aren't used for tracking. They just aren't."
So, although it looks like they are tracking users, in fact they are not. Rather, if we understand correctly, they accompany them on their travels. This sounds intrusive to us, but hey, we ain't Facebook.
"Instead, we use our cookies to either provide custom content (e.g. your friend's likes within a social plugin), help improve or maintain our service (e.g. measuring click-through rates to help optimize performance), or protect our users and our service (e.g. defending denial of service attacks or requiring a second authentication factor for a login from a suspicious location)," he adds.
Logged-out cookies, the ones that the firm does keep once a user has logged out, are for safety and security. Stefancik said that they were used to help people recover hacked accounts, identify spammers and phishers, and identify shared computers in order to help people log out correctly.
"[We] maintain a cookie association between accounts and browsers," he adds. "This is a key element of our phishing protections. However, contrary to your article, we do delete account-specific cookies when a user logs out of Facebook. As a result, we do not receive personally identifiable cookie information via HTTP Headers when these users browse the web." µ
I feel a lot safer browsing facebook now thanks to this tool I'm trying. I recommend it to everyone! http://www.donottrackplus.com/giveaway.php
Cookies are nice for many websites, but these security issues have made private browsing more appealing to me lately. Most browsers have a simple command line switch that can be added to the shortcut to launch the browser in private browsing mode. Such as Chrome: chrome.exe -incognito, Internet Explorer: iexplore.exe -private, etc...
Sure you sacrifice your history, and it sucks that websites don't remember your settings. The author of this article is on to something though. I personally use Chrome to surf anonymously and IE to surf regularly. “Gotta keep’em separated”.
Anyone so stupid as to not grasp that it's TOTALLY tracking use not only on-site but every site, are the sort of ninnies who burden the rest of us. -- And we're vastly outnumbered, so future looks dim.)
Facebook annoys even me with their ads on other sites, but I've put it in my "hosts" file and see only a blocked message. Also the Noscript extension for Firefox makes it easy to toss your cookies (!), can be configured for a button up top. No one should be without both a "hosts" file to block sites and Noscript to block javascript (be sure to remove go_ogle from the whitelist, major pest).
Will you be friends with me?
website managers of facebook who bad people and make families and college SOCIAL AND LEISURE GROUPS NEIGHBORS EVEN split up get a buzz out of it then blame the disabled call us lot trouble makers when we aren't bad people to be fair they have no right posting things to social groups and to adult entertainment sites who the bad ones really facebook manaege lack of who shouldn't be letting in these porn adult websites then blame learning disabled for all the trouble now stop it you know what facebook is like you all we all still choose to use it.
to be honest I feel that they should be tracking everything on facebook, as there are a lot of bad people that use it and use it for bad and wrong reasons. If you got nothing to hide then it's not a problem in my eyes.