Facebook tracks users, even when logged out
Two days ago, Australian blogger and security consultant Nik Cubrolovic wrote a detailed article about how Facebook uses a system of browser cookies to track the websites that Facebook users visit when they have logged-out.
The story has become big news, especially for privacy advocates and those concerned about Facebook’s motives. Facebook has promised to fix the issue.
Browser cookies are small computer files that can collect information about a user as they browse the internet. Cookes are used by most websites (usually for statistical purposes), but are especially important for websites that require a log-in function in order for users to access their services. The cookies enable the website to ‘remember’ that a user is logged-in and who they are, so that the correct information can be presented. Without cookies, a user would be logged-out at every click.
Normally when a user logs-off a website, the cookies are deleted and personally-identifiable information is removed. In this instance, the cookies were being retained.
Through the use of Facebook “Like” buttons, Facebook servers are able to access the information within those cookies and so identify the browsing habits of individual users. That information includes a Facebook user ID, so that browsing habits can be matched to users.
According to the Wall Street Journal, Facebook acknowledges that it gets that data but says it deletes it right away. The company says the data is sent because of the way the “Like” button system is set up; any cookies that are associated with Facebook.com will automatically get sent when a person views a “Like” button.
Since writing his original post, Cubrolovic has published a table which shows exactly what cookies are being retained and what information they contain.
Cubrolovic claims on his blog that he’d contacted Facebook twice before he published his article in an attempt to alert them to the issue. They never responded. Now that Cubrolovic has made his discovery public, the story has made global headlines and Facebook has promised to fix the security issue within 24 hours.
When it comes to privacy, Facebook has a chequered history. This latest revelation will provide no comfort to users who may already be concerned or even suspicious about how Facebook monitors users.
It’s fair to say that many people would expect Facebook to track their behaviour within their website, but few would have expected them to be monitoring behaviour outside its confines.
One suggested safeguard is to use your browser in its “privacy mode”, which prevents the saving of any cookies at the closure of each session.
Internet Explorer 9 users: In the menu, go to Tools > InPrivate Browsing, or choose Ctrl + Shift + P
Firefox users: Open a new window then in the menu, go to Tools > Start Private Browsing or press Ctrl + Shift + P
Google Chrome users: Click on the spanner symbol, then select ‘New Incognito Window’ or press Ctrl + Shift + N
Apple Safari users: Click on the ‘gears’ icon (top-right corner), then choose Private Browsing… and select “OK”.