Yesterday, we learnt that Facebook’s new Timeline feature could reveal just who has “unfriended” whom. Well, it is another day, and not surprisingly, another Facebook privacy debacle has arisen – one that has landed it in much hotter water than other recent concerns – the little matter of Facebook admitting it tracks the web activity of users, even after they have logged out of the social networking site.
Last week, at the f8 Conference and the launch of the new Timeline feature, Facebook also introduced its concept of ‘frictionless sharing,’ where a user’s activity on non-Facebook sites, like music services Spotify, Rdio, and Slacker, and other media sites, could be shared with the user’s Facebook friends on the social network via a corresponding Facebook-integrated app, or each time they clicked a Like button.
The concept of sharing here was meant as a recommendation engine for Facebook users, allowing them to share content easily without requiring repeated sign-ins and other additional steps. The frictionless sharing approach has already met with much criticism, with experts questioning the need for all-or-nothing sharing after clicking the Like button, a button that is littered all over the web.
On Sunday, however, a blog post by security consultant Nik Cubrilovic sparked a raging controversy overnight on the web, arguing that Facebook can track a user’s non-Facebook web activity even after they have explicitly logged out of the service. Cubrilovic showed that Facebook never actually deletes the cookies required to maintain your browsing session with the social networking site; in fact, it adds a few, and changes the expiry date of the rest to a year or more in the future. Anytime a user visits a site with a Facebook Like button onboard, and clicks it, the cookie information of the user is sent to Facebook’s servers.
Elaborating on the issue, Cubrilovic said:
"Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions."
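The logout behaviour Cubrilovic describes can be checked from the Set-Cookie headers a logout response sends: a real logout expires its cookies, while the behaviour at issue leaves them alive with far-future expiry dates. The following is an added example, not code from Cubrilovic's post or from Facebook; the headers, cookie names and the example.com domain are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers standing in for a logout response; the cookie
# names and values are hypothetical, not Facebook's real ones.
LOGOUT_SET_COOKIE = [
    "session_token=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=.example.com",
    "account_id=100001; Expires=Sat, 29 Sep 2012 10:00:00 GMT; Path=/; Domain=.example.com",
    "browser_id=ab12cd34; Max-Age=63072000; Path=/; Domain=.example.com",
    "locale=en_US; Path=/; Domain=.example.com",
]

def parse_set_cookie(header, now):
    """Return (name, value, expiry); expiry is None for a session cookie."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    expiry, max_age_seen = None, False
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":  # Max-Age takes precedence over Expires (RFC 6265)
            expiry, max_age_seen = now + timedelta(seconds=int(val)), True
        elif key == "expires" and not max_age_seen:
            expiry = parsedate_to_datetime(val.strip())
    return name, value, expiry

def audit_logout(headers, now, long_lived=timedelta(days=365)):
    """Classify what each cookie set by the logout response will do."""
    report = {}
    for header in headers:
        name, _, expiry = parse_set_cookie(header, now)
        if expiry is None:
            report[name] = "session-only"        # gone when the browser closes
        elif expiry <= now:
            report[name] = "deleted"             # what a logout should do
        elif expiry - now >= long_lived:
            report[name] = "persists-long-term"  # survives logout for a year or more
        else:
            report[name] = "persists"
    return report

if __name__ == "__main__":
    now = datetime(2011, 9, 27, 10, 0, 0, tzinfo=timezone.utc)  # constructed clock
    for name, verdict in audit_logout(LOGOUT_SET_COOKIE, now).items():
        print(f"{name:15} {verdict}")
```

Any cookie reported as persisting after logout, and carrying an account or browser identifier, will still be sent with later requests to that domain.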
Facebook has defended itself against Cubrilovic’s tracking claims by admitting that it doesn’t delete cookies after a user logs out, but says it uses them for other, security-based purposes, enumerated by self-styled FB engineer Gregg Stefancik below, rather than for the alleged tracking. The cookie data collected is apparently also never shared with third-party vendors or advertisers, and Facebook claims it scrubs the cookie data clean of any extra, inadvertently gained personal information before storing it.
The logged out cookies, specifically, are used primarily for safety and security protections, including:
- Identifying and disabling spammers and phishers
- Disabling registration if an underage user tries to re-register with a different birth date
- Helping people recover hacked accounts
- Powering account security features, such as login approvals and notifications
- Identifying shared computers to discourage the use of “Keep me logged in.”
As it stands right now, Cubrilovic’s blog post has evidently got him a reaction from the company, leading up to a 40-minute conference call in which the social networking giant promised the security consultant it would address the cookie-related issues. This includes two other cookie issues, in addition to fixing the log-out cookie tracking issue within 24 hours and replacing it with a new process in which the cookies will still exist, but will not be identifiable with the user. Until this happens, if Facebook's newest loophole worries you, use a private browsing session like Chrome's incognito mode for cookie-free social networking jamborees.