A hacker says on his blog that he's found proof that Facebook tracks users while they're logged out. A Facebook rep fires back in the comments section.
It’s pretty amazing how Facebook can suggest friends for you based on the most ephemeral of connections. Or how about when you log in and see ads for services you were just searching for on Google? Or what about when Facebook synced all of your cell phone contacts to the site without you realizing you’d allowed it? What about the new API that allows apps to post items on your timeline without you doing anything at all? Not to mention the frequent design changes that move your privacy settings under different menus and submenus.
Maybe you’re thinking “Well maybe if I just log out of Facebook....”
Logging out is not enough, says self-professed hacker, entrepreneur, and writer Nik Cubrilovic.
“…Logging out of Facebook only deauthorizes your browser from the web application; a number of cookies (including your account number) are still sent along to all requests to Facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit,” he wrote in a blog post Sunday.
Yes. Even when you’re logged out.
In a series of browser cookie diagrams (cookies being something most of us rarely examine closely), Cubrilovic shows that not all of those cookies are deleted when you log out.
“The primary cookies that identify me as a user are still there (act is my account number), even though I am looking at a logged out page. Logged out requests still send nine different cookies, including the most important cookies that identify you as a user…Facebook are only altering the state of the cookies instead of removing all of them when a user logs out,” he writes.
Basically, any site that integrates Facebook (any site with a “suggest to friends,” “like,” or “share” button) loads that button from Facebook’s own servers, and the browser attaches its Facebook cookies to that request. So even while logged out, your information, including your account ID, is still being sent to Facebook from every such page you visit.
He goes on to explain an experiment he conducted using multiple Facebook accounts from the same browser. Each time he logged out, the fake accounts would still receive suggestions to friend his primary account. Somehow Facebook knew that the accounts were all coming from the same browser.
“There are serious implications if you are using Facebook from a public terminal. If you login on a public terminal and then hit 'logout', you are still leaving behind fingerprints of having been logged in. As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser. Associating an account ID with a real name is easy--as the same ID is used to identify your profile,” he wrote.
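To make the mechanism concrete, here is an added example; it is not code from Cubrilovic’s post or from Facebook. It is a small Node.js cookie jar that applies the same domain and path matching rules a browser uses to decide which cookies ride along with a request, plus two ways a server can handle logout. The `act` cookie name comes from the post; `sess`, `browser_id`, the hostnames and the plugin URL are hypothetical stand-ins. It shows why the embedding site does not matter (the Like button is loaded from facebook.com, so the request is matched against facebook.com’s cookies, assuming the browser sends cookies on third-party requests, as browsers did by default at the time), why changing a cookie’s value on logout leaves the account number in every later request, and what a server has to send to actually remove a cookie: a Set-Cookie with Max-Age=0 or an Expires in the past.

```javascript
// Added example, not code from Cubrilovic's post or from Facebook. A toy cookie
// jar with browser-style domain/path matching, and two logout models.
// "act" is the account-number cookie named in the post; "sess" and "browser_id"
// are hypothetical names for a session cookie and a browser-association cookie.

const LOGIN_HOST = 'www.facebook.com';
// A Like button on a third-party page is an embed fetched from facebook.com;
// the embedding site's hostname (news.example here) plays no part in cookie selection.
const LIKE_BUTTON_URL = 'https://www.facebook.com/plugins/like.php?href=https://news.example/story';

class CookieJar {
  constructor() {
    this.cookies = new Map(); // "domain|path|name" -> {name, value, domain, path, expires}
  }

  // Apply one Set-Cookie header value from a response sent by `responseHost`.
  setCookie(responseHost, header) {
    const parts = header.split(';').map((p) => p.trim());
    const eq = parts[0].indexOf('=');
    if (eq < 0) return;
    const name = parts[0].slice(0, eq).trim();
    const value = parts[0].slice(eq + 1).trim();
    let domain = responseHost.toLowerCase();
    let path = '/';
    let expires = Infinity; // session cookie unless Max-Age/Expires says otherwise
    for (const attr of parts.slice(1)) {
      const i = attr.indexOf('=');
      const k = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
      const v = i < 0 ? '' : attr.slice(i + 1).trim();
      if (k === 'domain') domain = v.replace(/^\./, '').toLowerCase();
      else if (k === 'path') path = v || '/';
      else if (k === 'max-age') expires = Date.now() + Number(v) * 1000;
      else if (k === 'expires') expires = Date.parse(v);
      // Secure / HttpOnly do not change which cookies this model attaches.
    }
    const key = `${domain}|${path}|${name}`;
    // An already-expired Set-Cookie (Max-Age=0 or a past Expires) is how a server
    // removes a cookie: the jar drops it instead of storing it.
    if (expires <= Date.now()) this.cookies.delete(key);
    else this.cookies.set(key, { name, value, domain, path, expires });
  }

  // RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it.
  static domainMatches(host, cookieDomain) {
    return host === cookieDomain || host.endsWith('.' + cookieDomain);
  }

  // RFC 6265 path-match: equal, or cookie path is a directory prefix of the request path.
  static pathMatches(reqPath, cookiePath) {
    if (reqPath === cookiePath) return true;
    if (!reqPath.startsWith(cookiePath)) return false;
    return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
  }

  // Cookies a browser would attach to a request for `url`, whatever page embeds it.
  cookiesFor(url) {
    const u = new URL(url);
    const host = u.hostname.toLowerCase();
    const now = Date.now();
    return [...this.cookies.values()].filter((c) =>
      c.expires > now &&
      CookieJar.domainMatches(host, c.domain) &&
      CookieJar.pathMatches(u.pathname, c.path));
  }

  cookieHeaderFor(url) {
    return this.cookiesFor(url).map((c) => `${c.name}=${c.value}`).join('; ');
  }

  cookieNamesFor(url) {
    return this.cookiesFor(url).map((c) => c.name).sort();
  }

  // What a user on a shared terminal has to do by hand: drop every cookie for the domain.
  clearDomain(domain) {
    for (const [key, c] of this.cookies) {
      if (CookieJar.domainMatches(c.domain, domain)) this.cookies.delete(key);
    }
  }
}

// Hypothetical login response: a session cookie, the account-number cookie and a
// long-lived browser-association cookie, all scoped to the whole facebook.com domain.
function login(jar) {
  jar.setCookie(LOGIN_HOST, 'sess=s3cr3t; Domain=.facebook.com; Path=/; HttpOnly; Secure');
  jar.setCookie(LOGIN_HOST, 'act=1234567890; Domain=.facebook.com; Path=/');
  jar.setCookie(LOGIN_HOST, 'browser_id=b0wser; Domain=.facebook.com; Path=/; Max-Age=63072000');
}

// Model of the behaviour the post describes: logout changes a cookie's value
// but removes nothing, so "act" still rides along on every later request.
function logoutAlterOnly(jar) {
  jar.setCookie(LOGIN_HOST, 'sess=loggedout; Domain=.facebook.com; Path=/');
}

// Model of a logout that actually expires the account-specific cookies.
function logoutExpireAccountCookies(jar) {
  jar.setCookie(LOGIN_HOST, 'sess=; Domain=.facebook.com; Path=/; Max-Age=0');
  jar.setCookie(LOGIN_HOST, 'act=; Domain=.facebook.com; Path=/; Max-Age=0');
}

// Sorted names of the cookies the Like-button request would carry.
function widgetCookies(jar) {
  return jar.cookieNamesFor(LIKE_BUTTON_URL);
}

if (typeof require !== 'undefined' && require.main === module) {
  const jar = new CookieJar();
  login(jar);
  console.log('logged in, Like button request sends :', jar.cookieHeaderFor(LIKE_BUTTON_URL));
  console.log('request to the embedding site sends  :', JSON.stringify(jar.cookieHeaderFor('https://news.example/story')));
  logoutAlterOnly(jar);
  console.log('after alter-only logout              :', jar.cookieHeaderFor(LIKE_BUTTON_URL));
  logoutExpireAccountCookies(jar);
  console.log('after expiring account cookies       :', jar.cookieHeaderFor(LIKE_BUTTON_URL));
  jar.clearDomain('facebook.com');
  console.log('after clearing the domain            :', JSON.stringify(jar.cookieHeaderFor(LIKE_BUTTON_URL)));
}
```

Run it with `node` to print the Cookie header the widget request would carry at each stage. The alter-only logout leaves `act=1234567890` in the header; only an expiring Set-Cookie removes it, and the browser-association cookie outlives both logouts until the user clears the domain’s cookies themselves, which is the public-terminal problem Cubrilovic raises.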
The first comment on Cubrilovic’s post came from a user named Gregg Stefancik, who identified himself as an engineer who works on Facebook’s login systems.
“We haven’t done as good as job as we could have to explain our cookie practices,” but Facebook is not interested in tracking users outside of Facebook, he said. Stefancik says the cookies are used to help provide users with custom content and security.
The altered-but-not-deleted cookies are used to identify spammers, identify shared computers, help people recover hacked accounts, and power security features like login approvals and notifications, he said.
“We also maintain a cookie association between accounts and browsers….However, contrary to your article, we do delete account-specific cookies when a user logs out of Facebook,” he says.
But what about the psychic friend suggestions on Facebook, a phenomenon experienced by a number of Facebook users? Take a look at the confusion on this thread.
“We don’t, and never have, used cookies to suggest friends. If you send us the user IDs of the test accounts you created, I’m happy to investigate further,” Stefancik says. Stefancik then suggests Cubrilovic submit his information to Facebook’s bug bounty program.
So, by Facebook’s account, it does keep some cookies after you log out, but their purpose is security, and all account-specific cookies are deleted. Interesting response, but for the people who have actually experienced Facebook’s psychic powers, it may take a little more convincing.
“I have no reason to believe you do anything but your job, but the answers leave gaps wide enough to drive a truck through. So I'm not buying it. For me, FB is the 2nd biggest security and privacy risk for an Internet user,” an anonymous commenter replied to Stefancik.
photo by GOIABA/flickr