It has been hard to avoid the word Facebook in the news recently. At the company’s F8 conference two weeks ago, the network announced big changes to the user experience: the new Timeline profile, partnerships with music streaming sites like Spotify and the “open graph” concept. All of these changes will, of course, have large implications for user privacy and security on the social networking site. However, we found it hard to focus on them when, just a few days after the conference, an Australian hacker revealed a huge security issue: Facebook was setting cookies that continued to track its users even after they had logged out of the site.
In his blog on Sunday, September 25, Nik Cubrilovic wrote, “Even if you are logged out, Facebook still knows and can track every page you visit that has Facebook integrated.” As he investigated the tracking further, Cubrilovic realized that the only way for users to escape Facebook’s scrutiny is to delete every Facebook cookie in their browser or use a separate browser for Facebook. Even scarier than the accusation is that it is true: Facebook confirmed it to the Wall Street Journal.
The article explains how Facebook data collection really works: “When you log in to Facebook or visit Facebook.com without logging in, the site places small files called ‘cookies’ on your computer. Some of these cookies remain on your computer even after you log out, and then whenever you visit a site that connects to Facebook – such as those with a ‘Like’ button – information from those cookies is sent back to Facebook, providing a record of where you’ve been on the Web.” Facebook claims that they are not using this information to serve advertisements and that they also “scrub” the information out of their system. They also assert that they use the cookies to prevent phishing attacks.
After making the declaration that they should “be trusted,” as reported by CNET, Facebook ended up deleting many of these offending cookies. However, PCMag confirmed that not all cookies were removed and the ones that are still active are there primarily for security reasons. The article explains: “A cookie known as ‘datr,’ for example, helps identify suspicious login activity, while another called ‘lu,’ protects those using public computers.”
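The mechanism described above can be replayed offline. The following is an added example, not code from Facebook or from any of the articles cited: it applies a constructed logout response to a constructed cookie jar and lists which cookies a browser would still attach when a page embeds a Like button served from www.facebook.com. Only the names datr and lu come from the article; the other cookie names, all values and news.example are assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample data. 'datr' and 'lu' are named in the article; the other
# cookie names, all values, and news.example are hypothetical.
JAR = {
    "datr": {"value": "d1", "domain": "facebook.com"},
    "lu": {"value": "l1", "domain": "facebook.com"},
    "sess": {"value": "s1", "domain": "facebook.com"},
    "uid": {"value": "1001", "domain": "facebook.com"},
    "prefs": {"value": "dark", "domain": "news.example"},
}
LOGOUT_SET_COOKIE = [
    "sess=deleted; Max-Age=0; Domain=facebook.com; Path=/",
    "uid=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Domain=facebook.com; Path=/",
]

def is_expiry(morsel, now):
    """True if this Set-Cookie tells the browser to delete the cookie."""
    if morsel["max-age"]:
        return int(morsel["max-age"]) <= 0  # Max-Age takes precedence over Expires
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]) <= now
    return False

def apply_set_cookie(jar, headers, now=None):
    """Return the jar as it looks after the browser processes the headers."""
    now = now or datetime.now(timezone.utc)
    jar = dict(jar)
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if is_expiry(morsel, now):
                jar.pop(name, None)  # only cookies the server names are removed
            else:
                domain = morsel["domain"].lstrip(".")
                jar[name] = {"value": morsel.value, "domain": domain}
    return jar

def cookies_sent_to(jar, host):
    """Names of cookies a browser would attach to a request for `host`."""
    return sorted(n for n, c in jar.items()
                  if host == c["domain"] or host.endswith("." + c["domain"]))

after_logout = apply_set_cookie(JAR, LOGOUT_SET_COOKIE)
# A page on news.example embeds a Like button served from www.facebook.com:
print(cookies_sent_to(after_logout, "www.facebook.com"))
```

The same check can be run against the Set-Cookie headers of a real logout response to see which identifiers a site leaves behind. The model ignores Path, Secure, SameSite and third-party cookie blocking.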
Users must decide which is more important: Facebook or their privacy and security?
Note: At the time of writing, this issue is still making news. Facebook has been sued over the tracking of logged-out users and also continues to track despite claims that the “bug” was fixed. According to Consumerreports.org, various privacy advocates and lawmakers are also calling for an FTC probe of the social network.