Facebook accused of tracking logged-off users

Facebook has been accused of tracking users even after they have logged out.

Facebook continues to use cookies to follow people across the web, even when they’re done using the site, according to Australian hacker and writer Nik Cubrilovic.

“Logging out of Facebook only de-authorises your browser from the web application, a number of cookies (including your account number) are still sent along to all requests to facebook.com,” Cubrilovic said in a blog post discussing the issue.

“Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.”

According to HTTP headers in traffic logs shown by Cubrilovic, Facebook sent nine different cookies, even after users logged out.

[If you login on a public terminal and then hit ‘logout’, you are still leaving behind fingerprints of having been logged in

“This is not what ‘logout’ is supposed to mean – Facebook is only altering the state of the cookies instead of removing all of them when a user logs out,” he said.

Although Facebook said the tracking is to improve user experience, the logged-off tracking data could represent a useful source for mining users’ habits, and pose a security risk on public computers.

“There are serious implications if you are using Facebook from a public terminal,” Cubrilovic said. “If you log in on a public terminal and then hit ‘log out’, you are still leaving behind fingerprints of having been logged in.

“As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser. Associating an account ID with a real name is easy – as the same ID is used to identify your profile.”

Facebook feedback

Facebook has yet to respond to a request for comment from PC Pro, but the company appears to have used the blog itself to address the issue.

“I’m an engineer who works on login systems at Facebook. We haven’t done as good a job as we could have to explain our cookie practices,” Gregg Stefancik posted on the blog, adding that he believed there were inaccuracies in the assertions made.

“Generally, unlike other major internet companies, we have no interest in tracking people,” he said. “We don’t have an ad network and we don’t sell people’s information. Our cookies aren’t used for tracking.”

Stefancik, said the undeleted cookies were used to either “provide custom content (for example, your friend’s likes within a social plugin), help improve or maintain our service (measuring click-through rates to help optimise performance), or protect our users and our service (for example, defending denial of service attacks)”.