Facebook has admitted its cookies could have been used to track people after they had logged out of the social-networking service, but said it has now remedied the problem.
Facebook says it has fixed a problem with cookies that could be used to identify users when they visit other websites. Photo credit: Facebook
On Wednesday, Facebook acknowledged the three cookies contained personally identifiable data, as revealed by Australian researcher Nik Cubrilovic in a blog post earlier in the week.
"Like every site on the internet that personalises content and tries to provide a secure experience for users, we place cookies on the computer of the user," the company said in a statement. "Three of these cookies on some users' computers inadvertently included unique identifiers when the user had logged out of Facebook."
"We fixed the cookies so that they won't include unique information in the future when people log out," it added.
As they stood, the cookies could have been used to identify other websites visited by its users. They gave rise to risks such as hackers gaining control of cookies through malicious cookie-harvesting, or Facebook itself deciding to use the information for commercial purposes.
Cubrilovic raised the issue after finding a number of persistent Facebook cookies that uniquely identified people who visited sites with Facebook 'Like' or 'Share' buttons, or with other Facebook-related widgets. He discovered the cookies by monitoring a Firefox browser session, and warned the company about the issue in November last year, he said.
"The most important of these [cookies] is a_user, which is the user's ID," Cubrilovic said in a blog post on Monday. While Facebook has not identified which cookies it has fixed, the researcher said the company has taken steps to destroy the a_user cookie on logout.
The 'datr' and 'lu' cookies could also be used to track logged-out Facebook users, Cubrilovic added. The 'datr' cookie tracks attempts to log in and to create multiple accounts (an anti-spammer measure). The 'lu' cookie is used to pre-fill the user's email address in the Facebook login form.
"These cookies, by the very purpose they serve, uniquely identify the browser being used — even after log-out," Cubrilovic said. "As a user, you have to take Facebook at their word that the purpose of these cookies is only for what is being described."
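The fix the company describes amounts to making sure the logout response actually expires every cookie that carries a unique identifier. As an added illustration (not code from the article, from Facebook or from Cubrilovic), the following Python audit parses the Set-Cookie headers a logout endpoint returns and reports, for each identifying cookie, whether it was cleared, re-set with a value, or not touched at all (in which case a copy already in the browser survives). The cookie names a_user, lu and datr come from the article; the domain `social.example`, the sample headers and the reference date are constructed for the example.

```python
"""Audit whether a logout response clears identifying cookies.

Added example, not from the article. Cookie names come from the article;
sample headers, domain and reference time are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Cookies the article reports as carrying a unique identifier after logout.
# Which cookies matter on another site is a per-site assumption.
IDENTIFYING_COOKIES = frozenset({"a_user", "lu", "datr"})


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, non-empty attributes)."""
    jar = SimpleCookie()
    jar.load(header)
    if len(jar) != 1:
        raise ValueError(f"expected exactly one cookie in header: {header!r}")
    name, morsel = next(iter(jar.items()))
    # Morsel pre-populates every reserved attribute with ""; keep only set ones.
    attrs = {key: val for key, val in morsel.items() if val}
    return name, morsel.value, attrs


def is_cleared(attrs, now):
    """A browser removes a cookie only when the server sets a non-positive
    Max-Age or an Expires date in the past (Max-Age wins if both appear).
    An empty value on its own leaves the cookie in place, so it does not count."""
    max_age = attrs.get("max-age")
    if max_age is not None:
        try:
            return int(max_age) <= 0
        except ValueError:
            pass  # browsers ignore a malformed Max-Age; fall back to Expires
    expires = attrs.get("expires")
    if expires:
        when = parsedate_to_datetime(expires)
        if when.tzinfo is None:  # treat a naive date as UTC
            when = when.replace(tzinfo=timezone.utc)
        return when <= now
    return False


def audit_logout(set_cookie_headers, now, identifying=IDENTIFYING_COOKIES):
    """Return {name: 'cleared' | 'still set' | 'not touched'} for each
    identifying cookie, judged against the logout response's headers."""
    seen = {}
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name not in identifying:
            continue
        seen[name] = "cleared" if is_cleared(attrs, now) else "still set"
    return {name: seen.get(name, "not touched") for name in sorted(identifying)}


# Constructed sample of a logout response (not real traffic). a_user is expired
# correctly, lu is re-issued with a two-year lifetime, datr is never mentioned.
SAMPLE_LOGOUT_HEADERS = [
    "a_user=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=.social.example",
    "lu=a1b2c3d4e5; Expires=Fri, 27 Sep 2013 00:00:00 GMT; Path=/; Domain=.social.example",
    "sid=; Max-Age=0; Path=/; HttpOnly",
]
REFERENCE_TIME = datetime(2011, 9, 28, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, status in audit_logout(SAMPLE_LOGOUT_HEADERS, REFERENCE_TIME).items():
        print(f"{name:8s} {status}")
```

Run against the constructed headers, the audit reports a_user as cleared, lu as still set and datr as not touched; the last two are exactly the conditions under which a logged-out browser keeps presenting an identifier to any page that embeds the site's widgets.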
'No privacy breach'
In its statement on Wednesday, Facebook stressed that as it does not store the identifiers, it would not be able to use them for tracking. "There was no security or privacy breach—Facebook did not store or use any information it should not have," it said.
"We'd need someone to raise it as an issue, or make a complaint," a spokeswoman for the UK's Information Commissioner's Office (ICO) told ZDNet UK. "It isn't something we've been proactively looking into at this stage."
Instead, the ICO said it may raise the issue at a European level, through discussion in a group of privacy commissioners called the Article 29 Working Party.
"Privacy issues involving websites that are used by people across several countries tend to be raised at European level, as it makes more sense to offer an international view on the use of new practices and technologies," the data watchdog said in a statement.
In addition, the ICO said people should read Facebook's terms and conditions before signing up to make sure they are aware of how their information could be used.