Facebook denies cookie tracking allegations

Facebook denies cookie tracking allegations

Summary: Facebook has denied allegations that it can track what you're doing online even if you log out of the social network. In fact, one of the company's engineers says Facebook cookies aren't used for tracking at all.

SHARE:
21

Update: Facebook fixes cookie behavior after logging out.

Over the weekend, self-proclaimed hacker Nik Cubrilovic accused Facebook of tracking its users even if they log out of the social network. The company has denied the claims and has offered an explanation as to why its cookies behave the way they do.

For reference, here's what I wrote based on Cubrilovic's findings:

After running a series of tests analyzing the HTTP headers on requests sent by browsers to facebook.com, he discovered that Facebook alters its tracking cookies the moment you log out, instead of deleting them. Since your uniquely identifying account information is still present in these cookies, Facebook can continue to track you. This means that if you log out of Facebook, you're not really doing much. If you then head to a website that contains a Facebook plugin, your browser will continue to send personally identifiable information back to Palo Alto.

I also said I contacted Facebook for more information on this issue. A spokesperson replied but did not offer an official statement. Instead, he pointed me to a comment made on my article, from Facebook engineer Arturo Bejar. Here is what he wrote:

I am a Facebook engineer that works on these systems and I wanted to say that the logged out cookies are used for safety and protection including: identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of "keep me logged in."

Also please know that also when you're logged in (or out) we don't use our cookies to track you on social plugins to target ads or sell your information to third parties. I've heard from so many that what we do is to share or sell your data, and that is just not true. We use your logged in cookies to personalize (show you what your friends liked), to help maintain and improve what we do, or for safety and protection.

In short, Bejar is saying Cubrilovic raises some good points and has some interesting findings, but reaches incorrect conclusions. The cookies in question are useful to Facebook for various reasons (providing custom content, maintaining the service, and protecting its users), but not for tracking people. In fact, the Facebook Help Center clearly states as much:

We do not share or sell the information we see when you visit a website with a Facebook social plugin to third parties and we do not use it to deliver ads to you. In addition, we will delete the data (i.e. data we receive when you see social plugins) associated with users in 90 days. We will keep aggregated and anonymized data (not associated with specific users) after 90 days for improving our products and services.

I'd like to thank Bejar for posting the comment on my blog. That being said, I'm still hoping to get an official statement from Facebook. I also spoke with Cubrilovic, who is working with Facebook to figure out whether or not the cookies really are a privacy concern.

Update: I finally got Facebook to comment.

"Facebook does not track users across the web," a Facebook spokesperson said in a statement. "Instead, we use cookies on social plugins to personalize content (e.g. Show you what your friends liked), to help maintain and improve what we do (e.g. Measure click-through rate), or for safety and security (e.g. Keeping underage kids from trying to signup with a different age). No information we receive when you see a social plugins is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information.

Specific to logged out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of 'keep me logged in'."

See also:

Topic: Social Enterprise

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

21 comments
Log in or register to join the discussion
  • RE: Facebook denies cookie tracking allegations

    Doesn't Google already do a similar thing with Adwords. Have noticed that cookies left back by the Advertiser are used to display targetted advt. Specific examples are travel portals.
    anandgeor
  • RE: Facebook denies cookie tracking allegations

    Can't read this because of the social bookmark things are overlaying the text. Using IE9.
    NoNoNo..
  • Of course they do, it's how they make money on you.

    Why are you surprised? Isn't this the trade-off : free service in return for marketing information on your web browsing habits which they can then sell to advertisers?
    JonathonDoe
  • In short, "Trust us".

    He says they don't use the data. But nobody really knows, data like that often gets dumped into a warehouse or BI system and can be used for many purposes that are not visible to the data provider.
    terry flores
    • RE: Facebook denies cookie tracking allegations

      @terry flores This is the very crucial question: Should we trust Facebook is what Arnold Rosendaal has been asking. http://flyakite.org/2011/10/01/facebook-trust-them-or-not/
      clarinette
  • RE: Facebook denies cookie tracking allegations

    Would be interested to know why Internet Explorer now seems to use 235MB of RAM since the new profile change if they aren't tracking you via your facebook cookies. Also interesting to note that even while logged off of Facebook if I click on an add to Facebook link I no longer have to log into Facebook to do so; it will add the link and take me back exactly to the point of the page I was viewing before logging off. Sure they're not tracking your cookies ... *wink, wink, nudge, nudge ...* And why does Facebook now suggest sites to me upon logging back into Facebook that relate to sites visited just prior to logging on.
    comquest
  • RE: Facebook denies cookie tracking allegations

    I have noticed on my work computer that when going to certain sites. I get a pop up that facebook wants to open a file. I have never been logged into facebook on this computer as my company has it blocked. Obviously they are tracking even people who are not users across the web.
    mconmys
  • RE: Facebook denies cookie tracking allegations

    What is the mystery here?<br><br>A site with a facebook plugin is essentially an extension of facebook itself. If the site sees your cookie, and identifies you as a facebook user and then sends data back to facebook well....<br><br>1) Yes its tracking your use outside of facebook - call it what you want but its tracking<br><br>2) Isn't that what you signed up for? It not tracking just any site but sites that have facebook extensions -- which means this complaint is basically someone being upset about facebook tracking you when you use facebook.<br><br>duh.
    wendellgee2
  • If they don't use cookies to provide ads

    How come I can log out of facebook, search for an author on Amazon, then log back on facebook and all of a sudden I have advertisements pointing me to the author's books on Audible or Amazon? I really don't think that is a coincidence, especially when it shows an author that I've never mentioned in my FB posts and that none of my friends have mentioned.

    I think I smell a liar.
    GSG
    • RE: I think I smell a liar...

      @GSG I know I do... LoL... Went shopping on Overstock recently, and within minutes I was seeing ads on the Facebook sidebar pointing me right back to the items I was shopping for on Overstock!
      EnKrptyed
      • RE: Facebook denies cookie tracking allegations

        @EnKrptyed all I can say is there is proof in the pudding!!!
        ryanlee05
  • RE: Facebook denies cookie tracking allegations

    Gee, Facebook denies 'cookie tracking'. Well, I can only say, last Friday, I was logging into CNET.com and I noticed that a comment that one of my friends on Facebook was logged in???!!! Tell me, that's NOT tracking!!!

    For me, that was invasion on my privacy, as well as my friend's privacy. Oh, I like to connect with my family and friends on Facebook, but NOT around the Internet!!! Where I go, as well as my family and friends go, is nobody's business.
    MmeMoxie
  • RE: Facebook denies cookie tracking allegations

    Reporters should seek the truth. There appears to be an implied credibility given to someone who works for Facebook or oppose to data gathered from the self-proclaimed hacker. I would think that the expectation from most users is that if I logout of Facebook, I have no reasonable expectation that ANY data regarding my none Facebook activities would be sent back to Facebook. <br><br>But, mostly I take issue with the author of this post that until he gets official word from Facebook. I mean what would you expect them to say? No, what we need are reporters/bloggers to seek the truth. The hacker's finding should be reproducible and the question for Facebook would be why are you doing this? How does tracking this information assist with SPAM protection? I mean a facebook engineer posting on your blog is about as unofficial as it gets because the company could always disavow those remarks as his own. This post really added nothing to helping readers understand whether this is an issue or not.
    windowseat
  • RE: Facebook denies cookie tracking allegations

    FB won't even let you sign up unless you are acceptng ALL of ther cookes, IINCLUDING 3rd parties galore! Many of the cookies don't even come from FB or snythiing relsted to itl
    But, without FB, those partes would never know about me to try to send those cookies. After a little surfing and sniffng around, I set to accept 3rd partes, and guess what? Siignup went nice ans smoothly. Kll 3rd psrtes agsin, snd I was kicked out. FB id BSing sbout their cookies.
    tom@...
  • Define &quot;cookie;&quot; define &quot;tracking&quot;

    Sometime it all depends on what the definition of "is" is, right? In this case the key word is "your information." It is not a coincident that Facebook did not respond; instead, they pointed out to a private Bejar. According to Facebook's ToS, once you've signed up, all you post on FB is theirs, not yours; so they do not share "your" info they sell "their info" on your browsing.
    znakit
  • RE: Facebook denies cookie tracking allegations

    The comment "registration for a under-age users who try to re-register with a different birthdate" tells anyone who thinks about it that tracking is being done. Sure, later in the article Facebook says they delete all info after 90 days, but how then would they know that someone is using a diffrerent name?
    WCarlS
  • Beware the FB apps ToS

    When you accept a FB app Terms Of Service (ToS), you often grant them full access and use to your profile information (name, address, phone, email, etc). I have no doubt they can vaccum up your cookies info as well once you grant ALL by accepting the ToS. And the beauty is no one reads them, they just Accept.
    Telexer
  • RE: Facebook denies cookie tracking allegations

    Here lately my Norton has been catching "Cookie Trackers" and it has been when I leave my Facebook Page. Explain that, if they are denieing the issue.
    Tazzy312
  • If you trust them, you're crazy

    Data comes back with cookies from their plugins just as it does with Google ads. If you put Google or Facebook on your website, you are agreeing to let those companies spy on your visitors.

    Facebook may not collect or use that data but they could any time they want. All they need to do is post a change to their terms and, bingo, your only recourse is to stop using web sites that have Facebook on them.

    Fat chance.

    We need laws, people. We need laws that create penalties for companies that use data collected from third party cookies like those from images and Facebook plugins.
    TQ White II
  • I wouldn't trust Zuckerberg...

    I wouldn't trust Zuckerberg as far as my two year old grand-niece could throw him.

    In my honest opinion, Facebook is no longer (or probably never was) a social network. It is a marketing tool, which not only invades peoples' privacy on a constant basis (can you say "opt out"?), but is primarily a tool for Zuckerberg to sell either your personal info, or to sell access to your personal info to vendors and app creators.
    MGP2