Facebook denies cookie tracking allegations

Update: Facebook fixes cookie behavior after logging out.

Over the weekend, self-proclaimed hacker Nik Cubrilovic accused Facebook of tracking its users even if they log out of the social network. The company has denied the claims and has offered an explanation as to why its cookies behave the way they do.

For reference, here's what I wrote based on Cubrilovic's findings:

After running a series of tests analyzing the HTTP headers on requests sent by browsers to facebook.com, he discovered that Facebook alters its tracking cookies the moment you log out, instead of deleting them. Since your uniquely identifying account information is still present in these cookies, Facebook can continue to track you. This means that if you log out of Facebook, you're not really doing much. If you then head to a website that contains a Facebook plugin, your browser will continue to send personally identifiable information back to Palo Alto.

I also said I contacted Facebook for more information on this issue. A spokesperson replied but did not offer an official statement. Instead, he pointed me to a comment made on my article, from Facebook engineer Arturo Bejar. Here is what he wrote:

I am a Facebook engineer that works on these systems and I wanted to say that the logged out cookies are used for safety and protection including: identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of "keep me logged in."

Also please know that also when you're logged in (or out) we don't use our cookies to track you on social plugins to target ads or sell your information to third parties. I've heard from so many that what we do is to share or sell your data, and that is just not true. We use your logged in cookies to personalize (show you what your friends liked), to help maintain and improve what we do, or for safety and protection.

In short, Bejar is saying Cubrilovic raises some good points and has some interesting findings, but reaches incorrect conclusions. The cookies in question are useful to Facebook for various reasons (providing custom content, maintaining the service, and protecting its users), but not for tracking people. In fact, the Facebook Help Center clearly states as much:

We do not share or sell the information we see when you visit a website with a Facebook social plugin to third parties and we do not use it to deliver ads to you. In addition, we will delete the data (i.e. data we receive when you see social plugins) associated with users in 90 days. We will keep aggregated and anonymized data (not associated with specific users) after 90 days for improving our products and services.

I'd like to thank Bejar for posting the comment on my blog. That being said, I'm still hoping to get an official statement from Facebook. I also spoke with Cubrilovic, who is working with Facebook to figure out whether or not the cookies really are a privacy concern.

Update: I finally got Facebook to comment.

"Facebook does not track users across the web," a Facebook spokesperson said in a statement. "Instead, we use cookies on social plugins to personalize content (e.g. Show you what your friends liked), to help maintain and improve what we do (e.g. Measure click-through rate), or for safety and security (e.g. Keeping underage kids from trying to signup with a different age). No information we receive when you see a social plugins is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information.

Specific to logged out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of 'keep me logged in'."

See also:

• Facebook tracks you online even after you log out
• German minister tells colleagues to avoid Facebook
• Facebook agrees to sign voluntary privacy code in Germany
• German website creates two-click Like button, Facebook not amused
• Germany: Facebook Like button violates privacy laws
• Germany: Facebook facial recognition feature violates privacy laws
• Facebook offers new privacy policy for regular people