Facebook tracks you online even after you log out

By Emil Protalinski | September 25, 2011, 2:59pm PDT

Summary: Think logging out of Facebook means the social network can’t track what you’re doing online? Think again.

Update: Facebook denies cookie tracking allegations. The original article is below.

Facebook has had privacy issues for a long time, and while the company has been working to improve its image, today’s episode will likely set it back once again. Thanks to a modified cookie, Facebook allegedly knows what you’re doing online even when you’re not logged in.

At least that’s what self-proclaimed hacker Nik Cubrilovic claims. After running a series of tests analyzing the HTTP headers on requests sent by browsers to facebook.com, he discovered that Facebook alters its tracking cookies the moment you log out, instead of deleting them. Since your uniquely identifying account information is still present in these cookies, Facebook can continue to track you, Cubrilovic argues.
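The comparison Cubrilovic describes can be made mechanical. The following Python script is an added example, not code from the article or from Cubrilovic's tests: it takes the Cookie request header captured on a request to a page carrying a social plugin before and after logout and reports which cookies were deleted, which were merely rewritten, and which still contain the account identifier. The cookie names, values and account ID in it are constructed for illustration and are not Facebook's real cookie names.

```python
"""Compare the Cookie header a browser sends before and after logging out.

Added example, not from the ZDNet article or from Nik Cubrilovic's tests.
It performs the check the article describes: capture the Cookie header sent
to a site (or to one of its plugins) while logged in, log out, capture it
again, and classify each cookie by what logout did to it. All cookie names,
values and the account ID below are constructed for illustration; they are
not Facebook's real cookie names.
"""
from __future__ import annotations

# Constructed samples of the Cookie request header on two requests to a
# page carrying a social plugin: one while logged in, one after logging out.
ACCOUNT_ID = "100004242"
LOGGED_IN = "sess=7fa3c1d9; uid=100004242; trk=a1b2.100004242.x9; lang=en"
LOGGED_OUT = "uid=100004242; trk=c3d4.100004242.y7; lang=en"


def parse_cookie_header(header: str) -> dict[str, str]:
    """Parse a Cookie request header ("a=1; b=2") into a name -> value dict."""
    cookies: dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # skip empty segments and malformed pairs
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def audit_logout(before_header: str, after_header: str, account_id: str) -> dict:
    """Classify each cookie by what logout did to it and flag identifiers.

    Returns a report with sorted lists of cookie names plus a verdict:
    still_identifiable is True if any cookie that survives logout still
    carries the account identifier, i.e. the site can keep linking requests
    to the account even though the user logged out.
    """
    before = parse_cookie_header(before_header)
    after = parse_cookie_header(after_header)
    deleted = sorted(n for n in before if n not in after)
    modified = sorted(n for n in before if n in after and before[n] != after[n])
    unchanged = sorted(n for n in before if n in after and before[n] == after[n])
    added = sorted(n for n in after if n not in before)
    identifying = sorted(n for n, v in after.items() if account_id in v)
    return {
        "deleted": deleted,
        "modified": modified,
        "unchanged": unchanged,
        "added": added,
        "identifying": identifying,
        "still_identifiable": bool(identifying),
    }


if __name__ == "__main__":
    report = audit_logout(LOGGED_IN, LOGGED_OUT, ACCOUNT_ID)
    for key, value in report.items():
        print(f"{key:>18}: {value}")
```

In practice the two header strings come from the browser's developer tools (Network tab, request headers) on a request to a page with a plugin, once before and once after logging out. A session cookie that simply disappears is what logout should do; a cookie that survives with a new value but still embeds the account ID is exactly the "modified, not deleted" behaviour the article describes.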

This means that if you log out of Facebook, you’re not really doing much. If you then head to a website that contains a Facebook plugin, your browser will continue to send personally identifiable information back to Palo Alto. Here’s Cubrilovic’s explanation:

With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook. The only solution to Facebook not knowing who you are is to delete all Facebook cookies. You can test this for yourself using any browser with developer tools installed. It is all hidden in plain sight.

So how do you get rid of these Facebook cookies in a way that will still let you use the service? Well, you can delete them every time after you log out of the website. Alternatively, Hacker News user buro9 says you can use the following AdBlock Plus rules:

facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net

This will supposedly limit your usage of the social network to just facebook.com. If you need to use it on another website, you can temporarily whitelist it with the AdBlock switch.
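To see what those four rules actually do, here is an added Python matcher, not code from the article, from buro9 or from AdBlock Plus itself. It implements only the parts of the ABP filter syntax the rules use (a plain substring pattern, the `^` separator placeholder, `*` wildcards, and the `$domain=` option with `~` exclusions) and decides, for a request URL and the domain of the page making it, whether the rules would block it. The request URLs and page domains in the test cases are constructed.

```python
"""Minimal matcher for the four AdBlock Plus rules quoted in the article.

Added example, not code from the article or from AdBlock Plus. It covers just
enough of the ABP filter syntax to evaluate those rules: plain substring
patterns, the '^' separator placeholder, '*' wildcards, and the $domain=
option with '~' negation.
"""
from __future__ import annotations

import re

# The rules from the article, as posted by Hacker News user buro9.
RULES = [
    "facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
    "facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
    "fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
    "fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
]


def _pattern_regex(pattern: str) -> re.Pattern:
    """Translate an ABP substring pattern into a regular expression.

    '^' is ABP's separator placeholder: it matches any character that is not
    a letter, digit, or one of _ - . %, or the end of the address.
    '*' matches any run of characters.
    """
    escaped = re.escape(pattern)
    escaped = escaped.replace(r"\^", r"(?:[^\w\-.%]|$)").replace(r"\*", ".*")
    return re.compile(escaped)


def _domain_matches(page_domain: str, rule_domain: str) -> bool:
    """True if page_domain is rule_domain or one of its subdomains."""
    return page_domain == rule_domain or page_domain.endswith("." + rule_domain)


def parse_rule(rule: str) -> tuple[re.Pattern, list[str], list[str]]:
    """Split a rule into (pattern regex, included domains, excluded domains)."""
    pattern, _, options = rule.partition("$")
    include: list[str] = []
    exclude: list[str] = []
    for opt in (options.split(",") if options else []):
        if opt.startswith("domain="):
            for d in opt[len("domain="):].split("|"):
                (exclude if d.startswith("~") else include).append(d.lstrip("~"))
    return _pattern_regex(pattern), include, exclude


def rule_applies(rule: str, url: str, page_domain: str) -> bool:
    """Does this rule block a request to `url` made from a page on `page_domain`?"""
    regex, include, exclude = parse_rule(rule)
    if not regex.search(url):
        return False
    # With $domain=, the rule only applies on listed domains (if any are
    # listed without '~') and never on domains listed with '~'.
    if include and not any(_domain_matches(page_domain, d) for d in include):
        return False
    if any(_domain_matches(page_domain, d) for d in exclude):
        return False
    return True


def matching_rule(url: str, page_domain: str, rules=RULES) -> str | None:
    """Return the first rule that blocks the request, or None if it is allowed."""
    for rule in rules:
        if rule_applies(rule, url, page_domain):
            return rule
    return None


def is_blocked(url: str, page_domain: str, rules=RULES) -> bool:
    return matching_rule(url, page_domain, rules) is not None


if __name__ == "__main__":
    # Constructed request/page pairs showing the effect of the rules.
    cases = [
        ("https://www.facebook.com/plugins/like.php?href=https://example.com/post", "example.com"),
        ("https://connect.facebook.net/en_US/all.js", "news.example.org"),
        ("https://static.ak.fbcdn.net/rsrc.php/v1/x.js", "apps.facebook.com"),
        ("https://cdn.example.com/app.js", "example.com"),
    ]
    for url, page in cases:
        verdict = "BLOCK" if is_blocked(url, page) else "allow"
        print(f"{verdict}  page={page}  url={url}")
```

The matcher shows why the rules confine Facebook to facebook.com: a plugin request from any third-party page matches one of the four patterns and the page is not in the `~` exclusion list, so it is blocked, while the same request from a facebook.com or fbcdn.net page is excluded and passes. Note that a plain ABP pattern is a substring match, so `facebook.com^` would also match a URL containing `notfacebook.com/`; ABP's `||facebook.com^` form anchors the match to that domain and its subdomains.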

If what Cubrilovic found today ends up being true, this could be a serious problem for Facebook. I have contacted Facebook for more information on this issue.

This is actually similar to the scrutiny Facebook has faced in Germany, especially recently. See the links below for full coverage.

See also:

Disclosure: Emil has nothing to disclose.

Biography
Emil Protalinski has covered the tech industry for five years for multiple publications, including Neowin for two years and Ars Technica for three years. He has written 1,000s of articles for both, with a particular focus on scrutinizing Microsoft products and services. Recently, Emil has expanded his coverage to non-Microsoft technologies, including the social networking giant Facebook.

32 Comments
RE: Facebook tracks you online even after you log out
jackson1984-24316069205748857739440257893812 10th Oct
Resources similar to the one you introduced nfljersey up best here's likely to be quite a must have to me! I will submit a hyperlink to this web page on my blog page web page. I am assured my visitors will uncover that instead a must have.
Not surprised at all. This last set of changes has finally pushed me to delete my account. Not deactivate, but delete.
@mike2k You're not really deleted. We are Facebook. Resistance is futile.

wink
@bmgoodman yeah that's what I am hearing too...I don't know if it's true.
Spooky.
Userama 25th Sep
Spooky. Spooky. Spooky.
You will be assimilated...
I log in to Facebook with private mode (InPrivate) enabled in the browser; does this prevent the problem?
@GraphiteCube

Yes. The article ridiculously overstates the subversiveness of their cookie-modifying techniques. They use a well-known, well-established, well-documented, and incredibly common technique. There is nothing they do with the cookie that Google or other "trustworthy" companies don't do already. It's a common technique used for a decade to track activities for marketing purposes.

Since they operate within the specifications of cookies and are not "hacking" anything, your privacy settings will be effective like they are on any other site you visit.
@test20001 Man, are you crazy? Just because someone shot 100 people, does it become legal for anyone to shoot 1? Your logic that Google does it doesn't really fly, does it?

Both of them are wrong and that's the problem here; what you call a basic technique is probably unknown to millions of users on Facebook and that is the problem, dude. Don't try to justify something you can't; instead, look at the problem from a lay user's perspective and you will immediately understand.
@prasanna_vp

You just compared a well known marketing technique to murder and you are asking me if I am crazy? That's rich.

I see this from the perspective of what it is. Common. Widely used. Nothing new. A decade old. It's not illegal and it's not even in the same continent as murder.

You and your ridiculous, ignorant hyperbole sound like a paranoid suburban soccer mom inflating the threat so you and the other soccer moms can all enjoy the bonding experience of ignorance-based mass hysteria.

Clearly I don't need an education on this subject, but you obviously do.

Furthermore, I never defended their actions. I simply answered the man's question about the threat and classified the threat as it exists in simple terms he could understand. No hype. Sorry that demystifying the hype the article uses to draw in readers is such a touchy subject for you.... lol murder.
@test20001 right...
@test20001

When did Google become a 'trustworthy' company??? Did I miss a memo?
@JJ_z no you didn't miss a memo but I think you did miss the fact that I quoted the word trustworthy
Because except for a very tiny minority of sites, you cannot trust them. They're worse than politicians, because at least you can tell when a politician is lying. How many times have you seen a corporation's mouth move?

If a site wants my ad dollars, instead of screwing with us behind our backs, with EULAs that take away all rights to sue, tracking us all over the net, selling our e-mail addresses to advertisers, and whatnot.

Why don't you try being honest? Get rid of the EULA, don't use web bugs to track us, no DRM, get rid of cookies unless it's for storing passwords (or REALLY enhancing our experience), and destroy your users' credit cards after a purchase instead of storing them on even "secure" servers (servers cannot be made secure enough). Also don't make ads that move, flash, talk, play music, etc. I'll look at an ad IF I want to.

Maybe then, I'll white-list a site from Adblock, Ghostery, and NoScript.

I'm not picking on ZDNet, per se. I'm just doing a blanket rant now.

- Kc
@kcredden2 I also use Ghostery, AdBlock, and NoScript. But mine is kicked up a few notches. I have Cookie Monster set to block all cookies until I give that website permission under temporary or session. BetterPrivacy is almost a must-have. Cookie Monster doesn't block LSO trackers, and Ghostery along with ABP won't catch all of them either. I also have referrers disabled with RefControl.

Sounds like a lot, but I prefer to keep them at bay.
@kcredden2
You are 100% correct.
My friend and I were only discussing this yesterday.

Someone needs to tell advertisers that all of their crappy noisy ads are being blocked.
If they only used the old school static ads, people might actually see them instead of blocking them.

Of course instead of demanding that sites use static ads, they'll demand that more garbage js routines be added to pages.

Therefore the "arms race" (advertisers vs users) will continue to escalate.

@jollygreenguy
I'm not demanding a free lunch.
I just don't like being continuously blasted with ads for offensive garbage at 100dB+.
I am a Facebook engineer that works on these systems and I wanted to say that the logged out cookies are used for safety and protection including: identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notifications, and identifying shared computers to discourage the use of 'keep me logged in'.

Also please know that when you're logged in (or out) we don't use our cookies to track you on social plugins to target ads or sell your information to third parties. I've heard from so many that what we do is to share or sell your data, and that is just not true. We use your logged in cookies to personalize (show you what your friends liked), to help maintain and improve what we do, or for safety and protection.
@arturobejar

I believe what you're saying, but I think the thing that worries people is that Facebook could use the cookies for tracking purposes. Even if the tracking is benign, it's still more tracking than people seem willing to accept (at least some people).
@bhartman36

Yes I understand the concern, and there are so many memes about us tracking to sell data, which are completely false and so hard to dispel. My hope here is that by being transparent about what we do with these cookies and systems that people will better understand so they can make the informed decision that works best for them. We do make all of our work on this thinking about the people who use Facebook.

If it helps another engineer in the team, Gregg, posted more technical details at Nik's blog: http://nikcub-cache.appspot.com/logging-out-of-facebook-is-not-enough
@arturobejar Yes, I understand there may be positive benefits/intent in doing this, but what prevents your business bosses from doing otherwise, sir? The answer is nothing... and that is where my problem lies.
@arturobejar I could care less if facebook tracked my every move on the internet. Remember folks, TANSTAAFL - there ain't no such thing as a free lunch.
@arturobejar
I am Arturo Bejar too... So what? Just because someone claims to work for Facebook in comments does not make it real...
Well, I doubt most people who are on facebook will worry about these cookies because they plaster most of the personal information directly on the website.
Not enough
wright_is 25th Sep
Deleting the cookie also won't help that much. The Like script means they will also still get your IP-Address. Unless you disconnect your DSL connection and reconnect (assuming you don't have a static IP-Address), they can also follow you without the cookie - they can track non-members as well.

This is one of the reasons that Like (and Google +1, Twitter etc.) scripts are illegal for sites viewed in Germany.

heise.de (computing magazine publisher) has a control panel for registered users, where they can decide whether they want to see the Like buttons or not. For normal visitors, all the buttons are replaced by a slider button, which is disabled by default. To "Like" a story, the user has to physically enable the Like script before they can like the page. This enables the site to comply with data protection law and still provide "Like" buttons to those that want to use them.
WARNING ...
Ludovit 26th Sep
If you add the above Ad Block Plus rules, some features of Facebook will stop working ...

After adding the rules, the three games I play ceased to function correctly, if at all ... disabled the rules, and all is well now ...

Ludo
Hi there,

I wanted to send along a note on behalf of Facebook Communications.

Facebook does not track users across the web. Instead, we use cookies on social plugins to personalize content (e.g. show you what your friends liked), to help maintain and improve what we do (e.g. measure click-through rate), or for safety and security (e.g. keeping underage kids from trying to sign up with a different age). No information we receive when you see a social plugin is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information.

Specific to logged out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notifications, and identifying shared computers to discourage the use of 'keep me logged in'.

One of our engineers, Gregg Stefancik, also posted a longer and more technical explanation on the original blog post: http://nikcub-static.appspot.com/logging-out-of-facebook-is-not-enough
@andrewnoyes I've clicked on to Washington Post & other articles and seen Facebook's social plugin list showing MY OWN FACE & NAME with a note that I had "liked" or "shared" the article -- when I had NOT liked or shared the articles in question; I'd simply clicked over from a Facebook friend's link. This happened twice, and it makes me really skeptical of Facebook's integrity.
@andrewnoyes The problem is, even this behaviour is illegal in Europe (at least parts of it). You get a cookie, or you receive the IP address of somebody who isn't logged in to Facebook, when they visit a 3rd party site. Under EU Data Protection law, before you get their IP address or read a cookie when they access this 3rd party site, you need to get their permission *before* you execute the social plugin script. That essentially makes Likes, +1s etc. illegal in Germany and other parts of the EU.
@andrewnoyes I wanted to send along a note on behalf of... me, who always seems to have your crap taking up my space (even if it's only a few bytes, it's more than I want to share with you). I don't use your service and I don't *want* to use your service, however, I always appear to have cookies from your service. Can you explain to me how that's helping anyone except your service? I might be underage? My account might get hacked? Really?

Sure, I don't have all the aforementioned cookies, but I always seem to have some sort of "datr" in there, despite my many deletions. Having more than 0 cookies from you is not my desire. But no, you're not the kind of company who respects anyone, as has been made abundantly clear by dear leader there.

So, though I know you'll never be back to read these comments, it does feel good to at least say something. Now, not to sound like Abe Simpson, but.. get off my lawn!

Also, when you're trying to deny something, it's usually a good idea to not repeat what you already said in slightly different terms; it erases credibility faster than being a mouthpiece for Facebook.
so what? sounds pretty useful and innovative.
If we sit and calculate all the ways all the different technologies can track us (cell phone, credit card, etc.), we would turn agoraphobic. Rock out with your face out. Track me? My likes? My dislikes? So what?
We have been doing it to "celebrities" for years. Every time you pick up a rag mag.
Time to make this invasive process illegal. Just because you call this a common marketing process does not make it any less reprehensible. It is wrong, and should also be illegal. Fortunately, I am in a position to advance that.
How to Get Facebook fans
Buy Facebook Likes 2nd Oct
The fact that Facebook does not even remove the cookies once you log-out, instead they are just modified basically means they can track all the sites we go to, our search phrases, buying patterns, etc.... that is not good at all for consumer protection. To get back at Facebook for doing this I also How to Get Facebook Likes and How to Get Facebook fans and its great because I do not have to provide any admin access and they deliver almost 1,000 new Facebook Likes per day! They even have a real-time reporting dashboard to track all my live and completed orders. This is worth paying for.