Facebook tracks you online even after you log out

Summary: Think logging out of Facebook means the social network can't track what you're doing online? Think again.


Update: Facebook denies cookie tracking allegations. The original article is below.

Facebook has had privacy issues for a long time, and while the company has been working to improve its image, today's episode will likely set it back once again. Thanks to a modified cookie, Facebook allegedly knows what you're doing online even when you're not logged in.

At least that's what self-proclaimed hacker Nik Cubrilovic claims. After running a series of tests analyzing the HTTP headers on requests sent by browsers to facebook.com, he discovered that Facebook alters its tracking cookies the moment you log out, instead of deleting them. Since your uniquely identifying account information is still present in these cookies, Facebook can continue to track you, Cubrilovic argues.

This means that if you log out of Facebook, you're not really doing much. If you then head to a website that contains a Facebook plugin, your browser will continue to send personally identifiable information back to Palo Alto. Here's Cubrilovic's explanation:

With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook. The only solution to Facebook not knowing who you are is to delete all Facebook cookies. You can test this for yourself using any browser with developer tools installed. It is all hidden in plain sight.

So how do you get rid of these Facebook cookies in a way that will still let you use the service? Well, you can delete them every time after you log out of the website. Alternatively, Hacker News user buro9 says you can use the following AdBlock Plus rules:

facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net

This will supposedly limit your usage of the social network to just facebook.com. If you need to use it on another website, you can temporarily whitelist it with the AdBlock switch.
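
To see what these four rules actually match, here is an added example (not from the article, buro9 or AdBlock Plus itself): a simplified evaluator covering only the syntax the rules use, namely a plain-text pattern, the "^" separator placeholder and "~" exclusions in $domain=. The sample URLs are constructed.

```javascript
// The four rules quoted in the article.
const RULES = [
  "facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
  "facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
  "fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
  "fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
];

// "^" stands for a separator: end of address, or any character that is
// not a letter, digit, "_", "-", "." or "%".
const SEPARATOR = "(?:[^\\w\\-.%]|$)";

function parseRule(rule) {
  const [pattern, options = ""] = rule.split("$");
  // Every entry in these rules is an exclusion ("~domain").
  const excluded = options.replace(/^domain=/, "").split("|")
    .filter((d) => d.startsWith("~")).map((d) => d.slice(1));
  // Escape regex metacharacters (but not "^"), then expand "^".
  const source = pattern
    .replace(/[.*+?${}()|[\]\\]/g, "\\$&")
    .replace(/\^/g, () => SEPARATOR);
  return { regex: new RegExp(source, "i"), excluded };
}

// A page is "on" a domain if its host is that domain or a subdomain of it.
function onDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// True when some rule matches the request and the page making the request
// is not on one of that rule's excluded (Facebook-owned) domains.
function isBlocked(requestUrl, pageUrl, rules = RULES) {
  const pageHost = new URL(pageUrl).hostname;
  return rules.map(parseRule).some(({ regex, excluded }) =>
    regex.test(requestUrl) && !excluded.some((d) => onDomain(pageHost, d)));
}

// Constructed sample requests: [request URL, page that triggered it].
const SAMPLES = [
  ["https://www.facebook.com/plugins/like.php?href=x", "https://news.example/story"],
  ["https://connect.facebook.net/en_US/all.js", "https://blog.example/post"],
  ["https://static.ak.fbcdn.net/rsrc.php/x.js", "https://www.facebook.com/home.php"],
  ["https://news.example/style.css", "https://news.example/story"],
  ["https://news.example/share?to=facebook.com&x=1", "https://news.example/story"],
];

function evaluateSamples() {
  return SAMPLES.map(([request, page]) => isBlocked(request, page));
}
```

The last sample shows a side effect of the unanchored patterns: they match "facebook.com" anywhere in the address, so a first-party URL that merely mentions the domain in its query string is blocked too.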

If what Cubrilovic found today ends up being true, this could be a serious problem for Facebook. I have contacted Facebook for more information on this issue.

This is actually similar to the scrutiny Facebook has faced in Germany, especially recently. See the links below for full coverage.


Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

  • RE: Facebook tracks you online even after you log out

    Not surprised at all. This last set of changes has finally pushed me to delete my account. Not deactivate, but delete.
    • RE: Facebook tracks you online even after you log out

      @mike2k You're not really deleted. We are Facebook. Resistance is futile.

      • RE: Facebook tracks you online even after you log out

        @bmgoodman yeah that's what I am hearing too...I don't know if it's true.
  • Spooky.

    Spooky. Spooky. Spooky.
  • RE: Facebook tracks you online even after you log out

    You will be assimilated...
  • RE: Facebook tracks you online even after you log out

    I log in to Facebook with private mode enabled (InPrivate) in the browser, does this prevent the problem?
    • RE: Facebook tracks you online even after you log out

      @GraphiteCube

      Yes. The article ridiculously overstates the subversiveness of their cookie modifying techniques. They use a well known, well established, well documented, and incredibly common technique. There is nothing they do with the cookie that Google or other "trustworthy" companies don't do already. It's a common technique used for a decade to track activities for marketing purposes.

      Since they operate within the specifications of cookies and are not "hacking" anything, your privacy setting will be effective like they are on any other site you visit.
      • RE: Facebook tracks you online even after you log out

        @test20001 Man are you crazy? Just because someone shot 100 people does it become legal for anyone to shoot 1? Your logic that Google does it doesn't really fly, does it?

        Both of them are wrong and that's the problem here, what you call as a basic technique is probably unknown to millions of users in Facebook and that is the problem dude. Don't try to justify something you can't, instead look at the problem from a lay user perspective and you will immediately understand.
      • RE: Facebook tracks you online even after you log out

        @prasanna_vp

        You just compared a well known marketing technique to murder and you are asking me if I am crazy? That's rich.

        I see this from the perspective of what it is. Common. Widely used. Nothing new. A decade old. It's not illegal and it's not even in the same continent as murder.

        You and your ridiculous, ignorant hyperbole sound like a paranoid suburban soccer mom inflating the threat so you and the other soccer moms can all enjoy the bonding experience of ignorance based mass hysteria.

        Clearly I don't need an education on this subject, but you obviously do.

        Furthermore, I never defended their actions. I simply answered the man's question about the threat and classified the threat as it exists in simple terms he could understand. No hype. Sorry that demystifying the hype the article uses to draw in readers is such a touchy subject for you.... lol murder.
      • RE: Facebook tracks you online even after you log out

        @test20001 right...
      • RE: Facebook tracks you online even after you log out


        When did Google become a 'trustworthy' company??? Did I miss a memo?
      • RE: Facebook tracks you online even after you log out

        @JJ_z no you didn't miss a memo but I think you did miss the fact that I quoted the word trustworthy
  • This is why I use adblock, Ghostery, and noscript.

    Because except for a very tiny minority of sites, you cannot trust them. They're worse than politicians, because at least you can tell when a politician is lying. How many times have you seen a corporation's mouth move?

    If a site wants my ad dollars, instead of screwing with us, behind our backs, with EULAs that take away all rights to sue, tracking us all over the net, selling our e-mail addresses to advertisers, and what not.

    Why don't you try being honest? Get rid of a EULA, don't use web-bugs to track us, no DRM, get rid of cookies, unless it's for storing passwords (or REALLY enhancing our experience) and destroy credit cards of your users after a purchase, instead of storing them on even "secure" servers (servers cannot be made secure enough). Also don't make ads that move, flash, talk, play music, etc. I'll look at an ad IF I want to.

    Maybe then, I'll white-list a site from Adblock, Ghostery, and Noscript.

    I'm not picking on ZDNet, per se. I'm just doing a blanket rant now.

    - Kc
    • RE: Facebook tracks you online even after you log out

      @kcredden2 I also use Ghostery, AdBlock, and NoScript. But mine is kicked up a few notches. I have Cookie Monster set to block all cookies. Until I give that website permission under temporary or session. BetterPrivacy is almost a must have. Cookie Monster doesn't block LSO's trackers, and Ghostery along with ABP won't catch all of them either. I also have referrers disabled with RefControl.

      Sounds like a lot, but I prefer to keep them at bay.
    • RE: Facebook tracks you online even after you log out

      You are 100% correct.
      My friend and I were only discussing this yesterday.

      Someone needs to tell advertisers that all of their crappy noisy ads are being blocked.
      If they only used the old school static ads, people might actually see them instead of blocking them.

      Of course instead of demanding that sites use static ads, they'll demand that more garbage js routines be added to pages.

      Therefore the "arms race" (advertisers vs users) will continue to escalate.

      I'm not demanding a free lunch.
      I just don't like being continuously blasted with ads for offensive garbage at 100dB+.
  • RE: Facebook tracks you online even after you log out

    I am a Facebook engineer that works on these systems and I wanted to say that the logged out cookies are used for safety and protection including: identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of 'keep me logged in'.

    Also please know that also when you're logged in (or out) we don't use our cookies to track you on social plugins to target ads or sell your information to third parties. I've heard from so many that what we do is to share or sell your data, and that is just not true. We use your logged in cookies to personalize (show you what your friends liked), to help maintain and improve what we do, or for safety and protection.
    • RE: Facebook tracks you online even after you log out


      I believe what you're saying, but I think the thing that worries people is that Facebook could use the cookies for tracking purposes. Even if the tracking is benign, it's still more tracking than people seem willing to accept (at least some people).
      • RE: Facebook tracks you online even after you log out


        Yes I understand the concern, and there are so many memes about us tracking to sell data, which are completely false and so hard to dispel. My hope here is that by being transparent about what we do with these cookies and systems that people will better understand so they can make the informed decision that works best for them. We do make all of our work on this thinking about the people who use Facebook.

        If it helps, another engineer in the team, Gregg, posted more technical details at Nik's blog: http://nikcub-cache.appspot.com/logging-out-of-facebook-is-not-enough
    • RE: Facebook tracks you online even after you log out

      @arturobejar Yes I understand there may be positive benefits/intent in doing this, but what prevents your business bosses from doing otherwise sir? The answer is nothing... and that is where my problem lies
    • RE: Facebook tracks you online even after you log out

      @arturobejar I could care less if facebook tracked my every move on the internet. Remember folks, TANSTAAFL - there ain't no such thing as a free lunch.