Facebook counters cookie tracking allegations

A Facebook engineer has said the social networking company does not use persistent cookies to track users when people are not logged in to Facebook.

Facebook cookies are primarily used for service and security reasons, Facebook login engineer Gregg Stefancik said on Monday.

"Our cookies aren't used for tracking. They just aren't," said Stefancik in comments on a blog post. "Instead, we use our cookies to either provide custom content (e.g. your friend's likes within a social plugin), help improve or maintain our service (e.g. measuring click-through rates to help optimize performance), or protect our users and our service (e.g. defending denial of service attacks or requiring a second authentication factor for a login from a suspicious location)."

Facebook has been repeatedly criticised over user privacy issues, and chief executive Mark Zuckerberg has acknowledged that there is often a "backlash" against new Facebook features.

Australian researcher Nik Cubrilovic said in a blog post on Sunday that Facebook alters the state of cookies stored on a user's computer when they have logged out, but does not remove the cookies. Moreover, nine cookies, including account identification, are sent to Facebook every time a user visits a site with a Facebook 'like' button, Cubrilovic said.

"With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook," said Cubrilovic. "The only solution to Facebook not knowing who you are is to delete all Facebook cookies."

Cubrilovic said that he had discovered a cookie called 'act', which he claimed stood for 'account number' and which allowed Facebook to identify logged-out users online.

Stefancik countered this claim in a comment on Cubrilovic's blog post by saying that 'act' in fact stood for 'action', and was a UNIX timestamp used to measure and optimise the speed of the site. Moreover, Facebook deletes account-specific cookies when a user logs out, said Stefancik.

A Facebook spokeswoman on Monday confirmed that Stefancik had commented on Cubrilovic's blog.