Over the weekend, self-proclaimed hacker Nik Cubrilovic accused Facebook of tracking its users even if they log out of the social network. The company responded by denying the claims and offering an explanation as to why its cookies behave the way they do. Now, Cubrilovic says Facebook has made changes to the logout process, and detailed what each cookie is responsible for.
Facebook has five cookies that persist: datr, lu, p, L, and act. There are also two session cookies that persist after the logout procedure: a_user and a_xs. The former, which is the user's ID, is now destroyed on logout. This is the one Cubrilovic had the most issue with. Here is how Facebook describes it:
What you see in your browser is largely typical, except a_user which is less common and should be cleared upon logout (it is set on some photo upload pages). There is a bug where a_user was not cleared on logout. We will be fixing that today.
The datr cookie is set when a browser first visits facebook.com (except via social plugin iframes), and helps Facebook "identify suspicious login activity and keep users safe." The lu cookie is also set the first time a browser visits facebook.com and is used to identify the browser – it helps "protect people using public computers." The a_xs cookie is a string used to prevent cross-site scripting attacks – it serves to check the payload of any requests to the server.
These cookies uniquely identify the browser being used even after logout. Cubrilovic says you shouldn't worry about them unless you can't take Facebook at its word that the cookies are used only for the purposes it describes. Cubrilovic says the remaining cookies are not very interesting: "they set things like the language of your browser and device dimensions." He believes the most interesting cookie, a_user, now behaves as it should.
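The logout bug described above can be checked for by comparing the cookie jar before logout with the Set-Cookie headers of the logout response. The sketch below is an added example, not code from Facebook or Cubrilovic; the cookie names come from the article, while the cookie values, headers, clock and the MUST_CLEAR policy are constructed assumptions.

```javascript
// Added example. Cookie names are from the article; every value, header and
// date below is constructed for illustration.
const NOW = Date.parse('2020-01-01T00:00:00Z'); // fixed clock (constructed)
const MUST_CLEAR = ['a_user'];                  // auditor's policy (assumption)
const JAR_BEFORE = { datr: 'CONSTRUCTED1', lu: 'CONSTRUCTED2', a_user: '1000001', a_xs: 'CONSTRUCTED3' };
const BUGGY_LOGOUT = ['lu=CONSTRUCTED4; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/'];
const FIXED_LOGOUT = BUGGY_LOGOUT.concat(
  'a_user=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/');

// Parse one Set-Cookie header value; returns null if it has no name=value pair.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null;
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? '' : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// A header removes its cookie when a valid Max-Age is <= 0 or, failing that,
// when Expires lies in the past (Max-Age takes precedence over Expires).
function clearsCookie(cookie, now) {
  const maxAge = cookie.attrs['max-age'];
  if (/^-?\d+$/.test(maxAge || '')) return Number(maxAge) <= 0;
  if ('expires' in cookie.attrs) return Date.parse(cookie.attrs.expires) <= now;
  return false; // session cookie being set or refreshed, not removed
}

// Names in mustClear that were present before logout and that the logout
// response did not expire.
function survivingCookies(jarBefore, logoutSetCookies, mustClear, now) {
  const cleared = new Set();
  for (const header of logoutSetCookies) {
    const cookie = parseSetCookie(header);
    if (!cookie) continue;
    // The last header for a name wins: a clear followed by a re-set survives.
    if (clearsCookie(cookie, now)) cleared.add(cookie.name);
    else cleared.delete(cookie.name);
  }
  const present = new Set(Object.keys(jarBefore));
  return mustClear.filter((n) => present.has(n) && !cleared.has(n));
}

console.log('buggy logout leaves:', survivingCookies(JAR_BEFORE, BUGGY_LOGOUT, MUST_CLEAR, NOW));
console.log('fixed logout leaves:', survivingCookies(JAR_BEFORE, FIXED_LOGOUT, MUST_CLEAR, NOW));
```

Matching here is by cookie name only; a real audit must also compare Domain and Path, because a clearing header with a different scope leaves the original cookie in place.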
Here is his conclusion on the whole fiasco:
Facebook has changed as much as they can change with the logout issue. They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc. I would still recommend that users clear cookies or use a separate browser, though. I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe.
It's important to note that Facebook did not previously say it was going to make changes. Both statements I received, from a Facebook engineer and from a Facebook spokesperson, were written as explanations of the process. While Cubrilovic says nothing about Facebook's insistence that it does not track users (as far as we know, this is true), it appears he was right about the logout issue, because according to him, the social network has now fixed it. I have contacted Facebook to verify this.
Update: A spokesperson has replied but did not offer an official statement. Instead, he once again pointed me to a comment made on my article, this time from Facebook engineer Gregg Stefancik. Here is what he wrote:
I'm an engineer who works on these systems. I want to make it clear that there was no security or privacy breach. Facebook did not store or use any information it should not have. Like every site on the internet that personalizes content and tries to provide a secure experience for users, we place cookies on the computer of the user. Three of these cookies on some users' computers included unique identifiers when the user had logged out of Facebook. However, we did not store these identifiers for logged out users. Therefore, we could not have used this information for tracking or any other purpose. In addition, we fixed the cookies so that they won't include unique information in the future when people log out.
I asked if I could also get a PR statement (like I did last time), but was denied. "That is the statement," the spokesperson told me.