Facebook tracking cookie returns, according to hacker

The datr cookie, which can be used for tracking users, is once again being set on third-party websites with a Facebook social plugin – whether you are logged in or logged out of the service.
Written by Emil Protalinski, Contributor

Update: This has been confirmed. Facebook: cookie tracking issue is limited, fix coming today.

Self-proclaimed hacker Nik Cubrilovic says he has once again caught Facebook red-handed. After being tipped off by Twitter user Jonathan Mayer about cbssports.com, he has discovered Facebook is once again setting its datr cookie via Like buttons and other social plugins.

Back in May, The Wall Street Journal reported the following:

Until recently, some Facebook widgets also obtained browsing data about Internet users who had never visited Facebook.com, though Facebook wouldn't know their identity. The company says it discontinued that practice, which it described as a "bug," earlier this year after it was disclosed by Dutch researcher Arnold Roosendaal of Tilburg University.

The cookie was being set even if the user had never been to the Facebook site, and even if he or she didn't click on a given Facebook widget. Cubrilovic says the datr cookie is now back and just as before, and is being "set by all the third-party sites that we tested." It can be read later to track a user across different Web properties and back to the Facebook site.

Facebook's own description of the datr cookie is as follows:

We set the 'datr' cookie when a web browser accesses facebook.com (except social plugin iframes), and the cookie helps us identify suspicious login activity and keep users safe. For instance, we use it to flag questionable activity like failed login attempts and attempts to create multiple spam accounts.

Cubrilovic says that despite this explanation, the cookie is now again being set. It is reportedly the first cookie that is set on all third-party websites with a Facebook social plugin, and for all users of the social network – whether you are logged in or logged out.

Independent researcher Ashkan Soltani, who filed a bug about the datr cookie before, has submitted again submitted a bug report to Facebook, according to Cubrilovic. It's currently unclear if this cookie was re-enabled accidentally or on purpose, but either way an explanation is in order.

Last week, Cubrilovic accused Facebook of tracking its users even if they log out of the social network. He explained that even after logging out of the service, whenever he visited a website that had a Facebook plugin, information including his account ID was still being sent to Palo Alto.

The company responded by denying the claims and offering an explanation as to why its cookies behave the way they do. Palo Alto explained that it does not track users across the Web and its cookies are used to personalize content. As for the logged-out cookies, Facebook said they are used for safety and protection.

After a long technical discussion, Cubrilovic confirmed Facebook made changes to the logout process, and that the cookies in question now behave as they should. They still exist, but they no longer send back personally-identifiable information after you log out. The company also took the time to explain what each cookie is responsible for.

Following all this, 10 privacy groups and US congressmen sent letters asking the Federal Trade Commission (FTC) to investigate Facebook for these and other practices. Furthermore, Ireland's Data Protection Commissioner has agreed to conduct a privacy audit of Facebook. Given that the social network's international headquarters is in Dublin, the latter is the more serious one as the larger majority of the site's users could be affected. Facebook has even had to defend itself in regards to a recent patent it filed, arguing that the document does not describe how to track logged-out users.

If Cubrilovic's latest findings are accurate, governments around the world just got another reason to probe the social networking giant. I have contacted Facebook to find out more about this issue.

See also:

Editorial standards