Update: Facebook denies cookie tracking allegations. The original article is below.
Facebook has had privacy issues for a long time, and while the company has been working to improve its image, today's episode will likely set it back once again. Thanks to a modified cookie, Facebook allegedly knows what you're doing online even when you're not logged in.
At least that's what self-proclaimed hacker Nik Cubrilovic claims. After running a series of tests analyzing the HTTP headers on requests sent by browsers to facebook.com, he discovered that Facebook alters its tracking cookies the moment you log out, instead of deleting them. Since your uniquely identifying account information is still present in these cookies, Facebook can continue to track you, Cubrilovic argues.
This means that if you log out of Facebook, you're not really doing much. If you then head to a website that contains a Facebook plugin, your browser will continue to send personally identifiable information back to Palo Alto. Here's Cubrilovic's explanation:
With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook. The only solution to Facebook not knowing who you are is to delete all Facebook cookies. You can test this for yourself using any browser with developer tools installed. It is all hidden in plain sight.
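The check described above can be scripted. The following is an added example, not part of the original article or of Cubrilovic's tests: it takes the cookie jar as it stood before logout plus the Set-Cookie headers of the logout response, and reports which cookies were really deleted and which were only altered or left in place. All cookie names, values and the example.com domain are constructed placeholders, and Domain/Path scoping is assumed to match.

```javascript
// Constructed sample data: placeholder names and values, not Facebook's real cookies.
const jarBeforeLogout = { session_token: "s3cr3t", account_id: "1000012345", locale: "en_US", browser_id: "bX9" };

// Set-Cookie lines as they would be copied from the logout response (constructed).
const logoutSetCookie = [
  "session_token=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=.example.com",
  "locale=deleted; Max-Age=0; Path=/",
  "browser_id=bX9-rotated; Expires=Fri, 01 Jan 2100 00:00:00 GMT; Path=/; HttpOnly",
];

// Parse one Set-Cookie line and decide whether it instructs the browser to delete the cookie.
function parseSetCookie(line, now) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), deleted: false };
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = parseInt(val, 10);
    if (key === "expires" && !Number.isNaN(Date.parse(val))) expires = Date.parse(val);
  }
  // Max-Age takes precedence over Expires (RFC 6265, section 5.3).
  if (maxAge !== null) cookie.deleted = maxAge <= 0;
  else if (expires !== null) cookie.deleted = expires <= now;
  return cookie;
}

// Classify every cookie that existed before logout by what the logout response did to it.
function auditLogout(jar, setCookieLines, now = Date.now()) {
  const report = { deleted: [], altered: [], untouched: [] };
  const seen = new Map();
  for (const line of setCookieLines) {
    const c = parseSetCookie(line, now);
    seen.set(c.name, c); // a later header for the same name overrides an earlier one
  }
  for (const [name, value] of Object.entries(jar)) {
    const c = seen.get(name);
    if (!c) report.untouched.push(name);           // never mentioned: still sent afterwards
    else if (c.deleted) report.deleted.push(name);  // expired by the server
    else if (c.value !== value) report.altered.push(name); // rewritten, not removed
    else report.untouched.push(name);               // re-set with the same value
  }
  return report;
}

const report = auditLogout(jarBeforeLogout, logoutSetCookie);
console.log(report);
```

Anything listed under `altered` or `untouched` is still attached to later requests for that domain, including requests triggered by embedded widgets on other sites.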
So how do you get rid of these Facebook cookies in a way that will still let you use the service? Well, you can delete them every time after you log out of the website. Alternatively, Hacker News user buro9 says you can use the following AdBlock Plus rules:
facebook.com^$domain=~facebook.com ~facebook.net|~fbcdn.com|~fbcdn.net facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
This will supposedly limit your usage of the social network to just facebook.com. If you need to use it on another website, you can temporarily whitelist it with the AdBlock switch.
If what Cubrilovic found today ends up being true, this could be a serious problem for Facebook. I have contacted Facebook for more information on this issue.
This is actually similar to the scrutiny Facebook has faced in Germany, especially recently. See the links below for full coverage.
- German minister tells colleagues to avoid Facebook
- Facebook agrees to sign voluntary privacy code in Germany
- German website creates two-click Like button, Facebook not amused
- Germany: Facebook Like button violates privacy laws
- Germany: Facebook facial recognition feature violates privacy laws