Ten public-interest groups have asked the Federal Trade Commission (FTC) to investigate Facebook's various business practices. This demand comes right after two similar ones this week: two US congressmen asked the FTC to investigate how Facebook's cookies behave, and Ireland's Data Protection Commissioner has agreed to conduct a privacy audit of Facebook. Given that the social network's international headquarters is in Dublin, the latter is the more serious of the two, as the large majority of the site's users could be affected.
The consortium of US consumer and privacy groups wants the FTC to look into allegations that Facebook tracks its users even after they log out of the social network, an issue the company says it has since fixed. The groups are also concerned about the "frictionless sharing" feature that is available on the newly launched Ticker and in the upcoming Timeline and Open Graph rollout announced at f8 last week. Last but not least, the agency is being asked to examine whether the new Ticker and Timeline features increase privacy risks for users by combining biographical information in an easily accessible format.
If you want more information, one of the members of the group, the Electronic Privacy Information Center (EPIC), is hosting the full 14-page letter (PDF) that the groups collaboratively wrote to the FTC. Alternatively, this excerpt from the introduction should give you the general gist:
Facebook's tracking of post-log-out Internet activity violates both the reasonable expectations of consumers and the company's own privacy statements. Although Facebook has partially fixed the problem caused by its tracking cookies, the company still places persistent identifiers on users' browsers that collect post-log-out data and could be used to identify users. "Frictionless sharing" plays a leading role in the changes Facebook announced at the recent f8 development conference, and works through the interaction of Facebook's Ticker, Timeline, and Open Graph. These changes in business practices give the company far greater ability to disclose the personal information of its users to its business partners than in the past. Options for users to preserve the privacy standards they have established have become confusing, impractical, and unfair.
The Electronic Privacy Information Center ("EPIC"), The American Civil Liberties Union, The American Library Association, Bill of Rights Defense Committee, The Center for Digital Democracy, The Center for Media and Democracy, Consumer Action, Consumer Watchdog, PrivacyActivism, and Privacy Times recommend that the Commission investigate whether the changes recently announced by Facebook are consistent with the policies and representations that were in place when consumers provided their personal information to Facebook or whether they constitute unfair and deceptive trade practices, in violation of consumer protection law in the United States.
This past weekend, self-proclaimed hacker Nik Cubrilovic accused Facebook of tracking its users even if they log out of the social network. He explained that even after logging out of the service, whenever he visited a website that had a Facebook plugin, information including his account ID was still being sent to Palo Alto.
The company responded by denying the claims and offering an explanation as to why its cookies behave the way they do. The company explained that it does not track users across the Web and its cookies are used to personalize content. As for the logged-out cookies, Facebook said they are used for safety and protection.
After a long technical discussion, Cubrilovic confirmed that Facebook made changes to the logout process, and that the cookies in question now behave as they should. They still exist, but they no longer send back personally identifiable information after you log out. The company also took the time to explain what each cookie is responsible for.
Cubrilovic offered the following conclusion to the whole fiasco:
Facebook has changed as much as they can change with the logout issue. They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc. I would still recommend that users clear cookies or use a separate browser, though. I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe.
Facebook engineer Gregg Stefancik made this concluding statement in a comment on this blog:
I'm an engineer who works on these systems. I want to make it clear that there was no security or privacy breach. Facebook did not store or use any information it should not have. Like every site on the internet that personalizes content and tries to provide a secure experience for users, we place cookies on the computer of the user. Three of these cookies on some users' computers included unique identifiers when the user had logged out of Facebook. However, we did not store these identifiers for logged out users. Therefore, we could not have used this information for tracking or any other purpose. In addition, we fixed the cookies so that they won't include unique information in the future when people log out.
I have contacted Facebook for more information about this issue and will update this article if I hear back.