Two U.S. congressmen today asked the Federal Trade Commission (FTC) to investigate recent accusations that Facebook tracks its users even after they log out of the social network, an issue the company says it has since fixed. Edward Markey, a Massachusetts Democrat, and Joe Barton, a Texas Republican, want the FTC to take a closer look at Facebook's business practices.
You can read the full two-page letter yourself: FTC Facebook Letter – September 28, 2011 (PDF). I've also typed up the relevant excerpt below:
Facebook has admitted to collecting information about its users even after its users had logged out of Facebook. Facebook was able to obtain this information when users visited websites that connect with Facebook, including websites with "Like" buttons. There are an estimated 905,000 sites that contain the "Like" button.
As co-Chairs of the Congressional Bi-Partisan Privacy Caucus, we believe that tracking user behavior without their consent or knowledge raises serious privacy concerns. When users log out of Facebook, they are under the expectation that Facebook is no longer monitoring their activities. We believe this impression should be the reality. Facebook users should not be tracked without their permission.
This past weekend, self-proclaimed hacker Nik Cubrilovic accused Facebook of tracking its users even if they log out of the social network. He explained that even after logging out of the service, whenever he visited a website that had a Facebook plugin, information including his account ID was still being sent to Palo Alto.
The company responded by denying the claims and offering an explanation as to why its cookies behave the way they do. The company explained that it does not track users across the Web and its cookies are used to personalize content. As for the logged-out cookies, Facebook said they are used for safety and protection.
Yesterday, Cubrilovic said Facebook made changes to the logout process, and that the cookies in question now behave as they should. They still exist, but they no longer send back personally identifiable information after you log out. The company also took the time to explain what each cookie is responsible for.
Cubrilovic offered the following conclusion to the whole fiasco:
Facebook has changed as much as they can change with the logout issue. They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc. I would still recommend that users clear cookies or use a separate browser, though. I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe.
Facebook engineer Gregg Stefancik made this concluding statement in a comment on this blog:
I'm an engineer who works on these systems. I want to make it clear that there was no security or privacy breach. Facebook did not store or use any information it should not have. Like every site on the internet that personalizes content and tries to provide a secure experience for users, we place cookies on the computer of the user. Three of these cookies on some users' computers included unique identifiers when the user had logged out of Facebook. However, we did not store these identifiers for logged out users. Therefore, we could not have used this information for tracking or any other purpose. In addition, we fixed the cookies so that they won't include unique information in the future when people log out.