The big news out of last week's Facebook f8 Developer Conference was the site's user interface revamp, multimedia integration with services like Netflix and Spotify and so-called "frictionless sharing."
But this past weekend, the online security and privacy community was abuzz with another big Facebook story: allegations from Australia-based entrepreneur and hacker Nik Cubrilovic that "Even if you are logged out, Facebook still knows and can track every page you visit."
Here's how the story goes: Last year, Nik discovered that when you visit Facebook, the site leaves behind cookies that contain unique identifiers that could be used to follow you around on any site that integrates Facebook functionality. The kicker: the cookies' unique identifiers persist, even after you've clicked "Log out." He says he notified Facebook about this, but received no response.
When I first read about this, I decided to test Nik's findings myself. Armed with an HTTP analyser plugin and an appetite for digging into my browser's cookies, I logged into Facebook. I checked my cookies, and indeed, in the entry for Facebook.com, there was a unique identifier sitting there, a 24-character string of gobbledygook that looked something like this: yQqATmlDhTxzpk0Y9zNVsuWc.
Then, I logged out of Facebook and checked my cookies again. The unique identifier – the big string of gobbledygook – was still there.
So I shut down my web browser, restarted, and checked my cookies again. The identifier remained. I should mention that this particular cookie wasn't set to expire for a full year. In order to remove the cookie, I had to explicitly delete it from within my browser.
The concern here is how the unique identifier that Facebook leaves on your computer could be associated with your online behavior on any site that integrates Facebook. A Like button isn't just a picture: it's a small piece of Facebook's own site embedded in someone else's page and loaded from Facebook's servers. Each time your browser fetches it, it sends along whatever cookies it holds for Facebook, including that unique identifier, together with the address of the page that embeds the button. For instance, the CBC web site has Facebook Like buttons. And so do health information websites. Pornography websites have Like buttons. The question is, do you really want every one of those pages to report your visit back to Facebook, tagged with an ID that could be traced to your Facebook identity, whether or not you're logged in?
When I first read about this story, I reached out to Facebook for their response. I didn't receive one. However, someone claiming to be a Facebook engineer did respond to Cubrilovic's blog post: "Generally, unlike other major Internet companies, we have no interest in tracking people." He says Facebook uses this kind of cookie information to do other things, though: to fight spam and phishing attacks, keep underage users off the site and to help users recover hacked accounts. Whether you consider these uses "tracking" depends on your definition of the word "tracking."
My biggest concern is how this kind of activity rubs up against what I consider reasonable expectations around my online activity. If I log out of a web site – any web site – my expectation is that my interactions with them are done. Finished. Not that bits of their code will continue to follow me around.
Related to that, I'm worried that along with all the good things that come with the social web, there are also some very serious surveillance and privacy risks. Over the past several years, we've seen so many little bits of third-party code added to the web sites we visit: "Like" buttons and Tweet buttons and advertisements and widgets (there are several on this web page alone). When I load up CBC.ca, I get content from CBC. But I also get little bits of code from social sharing websites and ad networks and tracking services. I assume I'm entering into an interaction with one company – CBC – but I'm actually entering into interactions with all kinds of other companies, some of which I'm not even aware of.
So what to do? In the case of Facebook and the cookies they leave on your computer, there are a few ways to opt out. First, you can manually clear your Facebook cookies. Usually, this involves going into the privacy settings of your browser. Keep in mind that the identifier is set again the next time you visit Facebook, so this is something you'd have to repeat after every session, not do once. Most browsers also have a setting to block "third-party" cookies; depending on the browser, this stops Facebook's cookies from being set, or sent, when a Like button is loaded from somebody else's site.
Another option is to have a Facebook-only browser. Each browser keeps its own cookies, so a Like button loaded in your everyday browser won't find the identifier that your Facebook browser is holding. So, for instance, if you regularly use Internet Explorer, you could get a copy of Firefox or Google Chrome, or Safari, or any other browser... and use it for Facebook and nothing else. If that seems a little too cumbersome, you could try a browser plugin like Disconnect or Ghostery, which block the requests to social and tracking services before they're made. Or you could use the "Incognito" or "Private Browsing" modes that are available in some browsers; they throw cookies away when you close the window, though a Like button loaded in the same private window will still see any cookie Facebook set earlier in that session.
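As an added illustration (this script is not from the article, and it is not Facebook's or any browser's code), the following Node.js program models a browser cookie jar to walk through both the experiment described above and the opt-out options: a login response sets a session cookie and a one-year identifier cookie; the logout response expires only the session cookie; the identifier survives a browser restart; it is attached to a Like-button request made from an unrelated site; and clearing the domain's cookies or blocking third-party cookies stops that. The cookie names (`session`, `tracker_id`), their values, the hosts and the Set-Cookie headers are constructed for the example, and the `site()` helper approximates a registrable domain by its last two labels, which is a simplification of what real browsers do.

```javascript
// Added example (not from the article, not Facebook's or any browser's code):
// a toy cookie jar that models what a browser does with Facebook's cookies
// around login, logout, a restart, and a Like button on an unrelated page.
// Cookie names, values, hosts and headers below are constructed for illustration.

const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;

// Approximate the "site" of a host by its last two labels (www.cbc.ca -> cbc.ca).
// A real browser consults the public suffix list; this is a simplification.
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Domain-match as browsers do: the host equals the cookie domain or is a subdomain of it.
function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Minimal Set-Cookie parser covering name=value, Domain, Expires and Max-Age.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null, expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'expires') cookie.expires = Date.parse(val);
    else if (key === 'max-age') cookie.expires = now + Number(val) * 1000; // later attribute wins
  }
  return cookie;
}

class CookieJar {
  constructor() {
    this.cookies = new Map(); // key "domain|name" -> cookie
  }

  // Apply a Set-Cookie header from a response served by responseHost.
  store(responseHost, header, now) {
    const c = parseSetCookie(header, now);
    if (!c.domain) c.domain = responseHost.toLowerCase();
    const key = `${c.domain}|${c.name}`;
    // A cookie that is already expired (Max-Age=0, a past Expires) is how a server deletes one.
    if (c.expires !== null && c.expires <= now) this.cookies.delete(key);
    else this.cookies.set(key, c);
  }

  // Session cookies (no Expires/Max-Age) die with the browser; persistent ones do not.
  closeBrowser() {
    for (const [key, c] of [...this.cookies]) if (c.expires === null) this.cookies.delete(key);
  }

  // Cookies attached to a request for requestHost while the address bar shows topLevelHost.
  // With blockThirdParty set, nothing is sent when the request crosses to another site.
  cookiesFor(requestHost, topLevelHost, { blockThirdParty = false } = {}) {
    if (blockThirdParty && site(requestHost) !== site(topLevelHost)) return [];
    return [...this.cookies.values()].filter((c) => hostMatches(requestHost, c.domain));
  }

  // What "clear cookies for this site" in the browser's privacy settings does.
  clearDomain(domain) {
    for (const [key, c] of [...this.cookies]) if (hostMatches(c.domain, domain)) this.cookies.delete(key);
  }
}

// Walk through the experiment from the article with constructed server responses.
function runScenario(now = Date.UTC(2011, 8, 26)) {
  const jar = new CookieJar();
  const fb = 'www.facebook.com';
  const expires = new Date(now + ONE_YEAR_MS).toUTCString();

  // Login: a session cookie plus an identifier that lasts a full year.
  jar.store(fb, 'session=s3ss10n; Domain=.facebook.com; Path=/', now);
  jar.store(fb, `tracker_id=yQqATmlDhTxzpk0Y9zNVsuWc; Domain=.facebook.com; Expires=${expires}`, now);

  // "Log out": the server expires the session cookie and leaves the identifier alone.
  jar.store(fb, 'session=deleted; Domain=.facebook.com; Max-Age=0', now);
  jar.closeBrowser(); // restart the browser: only session cookies disappear

  const afterLogout = jar.cookiesFor(fb, fb).map((c) => c.name);
  const tracker = jar.cookiesFor(fb, fb).find((c) => c.name === 'tracker_id');
  const daysLeft = Math.round((tracker.expires - now) / 86400000);

  // A Like button on cbc.ca is a frame fetched from facebook.com: a third-party request.
  const sentWithLike = jar.cookiesFor(fb, 'www.cbc.ca').map((c) => c.name);
  const sentWithLikeBlocked = jar.cookiesFor(fb, 'www.cbc.ca', { blockThirdParty: true }).map((c) => c.name);

  jar.clearDomain('facebook.com'); // the manual opt-out from the browser's privacy settings
  const afterClear = jar.cookiesFor(fb, 'www.cbc.ca').map((c) => c.name);

  return { afterLogout, daysLeft, sentWithLike, sentWithLikeBlocked, afterClear };
}

console.log(runScenario());
```

Running it shows `afterLogout` and `sentWithLike` both containing `tracker_id` with 365 days left, while `sentWithLikeBlocked` and `afterClear` are empty: the identifier outlives logout and the restart, goes out with every embedded Like button, and only disappears when the browser is told not to send it or to delete it.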
And, even though it won't help with cookies, a tin-foil hat is always a fashionable accessory.