Facebook answers privacy flap over leftover cookies

September 27, 2011 by Nancy Owano

(PhysOrg.com) -- A Sunday blog post by self-described hacker, writer and entrepreneur Nik Cubrilovic has set off a firestorm of discussions and accusations that Facebook violates user privacy in the form of tracking via leftover cookies. Cubrilovic accused Facebook of using cookies to track users even after users have logged off. “Logging out of Facebook only de-authorizes your browser from the web application,” he said. "A number of cookies (including your account number) are still sent along to all requests to facebook.com."

Facebook “alters” tracking cookies when you log out instead of deleting them.

Cubrilovic’s findings were from his analysis of HTTP headers sent by browsers to Facebook.com. The solution, he said, is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.

The story quickly propagated as did news of Facebook employee responses that Facebook’s millions of users should not be bothered.

Facebook did not deny that cookies remain even after the user has logged out. What Facebook did seek to correct was any notion that leftover cookies were used to snoop.

Facebook engineer Arturo Bejar said that Facebook uses data from logged-out cookies to prevent spamming, phishing and other security risks.

An extended Facebook response with similar assurances came from Gregg Stefanci, a Facebook engineer. Stefani defended Facebook's intentions as user-centric, and not for profiteering by snooping.

"We don’t have an ad network and we don’t sell people’s information.” Stefanci said. "Rather, the logged-out cookies are used for safety and security protections."

One example of user protection, he said, was disabling registration if an underage user tries to re-register with a different birth date. Another purpose was helping people recover hacked accounts, and identifying shared computers to discourage the use of 'Keep me logged in.'

While Facebook staffers’ reactions defending Facebook have been quite clear, a stinging sentence on Cubrilovic's Sunday blog is feeding news posting after news posting: “This is not what 'logout' is supposed to mean.”

The cookies flap comes at a time when privacy watchdogs are worried about Facebook's new Timeline feature and are preparing a letter to the Federal Trade Commission to look into the sharing of information via Timeline. The Electronic Privacy Information Center is especially concerned over Timeline, a new design for a profile page. Jeff Chester of the Center for Digital Democracy believes that the redesign is part of an effort to boost data collection prior to an IPO.

- Tweet
- PHYSorg.com on Twitter

- Reddit
- Delicious
- Yahoo! bookmarks
- RSS
- QR code

view popular send feedback to editors

4.8 /5 (6 votes)

Move the slider to adjust rank threshold, so that you can hide some of the comments.

Display comments: newest first

Doug_Huffman
Sep 27, 2011

Rank: 2.8 / 5 (4)

Do not trust deFaceDbook. Do not use Facebook.

stealthc
Sep 27, 2011

Rank: not rated yet

the solution is to use the tor standalone version of firefox -- click on it to establish a connection in a standalone version of firefox, takes all of the headache over fiddling with settings and just lets you browse without their nosing into your business.

deepsand
Sep 27, 2011

Rank: 1 / 5 (2)

More cookie paranoia.

Firstly, "log-out" does not mean "clear persistent cookies," but only "clear session cookies."

Secondly, cookies cannot be altered or read by anyone other than the Domain Name (DN) that created them, and then only when one is connected to that DN. The notion that idle cookies are somehow being used is urban myth.

Ricochet
Sep 28, 2011

Rank: 5 / 5 (1)

I experienced a similar issue with Mapquest. I had a packet sniffer running that scanned outbound packets for my personal info, etc... it caught the website trying to send every address I typed into their search pages to the ad agency they ran through. That was about 5 years ago, and I haven't used them since, so I don't know if that's a current practice... maybe someone with a packet sniffer can check it?

deepsand
Sep 28, 2011

Rank: 1.5 / 5 (2)

That:
Has nothing to do with cookies; and,
Can be done client side, as was your experience, or server side without your knowledge.

Either way such data collection is SOP. If that bothers one, DO NOT USE ANYTHING GOOGLE, as they are egregiously aggressive in this regard.

Rank

4.8 /5 (6 votes)

From lemons to lemonade: Reaction uses carbon dioxide to make carbon-based semiconductor, 32 comments
Thioridazine kills cancer stem cells in human while avoiding toxic side-effects of conventional cancer treatments, 3 comments
SpaceX private rocket blasts off for space station (Update), 42 comments
Climate scientists say they have solved riddle of rising sea, 31 comments
SpaceX capsule has 'new car' smell, astronauts say (Update), 4 comments

more news

Facebook answers privacy flap over leftover cookies

Filter

Canada privacy office launches new Facebook probe

Facebook's new security feature: remote logouts

Privacy watchdog files complaint against Facebook

AOL integrates Facebook chat with AIM

More news stories

Browser wars flare in mobile space

Probability of contamination from severe nuclear reactor accidents is higher than expected: study

HyperSolar shows dirty water no barrier to power world

SpotterRF debuts Radar Backpack Kit (w/ Video)

Tesla to launch electric sedan in US on June 22

Land and sea species differ in climate change response: study

'Unzipped' carbon nanotubes could help energize fuel cells, batteries

T cells 'hunt' parasites like animal predators seek prey, study shows

Computer model used to pinpoint prime materials for efficient carbon capture

Change in developmental timing was crucial in the evolutionary shift from dinosaurs to birds: study

Almost half of new vets seek disability