Facebook answers privacy flap over leftover cookies

Sep 27, 2011 by Nancy Owano report

(PhysOrg.com) -- A Sunday blog post by self-described hacker, writer and entrepreneur Nik Cubrilovic has set off a firestorm of discussions and accusations that Facebook violates user privacy in the form of tracking via leftover cookies. Cubrilovic accused Facebook of using cookies to track users even after users have logged off. “Logging out of Facebook only de-authorizes your browser from the web application,” he said. "A number of cookies (including your account number) are still sent along to all requests to facebook.com."

Facebook “alters” tracking cookies when you log out instead of deleting them.

Cubrilovic’s findings were from his analysis of HTTP headers sent by browsers to Facebook.com. The solution, he said, is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.

The story quickly propagated as did news of Facebook employee responses that Facebook’s millions of users should not be bothered.

Facebook did not deny that cookies remain even after the user has logged out. What Facebook did seek to correct was any notion that leftover cookies were used to snoop.

Facebook engineer Arturo Bejar said that Facebook uses data from logged-out cookies to prevent spamming, phishing and other security risks.

An extended Facebook response with similar assurances came from Gregg Stefanci, a Facebook engineer. Stefani defended Facebook's intentions as user-centric, and not for profiteering by snooping.

"We don’t have an ad network and we don’t sell people’s information.” Stefanci said. "Rather, the logged-out cookies are used for safety and security protections."

One example of user protection, he said, was disabling registration if an underage user tries to re-register with a different birth date. Another purpose was helping people recover hacked accounts, and identifying shared computers to discourage the use of 'Keep me logged in.'

While Facebook staffers’ reactions defending have been quite clear, a stinging sentence on Cubrilovic's Sunday blog is feeding news posting after news posting: “This is not what 'logout' is supposed to mean.”

The cookies flap comes at a time when privacy watchdogs are worried about Facebook's new Timeline feature and are preparing a letter to the Federal Trade Commission to look into the sharing of information via Timeline. The Electronic Information Center is especially concerned over Timeline, a new design for a profile page. Jeff Chester of the Center for Digital Democracy believes that the redesign is part of an effort to boost data collection prior to an IPO.

Explore further: LinkedIn membership hits 300 million

Related Stories

AOL integrates Facebook chat with AIM

Feb 10, 2010

(AP) -- As part of an ongoing effort to improve its user experience, Internet company AOL Inc. is letting users of its AIM instant-messaging service chat with friends on Facebook.

Social networking aggregator sues Facebook

Jul 10, 2009

(AP) -- In a counter-punch to the world's biggest online hangout, a small Web company called Power.com has sued Facebook, saying it doesn't follow its own policy of giving users control over their content.

Facebook tightens user security

Jan 26, 2011

Facebook on Wednesday announced heightened privacy controls for members of the world's largest online social network.

Recommended for you

LinkedIn membership hits 300 million

Apr 18, 2014

The career-focused social network LinkedIn announced Friday it has 300 million members, with more than half the total outside the United States.

Researchers uncover likely creator of Bitcoin

Apr 18, 2014

The primary author of the celebrated Bitcoin paper, and therefore probable creator of Bitcoin, is most likely Nick Szabo, a blogger and former George Washington University law professor, according to students ...

White House updating online privacy policy

Apr 18, 2014

A new Obama administration privacy policy out Friday explains how the government will gather the user data of online visitors to WhiteHouse.gov, mobile apps and social media sites. It also clarifies that ...

User comments : 5

Adjust slider to filter visible comments by rank

Display comments: newest first

Doug_Huffman
2.4 / 5 (5) Sep 27, 2011
Do not trust deFaceDbook. Do not use Facebook.
stealthc
1 / 5 (1) Sep 27, 2011
the solution is to use the tor standalone version of firefox -- click on it to establish a connection in a standalone version of firefox, takes all of the headache over fiddling with settings and just lets you browse without their nosing into your business.
deepsand
2.7 / 5 (12) Sep 27, 2011
More cookie paranoia.

Firstly, "log-out" does not mean "clear persistent cookies," but only "clear session cookies."

Secondly, cookies cannot be altered or read by anyone other than the Domain Name (DN) that created them, and then only when one is connected to that DN. The notion that idle cookies are somehow being used is urban myth.
Ricochet
5 / 5 (1) Sep 28, 2011
I experienced a similar issue with Mapquest. I had a packet sniffer running that scanned outbound packets for my personal info, etc... it caught the website trying to send every address I typed into their search pages to the ad agency they ran through. That was about 5 years ago, and I haven't used them since, so I don't know if that's a current practice... maybe someone with a packet sniffer can check it?
deepsand
2.8 / 5 (12) Sep 28, 2011
That:
Has nothing to do with cookies; and,
Can be done client side, as was your experience, or server side without your knowledge.

Either way such data collection is SOP. If that bothers one, DO NOT USE ANYTHING GOOGLE, as they are egregiously aggressive in this regard.

More news stories

Ex-Apple chief plans mobile phone for India

Former Apple chief executive John Sculley, whose marketing skills helped bring the personal computer to desktops worldwide, says he plans to launch a mobile phone in India to exploit its still largely untapped ...

Airbnb rental site raises $450 mn

Online lodging listings website Airbnb inked a $450 million funding deal with investors led by TPG, a source close to the matter said Friday.

Health care site flagged in Heartbleed review

People with accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the ...

A homemade solar lamp for developing countries

(Phys.org) —The solar lamp developed by the start-up LEDsafari is a more effective, safer, and less expensive form of illumination than the traditional oil lamp currently used by more than one billion people ...

NASA's space station Robonaut finally getting legs

Robonaut, the first out-of-this-world humanoid, is finally getting its space legs. For three years, Robonaut has had to manage from the waist up. This new pair of legs means the experimental robot—now stuck ...

Filipino tests negative for Middle East virus

A Filipino nurse who tested positive for the Middle East virus has been found free of infection in a subsequent examination after he returned home, Philippine health officials said Saturday.

Egypt archaeologists find ancient writer's tomb

Egypt's minister of antiquities says a team of Spanish archaeologists has discovered two tombs in the southern part of the country, one of them belonging to a writer and containing a trove of artifacts including reed pens ...