Facebook Can Track Your Web Browsing Activity Even After You Log Out

Facebook has announced a wealth of new features and updates over the last few weeks, not least of which is the ticker, which an app can post to passively through the new Open Graph API functionality. There are some privacy concerns here, as you may find that Facebook automatically shares something you do not want other people to see.

Some people have suggested that Facebook is actually tracking your Web browsing activity and that logging out of Facebook would stop the social network from doing so. However, entrepreneur and hacker Nik Cubrilovic noted that logging out of your Facebook account does not necessarily stop the social network from tracking what you do on the Web.

Cubrilovic discovered that Facebook’s tracking cookies are altered slightly when you log out, rather than being deleted. This means that whenever you visit a website that contains the Like button, Share button or any other Facebook widget, certain information — such as your account ID — is still sent back to Facebook even if you’re logged out.

Cubrilovic says that anyone can repeat his tests (which focused on analyzing HTTP headers that browsers send to Facebook) by using a Web browser that contains developer tools.
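
The kind of check described above can be scripted once the headers are captured: compare the cookies held before logout with the Set-Cookie headers in the logout response and see which are actually deleted. This is an added example, not Cubrilovic's or Facebook's code; the cookie names, values and domain are constructed, and it assumes all cookies share one domain and path.

```javascript
// Added example: classify what a logout response does to each cookie in the jar.
// Cookie names and values below are constructed, not Facebook's real cookies.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// A Set-Cookie deletes a cookie when Max-Age <= 0 or Expires is in the past.
// Max-Age takes precedence over Expires (RFC 6265, section 5.3).
function isDeletion(cookie, now) {
  if ('max-age' in cookie.attrs) return Number(cookie.attrs['max-age']) <= 0;
  if ('expires' in cookie.attrs) return Date.parse(cookie.attrs.expires) <= now;
  return false;
}

// jar: {name: value} held before logout; headers: Set-Cookie lines from the logout response.
function auditLogout(jar, headers, now = Date.now()) {
  const updates = new Map(headers.map(h => { const c = parseSetCookie(h); return [c.name, c]; }));
  const report = {};
  for (const [name, value] of Object.entries(jar)) {
    const u = updates.get(name);
    if (!u) report[name] = 'retained';            // untouched: still sent with widget requests
    else if (isDeletion(u, now)) report[name] = 'deleted';
    else report[name] = u.value === value ? 'retained' : 'altered';
  }
  return report;
}

// Constructed sample data (the "now" timestamp is arbitrary, chosen for a repeatable run).
const NOW = Date.parse('2011-09-26T00:00:00Z');
const jarBefore = { session: 'abc123', acct_id: '1000042', browser_id: 'x9f', locale: 'en_US' };
const logoutHeaders = [
  'session=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=.example.test',
  'acct_id=1000042-lo; Max-Age=2592000; Path=/; Domain=.example.test',
  'locale=en_US; Max-Age=604800; Path=/',
];
console.log(auditLogout(jarBefore, logoutHeaders, NOW));
```

Any cookie reported as "altered" or "retained" is still attached to requests for third-party widgets after logout, which is the behaviour the tests looked for.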

It should be noted that, in the comments section of Cubrilovic’s post on this matter, a commenter claiming to be a Facebook engineer named Gregg Stefancik (a little Googling reveals that there is indeed a “Gregg Stefancik” who works at Facebook, so this could be legit) says Facebook does not track your Web activity through cookies.

Here are a few excerpts from Stefancik’s comment:

I’m an engineer who works on login systems at Facebook. Thanks, again for raising these important issues. We haven’t done as good a job as we could have to explain our cookie practices. Your post presents a great opportunity for us to fix that. At the same time, your post reaches some incorrect conclusions that I hope to clarify.

Generally, unlike other major Internet companies, we have no interest in tracking people. We don’t have an ad network and we don’t sell people’s information. As we state in our help center “We do not share or sell the information we see when you visit a website with a Facebook social plugin to third parties and we do not use it to deliver ads to you.”

Said more plainly, our cookies aren’t used for tracking. They just aren’t. Instead, we use our cookies to either provide custom content (e.g. your friend’s likes within a social plugin), help improve or maintain our service (e.g. measuring click-through rates to help optimize performance), or protect our users and our service (e.g. defending denial of service attacks or requiring a second authentication factor for a login from a suspicious location).

The logged out cookies, specifically, are used primarily for safety and security protections, including:
- Identifying and disabling spammers and phishers
- Disabling registration if an underage user tries to re-register with a different birth date
- Helping people recover hacked accounts
- Powering account security features, such as login approvals and notifications
- Identifying shared computers to discourage the use of “Keep me logged in.”

We also maintain a cookie association between accounts and browsers. This is a key element of our phishing protections. However, contrary to your article, we do delete account-specific cookies when a user logs out of Facebook. As a result, we do not receive personally identifiable cookie information via HTTP Headers when these users browse the web.

Take Stefancik’s comments as you will; whether you believe this to be true or not is your call. The fact is that your Web browser is sending details of your browsing activity back to Facebook even when you’re logged out; it’s what Facebook does with this data that’s up for debate. That said, we reported on a study back in May that revealed Facebook and other social networks were able to track your browsing activity through their social sharing buttons. At the time, Facebook said it anonymizes all of the data it obtains through its social sharing buttons and it deletes this data after 90 days.

I don’t think there’s anything to worry about here, but that’s just my opinion. However, if you want to make absolutely sure that Facebook can’t track your activity when you want to visit websites that you might not want Facebook to know about, your best option is to either delete all of the Facebook cookies from your history first or switch to a different browser that you have not used to log in to Facebook in the past. Failing that, there is a Google Chrome extension that halts Facebook and other social networks from tracking your online activities by blocking social plugins across the Web.

3 Responses to Facebook Can Track Your Web Browsing Activity Even After You Log Out

  1. Anonymous says:

    Simple solution, I have my browser set to wipe all cookies as I close it. Done!