Dave Winer wrote an article at Scripting.com explaining how Facebook keeps track of where you are on the web after logging in, without your consent. Nik Cubrilovic dug a little deeper, and discovered that Facebook can still track where you are, even if you log out. Facebook, for its part, hasdenied the claims. Regardless of who you believe, here’s how to protect yourself, and keep your browsing habits to yourself.
The whole issue has stirred up a lot of debate in privacy circles over the past few days. Here’s what the fuss is about, and what you can do to protect your privacy if you’re worried.
The Issue: Facebook’s Social Apps are Always Watching
For quite some time now, Facebook’s user tracking hasn’t been limited to your time on the site: any third-party web site or service that’s connected to Facebook or that uses a Like button is sending over your information, without your explicit permission. However, Winer noticed something mostly overlooked in last week’s Facebook changes: Facebook’s new Open Graph-enabled social web apps all send information to Facebook and can post to your profile or share with your friends whether you want them to or not.
Essentially, by using these apps, just reading an article, listening to a song, or watching a video, you’re sending information to Facebook which can then be automatically shared with your friends or added to your profile, and Facebook doesn’t ask for your permission to do it. Winer’s solution is to simply log out of Facebook when you’re not using it, and avoid clicking Like buttons and tying other services on the web to your Facebook account if you can help it, and he urges Facebook to make its cookies expire, which they currently do not.
Digging Deeper: Logging Out Isn’t Enough
Nik Cubrilovic looked over Winer’s piece, and discovered that logging out of Facebook, as Winer suggests, may deauthorize your browser from Facebook and its web applications, but it doesn’t stop Facebook’s cookies from sending information to Facebook about where you are and what you’re doing there.
Writing at AppSpot, he discovered that Facebook’s tracking cookies-which never expire, are only altered instead of deleted when a user logs out. This means that the tracking cookies still have your account number embedded in them and still know which user you are after you’ve logged out.
That also means that when you visit another site with Facebook-enabled social applications, from Like buttons to Open Graph apps, even though you’re a logged out user, Facebook still knows you’re there, and by “you,” we mean specifically your account, not an anonymous Facebook user. Cubrilovic notes that the only way to really stop Facebook from knowing every site you visit and social application you use is to log out and summarily delete all Facebook cookies from your system.
Why You Should Care
If you’re the type of person who doesn’t really use Facebook for anything you wouldn’t normally consider public anyway, you should take note: everything you do on the web is fair game. If what Cubrilovic and Winer are saying is true, Facebook considers visiting a web site or service that’s connected to Facebook the same thing as broadcasting it to your friends at worst, and permission for them to know you’re there at best.
Facebook says that this has nothing to do with tracking movements, and that they have no desire to collect information about where you are on the web and what you’re doing. They want to make sure that you can seamlessly log in at any time to Facebook and to sites and services that connect with it and share what you’re doing.
In fact, a number of Facebook engineers have posted comments to Winer’s original post and Cubrilovic’s analysis pointing this out. There’s also some excellent discussion in this comment thread at Hacker News about the issue as well. Essentially, they say this is a feature, not a problem, so if you have an issue with it, it’s up to you to do something about it.