Facebook explains why it tracks you even when you’re logged out

Cookies have been a feature of the web for as long as I can remember. In many cases they are a useful feature to have as they remember your preferences and limit the amount of times you need to login to a service you have signed up for. But there is a dark side to cookie use in the form of themtracking where you go.

The advice to anyone concerned about tracking through cookies is to use a good cookie clean-up utility and log out of sites you believe to be tracking you around the web. But in the case ofFacebook it turns out that logging out of your account is not enough–Facebook continues to track you.

This is possible because when you log out of Facebook the associated cookies are not deleted off your machine. So, any site you visit that has a connection to Facebook e.g. the Like button that is now so common, will proceed to check if you have a Facebook cookie. If you do, it can pick up the information and know you’ve visited that site.

This logged out tracking was discovered by the Australian writer and hacker Nik Cubrilovic and confirmed logging out is no longer enough. His conclusion is the only way to stop Facebook tracking is to delete all associated cookies and use Facebook in a separate browser to your other, general web surfing.

Facebook cookie when logged out

On Nik’s post where he detailed his findings, Facebook engineer Gregg Stefancik took the time to respond in the comments section. The point he made is that yes, Facebook does track logged out users, but it has good reason to do so.

Stefancik’s main point is that Facebook does not share or sell the information it gathers, nor does it use the information for its own advertising or partners. In fact, he states that Facebook does not carry out any tracking at all, at least not in the usual way.

Stefancik breaks the situation down into logged in and logged out cookie use to give us a clear idea of what Facebook is doing. When logged in, Facebook uses cookies to serve up custom content, monitor click-through rates, and for security purposes such as two-factor authentication and to counteract denial-of-service attacks.

When you log out, the remaining Facebook cookies become a different tool for the social network. Stefancik states they are useful for blocking spammers and phishers, stopping underage users from re-registering with a fake birth date, continuing to keep login approvals and notifications secure, keeping track of shared computer logins, and as a way of helping in the recovery of hacked accounts.

So while Facebook “tracking” when logged out of your account may seem like cause for concern, it in fact turns out to be part of a wider security effort for the social network. Stefancik also states that logging out of Facebook does delete “account-specific cookies” and those that are left do not allow for personal identity tracking.

The one area where this would continue to be of most concern is public terminal use. Facebook does leave cookie information on the machine related to your account, so if you are using a public machine, you can walk away having logged out with that data still present. It is then in the hands of the software managing that public machine to delete all traces of your session.

Whatever you feel about when and why Facebook tracks you, remember you always have a choice if you feel it is a concern. Delete all cookies relating to the service and only use it in a browser separate to your general web surfing. That way the tracking will only ever be for Facebook-related viewing.

Read more at Nik Cubrilovic

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: