Facebook's New Privacy Bust: Users Log In but They Can't Log Out [Update]

Last Updated Sep 26, 2011 5:37 PM EDT

The biggest news at the f8 Facebook developer's conference last week was the Open Graph announcement. The company wants to expand its network of interconnections with other sites so people can see ever more about what their Facebook friends read, hear, and see. Virtually everything would fall onto a Facebook timeline.

It's another example of Facebook's repeated privacy creep. Over time, the company keeps trying to learn more about all its users, pushing for a future where current notions of privacy simply don't exist. Now, depending on what apps and settings you use, it will be possible for things you read and see to appear on Facebook without your having to actually do anything. Not even click a "like" button. But it goes even further. Developer Nic Cubrilovic realized that Facebook can track every page you read even if you log out of the site. That means there is no getting away from Facebook tracking for many people.

Not-so-sweet cookies
Cubrilovic first noticed odd things about Facebook last year. As part of a development project, he had to create multiple profiles on the service. He'd log into one, log out, and then use another. Facebook would start suggesting the various fictitious people as possible friends. The service sets cookies that identify the browser to Facebook after sessions.

Leaving a cookie for later use is nothing new on the Internet. Nor is associating a particular account with a given computer and browser. Advertising networks do it all the time.

A Facebook spokesperson pointed to a comment on our sister site ZDNet by an engineer, who said that the cookies are used for various reasons, but not for tracking people. Perhaps that's true. Perhaps not. The company has yet to provide an official statement on the issue, and one engineer might not know everything done by the site. Also, any statement that Facebook does not "share or sell" user data may be technically correct. But the company can still use the data internally to better direct ads.

[Update: A Facebook spokesperson emailed the following statement:

Facebook does not track users across the web. Instead, we use cookies on social plugins to personalize content (e.g. show you what your friends liked), to help maintain and improve what we do (e.g. measure click-through rate), or for safety and security (e.g. keeping underage kids from trying to sign up with a different age). No information we receive when you see a social plugin is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information.

Specific to logged out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of 'keep me logged in'.

The statement develops some serious holes under analysis, which is what led me to send the following questions to Facebook:
  • Do your open graph partners have the ability to read and interpret the cookies?
  • Do they send information back to you?
  • How can you show what friends liked if you don't keep a record of what they've done, which would seem to be the same as tracking?
  • How can you measure click-through rate of users using "cookies on social plugins" if someone isn't monitoring who is doing what and where it's happening?
  • Since your system often does know who the person previously logged in was and is looking for a password, how is that not the same as staying logged in? That is, still knowing who the person is?
  • If you don't use any information from social plugins to target ads, what do you do with the information?
I'll pass on any useful answer that I get.]

What makes this question particularly thorny is how interconnected Facebook seeks to become with so many other parts of the Web, and how an increasing number of major sites will modify their apps to connect with Facebook's Open Graph. Here are a few that announced with Facebook:
  • The Guardian
  • Hulu
  • The Daily
  • The Independent
  • Netflix
  • The Washington Post
  • Yahoo

Sorry, that's not how it works
Many Facebook users who don't like the idea of other sites reporting information back have typically logged out of the system before going elsewhere. (I know I have.) What Cubrilovic argues is that this does no good:
But logging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.
When users log out, Facebook still leaves cookies intact that identify users as particular members, even though the site may say that you have logged out. Effectively, you don't get to log out.
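
The behavior described above can be checked by replaying a logout response against the browser's cookie jar and listing what survives. The following is an added example, not code from this article or from Cubrilovic; the cookie names, values, headers and the example.com domain are constructed for illustration, and deletion follows RFC 6265 (a Max-Age of zero or less, or an Expires date in the past).

```javascript
// Added example: cookie names, values and headers are constructed,
// not Facebook's real ones.
const NOW = Date.parse("2011-09-26T00:00:00Z");

// Parse one Set-Cookie header into {name, value, deleted}.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), deleted: false };
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    if (key === "expires" && !Number.isNaN(Date.parse(val))) expires = Date.parse(val);
  }
  // RFC 6265: Max-Age takes precedence over Expires; a past expiry deletes.
  if (maxAge !== null) cookie.deleted = maxAge <= 0;
  else if (expires !== null) cookie.deleted = expires <= now;
  return cookie;
}

// Apply the logout response to the pre-logout jar; report what survives.
function auditLogout(jarBefore, logoutHeaders, now) {
  const jar = new Map(Object.entries(jarBefore));
  for (const header of logoutHeaders) {
    const c = parseSetCookie(header, now);
    if (c.deleted) jar.delete(c.name);
    else jar.set(c.name, c.value);
  }
  // A cookie that keeps its pre-logout value still identifies the browser.
  return [...jar].map(([name, value]) => ({
    name, value, unchangedSinceLogin: jarBefore[name] === value,
  }));
}

// Constructed jar and logout response: only the session cookie is cleared.
const before = { session_token: "s3cr3t", account_id: "1000123", browser_id: "b-77f2", locale: "en_US" };
const logoutResponse = [
  "session_token=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=.example.com",
  "locale=en_US; Max-Age=31536000; Path=/",
];
console.log(auditLogout(before, logoutResponse, NOW));
```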

Interestingly, Cubrilovic claims that he tried for a year to talk to Facebook about this, only to get no response. He says he finally went public with it because of the potential privacy issues with the company's announcements last week. If so, it wouldn't be that surprising. Facebook is a company that makes money by helping advertisers to use consumers' personal information to better target marketing. It loses information if someone can log out.

When you have to remember what not to share
As Dave Winer notes, there's an intrinsic ethical difference between using information people post about themselves and seeking out other data that you can find by following them. If you can track someone from site to site, it's as though you followed them in an unmarked car and took notes about everything they did.

The practical problem for many is that without the explicit step of posting something onto their accounts (and that can happen in some cases just by clicking a like button), they could easily forget that everything -- everything -- on a given site could go hurtling back to become public knowledge. What if they were reading about finding a new job and their bosses were connected through Facebook? What if they had some medical condition they didn't want widely known? Too bad and too late: it's already out there.

Image: morgueFile user duboix, site standard license.

    Erik Sherman is a widely published writer and editor who also does select ghosting and corporate work. The views expressed in this column belong to Sherman and do not represent the views of CBS Interactive. Follow him on Twitter at @ErikSherman or on Facebook.
