3 ways to outsmart Facebook cookies

When you log out of Facebook, you might think that your web surfing activities are now a private affair between you and your browser, but Australian entrepreneur and hacker Nik Cubrilovic has discovered that Facebook’s cookies continue to send data about users’ web surfing habits back to Facebook after logging out:

 [L]ogging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page [with a ‘Like’ button] you visit. 

Cubrilovic backs up his claims with code from Facebook’s cookies and the data, called HTTP headers, sent to Facebook from his browser. Says Cubrilovic:

With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook.


Facebook engineers have denied these allegations. Although Facebook’s spokesperson refused to provide an official statement, he endorsed a ZDNet comment by Facebook engineer Arturo Bejar. Bejar said that the cookies still active after logging out are only used for identifying spammers and phishers, detecting unauthorised account access and other security features. He also said:

Also please know that also when you’re logged in (or out) we don’t use our cookies to track you on social plugins to target ads or sell your information to third parties. I’ve heard from so many that what we do is to share or sell your data, and that is just not true. We use your logged in cookies to personalize (show you what your friends liked), to help maintain and improve what we do, or for safety and protection.

Bejar’s explanation is echoed by Facebook engineer Gregg Stefancik on Cubrilovic’s blog, but comprehensively challenged by another commenter.

Cubrilovic describes how he discovered the problem in November 2010 when he was creating some fake Facebook accounts for testing purposes:

After using the fake accounts for some time, I found that they were suggesting my real account to me as a friend. Somehow Facebook knew that we were all coming from the same browser, even though I had logged out.

Another commenter on Cubrilovic’s blog had a similar experience:

I also created a "new" facebook page that I didn't want linked to anyone to test something with a friend and freaked out when it suggested my REAL account to my NEW account. And I knew that if I accepted, it would then suggest my NEW account to all of my REAL friends, so I promptly deleted the account (which only means I deactivated it :/)

Cubrilovic says he contacted Facebook to no avail, and that he has gone public with the information a year later because of the “renewed discussion about Facebook and privacy this weekend.”

For the average user, this is a bit of a he said/she said situation. Most of us lack the technical skills to evaluate both parties’ claims, but it’s hard to take Facebook’s engineers at face value. Facebook has a history of eroding users’ privacy, and Zuckerberg has stated repeatedly that he believes the age of privacy is over.

Such a stance benefits Facebook enormously, of course. Without publicly shared information on the site, it’s hard to persuade new users that it’s worth signing up. It isn’t at all surprising that Facebook might nibble away at the edges of what is acceptable for a cookie to do, on the basis that they can say one thing, do another, and most users won’t know the difference.

But what can you do if you are — and you really should be — concerned about cookies from sites such as Facebook, Twitter, LinkedIn and Google? Here are some tactics that should slow down the leak of data:

• Use a different browser just for social networking

There are lots of browsers around now, so in theory you could delete all your social network cookies from your main browser, then use a second one just for those sites. In practice, segregating your web usage by website type is not all that easy.

• Use private browsing when using social networks

Chrome has Incognito windows which automatically delete your web history and cookies when you close all open Incognito windows. Firefox has Private Browsing which will delete your browser, search, download and web form histories, as well as cookies and temporary internet files. Safari also has Private Browsing but it is not as private as it should be and will not automatically clear cookies.

• Use privacy plug-ins like Priv3, Ghostery or Adblock Plus

Researchers from Berkeley and Rutgers Universities have created a plug-in for Firefox called Priv3 which blocks web tracking by “Facebook, Twitter, Google +1 and LinkedIn”, but allows you to interact with their social features if you want to.

Ghostery alerts you to all the invisible trackers hidden in the websites you visit, and allows you to control which scripts can run. It’s available for all the major browsers.

AdBlock Plus was initially written to block intrusive ads, but also allows you to add rules for specific sites. (ZDNet provides such rules for Facebook’s cookies.) Similar software is available for Chrome, FireFox, Safari and Internet Explorer.

Whatever you do, do something. Facebook is hard to escape these days, but that doesn’t mean you need to let your data escape too.

Published Date: Sep 26, 2011 06:36 pm | Updated Date: Sep 27, 2011 09:52 am

Also See