Researcher warns Facebookers of logout risk

Hacker Nik Cubrilovic has issued a warning regarding Facebook's latest features, telling users that simply logging out of Facebook is no longer enough to ensure they're not being tracked.

Facebook's latest creation, the Timeline concept unveiled at the company's annual f8 conference last week, is designed to tie in to third-party sites and services: films you watch, journeys you take, music you listen to, and even books you read all automatically report back to Facebook in order to update your profile page.

That's a neat trick, and one that gives Facebook a hitherto unheard-of quantity of data from its users, which can then be sold to advertisers in order to improve targeting - and, thus, returns.

If you're unsure about the concept of your life being broadcast live on your Facebook profile, Facebook recommends that you always log out of the site before heading elsewhere. Cubrilovic's research suggests that might not be enough to ensure your privacy, however.

"Logging out of Facebook only de-authorises your browser from the web application," Cubrilovic explains in his blog post. "A number of cookies - including your account number - are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit."

That's a worrying thought: logging out is, in theory, a clear indication that you're done with Facebook and would like the tracking to stop. While it will prevent the public-facing tracking - i.e. the automatic updates of your activity on your Timeline page - Cubrilovic's research suggests that it won't have any effect on the private side, allowing Facebook to continuously update its advertising profile on each of its users regardless of logged-in status.

"This is not what 'logout' is supposed to mean," Cubrilovic complains. "Facebook are only altering the state of the cookies, instead of removing all of them when a user logs out. With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook. The only solution to Facebook not knowing who you are is to delete all Facebook cookies."
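The check implied by that description, as an added example that is not Cubrilovic's or Facebook's code: replay the Set-Cookie headers from a logout response against the pre-logout cookie jar and list what the browser would still send. Cookie names, values and the domain are constructed placeholders, and the jar is keyed by name only (Domain and Path scoping is ignored).

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def is_deletion(attrs, now):
    """True if the attributes tell the browser to drop the cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # a malformed Max-Age is ignored
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            return False  # unparseable or zone-less date: not a deletion
    return False

def cookies_surviving_logout(jar_before, logout_set_cookie, now=None):
    """Apply the logout response's Set-Cookie headers; return what remains."""
    now = now or datetime.now(timezone.utc)
    jar = dict(jar_before)
    for header in logout_set_cookie:
        name, value, attrs = parse_set_cookie(header)
        if is_deletion(attrs, now):
            jar.pop(name, None)   # cookie is actually removed
        else:
            jar[name] = value     # cookie is only altered, still sent
    return jar

# Constructed sample data (hypothetical names, not real Facebook cookies).
BEFORE = {"session_token": "s3cr3t", "account_id": "1000123",
          "browser_id": "b-77", "logged_in": "1"}
LOGOUT_HEADERS = [
    "session_token=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=.example.test",
    "logged_in=0; Max-Age=2592000; Path=/",
]

if __name__ == "__main__":
    for name, value in cookies_surviving_logout(BEFORE, LOGOUT_HEADERS).items():
        print(f"still sent after logout: {name}={value}")
```

Any identifier-bearing cookie left in the returned jar will accompany later requests to the issuing domain, including those triggered by embedded widgets on other sites.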

Cubrilovic claims that Facebook's tracking isn't new. "I first emailed this issue to Facebook on the 14th of November 2010," he says. "I also copied the email to their press address to get an official response on it. I never got any response. I sent another email to Facebook, press and copied it to somebody I know at Facebook on the 12th of January 2011. Again, I got no response. I have copies of all the emails, the subject lines were very clear in terms of the importance of this issue. I have been sitting on this for almost a year now."

Although previous warnings have been made with regard to the extent to which Facebook tracks its users, Cubrilovic's article indicates blatant dishonesty. For now, the message seems clear: if you use Facebook and value your privacy, delete the cookies after every session - or try a third-party utility such as Facebook Disconnect for Chrome, which claims to prevent Facebook's third-party site tracking while still allowing full use of the site.

At the time of writing, Facebook had not responded to our request for comment on Cubrilovic's research.