Facebook coughs to tracking its users

Researcher Nik Cubrilovic has responded to Facebook's claims that it doesn't track logged-out users with evidence that it does exactly that - prompting an emergency patch from the company to remove the tracking 'feature.'

Following Cubrilovic's claims to have found evidence that Facebook was loading personally identifiable cookies from logged-out users when they visited third-party sites, a company spokesperson denied any such activity.

"Facebook does not track users across the web," a Facebook spokesperson categorically told thinq_ following our story on Cubrilovic's claims. "No information we receive when you see a social plugin is used to target ads, we delete or anonymise this information within 90 days, and we never sell your information."

Sadly, it appears that Facebook's blanket denial wasn't quite accurate - or, to put it another way, was a bare-faced lie.

In an updated post, Cubrilovic details how Facebook loads a particular cookie held on logged-out users' systems which contains their full user ID - allowing the company to tell when a particular user visits a third-party site, whether or not they've logged out of the main Facebook site.

While only active on Facebook-enabled pages - such as those that have tied in to the company's Timeline and Ticker services, or those that include a Facebook 'Share' or 'Like' button - it's a worrying breach of the company's promise of privacy, and one that has its users up in arms.

"Facebook has made changes to the logout process," Cubrilovic writes in his updated blog post, "and they have explained each part of the process and the cookies that the site uses in detail."

Following Facebook's denials of his claims, Cubrilovic spent 48 hours in discussion with the company's engineers to get to the bottom of his findings, which are at odds with Facebook's very public statements.

The issue, it transpires, is a bug: the user-tracking cookie 'a_user' should, Facebook claimed, be cleared during the log-out process, but a flaw in the company's software meant that it was remaining on the system. Quite why this cookie, which Facebook claims should never exist on a logged-out user's system, was being loaded as part of the third-party Facebook integration system is not yet clear.

There's good news, however: "As of today, this cookie is now destroyed on logout," Cubrilovic writes, explaining that the bug has now been resolved thanks to his input - albeit nearly a year after he tried to first discuss the issue with Facebook.

Despite this, Cubrilovic warns that Facebook's system still tracks you across the web, but using codes that can identify a particular browser rather than a particular user. He also warns of another cookie, which stores a timestamp, that could be used to identify a logged-out user - although Facebook claims that it doesn't use it for such a purpose.
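
The kind of check that exposes a logout bug like the one described above, as an added example that is not code from Cubrilovic or Facebook: it applies a logout response's Set-Cookie headers to the pre-logout cookie jar and reports which surviving cookies still carry the user ID. Every cookie name other than a_user, and every value, is constructed for illustration, and domain/path matching is ignored.

```javascript
// Added example: audit which cookies survive a logout response.
// Assumption: all cookies share one domain and path, so only names are matched.

// Parse one Set-Cookie header into { name, value, deleted }.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  let deleted = false;
  let sawMaxAge = false;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    // Max-Age takes precedence over Expires (RFC 6265).
    if (key === 'max-age') { sawMaxAge = true; deleted = Number(val) <= 0; }
    else if (key === 'expires' && !sawMaxAge) deleted = Date.parse(val) <= now;
  }
  return { name, value, deleted };
}

// Apply the logout response to the pre-logout jar and return what remains.
function jarAfterLogout(jarBefore, setCookieHeaders, now = Date.now()) {
  const jar = new Map(Object.entries(jarBefore));
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h, now);
    if (c.deleted) jar.delete(c.name); else jar.set(c.name, c.value);
  }
  return jar;
}

// Names of surviving cookies whose value still embeds the account ID.
function identifyingCookies(jar, userId) {
  return [...jar].filter(([, v]) => v.includes(userId)).map(([n]) => n);
}

const USER_ID = '1000000001'; // constructed account ID
const before = { a_user: USER_ID, session: 'tok-abc',          // constructed jar
                 browser_id: 'b-77f2', last_seen: '1317000000' };
// Logout response that forgets a_user, and one that expires it.
const buggyLogout = ['session=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/'];
const fixedLogout = [...buggyLogout, 'a_user=deleted; Max-Age=0; Path=/'];

console.log(identifyingCookies(jarAfterLogout(before, buggyLogout), USER_ID));
console.log(identifyingCookies(jarAfterLogout(before, fixedLogout), USER_ID));
console.log([...jarAfterLogout(before, fixedLogout).keys()]);
```

With the corrected logout response no cookie carrying the user ID remains, but the constructed browser identifier and timestamp cookies are still in the jar, which is why they need separate review.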

"Facebook has changed as much as they can change with the logout issue," Cubrilovic concludes. "They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc. I would still recommend that users clear cookies or use a separate browser, though.

"I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe," he adds.

Facebook has yet to respond to our query as to why it claimed that no tracking of logged-out users took place even as Cubrilovic liaised with the company's engineers to address exactly that issue.