Skip to main content

Facebook denies user-tracking claims

Facebook has admitted that it uses cookies to track its users as they traverse the web, regardless of their logged-in status on the main Facebook site, but denies that it has anything to do with gathering as much advertising data on its users as possible.

Belatedly responding to our queries regarding researcher Nik Cubrilovic's evidence that Facebook retrieves personally identifiable cookies held on users' computers whenever they visit a Facebook-enabled site - which, these days, is pretty much any site on the web - even when the user has logged out, a Facebook spokesperson denies ill intent.

"Facebook does not track users across the web," the spokesperson disingenuously begins, before admitting that it tracks users across the web. "Instead, we use cookies on social plugins to personalise content - e.g. show you what your friends liked - to help maintain and improve what we do - e.g. measure click-through rate - or for safety and security e.g. keeping underage kids from trying to signup with a different age.

"No information we receive when you see a social plugin is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information," the spokesperson added in mitigation for the company's decision to continue such tracking even when a user has logged out of the main site.

The spokesperson also added a whole raft of wonderful features which, it is claimed, would be impossible if Facebook didn't retrieve certain cookies on logged-out users' visits to third-party sites. "Specific to logged out cookies," the spokesperson claimed, "they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorised is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of 'keep me logged in.'"

The spokesperson's comments have been backed up by Facebook engineer Gregg Stefancik, one of the employees responsible for the development and maintenance of the log-in system on the social networking site. "Generally, unlike other major Internet companies, we have no interest in tracking people," Stefancik claims in a reply to Cubrilovic's original blog post (opens in new tab). "We don’t have an ad network and we don’t sell people’s information.

"Said more plainly, our cookies aren’t used for tracking," Stefancik explains. "Contrary to your article, we do delete account-specific cookies when a user logs out of Facebook. As a result, we do not receive personally identifiable cookie information via HTTP Headers when these users browse the web."

While Stefancik's comments - and those of the Facebook spokesperson who reached out to thinq_ following the publication of our original article on the matter - indicate that Cubrilovic was wide of the mark on some of his assertions, further comments on the blog from anonymous readers suggest that the company's explanations aren't being entirely accepted.

Cubrilovic has promised to write a follow-up piece analysing his findings in more detail, and including reference to Stefancik's claims. monitors all leading technology stories and rounds them up to help you save time hunting them down.