Skip to main content

Facebook caught tracking its users again

Hacker and thorn in Facebook's side, Nik Cubrilovic has once again caught the company doing precisely what it claims not to: tracking its users when they visit third-party sites.

Cubrilovic first tugged the social networking giant's tail with claims that a uniquely identifiable cookie was being loaded from clients' systems when they visited any third-party site that hosts Facebook content - such as the popular 'Like' button - even if the user had logged out.

Facebook denied any such activity, claiming: "Facebook does not track its users across the web. Instead, we use cookies on social plugins to personalise content - e.g. show you what your friends liked - to help maintain and improve what we do - e.g. measure click-through rate - or for safety and security e.g. keeping underage kids from trying to signup with a different age.

"No information we receive when you see a social plugin is used to target ads, we delete or anonymise this information within 90 days, and we never sell your information," the company added in a belated response to our original piece covering Cubrilovic's findings.

Sadly, that response turned out to be poppycock. Even as a Facebook PR guru was churning out the statement above, engineers were working to remove a supposed 'bug' in the company's log-in system that was failing to clear the personally identifiable cookie Cubrilovic was seeing loaded on third-party sites.

With that bug fixed, Cubrilovic claimed that the biggest issue was resolved. Sadly, more privacy concerns have reared their ugly head for the social networking giant - and Cubrilovic is once again at the centre of the controversy.

In an updated post (opens in new tab), Cubrilovic claims that a user-tracking cookie excised in May following an exposé by the Wall Street Journal - again claimed by Facebook to be a 'bug' rather than a deliberate attempt to track its users when they visit third-party sites - is back, and allows Facebook to even track users who have never signed up to their service in the first place.

"This cookie could then be read later and used to track the user across different web properties and back to the Facebook site. The cookie was being set even if the user had never been to the Facebook site, and even if they didn't click a 'Like' or 'Share' button," Cubrilovic writes of the reports in May. "Today, that cookie is back. It is being set by all the third-party sites that we tested."

Cubrilovic claims that, contrary to Facebook's previous statements that it has no interest in tracking its users, the company is wilfully violating the privacy of web users in order to improve the targeting of its advertising, which is the main source of income for the social networking service.

While he admits that there is the possibility that the cookie has been re-enabled by mistake - which, if Facebook's claims back in May that the tracking was a result of a bug, would be the only explanation acceptable to those wondering just what Facebook is up to on the privacy front - coming so soon after another cookie was deleted it seems vanishingly unlikely.

Instead, Facebook appears to be playing a game of whack-a-mole: removing each cookie as it is found to be used for tracking purposes and simply moving on to another, re-enabling older cookies when it thinks that nobody is looking.

We have reached out to Facebook for a response on this latest privacy gaffe, but have yet to receive a response.

UPDATE 1824:

Facebook has pointed us towards a comment by log-in engineer Gregg Stefancik - the man who claimed the originally reported tracking cookie was a 'bug' - denying any wrongdoing. "We still have a policy of not building profiles based on data from logged out users," Stefancik claims. "As we discussed last week, we are examining our cookie setting behavior to make sure we do not inadvertently receive data that could be associated with a specific person not logged into Facebook.

"We have been made aware of two instances in the past two weeks related to cookies which needed to be addressed. What you describe in this post is not a re-enabling of anything, but a separate issue involving a limited number of sites, including CBSSports. We have moved quickly to investigate and resolve this latest issue which will be fully addressed today. We encourage security researchers to test our practices and report them to us through our whitehat programme which rewards people like you who identify issues," Stefancik pointedly concludes - neglecting to mention that issues submitted through the whitehat programme in exchange for rewards are handily kept out of the public eye. monitors all leading technology stories and rounds them up to help you save time hunting them down.