
Oh yeah?
"Generally, unlike other major internet companies, we have no interest in tracking people,"
"Generally" you have no interest in tracking people. Would you like to clarify this rather vague statement?
Facebook has attempted to shoot down claims that it leaves cookies on users' machines even after they log out of the social network. The response came after an Australian blogger alleged the site can still snoop on your web surfing after you've signed out. Nik Cubrilovic, concerned about Facebook's approach to privacy, said …
Facebook might not track users' browsing, but this does suggest it *could* be done (for pages with like buttons).
What if one of the Facebook engineers decides to start collecting that information themselves, as a kind of a side project? Then I dunno, perhaps they turn evil one day and post all the sites everyone has visited for the last month to their Facebook walls, or perhaps post it to WikiLeaks. The ensuing chaos would be hilarious.
"That sounds just like the dentist when he says 'this won't hurt a bit' before shoving a shrieking piece of spinning metal in your molars."
I don't know about _your_ dentist, but _mine_ loads me up with novocaine before coming anywhere _near_ my mouth with a shrieking piece of spinning metal.
Analogy FAIL.
This cookie here is called 'fb_fluffykitten' and has the values 'rainbows', 'candy' or 'giggles'.
What do they do and what do they mean? Oh, it's technical, you wouldn't understand, don't you worry yourself with that boring stuff. All you need to know is they have benign names and values.
how long it'll take this time before facebook makes a public apology. It seems to be working well for them so far, so why change a winning strategy. It still amazes me how much facebook is actually getting away with, there have been companies in the past that got slammed badly for similar issues. Somehow people seem to accept a simple apology every time facebook messes up.
Kudos to facebook of course, they certainly have their PR machine up to spec.
Well, even if they did not have that interest, what exactly is there to prevent them from developing it?
They can also track a number of other interesting things regarding the overall state of play on the Internet like for example round trip time, jitter and packet loss to 90% of it. That in itself costs a lot of money (and doubly so if you for example offer media)...
"Generally, unlike other major internet companies, we have no interest in tracking people," the insider added
Err. sure. An ad delivery network that has no interest in tracking the habits of its product (that's you, btw). It's rare you see a whole flock of pigs airborne at one time.
Given that it is an obvious lie that '...we have no interest in tracking people' I think it is pretty safe to assume any other utterings from this mouthpiece are also a lie.
It is probably safe to assume that FB, G and many, many others would want to track you and FB and G are the ones that have the best capability to do so.
Er... isn't this how cookies are supposed to work?
Site creates cookie; browser stores cookie; site asks for cookie on next visit to determine login details (or whatever)
What this guy is on about is that he's not logged into Facebook at the time...
...except he's accessing a "Like" button... coming from facebook.com I presume, so is it at all surprising that the Facebook server is asking for the cookie to determine who has pressed "Like"?
Fair point - merely viewing a button icon shouldn't need cookies to be accessed.
I'm guessing the code associated with the button will need user details to be able to send them to Facebook when the button is pressed - hence the cookie request. That it should be an on-click retrieval rather than on-load is the issue here I'd say.
Just had a look at the source - as I suppose it'll be much the same:
(Hope this pastes properly...)
<iframe src="http://www.facebook.com/plugins/like.php?href=http://reg.cx/1QZ1&layout=button_count&show_faces=false&width=90&action=like&colorscheme=light&height=20" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:90px; height:20px;"></iframe>
I'll wager the php generates the image, as well as handling the cookies.
I assume the http://reg.cx/1QZ1 part is a reference to the site/page the like button is on.
In which case, as someone else pointed out, even if there were no cookies they have all the information to snoop on your web browsing. When you visit a site with a like button facebook is sent your IP address and the page you are viewing.
So the cookie is a red herring. The privacy hole is that sites you visit are sending facebook your IP address and a reference to the page you are viewing without your consent and without warning (how are you going to predict a like button is on a website before you visit?)
With that information facebook could track surfing habits of ip addresses without cookies. For example if I visit the BBC next and there is a facebook like button on there facebook can potentially note that IP address N first visited the register then the bbc website. I assume facebook is far from alone in this respect. I assume advertisements on websites often work similar to like buttons where the advertiser is sent the IP address and the page the IP address is looking at on which the advert is on.
What sets facebook apart is that it potentially has the additional ability to resolve each ip address into a real life identity.
It's not really a red herring. One of the cookies includes your Facebook account number, which - especially to Facebook - is a much more reliable indication of your identity than your IP address. People certainly don't always log in to sites from the same IP, and that's probably more true of Facebook than most sites, since people tend to access it from many different systems and from lots of different places.
If you (Facebook) have the potential to track every user on every widget enabled page then you definitely need the services of the European Data Protection Commission. A short 5 year investigation comes at a low low price and can't be passed up... no really it can't, we need that private sector money now.
I've investigated the Facebook cookies and this is what I've found:
I have numerous website tabs opened in Opera, that start up before I connect my ADSL, so the webpages load from cache and the cookies don't get updated as there's no connection. One of the opened pages is facebook, so when online I refresh it and check the facebook cookies from within the browser, there's 12 of them, all but one updated, showing "last visited" time of when I reloaded the page. So I log out of facebook, and the time of the cookies is updated.
Then a couple of minutes later I refresh a random page, happens to be a DM page about the Queen, and guess what, ALL 12 facebook cookies have updated time last visited to exactly when I refresh the page.
Have you ever seen the network traffic if you scroll or move your mouse on a FB page? It's like having an army of goons watching and noting your every move.
Back to the problem - any FB JS checks for a FB cookie when it runs. That's largely what the "Like" buttons are for which is why in Jormany we're not allowed to use them without explicit consent from the visitor.
Every browser should do several things, and it should be a legal requirement that they do so by default ...
a) By default, cookies should never be supplied to third party sites.
b) If in a specific case the user chooses to allow a cookie to be supplied to a third party site, then that cookie should be unique depending on the first party site. So, if I'm visiting bbc.co.uk and there is a FB image in it, FB can at the most tell which other bbc.co.uk pages I've visited but if I subsequently visit itv.co.uk and that too has FB images in it, FB should not be able to tell that I am the same person.
c) Ideally, the browser should deliver different cookies depending on whether a person is logged in to the site.
Firefox can probably do most of the above with appropriate extensions, but setting them up is beyond the ability of many users and needs to be the default behaviour in all browsers.
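Rules (a) and (b) proposed in the comment above, modelled as an added example (not code from the thread or from any browser). The site names `widget.example`, `news-a.example` and `news-b.example` are constructed stand-ins for a widget host and two sites that embed it, and the class and function names are hypothetical.

```javascript
// Toy cookie jar showing what an embedded third-party widget receives under
// three policies. Sites are plain registrable domains; real browsers derive
// them from the Public Suffix List.
class CookieJar {
  // policy: "legacy"    one jar per cookie domain, sent everywhere
  //         "block"     rule (a): no cookies in third-party context
  //         "partition" rule (b): third-party jar keyed by first-party site
  constructor(policy) {
    this.policy = policy;
    this.store = new Map();
  }

  keyFor(topSite, requestSite) {
    const thirdParty = topSite !== requestSite;
    if (!thirdParty || this.policy === "legacy") return requestSite;
    if (this.policy === "block") return null;
    return `${requestSite}^${topSite}`;
  }

  // Cookie header value sent with a request, or "" when nothing is sent.
  cookiesFor(topSite, requestSite) {
    const key = this.keyFor(topSite, requestSite);
    if (key === null) return "";
    const jar = this.store.get(key) || new Map();
    return [...jar].map(([k, v]) => `${k}=${v}`).join("; ");
  }

  // Apply a Set-Cookie from a response; returns false when policy drops it.
  setCookie(topSite, requestSite, name, value) {
    const key = this.keyFor(topSite, requestSite);
    if (key === null) return false;
    if (!this.store.has(key)) this.store.set(key, new Map());
    this.store.get(key).set(name, value);
    return true;
  }
}

// The widget host's view: it issues an id when no cookie arrives and
// records which cookie came with each page load.
function simulate(policy) {
  const jar = new CookieJar(policy);
  const widget = "widget.example";
  let nextId = 1;
  const seen = [];
  const load = (topSite) => {
    let header = jar.cookiesFor(topSite, widget);
    if (!header) {
      const id = `u${nextId++}`;
      if (jar.setCookie(topSite, widget, "uid", id)) header = `uid=${id}`;
    }
    seen.push({ page: topSite, cookie: header });
  };
  load(widget);            // user visits the widget host directly
  load("news-a.example");  // embedded button on site A
  load("news-b.example");  // embedded button on site B
  load("news-a.example");  // site A again
  return seen;
}
```

Under "legacy" the same identifier arrives from every embedding page; under "partition" the widget host can link repeat visits to one site but not visits across sites, which is the behaviour rule (b) asks for.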
What's the impact of the call to Facebook to get the "Like" button? Surely that makes the Facebook cookie(s - as there are lots of them) first-party. And all bets are off.
A nice way around 3rd party policy, I'd say.
And a user who is not logged in but has the convenient cookies and does not have to type in their password.........they're easily-tracked by the unique identifier as this must exist because......they were once logged in successfully.
I'd err on the side of not trusting the dev. Thank goodness the odd time I use FB is on my Touchpad.
It's easy. The first time you visit a site and it doesn't appear properly you click on the flag in the toolbar and allow the sites which should be allowed (e.g. The Reg should obviously be able to get to Reg Hardware and Reg Media) and leave the rest (e.g. Doubleclick) alone.
And there you have it. All 3rd party tracking and like buttons suddenly disappear and you can remove your tinfoil hat.
Surprisingly IE has had user-configurable cookie protections for a long time. I have mainly used FF for many years but the cookie settings are not fine grained. I have recently returned to using IE9 due to, surprisingly, better security, and with the cookie settings I set them to allow first-party cookies and session cookies but block third party cookies. Can't do this natively in FF but I recall it WAS an option a long time ago and still is to a limited extent in the Seamonkey version.
have the users login in the same order, at about the same time every day, playing the exact same Zynga Facebook games? No, my usage patterns stick out like a sore thumb if anyone is bothering to track them. And obviously violate the t&c for the sock puppets.
If what I've read so far is correct and IP addies are passed by the Like button code, it would seem that FB can track me even if I do not (and I DO NOT !) have a FB acct. They may not have my name to tag the IP addy with, but that hardly renders the info totally useless.
IIRC Germany recently hauled FB over the coals about the Like button, must have been for this very reason?
So what, my IP address changes daily. Now maybe with the compliance of my ISP Facebook could do something with that tracking information. Without it it means nothing to them.
No Germany did no such thing. All they did was ban Facebook Like buttons (and other similar features) from state websites. Not the same thing at all.
I have an account because my clients do.
They have Facebook as part of their marketing strategy (which has its own dangers, but that's for another day), and in order to contain that risk I need to know as much as possible about it from an end user perspective.
The picture that emerges is dire. You really need an almost around the clock surveillance to keep an eye on it, made worse because nobody actually appears to take *any* responsibility. It was only after the news about the cookies hit major sites that FB decided to answer, and then only "unofficially" - I suspect because it was starting to hit the press in a way that would hurt their current attempts to sell themselves.
Of late I've seen the now active use of facial biometrics (to be fair, it's Google who started that with their web albums). When someone adds a picture and biometrics match it instantly suggests names to tag pictures with. It's well beyond creepy. The whole gig with interrupting people for their mobile number to "make their account safer" (yeah, right) is another example of an aggressive push towards grabbing as much private data as they can get their hands on.
It thus seems a good decision that I only used images with messed up biometrics..
If you were to do a straw poll AC - you would probably find that most of 'those above', do not.
In other news:
Psychic Sally defends her 'integrity' -
http://www.dailymail.co.uk/news/article-2041787/Psychic-Sally-defends-integrity-denies-getting-information-man-backstage.html
I DID NOT have an earpiece in receiving messages from the man behind the curtains.
Read MY LIPS!
Rather than blocking fb domains what you need is a list of approved cookie domains. If fb decide to create a new cookie domain called lksdhjksdghf.net it wouldn't be in your list so you wouldn't accept the cookies.
Yes I know setting this up can be a pain at first, but once it's there it needs very little maintenance.
I tend to believe facebook. If they were evil they would have a dislike button (that would actually be fun) because for evil purposes it would be far more useful to know what people hated than what they liked.
Of course they could still track you anyway, but if they really were info whores looking to grab as much data as possible they would want dislike info too.
Are you seriously suggesting that they are not evil because they are not willing to expose themselves to lawsuits in the most litigious nation of the world?
You can say any amount of positive stuff about people, but if you enable negative statements you will have to deal with consequential damages. You know, slander, reputational harm - the works. If I was running any company, that idea would get an instant "dislike"..
No, I most seriously do NOT tend to believe Farcebook. I don't trust any organization that considers the rights of its users a mere inconvenience. I'm picky like that.
When you LOG OUT we don't track you. But you know - closing the Facebook window does not log you out, which is all that 99% of people do. So when you are logged in - which most people are all the time, all the cookies taste even better to the Facebook people.
Plus after reading all the posts, we can surmise that they have the technology to do it, even if some random engineer thinks they can't - it's a big company - there are other people working there.
This is a tech site so I presume the majority of people placing comments here are actually people working in the tech industry. Don't get me wrong there are a few comments that indicate people understand what is really going on here but the rest..... If the bunch of losers are running the computers of the world then God help us all :). (and as for the author ....)
"...Whether or not Cubrilovic’s claim that he notified Facebook without response during 2010 is accurate, he certainly got a hair-trigger response from Facebook this time..."
Ah, hah. So, I guess that Australian dude is _right_, then.
" 'Generally, unlike other major internet companies, we have no interest in tracking people,' the insider added."
D'AHH HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA ...oops, damn, I've wet 'em.
This is why I use Chrome's "Block all third-party cookies." ("When the option to block third-party cookies from being set is enabled, also block third-party cookies from being read.") flag. Not like 99.99% of the sites used require third-party cookies (even ones that currently exist, from being read as well, as stated) to function, eh? Nice feature, limits cookies to originating-site-only appropriately.
Blocking third party cookies won't save you from flash cookies, abuse of html5 (!) technologies like site storage (up to 50MB) etc.
Google analytics is a good example how much sites you trust deliberately sell your privacy out for some nice looking statistic pages and better ranking at Google. There is nothing to block there since the embedded code runs inside the very html page you read.
Tracking people got so out of hand that ordinary non technical politicians started to ask questions to these companies.
I mean, just blocking third party cookies won't save your privacy for the time being. They will sure profile you. Legitimate sites like Google and large advertising networks have "opt out" mechanisms but that is all.
Facebook itself is target of all my paranoia since BBC of UK, inexplicably added "like" button to all news stories. It isn't like BBC guys don't know what kind of privacy breach they create, they run one of largest and oldest websites on planet. Something mysterious must have happened to decide polluting the entire site with spying button of an American company. If I was a British reporter, I would sure investigate it.
To the editor, I heard on the radio last night this guy speaking about this problem with Facebook cookies. He said the best way to stop facebook tracking people is to either deliberately delete all their cookies, or have Ad Blocker Plus running with the 'https://adversity.googlecode.com/hg/Antisocial.txt' script loaded up.
Generally,... I'm inclined to agree with the negative attitude toward facebook. I find their continual-tracking project creepier than 50 spiders in a bathtub, and I consider Zynga as being somewhere between Goldman Sachs and Vladimir Putin on the sleaziness scale (no, I won't tell you which one is worse; it should be obvious). I not only lack an account, but haven't BEEN on facebook.com. I know, crazy, right?
Ironically, though, the sheer venom of recent facebook comments, and the near-100% agreement among them, is making me reluctant to continue to accept the party line without skepticism. Much as with the climate change articles here, the wild-eyed frenzy is causing a reset: I've become as suspicious of the people opposing the thing I oppose, as I am of the thing I oppose itself.
I -am- on Google+, by the way. Joined a few months ago when I got an invite. Don't want to fall behind the times, you know.
In fairness, I think that talking smack about customers to blow off steam is pretty universal. Doctors have plenty of derogatory names they call their patients, for example.
I own a small business myself, and I treat my customers as well as I can, and actually (gasp) respect them - hell, I'm friends with some of them.
But sometimes, on a day when things are frustrating, and nothing seems to be going right, someone says, "Hey, we got the order for [whoever]", and I'll reply, "Crazy bastards!" That doesn't mean I really think people are crazy for buying stuff from us; I'm proud of what I do. It means that you can't go around talking like there's always a mic on you (which is ironic, given some of Facebook's recent moves). If you put some of the things we joke about online, it'd look pretty bad sometimes - and sometimes it'd look an awful lot like the Zuck quote up there.
Mr. Zuckerberg may or may not be a rat bastard who wants to know everything about everyone and sell all of it, but that particular quote - without context - is meaningless.
Soon they'll be asking me where I am and what I'm doing, and to provide pictures of me doing it, and who I'm doing it with...
Privacy invasion has been an issue long before the internet, if you walk out of a shop you're no longer a customer of that shop, but what's stopping the shop owner looking out the big glass thing to see where you go. If this annoys you, you probably wouldn't go to that shop again.
Your ISP can, and does track everything you do online anyway, and will sell it to the likes of 'phorm', so if your issue is about being watched, sell your PC and buy a book.
There are many, many free apps and browser add ons that will enable you to protect yourself from snoopy and co, or you could use proxies etc but ultimately you leave a footprint everywhere and if someone wants to use that to their benefit then they will find a way of doing so.