**SEE UPDATE AT BOTTOM OF POST**
Is Facebook tracking which websites users visit even after they've logged out of the service?
According to hacker and blogger Nik Cubrilovic: Yeah, it is. In a post to his personal blog, Cubrilovic writes that "[e]ven if you are logged out, Facebook still knows and can track every page you visit," pointing to Facebook cookies that remain active even after the user signs out. In his mind, this defeats the purpose of logging out of Facebook and presents a major privacy concern.
> With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook. The only solution to Facebook not knowing who you are is to delete all Facebook cookies.
This is all important because of Facebook's new frictionless apps, unveiled recently at Facebook's f8 Developer's Conference and rolling out now on the social network. Websites can write apps whereby all activity on their pages can be shared automatically to a user's Facebook profile. The aim is to make sharing more convenient, so that Facebook members can more easily browse what their friends are interested in and start conversations about common interests and activities.
Cubrilovic penned his post in response to another blog post by Dave Winer, in which Winer claimed to be "seriously scared" of the disclosures these apps would automatically make and that the only solution was to log out of Facebook when browsing.
Cubrilovic's post was a warning that logging out was not enough.
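A logout audit in the spirit of Cubrilovic's observation, as an added example that is not from his post or from Facebook: it replays a logout response's Set-Cookie headers over the logged-in cookie jar and lists the cookies that would still be sent afterwards and still identify the account. The cookie names, values and account ID are constructed, and Domain/Path scoping is ignored.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample data: a logged-in cookie jar and the logout response's
# Set-Cookie headers. Names, values and the account ID are illustrative only.
ACCOUNT_ID = "1000042"
JAR_BEFORE = {"session": "tok-9f3e", "uid": "1000042", "device": "d-77aa10"}
LOGOUT_HEADERS = [
    "session=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/",
    "device=d-77aa10; Max-Age=63072000; Path=/; HttpOnly",
    "last_user=1000042; Max-Age=2592000; Path=/",
]

def apply_set_cookie(jar, header, now):
    """Apply one Set-Cookie value to jar (name -> value) using RFC 6265 expiry rules."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in rest)}
    expired = False
    if re.fullmatch(r"-?\d+", attrs.get("max-age", "")):
        expired = int(attrs["max-age"]) <= 0      # Max-Age overrides Expires
    elif "expires" in attrs:
        try:
            expired = parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            expired = False                        # unparseable date is ignored
    if expired:
        jar.pop(name, None)                        # server asked the browser to delete it
    else:
        jar[name] = value                          # set or overwrite

def surviving_identifiers(jar_before, logout_headers, account_id, now=None):
    """Return {cookie: reason} for cookies still sent after logout that identify the user."""
    now = now or datetime.now(timezone.utc)
    jar = dict(jar_before)
    for header in logout_headers:
        apply_set_cookie(jar, header, now)
    findings = {}
    for name, value in jar.items():
        if account_id in value:
            findings[name] = "contains account ID"
        elif jar_before.get(name) == value:
            findings[name] = "unchanged since logged-in session"
    return findings

if __name__ == "__main__":
    for name, reason in surviving_identifiers(JAR_BEFORE, LOGOUT_HEADERS, ACCOUNT_ID).items():
        print(f"{name}: {reason}")
```

A cookie reported as unchanged is only a candidate identifier; low-entropy values such as a locale setting need manual triage before being treated as a finding.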
In a comment on Cubrilovic's blog, a reader identifying himself as Gregg Stefancik ("an engineer who works on login systems at Facebook") refuted "some of the incorrect conclusions," stating that "Facebook has no interest in tracking people" and that Facebook's cookies "aren't used for tracking." Though Facebook could see when one of its users visited a partner site, Stefancik said, it could not see which user it was, and the only information sent back was the user's language, country and browser. Since Facebook "doesn't have an ad network and [doesn't] sell people's information," the logged-out cookies were used for:
- Identifying and disabling spammers and phishers
- Disabling registration if an underage user tries to re-register with a different birth date
- Helping people recover hacked accounts
- Powering account security features, such as login approvals and notifications
- Identifying shared computers to discourage the use of “Keep me logged in.”
According to an answer to a commonly asked question in Facebook's Help Center, when one of its users visits a site with a Facebook social plug-in, whether logged in or logged out, Facebook receives information about "the date and time you visited, the web page you came from (commonly known as the referrer URL), and other technical information about the IP address, browser, and operating system you use."
"This is industry standard data," the Help Center answer continues, "that helps us optimize your experience depending on which browser you are using or whether or not you are logged into Facebook."
Essentially, Facebook is indeed tracking where its users go after they log out, but it is claiming to do so for benign reasons.
Facebook, of course, is constantly battling against privacy concerns. Recently, the social networking giant has fought back against worries over its new auto-tag feature in early September, "epidemic levels" of bullying amongst teens on its site and its ability to make cyber-stalking easier.
UPDATE: Facebook emailed us the following statement, reiterating much of what Gregg Stefancik wrote in his comment on Cubrilovic's blog:
> Facebook does not track users across the web. Instead, we use cookies on social plugins to personalize content (e.g. show you what your friends liked), to help maintain and improve what we do (e.g. measure click-through rate), or for safety and security (e.g. keeping underage kids from trying to sign up with a different age). No information we receive when you see a social plugin is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information.
>
> Specific to logged-out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for underage people who try to re-register with a different birth date, powering account security features such as second factor login approvals and notification, and identifying shared computers to discourage the use of "Keep me logged in."
Facebook recently revamped its own privacy settings for users who are logged in to the site.