back to article Facebook: 'We don't track logged-out users'

Facebook has attempted to shoot down claims that it leaves cookies on users' machines even after they log out of the social network. The response came after an Australian blogger alleged the site can still snoop on your web surfing after you've signed out. Nik Cubrilovic, concerned about Facebook's approach to privacy, said …

COMMENTS

This topic is closed for new posts.

Page:

  1. The Fuzzy Wotnot
    Pint

    Oh yeah?

    "Generally, unlike other major internet companies, we have no interest in tracking people,"

    "Generally" you have no interest in tracking people. Would like to clarify this rather vague statement?

    1. User McUser
      Big Brother

      He means that they don't have to track their users since said users happily hand over all their personal information directly.

      Exactly what do FB users *think* those little "Like" buttons do?

      1. NomNomNom

        Facebook might not track users browsing, but this does suggest it *could* be done (for pages with like buttons)

        What if one of the facebook engineers decides to start collecting that information themselves, as a kind of a side project. Then I dunno perhaps they turn evil one day and post all the sites everyone has visited for the last month to their facebook walls, or perhaps post it to wikileaks. The ensuing chaos would be hillarious.

  2. Anonymous Coward
    Anonymous Coward

    That's because they don't call it tracking.

    hello 'frictionless sharing'.

  3. ratfox
    Devil

    When caught, deny

    Well, it might be that they do not actually USE these cookies to track you. But why do they exist, then? Is that a "bug"?

  4. Christoph
    Big Brother

    Mandy Rice-Davies Applies

    “our cookies aren’t used for tracking” “most of the cookies you highlight have benign names and values”.

    Well he would say that, wouldn't he?

    "Generally, unlike other major internet companies, we have no interest in tracking people,"

    ROFL!

  5. Code Monkey

    “most of the cookies you highlight have benign names and values”.

    So no "all" then.

    1. Pascal Monett Silver badge
      Thumb Down

      That sounds just like the dentist when he says "this won't hurt a bit" before shoving a shrieking piece of spinning metal in your molars.

      1. The Alpha Klutz
        Mushroom

        get with the times

        my dentist uses semtex and c4

      2. Mike Flugennock
        FAIL

        Man... your dentist is SICK...

        "That sounds just like the dentist when he says 'this won't hurt a bit' before shoving a shrieking piece of spinning metal in your molars."

        I don't know about _your_ dentist, but _mine_ loads me up with novocaine before coming anywhere _near_ my mouth with a shrieking piece of spinning metal.

        Analogy FAIL.

    2. Stoneshop
      FAIL

      And a benign name means

      exactly what?

    3. Gav
      Boffin

      benign

      This cookie here is called 'fb_fluffykitten' and has the values 'rainbows', 'candy' or 'giggles'.

      What do they do and what do they mean? Oh, it's technical, you wouldn't understand, don't you worry yourself with that boring stuff. All you need to know is they have benign names and values.

  6. Jeremy 2
    Angel

    I suspect it would have gone like this if it were an in-person statement:

    "Generally, unlike other major internet companies, we have no interest in tracking people.... No, really. Honestly! What?! Oh shut up."

  7. Pete Spicer
    Coffee/keyboard

    "Generally, unlike other major internet companies, we have no interest in tracking people,"

    Should be:

    "Generally, like other major internet companies especially Google, we have no interest in telling people how we are tracking them. Better for advertising, see."

    1. Law
      Big Brother

      Tracking is for amateurs!

      "Generally, unlike other major internet companies, we have no interest in tracking people because we already have all your details/photos/habits/family logged in our own systems, you see, tracking is for amateurs, we are pros!!"

  8. Danny 5
    Mushroom

    i wonder

    how long it'll take this time before facebook makes a public apology. It seems to be working well for them so far, so why change a winning strategy. It still amazes me how much facebook is actually getting away with, there have been companies in the past that got slammed badly for similar issues. somehow people seem to accept a simple apology every time facebook messes up.

    Kudos to facebook of course, they certainly have their PR machine up to spec.

  9. Anonymous Coward
    Anonymous Coward

    "we have no interest in tracking people," the insider added. "

    They've no need to - Facbook users dob themselves in by keying all the data FB are lilkey to want themselves

  10. Voland's right hand Silver badge
    Devil

    Even if they did not they can develop it

    Well, even if they did not have that interest what is exactly is there to prevent them from developing it?

    They can also track a number of other interesting things regarding the overall state of play on the Internet like for example round trip time, jitter and packet loss to 90% of it. That in itself costs a lot of money (and doubly so if you for example offer media)...

  11. frank 3
    Facepalm

    that fails the 'which is more likely' test.

    "Generally, unlike other major internet companies, we have no interest in tracking people," the insider added"

    Err. sure. An ad delivery network that has no interest in tracking the habits of its product (that's you, btw). It's rare you see a whole flock of pigs airbourne at one time.

  12. Bog witch
    Facepalm

    Lies

    Given that it is an obvious lie that '...we have no interest in tracking people' I think it is pretty safe to assume any other utterings from this mouthpiece are also a lie.

    It is probably safe to assume that FB, G and many, many others would want to track you and FB and G are the ones that have the best capability to do so.

  13. Gio Ciampa
    FAIL

    Confused...

    Er... isn't this how cookies are supposed to work?

    Site creates cookie; browser stores cookie; site asks for cookie on next visit to determine login details (or whatever)

    What this guy is on about is that he's not logged into Facebook at the time...

    ...except he's accessing a "Like" button... coming from facebook.com I presume, so is it at all surprising that the Facebook server is asking for the cookie to determine who has pressed "Like"?

    1. The Mole

      He isn't accessing a Like button, who is visiting another webpage on a totally unrelated site which displays a facebook like image, loaded straight from the facebook server which will see the cookies and be able to work out what page the image is embedded in. No user interaction required.

      1. Gio Ciampa

        Fair point - merely viewing a button icon shouldn't need cookies to be accessed.

        I'm guessing the code associated with the button will need user details to be able to send them to Facebook when the button is pressed - hence the cookie request. That it should be an on-click retrieval rather than on-load is the issue here I'd say.

      2. Gio Ciampa

        The El Reg Like button

        Just had a look at the source - as I suppose it'll be much the same:

        (Hope this pastes properly...)

        <iframe src="http://www.facebook.com/plugins/like.php?href=http://reg.cx/1QZ1&amp;layout=button_count&amp;show_faces=false&amp;width=90&amp;action=like&amp;colorscheme=light&amp;height=20" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:90px; height:20px;"></iframe>

        I'll wager the php generates the image, as well as handling the cookies.

        1. NomNomNom

          are cookies a red herring?

          I assume the http://reg.cx/1QZ1 part is a reference to the site/page the like button is on.

          in which case as someone else pointed out, even if there were no cookies they have all the information to snoop on your web browsing. When you visit a site with a like button facebook is sent your IP address and the page you are viewing.

          So the cookie is a red herring. The privacy hole is that sites you visit are sending facebook your IP address and a reference to the page you are viewing without your consent and without warning (how are you going to predict a like button is on a website before you visit?)

          With that information facebook could track surfing habits of ip addresses without cookies. For example if I visit the BBC next and there is a facebook like button on there facebook can potentially note that IP address N first visited the register then the bbc website. I assume facebook is far from alone in this respect. I assume advertisements on websites often work similar to like buttons where the advertiser is sent the IP address and the page the IP address is looking at on which the advert is on.

          What sets facebook apart is that it potentially has the additional ability to resolve each ip address into a real life identity.

          1. AdamWill

            Not really.

            It's not really a red herring. One of the cookies includes your Facebook account number, which - especially to Facebook - is a much more reliable indication of your identity than your IP address. People certainly don't always log in to sites from the same IP, and that's probably more true of Facebook than most sites, since people tend to access it from many different systems and from lots of different places.

  14. Fred Flintstone Gold badge
    Meh

    See comments on that claim

    The engineer's statement on what does what has already been taken to pieces..

  15. Thomas 18
    Go

    Sounds like you need... an audit!

    If you (Facebook) have the potential to track every user on every widget enabled page then you definitely need the services of the European Data Protection Commission. A short 5 year investigation comes at a low low price and can't be passed up... no really it can't, we need that private sector money now.

  16. armyknife

    "Generally" is an understatement it should read "Always"

    I've investigated the Facebook cookies and this is what I've found:

    I have numerous website tabs opened in Opera, that start up before I connect my ADSL, so the webpages load from cache and the cookies don't get updated as there's no connection. One of the opened pages is facebook, so when online I refresh it and check the facebook cookies from within the browser, there's 12 of them, all but one updated, showing "lasted visited" time of when I reloaded the page. So I log out of facebook, and the time of the cookies is updated.

    Then a couple of minutes later I refresh a random page, happen's to be a DM page about the Queen and quess what, ALL 12 facebook cookies have updated time lasted visited to exactly when I refresh the page.

    1. Charlie Clark Silver badge

      Have you ever seen the network traffic if you scroll or move your mouse on a FB page? It's like having an army of goons watching and noting your every move.

      Back to the problem - any FB JS checks for a FB cookie when it runs. That's largely what the "Like" buttons are for which is why in Jormany we're not allowed to use them without explicit consent from the visitor.

  17. Anonymous Coward
    Anonymous Coward

    surely....

    this could be easily tested by seeing whats going in and out of your pc?

    Maybe by seeing if anything is requesting the cookie when you hit one of these pages?

    I'm no expert, but surely someone bitching about this would have the skills to find this out?

  18. Harry

    Browsers should be designed work round this sort of abuse.

    Every browser should do several things, and it should be a legal requirement that they do so by default ...

    a) By default, cookies should not never be supplied to third party sites.

    b) If in a specific case the user chooses to allow a cookie to be supplied to a third party site, then that cookie should be unique depending on the first party site. So, if I'm visiting bbc,co.uk and there is a FB image in it, FB can at the most tell which other bbc.co.uk pages I've visited but if I subsequently visit itv.co.uk and that too has FB images in it, FB should not be able to tell that I am the same person.

    c) Ideally, the browser should deliver different cookies depending on whether a person is logged in to the site.

    Firefox can probably do most of the above with appropriate extensions, but setting them up is beyond the ability of many users and needs to be the default behaviour in all browsers.

    1. Fuh Quit
      Thumb Down

      By default, cookies should not never be supplied to third party sites.

      What's the impact of the call to Facebook to get the "Like" button? Surely that makes the Facebook cookie(s - as there are lots of them) first-party. And all bets are off.

      A nice way around 3rd party policy, I'd say.

      And a user who is not logged in but has the convenient cookies and does not have to type in their password.........they're easily-tracked by the unique identifier as this must exist because......they were once logged in successfully.

      I'd err on the side of not trusting the dev. Thank goodness the odd time I use FB is on my Touchpad.

    2. Dan 55 Silver badge

      RequestPolicy on Firefox

      It's easy. The first time you visit a site and it doesn't appear properly you click on the flag in the toolbar and allow the sites which should be allowed (e.g. The Reg should obviously be able to get to Reg Hardware and Reg Media) and leave the rest (e.g. Doubleclick) alone.

      And there you have it. All 3rd party tracking and like buttons suddenly disappear and you can remove your tinfoil hat.

    3. Anonymous Coward
      Anonymous Coward

      Not FF but IE

      Surprisingly IE has had user-configurable cookie protections for a long time. I have mainly used FF for many years but the cookie settings are not fine grained. I have recently returned to using IE9 due to, surprisingly, better security, and with the cookie settings I set them to allow first-party cookiesand session cookies but block third party cookies. Can't do this natively in FF but I recall it WAS an option a long time ago and still is to a limited extent in the Seamonkey version.

  19. James Micallef Silver badge
    Flame

    "have benign names and values"

    calling a man-eating lion "cute fluffy kitten" doesn't make it benign. And the cookies 'not being used for tracking'?? If they're there, they're being used, otherwise why set them in the first place?

  20. Anonymous Coward
    Anonymous Coward

    He's wrong.

    Not because I believe Facebook, but because if he were right and Facebook were tracking us that way, at least one of my two sock puppets would have been closed by now.

    1. Anonymous Coward
      Anonymous Coward

      You do realise that there are families with more than one person using Farcebook, or don't you?

      1. NomNomNom

        *trying to figure out from the distance between the c and r key whether that was a deliberate typo and concluding it was*

      2. Anonymous Coward
        Anonymous Coward

        Yep. But how many families sharing a pc for Facebook

        have the users login in the same order, at about the same time every day, playing the exact same Zenga Facebook games? No, my usage patterns stick out like a sore thumb if anyone is bothering to track them. And obviously violate the t&c for the sock puppets.

  21. Anonymous Coward
    Alien

    Clintonesque

    In order to address this issue you must first define what tracking is.

  22. Anonymous Coward
    Anonymous Coward

    To most of the posters above I have a question. If you hate FB as much as you seem to then why do you have an account?

    If I don't like a service I steer clear.

    1. Chris 3
      Facepalm

      Because

      You can like one aspect of a service, without liking all aspects of it.

      Incredible, I know.

    2. fandom

      I don't

      Yet, I have always taken for granted they could track me online due to all the 'I like it' buttons in web pages I do visit.

      Don't bother to call me paranoid, I actually don't care if they do.

      1. Chris 3

        And what would the expected behaviour be if you were logged out?

    3. Ohb1knewbie
      Devil

      IP tracking requires an Acct???

      If what I've read so far is correct and IP addies are passed by the Like button code, it would seem that FB can track me even if I do not (and I DO NOT !) have a FB acct. They may not have my name to tag the IP addy with, but that hardly renders the info totally useless.

      IIRC Germany recently hauled FB over the coals about the Like button, must have been for this very reason?

      1. Anonymous Coward
        Anonymous Coward

        So what, my IP address changes daily. Now maybe with the compliance of my ISP Facebook could do something with that tracking information. Without it it means nothing to them.

        No Germany did no such thing. All they did was ban Facebook Like buttons (and other similar features) from state websites. Not the same thing at all.

    4. Fred Flintstone Gold badge

      Good question . here is a good answer..

      I have an account because my clients do.

      They have Facebook as part of their marketing strategy (which has its own dangers, but that's for another day), and in order to contain that risk I need to know as much as possible about it from an end user perspective.

      The picture that emerges is dire. You really need an almost around the clock surveillance to keep an eye on it, made worse because nobody actually appears to take *any* responsibility. It was only after the news about the cookies hit major sites that FB decided to answer, and then only "unofficially" - I suspect because it was starting to hit the press in a way that would hurt their current attempts to sell themselves.

      Of late I've seen the now active use of facial biometrics (to be fair, it's Google who started that with their web albums). When someone adds a picture and biometrics match it instantly suggests names to tag pictures with. It's well beyond creepy. The whole gig with interrupting people for their mobile number to "make their account safer" (yeah, right) is another example of an aggressive push towards grabbing as much private data as they can get their hands on.

      It thus seems a good decision that I only used images with messed up biometrics..

  23. Eek

    Its a shame he didn't ask the right question

    If he did he would find at that Facebook don't use cookies to track visits to +1 pages. They use ip addresses and browser strings. Statistically the accuracy is enough that cookies are irrelevant to the data quality.

  24. Bradley Hardleigh-Hadderchance
    FAIL

    AC - How do you know they Do have an account?

    If you were to do a straw poll AC - you would probably find that most of 'those above', do not.

    In other news:

    Psychic Sally defends her 'integrity' -

    http://www.dailymail.co.uk/news/article-2041787/Psychic-Sally-defends-integrity-denies-getting-information-man-backstage.html

    I DID NOT have an earpiece in receiving messages from the man behind the curtains.

    Read MY LIPS!

Page:

This topic is closed for new posts.

Other stories you might like