Facebook: 'We don't track logged-out users'

Facebook has attempted to shoot down claims that it leaves cookies on users' machines even after they log out of the social network. The response came after an Australian blogger alleged the site can still snoop on your web surfing after you've signed out. Nik Cubrilovic, concerned about Facebook's approach to privacy, said …

COMMENTS

This topic is closed for new posts.
  1. The Fuzzy Wotnot
    Pint

    Oh yeah?

    "Generally, unlike other major internet companies, we have no interest in tracking people,"

    "Generally" you have no interest in tracking people. Would you like to clarify this rather vague statement?

    1. User McUser
      Big Brother

      He means that they don't have to track their users since said users happily hand over all their personal information directly.

      Exactly what do FB users *think* those little "Like" buttons do?

      1. NomNomNom

        Facebook might not track users browsing, but this does suggest it *could* be done (for pages with like buttons)

        What if one of the facebook engineers decides to start collecting that information themselves, as a kind of a side project. Then I dunno perhaps they turn evil one day and post all the sites everyone has visited for the last month to their facebook walls, or perhaps post it to wikileaks. The ensuing chaos would be hilarious.

  2. Anonymous Coward
    Anonymous Coward

    That's because they don't call it tracking.

    hello 'frictionless sharing'.

  3. ratfox
    Devil

    When caught, deny

    Well, it might be that they do not actually USE these cookies to track you. But why do they exist, then? Is that a "bug"?

  4. Christoph
    Big Brother

    Mandy Rice-Davies Applies

    “our cookies aren’t used for tracking” “most of the cookies you highlight have benign names and values”.

    Well he would say that, wouldn't he?

    "Generally, unlike other major internet companies, we have no interest in tracking people,"

    ROFL!

  5. Code Monkey

    “most of the cookies you highlight have benign names and values”.

    So not "all" then.

    1. Pascal Monett Silver badge
      Thumb Down

      That sounds just like the dentist when he says "this won't hurt a bit" before shoving a shrieking piece of spinning metal in your molars.

      1. The Alpha Klutz
        Mushroom

        get with the times

        my dentist uses semtex and c4

      2. Mike Flugennock
        FAIL

        Man... your dentist is SICK...

        "That sounds just like the dentist when he says 'this won't hurt a bit' before shoving a shrieking piece of spinning metal in your molars."

        I don't know about _your_ dentist, but _mine_ loads me up with novocaine before coming anywhere _near_ my mouth with a shrieking piece of spinning metal.

        Analogy FAIL.

    2. Stoneshop
      FAIL

      And a benign name means

      exactly what?

    3. Gav
      Boffin

      benign

      This cookie here is called 'fb_fluffykitten' and has the values 'rainbows', 'candy' or 'giggles'.

      What do they do and what do they mean? Oh, it's technical, you wouldn't understand, don't you worry yourself with that boring stuff. All you need to know is they have benign names and values.

  6. Jeremy 2
    Angel

    I suspect it would have gone like this if it were an in-person statement:

    "Generally, unlike other major internet companies, we have no interest in tracking people.... No, really. Honestly! What?! Oh shut up."

  7. Pete Spicer
    Coffee/keyboard

    "Generally, unlike other major internet companies, we have no interest in tracking people,"

    Should be:

    "Generally, like other major internet companies especially Google, we have no interest in telling people how we are tracking them. Better for advertising, see."

    1. Law
      Big Brother

      Tracking is for amateurs!

      "Generally, unlike other major internet companies, we have no interest in tracking people because we already have all your details/photos/habits/family logged in our own systems, you see, tracking is for amateurs, we are pros!!"

  8. Danny 5
    Mushroom

    i wonder

    how long it'll take this time before facebook makes a public apology. It seems to be working well for them so far, so why change a winning strategy. It still amazes me how much facebook is actually getting away with, there have been companies in the past that got slammed badly for similar issues. somehow people seem to accept a simple apology every time facebook messes up.

    Kudos to facebook of course, they certainly have their PR machine up to spec.

  9. Anonymous Coward
    Anonymous Coward

    "we have no interest in tracking people," the insider added. "

    They've no need to - Facebook users dob themselves in by keying all the data FB are likely to want themselves

  10. Voland's right hand Silver badge
    Devil

    Even if they did not they can develop it

    Well, even if they did not have that interest what exactly is there to prevent them from developing it?

    They can also track a number of other interesting things regarding the overall state of play on the Internet like for example round trip time, jitter and packet loss to 90% of it. That in itself costs a lot of money (and doubly so if you for example offer media)...

  11. frank 3
    Facepalm

    that fails the 'which is more likely' test.

    "Generally, unlike other major internet companies, we have no interest in tracking people," the insider added"

    Err. sure. An ad delivery network that has no interest in tracking the habits of its product (that's you, btw). It's rare you see a whole flock of pigs airborne at one time.

  12. Bog witch
    Facepalm

    Lies

    Given that it is an obvious lie that '...we have no interest in tracking people' I think it is pretty safe to assume any other utterings from this mouthpiece are also a lie.

    It is probably safe to assume that FB, G and many, many others would want to track you and FB and G are the ones that have the best capability to do so.

  13. Gio Ciampa
    FAIL

    Confused...

    Er... isn't this how cookies are supposed to work?

    Site creates cookie; browser stores cookie; site asks for cookie on next visit to determine login details (or whatever)

    What this guy is on about is that he's not logged into Facebook at the time...

    ...except he's accessing a "Like" button... coming from facebook.com I presume, so is it at all surprising that the Facebook server is asking for the cookie to determine who has pressed "Like"?

    1. The Mole

      He isn't accessing a Like button, he is visiting another webpage on a totally unrelated site which displays a facebook like image, loaded straight from the facebook server which will see the cookies and be able to work out what page the image is embedded in. No user interaction required.

      1. Gio Ciampa

        Fair point - merely viewing a button icon shouldn't need cookies to be accessed.

        I'm guessing the code associated with the button will need user details to be able to send them to Facebook when the button is pressed - hence the cookie request. That it should be an on-click retrieval rather than on-load is the issue here I'd say.

      2. Gio Ciampa

        The El Reg Like button

        Just had a look at the source - as I suppose it'll be much the same:

        (Hope this pastes properly...)

        <iframe src="http://www.facebook.com/plugins/like.php?href=http://reg.cx/1QZ1&amp;layout=button_count&amp;show_faces=false&amp;width=90&amp;action=like&amp;colorscheme=light&amp;height=20" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:90px; height:20px;"></iframe>

        I'll wager the php generates the image, as well as handling the cookies.

        1. NomNomNom

          are cookies a red herring?

          I assume the http://reg.cx/1QZ1 part is a reference to the site/page the like button is on.

          in which case as someone else pointed out, even if there were no cookies they have all the information to snoop on your web browsing. When you visit a site with a like button facebook is sent your IP address and the page you are viewing.

          So the cookie is a red herring. The privacy hole is that sites you visit are sending facebook your IP address and a reference to the page you are viewing without your consent and without warning (how are you going to predict a like button is on a website before you visit?)

          With that information facebook could track surfing habits of ip addresses without cookies. For example if I visit the BBC next and there is a facebook like button on there facebook can potentially note that IP address N first visited the register then the bbc website. I assume facebook is far from alone in this respect. I assume advertisements on websites often work similar to like buttons where the advertiser is sent the IP address and the page the IP address is looking at on which the advert is on.

          What sets facebook apart is that it potentially has the additional ability to resolve each ip address into a real life identity.

          1. AdamWill

            Not really.

            It's not really a red herring. One of the cookies includes your Facebook account number, which - especially to Facebook - is a much more reliable indication of your identity than your IP address. People certainly don't always log in to sites from the same IP, and that's probably more true of Facebook than most sites, since people tend to access it from many different systems and from lots of different places.

  14. Fred Flintstone Gold badge
    Meh

    See comments on that claim

    The engineer's statement on what does what has already been taken to pieces..

  15. Thomas 18
    Go

    Sounds like you need... an audit!

    If you (Facebook) have the potential to track every user on every widget enabled page then you definitely need the services of the European Data Protection Commission. A short 5 year investigation comes at a low low price and can't be passed up... no really it can't, we need that private sector money now.

  16. armyknife

    "Generally" is an understatement it should read "Always"

    I've investigated the Facebook cookies and this is what I've found:

    I have numerous website tabs opened in Opera, that start up before I connect my ADSL, so the webpages load from cache and the cookies don't get updated as there's no connection. One of the opened pages is facebook, so when online I refresh it and check the facebook cookies from within the browser, there's 12 of them, all but one updated, showing "last visited" time of when I reloaded the page. So I log out of facebook, and the time of the cookies is updated.

    Then a couple of minutes later I refresh a random page, happens to be a DM page about the Queen and guess what, ALL 12 facebook cookies have updated time last visited to exactly when I refresh the page.

    1. Charlie Clark Silver badge

      Have you ever seen the network traffic if you scroll or move your mouse on a FB page? It's like having an army of goons watching and noting your every move.

      Back to the problem - any FB JS checks for a FB cookie when it runs. That's largely what the "Like" buttons are for which is why in Jormany we're not allowed to use them without explicit consent from the visitor.

  17. Anonymous Coward
    Anonymous Coward

    surely....

    this could be easily tested by seeing what's going in and out of your pc?

    Maybe by seeing if anything is requesting the cookie when you hit one of these pages?

    I'm no expert, but surely someone bitching about this would have the skills to find this out?

  18. Harry

    Browsers should be designed to work round this sort of abuse.

    Every browser should do several things, and it should be a legal requirement that they do so by default ...

    a) By default, cookies should never be supplied to third party sites.

    b) If in a specific case the user chooses to allow a cookie to be supplied to a third party site, then that cookie should be unique depending on the first party site. So, if I'm visiting bbc.co.uk and there is a FB image in it, FB can at the most tell which other bbc.co.uk pages I've visited but if I subsequently visit itv.co.uk and that too has FB images in it, FB should not be able to tell that I am the same person.

    c) Ideally, the browser should deliver different cookies depending on whether a person is logged in to the site.

    Firefox can probably do most of the above with appropriate extensions, but setting them up is beyond the ability of many users and needs to be the default behaviour in all browsers.
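
Point (b) above, applied to the like-button iframe request described earlier in the thread, as an added example that is not part of the original post or any browser's code: a toy cookie jar replays three embedded-widget loads with and without per-first-party partitioning and counts how many sites the widget host can link by cookie and by IP address. The hosts, paths, `uid` cookie name and IP address are constructed, and `siteOf` is a simplification of the Public Suffix List lookup real browsers use.

```javascript
// Added example. Hosts, paths, the cookie name "uid" and the IP are constructed.

// Crude registrable-domain guess; real browsers use the Public Suffix List.
function siteOf(host) {
  const n = /\.(co|org|ac)\.uk$/.test(host) ? 3 : 2;
  return host.split(".").slice(-n).join(".");
}

class CookieJar {
  // partitioned=false: one jar per cookie site (classic third-party behaviour).
  // partitioned=true: jar keyed by (top-level site, cookie site), as in point (b).
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.store = new Map();
  }
  key(topSite, cookieSite) {
    return this.partitioned ? `${topSite}|${cookieSite}` : cookieSite;
  }
  get(topSite, cookieSite) {
    return this.store.get(this.key(topSite, cookieSite)) || {};
  }
  set(topSite, cookieSite, name, value) {
    const current = this.get(topSite, cookieSite);
    this.store.set(this.key(topSite, cookieSite), { ...current, [name]: value });
  }
}

// Simulated widget host: records what each iframe request reveals and
// issues a visitor id cookie when the request arrives without one.
class WidgetServer {
  constructor() {
    this.log = [];
    this.nextId = 1;
  }
  handle(url, cookies, clientIp) {
    const embedding = new URL(url).searchParams.get("href"); // page carrying the button
    const uid = cookies.uid || `v${this.nextId++}`;
    this.log.push({ uid, ip: clientIp, embedding });
    return cookies.uid ? null : { name: "uid", value: uid };
  }
}

// Load three pages that each embed the widget; return the widget host's log.
function browse(partitioned) {
  const jar = new CookieJar(partitioned);
  const server = new WidgetServer();
  const widgetHost = "www.facebook.com";
  const pages = [
    "http://www.bbc.co.uk/news/a",
    "http://www.bbc.co.uk/news/b",
    "http://www.itv.co.uk/show",
  ];
  for (const page of pages) {
    const topSite = siteOf(new URL(page).hostname);
    const cookieSite = siteOf(widgetHost);
    // iframe src shaped like the one quoted in the thread
    const src = `http://${widgetHost}/plugins/like.php?href=` +
      `${encodeURIComponent(page)}&layout=button_count`;
    const setCookie = server.handle(src, jar.get(topSite, cookieSite), "203.0.113.7");
    if (setCookie) jar.set(topSite, cookieSite, setCookie.name, setCookie.value);
  }
  return server.log;
}

// Largest number of distinct embedding sites tied to one value of `field`.
function maxSitesLinked(log, field) {
  const groups = new Map();
  for (const entry of log) {
    const site = siteOf(new URL(entry.embedding).hostname);
    if (!groups.has(entry[field])) groups.set(entry[field], new Set());
    groups.get(entry[field]).add(site);
  }
  return Math.max(0, ...[...groups.values()].map((s) => s.size));
}

for (const partitioned of [false, true]) {
  const log = browse(partitioned);
  console.log(partitioned ? "partitioned" : "shared jar",
    "| sites linked by cookie:", maxSitesLinked(log, "uid"),
    "| by IP:", maxSitesLinked(log, "ip"));
}
```

Partitioning cuts the cookie-based link between the two sites, while the IP-based link raised in comment 13 is unaffected.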

    1. Fuh Quit
      Thumb Down

      By default, cookies should never be supplied to third party sites.

      What's the impact of the call to Facebook to get the "Like" button? Surely that makes the Facebook cookie(s - as there are lots of them) first-party. And all bets are off.

      A nice way around 3rd party policy, I'd say.

      And a user who is not logged in but has the convenient cookies and does not have to type in their password.........they're easily-tracked by the unique identifier as this must exist because......they were once logged in successfully.

      I'd err on the side of not trusting the dev. Thank goodness the odd time I use FB is on my Touchpad.

    2. Dan 55 Silver badge

      RequestPolicy on Firefox

      It's easy. The first time you visit a site and it doesn't appear properly you click on the flag in the toolbar and allow the sites which should be allowed (e.g. The Reg should obviously be able to get to Reg Hardware and Reg Media) and leave the rest (e.g. Doubleclick) alone.

      And there you have it. All 3rd party tracking and like buttons suddenly disappear and you can remove your tinfoil hat.

    3. Anonymous Coward
      Anonymous Coward

      Not FF but IE

      Surprisingly IE has had user-configurable cookie protections for a long time. I have mainly used FF for many years but the cookie settings are not fine grained. I have recently returned to using IE9 due to, surprisingly, better security, and with the cookie settings I set them to allow first-party cookies and session cookies but block third party cookies. Can't do this natively in FF but I recall it WAS an option a long time ago and still is to a limited extent in the Seamonkey version.

  19. James Micallef Silver badge
    Flame

    "have benign names and values"

    calling a man-eating lion "cute fluffy kitten" doesn't make it benign. And the cookies 'not being used for tracking'?? If they're there, they're being used, otherwise why set them in the first place?

  20. Anonymous Coward
    Anonymous Coward

    He's wrong.

    Not because I believe Facebook, but because if he were right and Facebook were tracking us that way, at least one of my two sock puppets would have been closed by now.

    1. Anonymous Coward
      Anonymous Coward

      You do realise that there are families with more than one person using Farcebook, or don't you?

      1. NomNomNom

        *trying to figure out from the distance between the c and r key whether that was a deliberate typo and concluding it was*

      2. Anonymous Coward
        Anonymous Coward

        Yep. But how many families sharing a pc for Facebook

        have the users log in in the same order, at about the same time every day, playing the exact same Zynga Facebook games? No, my usage patterns stick out like a sore thumb if anyone is bothering to track them. And obviously violate the t&c for the sock puppets.

  21. Anonymous Coward
    Alien

    Clintonesque

    In order to address this issue you must first define what tracking is.

  22. Anonymous Coward
    Anonymous Coward

    To most of the posters above I have a question. If you hate FB as much as you seem to then why do you have an account?

    If I don't like a service I steer clear.

    1. Chris 3
      Facepalm

      Because

      You can like one aspect of a service, without liking all aspects of it.

      Incredible, I know.

    2. fandom

      I don't

      Yet, I have always taken for granted they could track me online due to all the 'I like it' buttons in web pages I do visit.

      Don't bother to call me paranoid, I actually don't care if they do.

      1. Chris 3

        And what would the expected behaviour be if you were logged out?

    3. Ohb1knewbie
      Devil

      IP tracking requires an Acct???

      If what I've read so far is correct and IP addies are passed by the Like button code, it would seem that FB can track me even if I do not (and I DO NOT !) have a FB acct. They may not have my name to tag the IP addy with, but that hardly renders the info totally useless.

      IIRC Germany recently hauled FB over the coals about the Like button, must have been for this very reason?

      1. Anonymous Coward
        Anonymous Coward

        So what, my IP address changes daily. Now maybe with the compliance of my ISP Facebook could do something with that tracking information. Without it it means nothing to them.

        No Germany did no such thing. All they did was ban Facebook Like buttons (and other similar features) from state websites. Not the same thing at all.

    4. Fred Flintstone Gold badge

      Good question. Here is a good answer..

      I have an account because my clients do.

      They have Facebook as part of their marketing strategy (which has its own dangers, but that's for another day), and in order to contain that risk I need to know as much as possible about it from an end user perspective.

      The picture that emerges is dire. You really need an almost around the clock surveillance to keep an eye on it, made worse because nobody actually appears to take *any* responsibility. It was only after the news about the cookies hit major sites that FB decided to answer, and then only "unofficially" - I suspect because it was starting to hit the press in a way that would hurt their current attempts to sell themselves.

      Of late I've seen the now active use of facial biometrics (to be fair, it's Google who started that with their web albums). When someone adds a picture and biometrics match it instantly suggests names to tag pictures with. It's well beyond creepy. The whole gig with interrupting people for their mobile number to "make their account safer" (yeah, right) is another example of an aggressive push towards grabbing as much private data as they can get their hands on.

      It thus seems a good decision that I only used images with messed up biometrics..

  23. Eek

    It's a shame he didn't ask the right question

    If he did he would find out that Facebook don't use cookies to track visits to +1 pages. They use ip addresses and browser strings. Statistically the accuracy is enough that cookies are irrelevant to the data quality.

  24. Bradley Hardleigh-Hadderchance
    FAIL

    AC - How do you know they Do have an account?

    If you were to do a straw poll AC - you would probably find that most of 'those above', do not.

    In other news:

    Psychic Sally defends her 'integrity' -

    http://www.dailymail.co.uk/news/article-2041787/Psychic-Sally-defends-integrity-denies-getting-information-man-backstage.html

    I DID NOT have an earpiece in receiving messages from the man behind the curtains.

    Read MY LIPS!

  25. Anonymous Coward
    Anonymous Coward

    And this is why I have Like buttons blocked

    along with every other Facebook-related domain I can find. A pleasant side-effect is that suddenly many web pages load a good deal faster.

    1. NomNomNom

      "along with every other Facebook-related domain"

      Until they reroute like button image requests to non-facebook domains. You know for caching or something. Not spying on you. They wouldn't do that. Generally.

      1. Anonymous Coward
        Anonymous Coward

        Rather than blocking fb domains what you need is a list of approved cookie domains. If fb decide to create a new cookie domain called lksdhjksdghf.net it wouldn't be in your list so you wouldn't accept the cookies.

        Yes I know setting this up can be a pain at first, but once it's there it needs very little maintenance.

  26. Frank Bitterlich
    Big Brother

    They almost had me...

    ... until the "Generally, unlike other major internet companies, we have no interest in tracking people" bit.

    Thanks for the laugh...

  27. NomNomNom

    I tend to believe facebook. If they were evil they would have a dislike button (that would actually be fun) because for evil purposes it would be far more useful to know what people hated than what they liked.

    Of course they could still track you anyway, but if they really were info whores looking to grab as much data as possible they would want dislike info too.

    1. Fred Flintstone Gold badge
      Thumb Down

      No they wouldn't

      Are you seriously suggesting that they are not evil because they are not willing to expose themselves to lawsuits in the most litigious nation of the world?

      You can say any amount of positive stuff about people, but if you enable negative statements you will have to deal with consequential damages. You know, slander, reputational harm - the works. If I was running any company, that idea would get an instant "dislike"..

      No, I most seriously do NOT tend to believe Farcebook. I don't trust any organization that considers the rights of its users a mere inconvenience. I'm picky like that.

  28. Tom Reg
    Big Brother

    I like the "logged out" bit the most.

    When you LOG OUT we don't track you. But you know - closing the Facebook window does not log you out, which is all that 99% of people do. So when you are logged in - which most people are all the time, all the cookies taste even better to the Facebook people.

    Plus after reading all the posts, we can surmise that they have the technology to do it, even if some random engineer thinks they can't - it's a big company - there are other people working there.

  29. OziWan
    FAIL

    Groan

    This is a tech site so I presume the majority of people placing comments here are actually people working in the tech industry. Don't get me wrong there are a few comments that indicate people understand what is really going on here but the rest..... If the bunch of losers are running the computers of the world then God help us all :). (and as for the author ....)

    1. Anonymous Coward
      Anonymous Coward

      Wise Man

      OK then wise one, bless us with your wisdom, we are willing to learn. Explain the situation, our ears are open.

  30. Mike Flugennock
    Coffee/keyboard

    applying Murphy's Law of Inverse Proportionality, here...

    "...Whether or not Cubrilovic’s claim that he notified Facebook without response during 2010 is accurate, he certainly got a hair-trigger response from Facebook this time..."

    Ah, hah. So, I guess that Australian dude is _right_, then.

    " 'Generally, unlike other major internet companies, we have no interest in tracking people,' the insider added."

    D'AHH HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA ...oops, damn, I've wet 'em.

  31. Archimedes_Circle
    Devil

    >Benign names

    So as long as it doesn't sound threatening, it can't be used to track you? By that logic, the Manhattan Project was somehow about Manhattan. Urban renewals or something I guess.

  32. Anonymous Coward
    Anonymous Coward

    This is why I use Chrome's "Block all third-party cookies." ("When the option to block third-party cookies from being set is enabled, also block third-party cookies from being read.") flag. Not like 99.99% of the sites used require third-party cookies (even ones that currently exist, from being read as well, as stated) to function, eh? Nice feature, limits cookies to originating-site-only appropriately.

    1. Ilgaz

      Cookies are just one way

      Blocking third party cookies won't save you from flash cookies, abuse of html5 (!) technologies like site storage (up to 50MB) etc.

      Google analytics is a good example how much sites you trust deliberately sell your privacy out for some nice looking statistic pages and better ranking at Google. There is nothing to block there since the embedded code runs inside the very html page you read.

      Tracking people got so out of hand that ordinary non technical politicians started to ask questions to these companies.

      I mean, just blocking third party cookies won't save your privacy for the time being. They will sure profile you. Legitimate sites like Google and large advertising networks have "opt out" mechanisms but that is all.

      Facebook itself is target of all my paranoia since BBC of UK, inexplicably added "like" button to all news stories. It isn't like BBC guys don't know what kind of privacy breach they create, they run one of largest and oldest websites on planet. Something mysterious must have happened to decide polluting the entire site with spying button of an American company. If I was a British reporter, I would sure investigate it.

      1. Anonymous Coward
        Anonymous Coward

        I kind of like the idea that you are apparently keen on privacy and then you go and use Chrome and presumably other Google services. That would be the internet company that is keenest on tracking you.

  33. Head
    Megaphone

    Hmmm

    To the editor, I heard on the radio last night this guy speaking about this problem with Facebook cookies. He said the best way to stop facebook tracking people is to either deliberately delete all their cookies, or have Ad Blocker Plus running with the 'https://adversity.googlecode.com/hg/Antisocial.txt' script loaded up.

  34. Anonymous Coward
    Black Helicopters

    Optional

    Generally,... I'm inclined to agree with the negative attitude toward facebook. I find their continual-tracking project creepier than 50 spiders in a bathtub, and I consider Zynga as being somewhere between Goldman Sachs and Vladimir Putin on the sleaziness scale (no, I won't tell you which one is worse; it should be obvious). I not only lack an account, but haven't BEEN on facebook.com. I know, crazy, right?

    Ironically, though, the sheer venom of recent facebook comments, and the near-100% agreement among them, is making me reluctant to continue to accept the party line without skepticism. Much as with the climate change articles here, the wild-eyed frenzy is causing a reset: I've become as suspicious of the people opposing the thing I oppose, as I am of the thing I oppose itself.

    I -am- on Google+, by the way. Joined a few months ago when I got an invite. Don't want to fall behind the times, you know.

  35. This post has been deleted by its author

    1. Anonymous Coward
      Thumb Down

      Optional

      In fairness, I think that talking smack about customers to blow off steam is pretty universal. Doctors have plenty of derogatory names they call their patients, for example.

      I own a small business myself, and I treat my customers as well as I can, and actually (gasp) respect them - hell, I'm friends with some of them.

      But sometimes, on a day when things are frustrating, and nothing seems to be going right, someone says, "Hey, we got the order for [whoever]", and I'll reply, "Crazy bastards!" That doesn't mean I really think people are crazy for buying stuff from us; I'm proud of what I do. It means that you can't go around talking like there's always a mic on you (which is ironic, given some of Facebook's recent moves). If you put some of the things we joke about online, it'd look pretty bad sometimes - and sometimes it'd look an awful lot like the Zuck quote up there.

      Mr. Zuckerberg may or may not be a rat bastard who wants to know everything about everyone and sell all of it, but that particular quote - without context - is meaningless.

  36. Grubby
    Mushroom

    Hmmm

    Soon they'll be asking me where I am and what I'm doing, and to provide pictures of me doing it, and who I'm doing it with...

    Privacy invasion has been an issue long before the internet, if you walk out of a shop you're no longer a customer of that shop, but what's stopping the shop owner looking out the big glass thing to see where you go. If this annoys you, you probably wouldn't go to that shop again.

    Your ISP can, and does track everything you do online anyway, and will sell it to the likes of 'phorm', so if your issue is about being watched, sell your PC and buy a book.

    There are many, many free apps and browser add ons that will enable you to protect yourself from snoopy and co, or you could use proxies etc but ultimately you leave a footprint everywhere and if someone wants to use that to their benefit then they will find a way of doing so.

  37. Anonymous Coward
    Anonymous Coward

    "we have no interest in tracking users"

    But we will happily sell all the data WE aren't interested in to the companies that are interested.

    Twats.

    They really do think we were born yesterday.

    1. Fred Flintstone Gold badge
      Stop

      "Born yesterday"

      Sorry, but you cannot use Facebook then. You must be of a minimum age - at least, you must tell Facebook you are.

      BTW, I loved that BS the FB engineer was spouting that they used these cookies for age protection. Yeah, right..
