Posts Tagged ‘Facebook Threats’

If you thought logging out of Facebook means the social network can’t track what you’re doing online, think again.

Facebook has had privacy issues for a long time, and while the company has been working to improve its image, today’s episode will likely set it back once again. Thanks to a modified cookie, Facebook allegedly knows what you’re doing online even when you’re not logged in. Yes, Facebook uses cookies to track users even when they have signed out of the service. Facebook, however, has denied allegations that it tracks users when they are logged out, saying it only uses tracking cookies to personalise content and to make the social networking site more secure.

Australian technologist Nik Cubrilovic recently claimed that when a user logs out of Facebook, rather than deleting its tracking cookies, the site merely modifies them, maintaining account information and other unique tokens that can be used to identify its users. So even if you are logged out, Facebook still knows and can track every page you visit on the web. Even Facebook admits that it alters, but does not delete, cookies when users log out.

After running a series of tests analyzing the HTTP headers on requests sent by browsers to facebook.com, we can easily see that Facebook alters its tracking cookies the moment you log out, instead of deleting them. Since your uniquely identifying account information is still present in these cookies, Facebook can continue to track you.

This means that if you log out of Facebook, you’re not really doing much. If you then head to a website that contains a Facebook plugin, your browser will continue to send personally identifiable information back to Palo Alto. Here’s Cubrilovic’s explanation:

With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook. The only solution to Facebook not knowing who you are is to delete all Facebook cookies. You can test this for yourself using any browser with developer tools installed. It is all hidden in plain sight.

So how do you get rid of these Facebook cookies in a way that will still let you use the service? Well, you can delete them every time after you log out of the website. Alternatively, Hacker News user buro9 says you can use the following AdBlock Plus rules:

facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net

This will supposedly limit your usage of the social network to just facebook.com. If you need to use it on another website, you can temporarily whitelist it with the AdBlock switch. If what Cubrilovic found today ends up being true, this could be a serious problem for Facebook. The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application; a number of cookies (including your account number) are still sent along with all requests to facebook.com.
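To see what the AdBlock Plus rules quoted above actually block, here is an added example (not from the original post, from buro9, or from AdBlock Plus itself) that models only the two features those rules use: the `^` separator and the `domain=` option with `~` exceptions. The function names and the sample URLs (`news.example`, `blog.example`) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The four rules quoted above, with "|" between every domain exception.
RULES = [
    "facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
    "facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
    "fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
    "fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
]
# "^" is a separator: end of URL, or any character other than a letter,
# a digit or one of _ - . %
SEPARATOR = r"(?:[^\w.%-]|$)"

def compile_rule(rule):
    """Return (url_regex, exempt_page_domains) for one blocking rule."""
    pattern, _, options = rule.partition("$")
    url_regex = re.compile(SEPARATOR.join(re.escape(p) for p in pattern.split("^")))
    exempt = []
    for option in options.split(","):
        key, _, value = option.partition("=")
        if key == "domain":
            exempt = [d[1:] for d in value.split("|") if d.startswith("~")]
    return url_regex, exempt

def on_domain(host, domain):
    """True for the domain itself and for any of its subdomains."""
    return host == domain or host.endswith("." + domain)

def is_blocked(request_url, page_url):
    """Would a request issued by the page at page_url be blocked by RULES?"""
    page_host = urlsplit(page_url).hostname or ""
    for url_regex, exempt in map(compile_rule, RULES):
        # The pattern has no "||" anchor, so it matches anywhere in the URL.
        if url_regex.search(request_url) and not any(
                on_domain(page_host, d) for d in exempt):
            return True
    return False

if __name__ == "__main__":
    like = "https://www.facebook.com/plugins/like.php"  # constructed sample request
    for page in ("https://news.example/story", "https://www.facebook.com/"):
        print(page, "->", "blocked" if is_blocked(like, page) else "allowed")
```

A request to a Facebook domain is dropped only when the page making it is not itself on one of the four exempt domains, which is why widgets on other sites stop loading while facebook.com keeps working.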

Even if you are logged out, Facebook still knows and can track every page you visit.

The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.

Here is what is happening, as viewed by the HTTP headers on requests to facebook.com. First, a normal request to the web interface as a logged-in user sends the following cookies:

[Image: Facebook Cookie]

The request to the logout function will then see this response from the server, which is attempting to unset the following cookies:

[Image: Facebook Cookie Unset]

To make it easier to see the cookies being unset, the names are in italics. If you compare the cookies that have been set in a logged-in request, and compare them to the cookies that are being unset in the log-out request, you will quickly see that there are a number of cookies that are not being deleted, and there are two cookies (locale and lu) that are only being given new expiry dates, and three new cookies (W, fl, L) being set.

Now if we make a subsequent request to facebook.com as a ‘logged out’ user:

[Image: Facebook Cookie Logout Call]

The primary cookies that identify me as a user are still there (act is my account number), even though I am looking at a logged-out page. Logged-out requests still send nine different cookies, including the most important cookies that identify you as a user.

This is not what ‘logout’ is supposed to mean. Facebook are only altering the state of the cookies instead of removing all of them when a user logs out.
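The comparison walked through above (cookies sent while logged in versus cookies the logout response unsets) can be automated when auditing any site's logout behaviour. This is an added example, not code from the original post or from Facebook: the header values are constructed, `sess_example` is a placeholder cookie name, and the function names are assumptions; only the names act, locale, lu, W, fl and L come from the text.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers. The names act, locale, lu, W, fl and L are the
# ones the article mentions; "sess_example" and all values are placeholders.
LOGGED_IN_COOKIE = "act=1000000001; locale=en_US; lu=AAAA; sess_example=BBBB"
LOGOUT_SET_COOKIE = [
    "sess_example=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/",
    "locale=en_US; expires=Fri, 01 Jan 2038 00:00:00 GMT; path=/",
    "lu=AAAA; expires=Fri, 01 Jan 2038 00:00:00 GMT; path=/",
    "W=1; path=/",
    "fl=1; path=/",
    "L=2; path=/",
]
SAMPLE_NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample

def parse_set_cookie(line):
    """Split one Set-Cookie value into (name, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in line.split(";")]
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (part.partition("=") for part in rest)}
    return first.partition("=")[0], attrs

def is_deletion(attrs, now):
    """A cookie is removed when Max-Age <= 0 or Expires lies in the past."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return int(attrs["max-age"]) <= 0
    return "expires" in attrs and parsedate_to_datetime(attrs["expires"]) <= now

def audit_logout(cookie_header, set_cookie_lines, now):
    """Classify each cookie by what the logout response does to it."""
    sent = {c.split("=", 1)[0].strip() for c in cookie_header.split(";") if c.strip()}
    report = {"deleted": set(), "rewritten": set(), "newly_set": set()}
    for line in set_cookie_lines:
        name, attrs = parse_set_cookie(line)
        if is_deletion(attrs, now):
            report["deleted"].add(name)
        else:
            report["rewritten" if name in sent else "newly_set"].add(name)
    touched = set().union(*report.values())
    report["untouched"] = sent - touched  # logout never mentions these
    # Everything the browser still sends on the next request.
    report["sent_after_logout"] = (sent | touched) - report["deleted"]
    return {kind: sorted(names) for kind, names in report.items()}

if __name__ == "__main__":
    result = audit_logout(LOGGED_IN_COOKIE, LOGOUT_SET_COOKIE, SAMPLE_NOW)
    for kind, names in result.items():
        print(f"{kind:18}{', '.join(names) or '-'}")
```

Any identifier that shows up under `untouched` or `rewritten` is still attached to later requests, which is the condition the post describes for `act`.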

With my browser logged out of Facebook, whenever I visit any page with a Facebook Like button, or Share button, or any other widget, the information, including my account ID, is still being sent to Facebook. The only solution to Facebook not knowing who you are is to delete all Facebook cookies. You can test this for yourself using any browser with developer tools installed. It is all hidden in plain sight.

The social networking giant said that the logged-out cookies are used to identify spammers and phishers, detect when an unauthorised person is trying to access a user’s account, help users regain access to an account when it’s been hacked and disable registration for underage users who try to re-register with a different birth date.

What are your thoughts on this? Is Facebook justified in tracking logged-out users? Leave your comments in the comment section below.

Privacy threats and fatigue have led 1 lakh Britons and six million users in the US to shut down their Facebook accounts, with the same pattern expected to follow in other countries too.

Facebook’s growth rate has slowed for a second month in a row, ironically, when the social networking site was aiming to reach its goal of one billion active users.

Canada saw a fall of about 1.5 million users of the website, while in Russia and Norway numbers fell by more than 100,000 users.

The company is now relying on developing countries to boost its numbers.

Blogs are abuzz with speculation that the website could one day ‘sputter into oblivion,’ fearing the fate of its failing rival MySpace.

There is a point at which the site can no longer grow, once it has established itself in a country, according to Eric Eldon, from the website ‘Inside Facebook’, which obtained the figures.

“By the time Facebook reaches around 50% of the total population in a given country, growth generally slows to a halt.”

Internet psychologist Graham Jones has predicted that Facebook users would suffer the same kind of ‘fatigue’ that comes whenever men and women get bored with trying anything that is new. “People get terribly excited about something new and after a while the novelty wears off,” he explained.

What do you think of Facebook’s privacy policies?