Does Facebook keep tracking users after they have logged out?

Australian hacker and blogger Nik Cubrilovic claims that Facebook keeps tracking its users after they have logged out from the site.

To do that, the social network allegedly uses cookies which, instead of being deleted once the users log out, are simply modified in such a way to send information about users visiting sites that have a Facebook “Like” button, “Share” button or any other widget or plugin.

Cubrilovic made the claim after having kept tabs on the HTTP headers on the requests sent by browsers to facebook.com, and encourages others to check for themselves.

“If you compare the cookies that have been set in a logged in request, and compare them to the cookies that are being unset in the logout request, you will quickly see that there are a number of cookies that are not being deleted, and there are two cookies (locale and lu) that are only being given new expiry dates, and three new cookies (W, fl, L) being set,” he says. “You can test this for yourself using any browser with developer tools installed. It is all hidden in plain sight.”

He points out that the only way to keep Facebook from doing so is either to delete all the cookies stored by the browser immediately after you have logged out, or to use a different browser when visiting Facebook and use it only for that purpose.

He also mentioned a separate privacy issue he had with Facebook a year ago, and which is possibly tied with this one. In short: he opened a few fake Facebook accounts in order to test some things, and after using them for a while, he began receiving suggestions of “friending” his real account.

“Somehow Facebook knew that we were all coming from the same browser, even though I had logged out,” he concluded, and pointed out that this could have serious implications if one is using Facebook from a private terminal.

He allegedly acquainted different people within Facebook with the issue more than a year ago, but failed to get a response to his emails.

But to this particular post he did receive a prompt response. One Gregg Stefancik, an engineer who works on login systems at Facebook, was quick to add that Facebook’s log out cookies aren’t used for tracking.

“Instead, we use our cookies to either provide custom content (e.g. your friend’s likes within a social plugin), help improve or maintain our service (e.g. measuring click-through rates to help optimize performance), or protect our users and our service (e.g. defending denial of service attacks or requiring a second authentication factor for a login from a suspicious location),” he wrote.

He also added that Facebook deletes account-specific cookies when a user logs out, and that they don’t use them to suggest friends.

But, judging by the lively exchange of comments that followed, many users pitched in either confirm some of Cubrilovic’s claims or to declare that Facebook doesn’t walk the talk when it comes to privacy issues.

This discussion between Cubrilovic and Facebook can go on forever, I suspect, so I hope that other qualified and independent security researchers will look into the matter soon and share their findings.

More about

Don't miss