Updated 10pm Pacific with comments from Facebook.
Entrepreneur and hacker Nik Cubrilovic reports that Facebook can track the web pages you visit even when you are logged out of Facebook.
According to Cubrilovic’s tests, Facebook merely alters its tracking cookies when you log out, rather than deleting them. Your account information and other unique identifiable tokens are still present in these cookies, which means that any time you visit a web page with a Facebook button or widget, your browser is still sending personally identifiable information back to Facebook.
“With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook,” Cubrilovic wrote.
“They definitely have the information stored,” Cubrilovic told VentureBeat in an interview today. “As to what they do with it, you can only speculate.”
Facebook engineer Arturo Bejar said (in the comments on this post) that Facebook uses the data from logged-out cookies only to prevent spamming, phishing and other security risks.
“Also please know that also when you’re logged in (or out) we don’t use our cookies to track you on social plugins to target ads or sell your information to third parties,” Bejar said.
Cubrilovic’s claims are based on his analysis of HTTP headers sent by browsers to Facebook.com. He says the tests are repeatable by anyone with a browser that has development tools installed.
If correct, this could be a potentially serious violation of privacy. Some people are already alarmed that Facebook’s new “open graph” apps can report what you are reading or listening to in real time, adding the media you consume to your profile as an update without you clicking a “like” button.
It’s not clear how Facebook’s 800 million reported users will react to this revelation. “Facebook trains you to undervalue your privacy,” said author and BoingBoing editor Cory Doctorow earlier this week at the Strata Summit in New York, and many of the site’s users have shown no hesitation at all in continuing to use the site despite its complicated and constantly-changing privacy settings.
On the other hand, consumer reaction to Facebook’s Beacon feature several years ago forced the company to significantly revamp its approach. Beacon was similar to this year’s open graph in that it shared information about what you were doing online without you having to take explicit actions, like clicking on a button. Eventually, Facebook changed the way this worked, so nothing was shared without your explicit permission.
To block Facebook from following you, you need to delete all Facebook-related cookies after logging out. You may also be able to use AdBlock Plus to block Facebook, with the following rules, as reported on Hacker News:
Note: we haven’t tested these rules for efficacy yet.