
Facebook Cookies Track Users Even After Logging Out

Posted by samzenpus
from the sticking-with-you dept.
First time accepted submitter Core Condor writes "According to Australian technologist Nik Cubrilovic: 'Logging out of Facebook is not enough.' He added, Even after you are logged out, Facebook is able to track your browser's page every time you visit a website. He wrote in his blog: 'With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook.' After explaining the cookies behavior he also suggested a way to fix the tracking problem: 'The only solution to Facebook not knowing who you are is to delete all Facebook cookies.'"
  • My sure fire plan (Score:4, Insightful)

    by Osgeld (1900440) on Sunday September 25, 2011 @05:38PM (#37510286)

    don't use facebook

    • by betterunixthanunix (980855) on Sunday September 25, 2011 @06:07PM (#37510446)
      But but but we need Facebook. How else are we supposed to communicate with our friends?
      • Re: (Score:2, Insightful)

        by Truekaiser (724672)

        normal email, im(google, msn, aim.), irc, mobile texting, phones, and the ever useful face to face. :P

        • There are some claiming the imminent demise of SMS, and that email is already dead. The argument is that sending SMS costs money and sends your message through a third party but somehow misses the point that Facebook/Google +/etc. cost money in data charges, send your message through several third parties, cost in loss of privacy, and ultimately line the pockets of the same telcos.

          Hack : Wednesday 21 September
          Could SMSing be dead within 5 years? The public launch of Google + draws the attention of some social media analysts who say texting and email are dead men walking. Also, we take a look at what the high profile Afghan assassination means for the war... and an Adelaide gaming bar runs into licensing dramas and not just because of its name: Pimp Pad.
          download mp3: 12 MB [abc.net.au]

        • by thegarbz (1787294)

          While the parent should have been modded Funny rather than insightful, your post actually completely misses how the various technologies work in social interaction.

          Facebook does not replace Mobile Texting, Phones, or Face to Face.
          Most people despite what the Slashdot crowd may think do not use IRC.
          Usage of Google MSN AIM ICQ etc has seen a steady downward trend across age groups typically replaced by chat functions in Facebook and the proliferation of free txt messaging and smartphones which treat a txt mes

    • by E.I.A (2303368)
      If I could mod this comment to the moon, I'd do it. I think the Onion explained it better than anyone else: http://www.theonion.com/video/cias-facebook-program-dramatically-cut-agencys-cos,19753/ [theonion.com]
    • by jhd (7165)

      Don't use Facebook with prejudice.
      Avoid it like you would the black plague.
      Purge it from your mind... face-wut?
      It can only make you stupid.

    • Are you sure that works?
      What's stopping any Facebook widget site from placing a cookie on your machine and tracking you? Sure they may not know who you are, but they can still collect all the same data. I don't know if they do this, but the whole Facebook network scares me.

    • by melted (227442)

      That doesn't really help. They will still track you, they just won't be able to link that data to your user profile. It is valuable even without a user profile. Say they notice that you visit a lot of "gadgets" sites. They can sell you to Microsoft (who buys FB data) and Microsoft will know you're interested in gadgets, so they'll show you more gadget ads.

      The only solution is block them through your hosts file, like I did, or at least block their cookies. That way your browser won't load their cookies and y

    • Don't use facebook

      That is only half the battle...

      Even deleting and/or blocking cookies does not work. A few months ago, it was reported that facebook tracks you based on ip address.

      Anytime you request an image from facebook, you are being tracked, including "like" buttons.

      I use DD-WRT and its access restrictions to block facebook.com at my router. Don't forget to block fcbkcdn.net as well.

      If you can not block access from your router, you can add facebook.com to your hosts files to redirect facebook to ip 127.0.0.1.

  • I thought so... (Score:5, Interesting)

    by gemtech (645045) on Sunday September 25, 2011 @05:38PM (#37510290)
    a week ago I went to a website and it asked me (by my name) if I wanted to follow them on Facebook. I was not logged into Facebook at the time.
    • by jhoegl (638955)
      It sure is great Corporatization took over the interwebs, now not only do we have the government spying on our packets, we have corporations wanting to know what we do as well.

      WOOOWOOO!
      • Re:I thought so... (Score:5, Insightful)

        by PopeRatzo (965947) * on Sunday September 25, 2011 @06:14PM (#37510490) Homepage Journal

        It sure is great Corporatization took over the interwebs, now not only do we have the government spying on our packets, we have corporations wanting to know what we do as well.

        You better adjust your attitude, Mr Man. Those are the Job Creators you're talking about and you better start showing a little gratitude by letting them track your movements and have sex with your wife whenever they want.

        Letting corporations fuck your privacy is the 2011 version of droit du seigneur.

      • by Kenja (541830)
        They can only keep track of the information you willingly give them. If you really thought Facebook was a charity, that's your own fault. If you realized they are a for profit organization, how did you think they made your money if not with the information you provide them?
        • by jhoegl (638955)
          You think just Facebook is doing this?

          Perhaps you should see what your ISP is doing.
    • That's because FB social plugins are Facebook. They are run from FB servers and are like mini-sites built into Yathoo! etc. It shouldn't be surprising that if you stay logged in to FB, their proxies on other sites will know who you are.
    • I've looked at my web traffic lately and see an awful lot of traffic to Facebook when I go to other sites. And it is not that I'm just "logged out" of Facebook, I don't have a Facebook account and never have (and never will). There is no valid reason for this traffic between me and Facebook. The next step may be to put a bad link for Facebook in my Hosts file.
      • by jbmartin6 (1232050) on Sunday September 25, 2011 @06:26PM (#37510568)
        There is no such thing really as "other sites." Your browser loads bits and pieces from all over the place on practically every page you visit, such as ads, 'like' and 'share' buttons, etc. And each of these requests to different sites for all these bits and bobs on the page carries information on what site you think you are visiting, etc. This is standard web browser behavior. When you load that little button or thingie from facebook.com your browser tells Facebook what page you loaded it from and also helpfully sends along any cookies it has for Facebook.com domain. This is by no means unique to Facebook, you could find the same thing with reddit, digg, google, or any other site that has bits and pieces being loaded as part of other people's pages.
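The browser behaviour described in the comment above can be checked against a captured page load. This is an added example, not code from the thread: the request list is constructed, `news.example` and `cdn.example.org` are hypothetical hosts, and the two-label "site" rule is a simplification of what browsers do with the Public Suffix List.

```javascript
// Constructed sample: requests one browser made while loading a single page.
// news.example and cdn.example.org are hypothetical; cookie values are made up.
const PAGE = "https://news.example/story.html";
const SAMPLE_REQUESTS = [
  { url: PAGE, headers: { Cookie: "session=n1" } },
  { url: "https://news.example/site.css",
    headers: { Referer: PAGE, Cookie: "session=n1" } },
  { url: "https://www.facebook.com/widget/like?href=news.example",
    headers: { Referer: PAGE, Cookie: "uid=constructed-1000" } },
  { url: "https://static.fbcdn.net/widget.js", headers: { referer: PAGE } },
  { url: "https://cdn.example.org/lib.js", headers: {} },
];

// Simplified "site": the last two labels of the hostname. Browsers use the
// Public Suffix List instead; this shortcut is wrong for suffixes like co.uk.
function siteOf(url) {
  try {
    return new URL(url).hostname.split(".").slice(-2).join(".");
  } catch (e) {
    return null; // malformed or missing URL / Referer value
  }
}

// HTTP header names are case-insensitive.
function header(req, name) {
  const key = Object.keys(req.headers || {})
    .find((k) => k.toLowerCase() === name.toLowerCase());
  return key ? req.headers[key] : undefined;
}

// Summarise, per third-party site, what it received during the page load.
function auditPageLoad(pageUrl, requests) {
  const firstParty = siteOf(pageUrl);
  const bySite = new Map();
  for (const req of requests) {
    const site = siteOf(req.url);
    if (!site || site === firstParty) continue; // first-party or unparseable
    const entry = bySite.get(site) ||
      { site, requests: 0, sentCookie: false, sawPage: false };
    entry.requests += 1;
    if (header(req, "cookie")) entry.sentCookie = true;
    if (siteOf(header(req, "referer")) === firstParty) entry.sawPage = true;
    bySite.set(site, entry);
  }
  // A site that gets a stored cookie and the embedding page's address in the
  // same request can attribute this visit to a browser it has seen before.
  return [...bySite.values()].map((e) =>
    ({ ...e, canLinkVisit: e.sentCookie && e.sawPage }));
}

for (const row of auditPageLoad(PAGE, SAMPLE_REQUESTS)) {
  console.log(row.site, row);
}
```

The same function can be fed the request entries of a HAR export from the browser's developer tools once they are mapped to `{ url, headers }` objects.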
        • Thanks for the lecture, but I know how HTML works. Obviously I'm not surprised by all of those fetches from Google as sites get ads from them or links to a video source when I load a page with embedded video. But I'm seeing this over and over again when I load pages that don't even have a visible reference to Facebook on them. Clearly they are getting sites to embed something that references Facebook, but the extra traffic it costs me seems to be for Facebook's benefit, not mine. Time to block it.
  • As if anyone could have been surprised by this, didn't Slashdot already cover this story?
  • I just did a search in Firefox to delete all Facebook cookies. Yum!
  • by Greyfox (87712) on Sunday September 25, 2011 @05:48PM (#37510342) Homepage Journal
    You can configure firefox privacy options to drop most cookies when you log out. I trust a few sites to persist cookies in my browser, everyone else my browser accepts cookies from and quietly drops them on the floor when I exit. I don't know that it helps all that much but it's not that much effort to make it harder to snoop around at what I'm browsing.
    • by rsborg (111459)

      You can configure firefox privacy options to drop most cookies when you log out. I trust a few sites to persist cookies in my browser, everyone else my browser accepts cookies from and quietly drops them on the floor when I exit. I don't know that it helps all that much but it's not that much effort to make it harder to snoop around at what I'm browsing.

      Your solution fails when dealing with Flash cookies, as those can't be removed via the browser, only through the Adobe Flash interface. This also explains why Facebook is so interested in Disqus and IntenseDebate market... they want to profile everyone all the time.

      • by bipbop (1144919)
        Your knowledge is out-of-date. In fact, the Flash shared objects are annoyingly deleteable these days--since they now disappear when people clear browser history or cookies, or in any other number of circumstances, people have been deleting their saves for Flash games and getting irritated at authors of said games for not being able to work around it. Damned if you do, damned if you don't.
        • by tepples (727027)

          people have been deleting their saves for Flash games and getting irritated at authors of said games for not being able to work around it.

          Once the player turns 13 (COPPA age), the player can create an account on the game's server to save the player's progress there.

  • Ghostery (Score:2, Informative)

    by schnikies79 (788746)

    http://www.ghostery.com/ [ghostery.com]

    For everyone's reference, it's currently blocking facebook connect here on slashdot.

  • This is not the first message on Slashdot about this phenomenon.

    And like the previous time Ghostery is the preferred plug in to suppress it.

  • by WCMI92 (592436) on Sunday September 25, 2011 @05:55PM (#37510376) Homepage

    Facebook is a website I refuse to have any relationship with. I do not have an account, nor will I EVER have an account. Their management is easily the most evil and anti-customer in the industry, constantly taking actions against their users' best interest.

    This should surprise no one. I block their cookies in my browser and never intentionally go there.

    I keep trying to tell the lemmings I know who pour their intimate personal information into Facebook that it is foolish to do so. The website's name should be "InfectMyPCWithAVirus.COM", or "StealMyIdentity.COM".

    Zuckerberg better sell the damn thing before the inevitable class action lawsuit consumes the millions he's made off exploiting his customers. Of course, I hope he doesn't, he is one asshole I would very much love to see bankrupted and forced to get an honest job somewhere. I bet he ends up at Sony, developing rootkits...

    • I knew it - Tom from MySpace does have a Slashdot account!
    • Re: (Score:2, Insightful)

      by WCMI92 (592436)

      LOL. Moderated down by a Facebook lemming in denial no doubt. Go get your personal identity stolen. Go get your computer infected by a virus. The only thing Zuckerberg cares about is making as much money as he can off your information. Which is why he doesn't give a damn about security or keeping viruses off their web pages.

    • Re: (Score:2, Insightful)

      by fartrader (323244)

      Not anti-customer at *all*. You are NOT their customer.

    • by SendBot (29932) on Sunday September 25, 2011 @08:33PM (#37511228) Homepage Journal

      On the contrary, I view FB as a venue to advertise myself, my thoughts, and my interests to the world around me. I want to create influence, and if I don't want something to be known to FB I (wait for your mind to be blown...) simply don't post it. Amazing!

      Oh, and that myth about lemmings committing mass suicide by jumping off of cliffs? That's complete nonsense fabricated for a nature film created by (wait for your mind to be blown a second time...) DISNEY! That's right, you've been successfully misled by MouseCorp/ABC.

      You just got chumped, chump.

    • This. This is it. The ultimate Slashdot post. If Slashdot was a person, this would be the beating heart.

  • So... facebook.com sets a cookie...

    Site B has Facebook Like button - which presumably is sourced from facebook.com

    And you're surprised that they don't check your cookies when sending the icon???

    Where's the story?

    • The story is old, but it is this: Facebook can and does track your activity across the web, not just on facebook.com. People who would prefer to not be tracked in this manner have no way to opt-out and nobody is talking about making it opt-in. Since most people do not care about their privacy on the web, Facebook will continue to get away with this sort of behavior.
      • Actually, yes they do. It's called "not accepting the cookie". Just because they've got their browser set to automatically accept every cookie ever sent to them doesn't mean they have no possible way to opt-out.

  • In Opera, you can right click with Facebook loaded, select site preferences, cookies, and check "delete new cookies every time I exit Opera". Only deletes cookies from Facebook, so other sites won't break. Also, erase existing cookies. Won't stop the cookies during the same session, but it'll help. Also, Ghostery prevents this (as others have mentioned.) I use Facebook to stay in touch with friends, but that doesn't mean I want them to know anything about any other sites I visit, TYVM.
  • Oh God (Score:2, Funny)

    by DSS11Q13 (1853164)

    I don't want anyone to know I read slashdot

  • the crux, I think (Score:5, Insightful)

    by Bill Dog (726542) on Sunday September 25, 2011 @06:07PM (#37510450) Journal

    From TFA:

    This is not what 'logout' is supposed to mean - Facebook are only altering the state of the cookies instead of removing all of them when a user logs out.

    I don't have direct experience in this area so I'm wondering, why exactly is logout supposed to mean deleting cookies instead of just noting in them that the user is logged out?

  • I don't see why anyone is surprised about this behaviour when it's actually how the damn doubleclick and such manage to track people across the web. All of those damn Facebook Like/Add This buttons are simply doing what they're supposed to do. Call the Mothership so why are you surprised?

    The only way to prevent this is to block the damn button scripts along with their fbcdn connections.

    • by Mashiki (184564)

      Because in a lot of places outside of the US doing this is illegal. As in a federal crime illegal, with jail time and very steep fines.

  • I have done this ever since I joined FB due to friends and family over-bugging me to join: I installed the Opera browser, I got a new email that I use for FB; I've used Opera only to log into FB and into the email I use for FB. I use Chrome or Firefox for everything else. I just checked my Firefox, no FB cookies!
  • Notice (Score:5, Funny)

    by inode_buddha (576844) on Sunday September 25, 2011 @06:22PM (#37510540) Journal

    Notice how goatse doesn't have a FB "like" button? I think goatse needs a "like" button. C'mon, everybody, why don't we setup a shitload of goatse mirrors with "like" buttons? There's more than one way to poison a DB.....

  • I am sure I read about this (exactly as described in the summary) two years ago. The infamous Facebook cookies that track you even after you log out - yes, people have been taking this crap all this time. Maybe now it'll get a bit more air due to the existence of a legitimate contender (G+)?

    • I am sure I read about this (exactly as described in the summary) two years ago. The infamous Facebook cookies that track you even after you log out - yes, people have been taking this crap all this time. Maybe now it'll get a bit more air due to the existence of a legitimate contender (G+)?

      I've got to ask - why on earth would you assume Google isn't doing exactly the same thing?

  • This has been known since the Like button first appeared. Quit FB, or learn to use NoScript.

  • You could use a different browser for Facebook than for everything else you do. Say you normally use Firefox, you could use IE/Opera/Chrome/Safari/something else for Facebook only. Or set up a dedicated browser instance that runs in a VM, using that only for Facebook. My personal choice is even easier though - I don't use Facebook.
  • Well. I disabled facebook in noscript, just in case they miss it somehow that I have no account there.

  • Don't recall where I found this, but add this to user.action:

    # Facebook
    # This is used for blocking Facebook Open Graph stuff, where third party
    # sites include resources from Facebook.

    #See if the referrer is even set.
    {+client-header-tagger{referrer-set-facebook}} .facebook.com

    #If a referrer was set, block cookies.
    {+block{Facebook Open Graph blocked.} +crunch-outgoing-cookies}
    TAG:^referrer-set-facebook:

    #Except if it was referred by facebook, make sure we allow the cookies.
    {-block allow-all-cookies}
    TAG:^referr

  • by MBC1977 (978793) on Sunday September 25, 2011 @07:19PM (#37510866) Journal
    Why use any social networking site if you're gonna isolate yourself? Don't get me wrong I do use facebook and am fully aware how the tracking system works (I personally enabled it on 20 sites I use this morning). It just seems like a lot of "the sky is falling" mentality. Not trying to troll or flame here, but it seems like if you don't want others to know what you're doing, then you should unplug the computer and just use it as a standalone system. Could be just my old man point of view though. lol
  • This is common knowledge for damn near everybody on Slashdot, but for those who don't know:

    It's not the browser cookie that is tracking the browser activities, it is the Facebook included javascript that recognizes the fb cookie and reports that this particular browser has visited this website/page. The cookie is only data on the user's machine and that is used to log where that browser has gone to. That's why these social sites (and porn sites, etc.) are so insidious. You may think that no longer visit

  • Yeah, I saw this coming a mile away. You could also just disable cookies altogether, but for those that use them and don't want Facebook to track this, there's easy ways in pretty much every browser to *.* disable all Facebook cookies from ever installing/saving. That's what I'm going to do.
  • by tick-tock-atona (1145909) on Sunday September 25, 2011 @07:41PM (#37510972)
    In Firefox:
    • use the requestpolicy addon [mozilla.org]; whitelist fbcdn.net on facebook.com only. facebook.com is blacklisted for other domains automatically.
    • don't accept third-party cookies
    • set cookies and cache to clear when closing the browser (whitelist a couple of sites like slashdot)

    The end. No tracking, "evercookies" etc. Even blocks google tracking via google-analytics.

    • by Red_Chaos1 (95148)

      I'd mod this up if I had mod points right now. I was going to post exactly the same thing.

  • Not news. (Score:5, Informative)

    by znerk (1162519) on Sunday September 25, 2011 @08:10PM (#37511120)

    Tracking cookies track. This is not news, this is anticipated and expected behavior. This has been the status quo for over a decade.

    Cookies have a security feature in that they are accessible only to the websites that placed them, but advertising sites have been using tracking cookies for as long as cookies have existed, and getting around that security by placing a "bug" on third-party sites. They used to (and probably still do) implement this as a 1x1 "spacer" image the same color as the background, or simply by having an ad on the page you are viewing. When your browser requests the image/flash/javascript/whatever, the site it comes from is suddenly allowed to access their cookie.

    The solution has also not changed; either don't allow cookies, or delete them constantly. Anti-scripting addons are also helpful, as are black (or whitelists) of websites to disallow (or allow) access to your system. Modifying hosts files has been a semi-successful method, as well, in that requests sent to specific named addresses can be redirected to localhost (and therefore "blocked").

    I personally use NoScript and AdBlockPlus for precisely this reason (and to speed up my page loads), and I can't fathom why this information could be conceived to be news to any user with any amount of technical knowledge and a modicum of interest in their own privacy.

    • by pz (113803)

      1x1 "spacer" image the same color as the background

      GIF has a transparent color value, easing this issue for the nefariously inclined.

  • This is exactly what the Sharemenot [washington.edu] plugin for Firefox is for. To protect against this type of thing.
  • I have always assumed that both, Facebook and Google have always done everything they can to track and identify me even if I am not logged in to any of their services.

    If there is a "Like" button, I assume it's too late, Facebook tracked my visit. And if the site uses Google Analytics (and it seems everyone in the world does) I also assume Google tracked me and as soon as I log in they will tie up all collected data to my Google account, if they have not already tied the data to the last used account in in th

  • by Alphanos (596595) on Sunday September 25, 2011 @09:06PM (#37511436)

    This and many other privacy issues can and should be fixed by use of proper Firefox add-ons. Sure we can decry the practice and wish that in an ideal world corporations would not do such things, but that's a waste of time. Use things like Adblock Plus, Ghostery, Beef Taco, NoScript, and Better Privacy.

    I don't even see those Facebook buttons. Since in practice nobody will manually mess with their cookies each time they log out of a site, and may even want to visit other sites while still logged in, this is the only realistic solution.

  • by frozentier (1542099) on Sunday September 25, 2011 @09:37PM (#37511568)
    My sure fire plan is not to fucking worry about it. FB only posts what I tell it to post. So they know I went to a certain website? Honestly, it doesn't matter. I've never noticed it make a single change in my life other than giving me ads about stuff I'm interested in as opposed to ads I couldn't give a damn less about. Oooo, big bad facebook.
  • by Artifakt (700173) on Sunday September 25, 2011 @11:28PM (#37512158)

    ...Facebook.
    There is a lot of data that's exceptionally valuable for marketing, which companies can only get if they do tracking way beyond visits to their own web pages. That added value is perceived by advertising execs as literally enormous, so it should be assumed anyone who can implement this thinks they have a strong incentive. It's like, how common would bank robbery be if the penalty was 10 days in jail and the potential reward was a million dollars?

    To see how, let's take an example. A company may pay a few cents per for a list of valid e-mail addresses. Now, link one of those addresses to the information that the possessor of that address definitely orders things on-line, and it's a little more valuable. Add that the things ordered on-line include prescription drugs, and it's worth more. Now how much is it worth linked to the information that the person is not yet ordering any antidepressants, but has just spent several hours searching several terms relating to depression? A list of e-mail addresses that fit those criteria is generally estimated to be worth about $ 250 US per entry by the pharmaceutical firms. With the right combinations of information sources, essentially a matter of asking the right questions, this sort of data is at least perceived to be the holy grail of targeted advertising. Personally, I assume that any for-profit that isn't looking for this sort of data is only avoiding it because they doubt the American Advertising Council's estimates of how much business it can drive, and not because they have a moral objection. Yeah, maybe some of them are genuinely being ethical, but I recognize that the sheer scope of the temptation is bound to make many of them cross the line, and it's time to be a little paranoid about privacy.

  • Wiping your cookies, adblock, flashblock, etc - it's all worthless.

    Even if you remove all cookies, the iframe that is the 'like' button will set a new cookie. Facebook tracks these new 'anonymous' cookies centrally, and then when you DO login to your actual account, they can read this cookie and marry up your previous behavioral habits and sites you visited. The advice here leads people to believe you can fight this simply by erasing cookies. The only way to really make that effective is:

    1) Log out of Facebook
    2) Remove all Facebook cookies
    3) Browse around to other sites
    4) Clear all Facebook cookies AGAIN
    5) Log in to Facebook

    Without step #4 the rest of it is not doing you any good.

    The same is true of new signups, where your browsing history (before you even had an account!) is correlated to the new account to help build a profile of your activity.
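Why the order of the five steps in the comment above matters can be seen in a toy model of the linkage it describes. This is an added example, not code from the thread and not Facebook's implementation: `WidgetOperator`, `runSequence` and the page names are hypothetical, logout is modelled as keeping the identifying cookie (as the article quote earlier in the thread says), and only cookie-based linking is modelled.

```javascript
// Toy model of a widget operator's server side. It keys everything on one
// cookie value; IP- or fingerprint-based linking is outside this model.
class WidgetOperator {
  constructor() {
    this.nextId = 1;
    this.visits = new Map();    // cookie id -> pages that embedded the widget
    this.accountOf = new Map(); // cookie id -> account seen logging in
  }
  issueId() { return `anon-${this.nextId++}`; }

  // A page embeds the widget: reuse the cookie sent, or set a fresh one.
  serveWidget(cookieId, page) {
    const id = cookieId || this.issueId();
    if (!this.visits.has(id)) this.visits.set(id, []);
    this.visits.get(id).push(page);
    return id; // value the browser stores
  }
  // Login ties whatever cookie the browser presents to the account.
  login(cookieId, account) {
    const id = cookieId || this.issueId();
    this.accountOf.set(id, account);
    return id;
  }
  // Logout changes session state but leaves the identifying cookie in place.
  logout(cookieId) { return cookieId; }

  pagesLinkedTo(account) {
    const pages = [];
    for (const [id, acct] of this.accountOf) {
      if (acct === account) pages.push(...(this.visits.get(id) || []));
    }
    return pages;
  }
}

// Run the comment's five steps; the two flags are steps 2 and 4.
function runSequence({ clearAfterLogout, clearBeforeLogin }) {
  const op = new WidgetOperator();
  const pages = ["shop.example/cart", "health.example/article"]; // constructed
  let cookie = op.login(null, "alice");                      // earlier session
  cookie = op.logout(cookie);                                // step 1
  if (clearAfterLogout) cookie = null;                       // step 2
  for (const p of pages) cookie = op.serveWidget(cookie, p); // step 3
  if (clearBeforeLogin) cookie = null;                       // step 4
  op.login(cookie, "alice");                                 // step 5
  return op.pagesLinkedTo("alice");
}

console.log("no clearing:    ", runSequence({}));
console.log("step 2 only:    ", runSequence({ clearAfterLogout: true }));
console.log("step 4 only:    ", runSequence({ clearBeforeLogin: true }));
console.log("steps 2 and 4:  ",
  runSequence({ clearAfterLogout: true, clearBeforeLogin: true }));
```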

  • by Khyber (864651) <techkitsune@gmail.com> on Monday September 26, 2011 @02:47AM (#37512954) Homepage Journal

    All of my friends have my phone number and e-mail. They've got data plans and smartphones. It's just that simple.

  • by Tom (822) on Monday September 26, 2011 @03:01AM (#37513006) Homepage Journal

    A German magazine has developed an answer to that about a month ago:

    http://www.heise.de/extras/socialshareprivacy/ [heise.de]

    Absolutely worth a read, and if you use a "like" button on your page and you're a geek, you should definitely use this.
