Facebook Cookies Track Users Even After Logging Out
First time accepted submitter Core Condor writes "According to Australian technologist Nik Cubrilovic: 'Logging out of Facebook is not enough.' He added, Even after you are logged out, Facebook is able to track your browser's page every time you visit a website. He wrote in his blog: 'With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook.' After explaining the cookies behavior he also suggested a way to fix the tracking problem: 'The only solution to Facebook not knowing who you are is to delete all Facebook cookies.'"
My sure fire plan (Score:4, Insightful)
Don't use Facebook
Re:My sure fire plan (Score:5, Funny)
Re: (Score:2, Insightful)
normal email, im(google, msn, aim.), irc, mobile texting, phones, and the ever useful face to face. :P
Re: (Score:2)
There are some claiming the imminent demise of SMS, and that email is already dead. The argument is that sending SMS costs money and sends your message through a third party but somehow misses the point that Facebook/Google +/etc. cost money in data charges, send your message through several third parties, cost in loss of privacy, and ultimately line the pockets of the same telcos.
Hack : Wednesday 21 September
Could SMSing be dead within 5 years? The public launch of Google + draws the attention of some social media analysts who say texting and email are dead men walking. Also, we take a look at what the high profile Afghan assassination means for the war... and an Adelaide gaming bar runs into licensing dramas and not just because of its name: Pimp Pad.
download mp3: 12 MB [abc.net.au]
Re: (Score:3)
While the parent should have been modded Funny rather than insightful, your post actually completely misses how the various technologies work in social interaction.
Facebook does not replace Mobile Texting, Phones, or Face to Face.
Most people, despite what the Slashdot crowd may think, do not use IRC.
Usage of Google MSN AIM ICQ etc has seen a steady downward trend across age groups typically replaced by chat functions in Facebook and the proliferation of free txt messaging and smartphones which treat a txt mes
Re: (Score:3)
> the ever useful face to face
What app is that? Never heard of this protocol, F2F.
It's like P2P, but I'm better than my friends.
Re:My sure fire plan (Score:4, Funny)
But but but we need Facebook. How else are we supposed to communicate with our friends?
Sadly, while this was meant in jest, there is at least one person we know that fits this description. Leave voicemail or send email all you want, and it goes into a black hole. Send her a message on Facebook? Two hour turnaround!
Mind-boggling...
I'd respond to that but I can't find the "Like" button.
Re:My sure fire plan (Score:4, Informative)
There actually is no better way for me to communicate with some groups of friends than Facebook. In a group, some people rely on txts, some on email, some on FB itself. The group can collaborate, share links and between themselves easily, and easily communicate, even if they're not friends with each other.
Of course there are other ways to do this, and in a business environment most people will all have some software to do this (likely at a price). But if I'm throwing a birthday party or getting my family together, there is no better tool than Facebook.
Re: (Score:2)
I've just trained my friends to email me if they want me to know about something they've posted on FB, since I don't have an account. Otherwise, it's their fault for not telling me. Only time this didn't work was when a friend's fiance decided that putting the wedding travel/hotel/directions details only on FB was the best way to let everyone know. But then I just found out from everyone else.
I get grumbles. Even the occasional threat to make a page for me without telling me. But they know better.
I
Re:My sure fire plan (Score:4, Insightful)
...Aside from the fact that as this story proves, they gather *other* information as well!
Personally, my plan is as follows:
1. No FB account. Period.
2. RefControl set to fake referrers for 3rd party sites, which means that any FB image buttons that load won't send back the URL of the page I'm visiting (instead it'll send back the root of the site, xyz.facebook.com).
3. NoScript set to block 3rd party scripts by default, which blocks FB *scripts* from running.
And I *should* be deleting any FB cookies as well... but even if not, *all* they have is a list of the times a FB image has been loaded and my IP.
Re: (Score:2)
Honestly, why not have an account? FB doesn't know anything about you that you don't tell it. As a social protest, all it seems to accomplish is annoying your friends and family.
You don't have to "submit to the beast" - just use it for what's convenient.
That's what I thought when I bought an Apple Mini-DVI to DVI connector as a gift.
------------
Sent from my iPhone
Re: (Score:2)
I signed up for the express purpose of untagging myself from all photos that include me. I've found, not even using the most strict privacy options, I've been able to limit the exposure of my privacy fine. Marketing companies can still deduce my friendship groups, where I work, my rough age, and where I went to school but all of that was public knowledge once FB became popular regardless of my participation.
In exchange for this it's facilitated my ability to keep up with friends across two continents.
Rega
Re: (Score:3)
Indeed, that's the other big issue here - if you totally remove yourself from the internet (from Facebook and similar places), then someone else is in charge of what shows up online about you (unless you've got a great blog presence somewhere).
It's fine to pretend no one knows your name online, but it takes just one person somewhere to say you're a child molester or shitty employee for that to be the top result for a google search of your name.
Re:My sure fire plan (Score:5, Insightful)
> As a social protest, all it seems to accomplish is annoying your friends and family
Which, as antisocial as it sounds, I would say is a good thing. The last thing we need is for people to simply assume that everyone has a Facebook account, and since that is what a lot of people assume now, they need to be annoyed and reminded that not everyone is on Facebook. Why should someone like Mark Zuckerberg be able to exert so much control over how people communicate?
> You don't have to "submit to the beast" - just use it for what's convenient.
Any communication on Facebook is submitting to the beast.
Re: (Score:2)
Re: (Score:2)
It's like ten thousand spoons, when all you need is a knife....
Sorry, all of those "likes" in your post got that stupid song stuck in my head. Your post has more likes than facebook...
Ditto (Score:3)
Don't use Facebook with prejudice.
Avoid it like you would the black plague.
Purge it from your mind... face-wut?
It can only make you stupid.
Re: (Score:2)
Are you sure that works?
What's stopping any Facebook widget site from placing a cookie on your machine and tracking you? Sure they may not know who you are, but they can still collect all the same data. I don't know if they do this, but the whole Facebook network scares me.
Re: (Score:2)
Re: (Score:2)
That doesn't really help. They will still track you, they just won't be able to link that data to your user profile. It is valuable even without a user profile. Say they notice that you visit a lot of "gadgets" sites. They can sell you to Microsoft (who buys FB data) and Microsoft will know you're interested in gadgets, so they'll show you more gadget ads.
The only solution is block them through your hosts file, like I did, or at least block their cookies. That way your browser won't load their cookies and y
Re: (Score:2)
Don't use facebook
That is only half the battle...
Even deleting and/or blocking cookies does not work. A few months ago, it was reported that facebook tracks you based on ip address.
Anytime you request an image from facebook, you are being tracked, including "like" buttons.
I use DD-WRT and its access restrictions to block facebook.com at my router. Don't forget to block fcbkcdn.net as well.
If you can not block access from your router, you can add facebook.com to your hosts files to redirect facebook to ip 127.0.0.1.
I thought so... (Score:5, Interesting)
Re: (Score:2)
WOOOWOOO!
Re:I thought so... (Score:5, Insightful)
You better adjust your attitude, Mr Man. Those are the Job Creators you're talking about and you better start showing a little gratitude by letting them track your movements and have sex with your wife whenever they want.
Letting corporations fuck your privacy is the 2011 version of droit du seigneur.
Re: (Score:3)
Re: (Score:2)
Perhaps you should see what your ISP is doing.
Re: (Score:2)
Re: (Score:2)
Yeah, that came out wrong.
What I *meant* to write is that if you stay logged in, you should expect the plugin to recognize you, but don't be surprised if it does anyway based on your cookie.
It is even worse than that (Score:3)
Re:It is even worse than that (Score:4, Insightful)
yea I know how HTML works (Score:2)
!news (Score:2)
Thanks for this Slashdot! (Score:2)
Just Drop Them On Logout (Score:3)
Re: (Score:2)
You can configure firefox privacy options to drop most cookies when you log out. I trust a few sites to persist cookies in my browser, everyone else my browser accepts cookies from and quietly drops them on the floor when I exit. I don't know that it helps all that much but it's not that much effort to make it harder to snoop around at what I'm browsing.
Your solution fails when dealing with Flash cookies, as those can't be removed via the browser, only through the Adobe Flash interface. This also explains why Facebook is so interested in Disqus and IntenseDebate market... they want to profile everyone all the time.
Re: (Score:2)
Re: (Score:2)
people have been deleting their saves for Flash games and getting irritated at authors of said games for not being able to work around it.
Once the player turns 13 (COPPA age), the player can create an account on the game's server to save the player's progress there.
Ghostery (Score:2, Informative)
http://www.ghostery.com/ [ghostery.com]
For everyone's reference, it's currently blocking facebook connect here on slashdot.
Re: (Score:3)
Why does Ghostery's home page have a "Friend me on Facebook" link?
Re:Ghostery (Score:5, Insightful)
Because it's about privacy, not against social media? You decide what level of privacy you want, and then can safely use Facebook (or whatever)? Facebook privacy concerns are not connected with the usefulness of the site.
We should know this (Score:2)
And like the previous time Ghostery is the preferred plug in to suppress it.
The only winning move is not to play (Score:3, Insightful)
Facebook is a website I refuse to have any relationship with. I do not have an account, nor will I EVER have an account. Their management is easily the most evil and anti-customer in the industry, constantly taking actions against their users' best interest.
This should surprise no one. I block their cookies in my browser and never intentionally go there.
I keep trying to tell the lemmings I know who pour their intimate personal information into Facebook that it is foolish to do so. The website's name should be "InfectMyPCWithAVirus.COM", or "StealMyIdentity.COM".
Zuckerberg better sell the damn thing before the inevitable class action lawsuit consumes the millions he's made off exploiting his customers. Of course, I hope he doesn't, he is one asshole I would very much love to see bankrupted and forced to get an honest job somewhere. I bet he ends up at Sony, developing rootkits...
Re: (Score:2)
Re: (Score:2)
Tom from MySpace has a Facebook account.
http://www.facebook.com/myspacetom [facebook.com]
Re: (Score:2, Insightful)
LOL. Moderated down by a Facebook lemming in denial no doubt. Go get your personal identity stolen. Go get your computer infected by a virus. The only thing Zuckerberg cares about is making as much money as he can off your information. Which is why he doesn't give a damn about security or keeping viruses off their web pages.
Re: (Score:2, Insightful)
Not anti-customer at *all*. You are NOT their customer.
You just lost the game (Score:4, Informative)
On the contrary, I view FB as a venue to advertise myself, my thoughts, and my interests to the world around me. I want to create influence, and if I don't want something to be known to FB I (wait for your mind to be blown...) simply don't post it. Amazing!
Oh, and that myth about lemmings committing mass suicide by jumping off of cliffs? That's complete nonsense fabricated for a nature film created by (wait for your mind to be blown a second time...) DISNEY! That's right, you've been successfully misled by MouseCorp/ABC.
You just got chumped, chump.
Re: (Score:3)
This. This is it. The ultimate Slashdot post. If Slashdot was a person, this would be the beating heart.
Re: (Score:2)
if i could mod you up i would. YOU are not the customer to Facebook. YOU are what Facebook sells to advertisers. From everything you put into your page to who you friend etc.
Confused... (Score:2)
So... facebook.com sets a cookie...
Site B has Facebook Like button - which presumably is sourced from facebook.com
And you're surprised that they don't check your cookies when sending the icon???
Where's the story?
Re: (Score:2)
Re: (Score:2)
Actually, yes they do. It's called "not accepting the cookie". Just because they've got their browser set to automatically accept every cookie ever sent to them doesn't mean they have no possible way to opt-out.
Opera can stop this (sort of) (Score:2)
Oh God (Score:2, Funny)
I don't want anyone to know I read slashdot
the crux, I think (Score:5, Insightful)
From TFA:
I don't have direct experience in this area so I'm wondering, why exactly is logout supposed to mean deleting cookies instead of just noting in them that the user is logged out?
And you're surprised? (Score:2)
I don't see why anyone is surprised about this behaviour when it's actually how the damn doubleclick and such manage to track people across the web. All of those damn Facebook Like/Add This buttons are simply doing what they're supposed to do. Call the Mothership so why are you surprised?
The only way to prevent this is to block the damn button scripts along with their fbcdn connections.
Re: (Score:2)
Because in a lot of places outside of the US doing this is illegal. As in a federal crime illegal, with jail time and very steep fines.
Ok, this is my fix, for what it's worth. (Score:2)
Notice (Score:5, Funny)
Notice how goatse doesn't have a FB "like" button? I think goatse needs a "like" button. C'mon, everybody, why don't we setup a shitload of goatse mirrors with "like" buttons? There's more than one way to poison a DB.....
Very old news (Score:2)
I am sure I read about this (exactly as described in the summary) two years ago. The infamous Facebook cookies that track you even after you log out - yes, people have been taking this crap all this time. Maybe now it'll get a bit more air due to the existence of a legitimate contender (G+)?
Re: (Score:2)
> I am sure I read about this (exactly as described in the summary) two years ago. The infamous Facebook cookies that track you even after you log out - yes, people have been taking this crap all this time. Maybe now it'll get a bit more air due to the existence of a legitimate contender (G+)?
I've got to ask - why on earth would you assume Google isn't doing exactly the same thing?
Nothing new.... (Score:2)
This has been known since the Like button first appeared. Quit FB, or learn to use NoScript.
One more solution (Score:2)
Ahem isn't that known for a long time? (Score:2)
Well. I disabled facebook in noscript, just in case they miss it somehow that I have no account there.
Privoxy can help this. (Score:2)
Don't recall where I found this, but add this to user.action:
# Facebook
# This is used for blocking Facebook Open Graph stuff, where third party
# sites include resources from Facebook.
#See if the referrer is even set. .facebook.com
{+client-header-tagger{referrer-set-facebook}}
#If a referrer was set, block cookies.
{+block{Facebook Open Graph blocked.} +crunch-outgoing-cookies}
TAG:^referrer-set-facebook:
#Except if it was referred by facebook, make sure we allow the cookies.
{-block allow-all-cookies}
TAG:^referr
Re: (Score:2)
https://bmearns.net/wwk/view/Privoxy [bmearns.net]
Why use a social networking site if... (Score:3)
Cookies tracking? (Score:2)
This is common knowledge for damn near everybody on Slashdot, but for those who don't know:
It's not the browser cookie that is tracking the browser activities, it is the Facebook included javascript that recognizes the fb cookie and reports that this particular browser has visited this website/page. The cookie is only data on the user's machine and that is used to log where that browser has gone to. That's why these social sites (and porn sites, etc.) are so insidious. You may think that no longer visit
Block Facebook Cookies (Score:2)
FFS it's not that hard (Score:5, Informative)
The end. No tracking, "evercookies" etc. Even blocks google tracking via google-analytics.
Re: (Score:2)
I'd mod this up if I had mod points right now. I was going to post exactly the same thing.
Not news. (Score:5, Informative)
Tracking cookies track. This is not news, this is anticipated and expected behavior. This has been the status quo for over a decade.
Cookies have a security feature in that they are accessible only to the websites that placed them, but advertising sites have been using tracking cookies for as long as cookies have existed, and getting around that security by placing a "bug" on third-party sites. They used to (and probably still do) implement this as a 1x1 "spacer" image the same color as the background, or simply by having an ad on the page you are viewing. When your browser requests the image/flash/javascript/whatever, the site it comes from is suddenly allowed to access their cookie.
The solution has also not changed; either don't allow cookies, or delete them constantly. Anti-scripting addons are also helpful, as are black (or whitelists) of websites to disallow (or allow) access to your system. Modifying hosts files has been a semi-successful method, as well, in that requests sent to specific named addresses can be redirected to localhost (and therefore "blocked").
I personally use NoScript and AdBlockPlus for precisely this reason (and to speed up my page loads), and I can't fathom why this information could be conceived to be news to any user with any amount of technical knowledge and a modicum of interest in their own privacy.
Re: (Score:2)
> 1x1 "spacer" image the same color as the background
GIF has a transparent color value, easing this issue for the nefariously inclined.
Re: (Score:2)
Always thought this was a given. (Score:2)
I have always assumed that both, Facebook and Google have always done everything they can to track and identify me even if I am not logged in to any of their services.
If there is a "Like" button, I assume its too late, Facebook tracked my visit. And if the site uses Google Analytics (and it seems everyone in the world does) I also assume Google tracked me and as soon as I log in they will tie up all collected data to my Google account, if they have not already tied the data to the last used account in in th
Fix This With Add-Ons (Score:3)
This and many other privacy issues can and should be fixed by use of proper Firefox add-ons. Sure we can decry the practice and wish that in an ideal world corporations would not do such things, but that's a waste of time. Use things like Adblock Plus, Ghostery, Beef Taco, NoScript, and Better Privacy.
I don't even see those Facebook buttons. Since in practice nobody will manually mess with their cookies each time they log out of a site, and may even want to visit other sites while still logged in, this is the only realistic solution.
My sure fire plan (Score:3)
This is probably much more common than just... (Score:5, Insightful)
...Facebook.
There is a lot of data that's exceptionally valuable for marketing, which companies can only get if they do tracking way beyond visits to their own web pages. That added value is perceived by advertising execs as literally enormous, so it should be assumed anyone who can implement this thinks they have a strong incentive. It's like, how common would bank robbery be if the penalty was 10 days in jail and the potential reward was a million dollars?
To see how, let's take an example. A company may pay a few cents per for a list of valid e-mail addresses. Now, link one of those addresses to the information that the possessor of that address definitely orders things on-line, and it's a little more valuable. Add that the things ordered on-line include prescription drugs, and it's worth more. Now how much is it worth linked to the information that the person is not yet ordering any antidepressants, but has just spent several hours searching several terms relating to depression? A list of e-mail addresses that fit those criteria is generally estimated to be worth about $ 250 US per entry by the pharmaceutical firms. With the right combinations of information sources, essentially a matter of asking the right questions, this sort of data is at least perceived to be the holy grail of targeted advertising. Personally, I assume that any for-profit that isn't looking for this sort of data is only avoiding it because they doubt the American Advertising Council's estimates of how much business it can drive, and not because they have a moral objection. Yeah, maybe some of them are genuinely being ethical, but I recognize that the sheer scope of the temptation is bound to make many of them cross the line, and it's time to be a little paranoid about privacy.
Don't get a false sense of privacy here... (Score:3)
Wiping your cookies, adblock, flashblock, etc - it's all worthless.
Even if you remove all cookies, the iframe that is the 'like' button will set a new cookie. Facebook tracks these new 'anonymous' cookies centrally, and then when you DO login to your actual account, they can read this cookie and marry up your previous behavioral habits and sites you visited. The advice here leads people to believe you can fight this simply by erasing cookies. The only way to really make that effective is:
1) Log out of Facebook
2) Remove all Facebook cookies
3) Browse around to other sites
4) Clear all Facebook cookies AGAIN
5) Log in to Facebook
Without step #4 the rest of it is not doing you any good.
The same is true of new signups, where your browsing history (before you even had an account!) is correlated to the new account to help build a profile of your activity.
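The five steps above, modelled as an added example that is not part of the original comment and is not Facebook's code. The toy tracker follows the commenter's description only: a widget request with no cookie gets a fresh one, and a login links whatever cookie the browser presents to the account. All class, function and page names are hypothetical.

```javascript
// Toy model of the behaviour the comment describes (assumed, not observed).
class Tracker {
  constructor() {
    this.nextId = 1;
    this.visits = new Map(); // cookie id -> pages where the widget was loaded
    this.owner = new Map();  // cookie id -> account linked at login
  }
  issue(cookie) {
    const id = cookie || `anon-${this.nextId++}`; // no cookie: set a new one
    if (!this.visits.has(id)) this.visits.set(id, []);
    return id;
  }
  // Widget (like button) request embedded in a third-party page.
  widget(cookie, referer) {
    const id = this.issue(cookie);
    this.visits.get(id).push(referer);
    return id; // value the browser stores as its cookie
  }
  // Login request: the cookie that arrives is linked to the account.
  login(cookie, account) {
    const id = this.issue(cookie);
    this.owner.set(id, account);
    return id;
  }
  // Every page the tracker can attribute to an account.
  historyFor(account) {
    const pages = [];
    for (const [id, who] of this.owner) {
      if (who === account) pages.push(...this.visits.get(id));
    }
    return pages;
  }
}

class Browser {
  constructor(tracker) { this.tracker = tracker; this.cookie = null; }
  visit(page) { this.cookie = this.tracker.widget(this.cookie, page); }
  login(account) { this.cookie = this.tracker.login(this.cookie, account); }
  logout() { /* session ends, the identifying cookie stays (per the summary) */ }
  clearCookies() { this.cookie = null; }
}

// Runs the commenter's procedure; clearBeforeLogin toggles step 4.
function runProcedure(clearBeforeLogin) {
  const tracker = new Tracker();
  const b = new Browser(tracker);
  b.login('alice');                       // an earlier logged-in session
  b.logout();                             // step 1
  b.clearCookies();                       // step 2
  b.visit('news.example/article');        // step 3 (constructed page names)
  b.visit('shop.example/cart');
  if (clearBeforeLogin) b.clearCookies(); // step 4
  b.login('alice');                       // step 5
  return tracker.historyFor('alice');
}

// Baseline from the story summary: log out, clear nothing, keep browsing.
function runLogoutOnly() {
  const tracker = new Tracker();
  const b = new Browser(tracker);
  b.login('alice');
  b.logout();
  b.visit('news.example/article');
  return tracker.historyFor('alice');
}

console.log('without step 4:', runProcedure(false));
console.log('with step 4:   ', runProcedure(true));
console.log('logout only:   ', runLogoutOnly());
```

In this model the pages visited in step 3 are recorded either way; step 4 only decides whether the record can be joined to the account at the next login.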
No bother for me! (Score:3)
All of my friends have my phone number and e-mail. They've got data plans and smartphones. It's just that simple.
answer (Score:3)
A German magazine has developed an answer to that about a month ago:
http://www.heise.de/extras/socialshareprivacy/ [heise.de]
Absolutely worth a read, and if you use a "like" button on your page and you're a geek, you should definitely use this.
Re: (Score:2)
Got tired of slow loading Facebook apps on unrelated web pages, so I added a rule to Adblock for Facebook:
*facebook*
Since then, no problems.
haha, you still have problem (Score:3)
don't forget fbcdn.net and fb.com, maybe others
Re: (Score:2)
You'd be better blocking: ^facebook.com$
Faster, and does the job just as well.
Re: (Score:2)
How is this news anyway? FB have been doing it since the facebook social plugins took over, more than a year.
How hard is it to set up a Firefox session exclusive for the use of this social media stuff? Really? It's faster and more convenient than stacking layers and layers of blockers in the way of your everyday browsing. Or use different browsers for each task. Suckerberg sure is amused by the time and effort some people put into staying away from Facebook tracking WHILE having a Facebook account.
Protip: The more
Re: (Score:3)
>How hard is to set up a Firefox session exclusive for the use of this social media stuff?
I don't know, but that is a great idea: to have a list of sites that you always want to be used in private mode. This calls for not completely separating private mode from normal mode (w/Firefox, it closes all other normal Windows until you stop private mode).
I imagine this functionality like how IE works. A small icon will tell you if the tab is in "private mode" (or sandboxed), and you can create rules to match th
Re: (Score:2)
> I imagine this functionality like how IE works.
Sorry, I meant "IE Tab" of course.
Re: (Score:2)
Chrome. CTRL+SHIFT+N:
You've gone incognito. Pages you view in this window won't appear in your browser history or search history, and they won't leave other traces, like cookies, on your computer after you close the incognito window. Any files you download or bookmarks you create will be preserved, however.
Because Chromium does not control how extensions handle your personal data, all extensions have been disabled for incognito windows. You can reenable them individually in the extensions manager.
Re: (Score:2)
> Chrome. CTRL+SHIFT+N:
> You've gone incognito. Pages you view in this window won't appear in your browser history or search history, and they won't leave other traces, like cookies, on your computer after you close the incognito window.
I'm not a Chrome user so this may be hooey: Issue 94206: Incognito "remembers" Flash Cookies when Flash is open in default profile http://code.google.com/p/chromium/issues/detail?id=94206 [google.com]
Re: (Score:2)
Re: (Score:2)
I don't have much sympathy for FB users when it comes to privacy. However, I do have a great deal of sympathy for folks like myself that have to go out of our way not to be tracked by FB, even though we don't have an account. If we wanted to be tracked or consented, we'd probably create an account.
Re: (Score:2)
Re: (Score:2)
I don't know if FB actually does this, but they could simply get the referrer and your user ID from an HTTP cookie using an image loaded from their websites. NoScript wouldn't stop that.
Re: (Score:2)
Privoxy can. And it's browser agnostic.
Re: (Score:2)
Even /etc/hosts can. NoScript just wasn't designed for that.
Re: (Score:2)
hosts wouldn't really work either, would it? If you add any facebook domains to it, you're going to break Facebook when you go to the actual site. Privoxy can detect any referrals to Facebook when you're on a non-Facebook domain, block it and block cookie info from being sent. If it detects you're actually visiting Facebook, it doesn't. That doesn't seem like something hosts can do.
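The difference this comment draws between a hosts entry and a referrer-aware proxy rule, as an added example that is not part of the original thread and is not Privoxy's code. The domain list comes from names mentioned in this discussion; the function names and sample URLs are hypothetical, and the rule follows the comments in the user.action snippet posted above (no referrer set: allow; referrer from another site: block; referrer from Facebook: allow).

```javascript
// Domains named in this thread.
const FB_DOMAINS = ['facebook.com', 'fbcdn.net', 'fb.com'];

// A hosts file maps exact host names only; it has no wildcards and no
// knowledge of which page triggered the lookup. Entries here are assumed.
const HOSTS_ENTRIES = new Set(['facebook.com', 'fbcdn.net', 'fb.com']);

function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null; // missing or malformed URL
  }
}

// Suffix match on a label boundary, so "notfacebook.com" does not match
// but "www.facebook.com" and "static.fbcdn.net" do.
function isFacebookHost(host) {
  if (!host) return false;
  return FB_DOMAINS.some((d) => host === d || host.endsWith('.' + d));
}

// hosts-file model: the decision depends on the requested name alone.
function hostsDecision(requestUrl) {
  return HOSTS_ENTRIES.has(hostOf(requestUrl)) ? 'block' : 'allow';
}

// Proxy model: the decision also depends on the Referer header.
function proxyDecision(requestUrl, referer) {
  if (!isFacebookHost(hostOf(requestUrl))) return 'allow';
  const refHost = hostOf(referer);
  if (refHost === null) return 'allow';            // typed URL or bookmark
  return isFacebookHost(refHost) ? 'allow' : 'block';
}

// Constructed sample requests: [requested URL, Referer or null].
const SAMPLES = [
  ['https://www.facebook.com/widget', 'https://news.example/story'],
  ['https://www.facebook.com/home', 'https://www.facebook.com/'],
  ['https://www.facebook.com/', null],
  ['https://facebook.com/', null],
  ['https://static.fbcdn.net/button.png', 'https://news.example/story'],
];

function compare() {
  return SAMPLES.map(([url, ref]) => ({
    url,
    referer: ref,
    hosts: hostsDecision(url),
    proxy: proxyDecision(url, ref),
  }));
}

console.table(compare());
```

The hosts model both over-blocks (a direct visit to a listed name fails) and under-blocks (any subdomain that is not listed resolves normally), which is why the entry list has to enumerate every host name in use.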
Re: (Score:2)
Oh sure. I didn't consider waiting to go to the actual site ;)
Re: (Score:2)
It isn't OS agnostic though, it doesn't run on OS X, and hasn't for a couple of years.
Third-Party cookies (Score:2)
Yeah, blocking third-party cookies is a good thing to do. The third-party can still see your IP address every time you visit a page that embeds their content, but it at least provides a thin layer of anonymity on the web. Furthermore, it is far less painful than using no-script. The only thing that I have noticed break is that embedded Vimeo videos won't play with third-party cookies disabled and you have to right-click and view them on Vimeo instead (or white-list them).
Re: (Score:2)
But test your browser to make sure the setting is actually honored. One closed-source browser, configured to reject third-party and advertising cookies, keeps downloading a cookie from doubleclick.net.