Search Icon

Facebook criticised for 'tracking' logged-out users

Facebook faces criticism over the way it continues to store and access information about users who have logged out of their account.

Facebook founder Mark Zuckerberg on stage at f8.
Facebook founder Mark Zuckerberg on stage at f8.

The controversy was sparked by Nik Cubrilovic, an Australian technology entrepreneur, who found that even after he logged out of the social network, it delivered “cookies” to his web browser that could be used to track visits to other websites.

Cookies are small text files used by websites to store user preferences and the contents of online shopping carts, among other functions.

When users log out of websites cookies are often deleted, but Mr Cubrilovic found that Facebook only altered them, while continuing to store data such as his account ID.This unique identifier could be used to track logged-out users when they visit other websites that have integrated Facebook functions, such as the “Like” button, he said.

“Logging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests to facebook.com,” Mr Cubrilovic said in a widely-shared blog posting.

“The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.

"There is never a clean break between a logged in session and a logged out session."

In response, Gregg Stefancik, a Facebook engineer, denied the cookies were designed to track logged-out users.

“Our cookies aren’t used for tracking. They just aren’t,” he wrote.

“Instead, we use our cookies to either provide custom content (e.g. your friend’s likes within a social plugin), help improve or maintain our service (e.g. measuring click-through rates to help optimize performance), or protect our users and our service (e.g. defending denial of service attacks or requiring a second authentication factor for a login from a suspicious location).”

He also emphasised that Facebook does not share or sell the information it gathers about users, and said that the information the cookies report to Facebook when a logged-out user visits a third party site is not “personally identifiable”.

But the explanation failed to placate Mr Cubrilovic, who also joined in criticism of Facebook’s new “frictionless sharing” features, announced last week, which shares details of what users are watching or reading automatically.

“The privacy concern here is that because you no longer have to explicitly opt-in to share an item, you may accidentally share a page or an event that you did not intend others to see,” he said.