Facebook Tracks its Users...!
Recently, it was discovered that Facebook tracks its users. Here is posted a terrific analysis of how Facebook uses cookies to track users even after they have signed out of the service. Nik Cubrilovic's findings about Facebook cookie tracking raise yet more red flags about subscriber privacy.

We earlier talked about how Facebook's new API is unsettling because it allows applications to post status items to your Facebook timeline without the user's intervention. It is an extension of Facebook Instant, and they call it frictionless sharing. The privacy concern is that because you no longer have to explicitly opt in to share an item, you may accidentally share a page or an event that you did not intend others to see.
The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application; a number of cookies (including your account number) are still sent along with all requests to facebook.com.

Even if you are logged out, Facebook still knows and can track every page you visit.

The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.

Here is what is happening, as viewed by the HTTP headers on requests to facebook.com.
First, a normal request to the web interface as a logged-in user sends the following cookies:

[Image: request headers of a logged-in request; the values of each cookie have been fuzzed.]
The request to the logout function will then see this response from the server, which is attempting to unset the following cookies:

To make it easier to see the cookies being unset, the names are in italics. If you compare the cookies that have been set in a logged-in request with the cookies that are being unset in the log-out request, you will quickly see that there are a number of cookies that are not being deleted, that there are two cookies (locale and lu) that are only being given new expiry dates, and that three new cookies (W, fl, L) are being set.
Now I make a subsequent request to facebook.com as a 'logged out' user:

The primary cookies that identify me as a user are still there (act is my account number), even though I am looking at a logged-out page. Logged-out requests still send nine different cookies, including the most important cookies that identify you as a user.
This is not what 'logout' is supposed to mean. Facebook are only altering the state of the cookies instead of removing all of them when a user logs out.

With my browser logged out of Facebook, whenever I visit any page with a Facebook Like button, or Share button, or any other widget, the information, including my account ID, is still being sent to Facebook.

You can test this for yourself using any browser with developer tools installed. It is all hidden in plain sight.
Specifically, the datr and lu cookies are retained after logout and on subsequent requests, and the a_user cookie, which contains your userid, is only cleared once the session is restarted. Most importantly, connection state is retained through these HTTP connections. There is never a clean break between a logged-in session and a logged-out session.
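The comparison described above (which cookies a logged-in request sends, which ones the logout response actually clears, which ones only get a new expiry date, and which are newly set) can be done offline once the headers have been copied out of the browser's developer tools. The following script is an added example and is not code from the original post or from Facebook; the request header and the Set-Cookie lines are constructed samples whose cookie names follow the post (datr, lu, locale, act, a_user, W, fl, L) plus two made-up session cookies (sid, tok), and every value is a placeholder.

```python
"""Compare the Cookie header a browser sent while logged in against the
Set-Cookie headers in the logout response, and report which cookies survive.

Added illustration of the analysis in the post, not code from the original.
Inputs below are constructed samples: sid and tok are made-up session cookie
names, and all values are placeholders.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed reference time used to decide whether an expiry date is in the past.
REFERENCE_TIME = datetime(2011, 9, 25, tzinfo=timezone.utc)

# Constructed Cookie request header, as it would be copied from a logged-in
# request in the browser's developer tools (network panel, request headers).
LOGGED_IN_COOKIE_HEADER = (
    "datr=EXAMPLEdatr; lu=EXAMPLElu; locale=en_US; act=1316000000%2F1; "
    "a_user=123456789; sid=EXAMPLEsid; tok=EXAMPLEtok"
)

# Constructed Set-Cookie response headers from the logout request.
LOGOUT_SET_COOKIE = [
    "sid=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.facebook.com",
    "tok=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.facebook.com",
    "locale=en_US; expires=Sun, 02 Oct 2011 00:00:00 GMT; path=/; domain=.facebook.com",
    "lu=EXAMPLElu; expires=Tue, 24 Sep 2013 00:00:00 GMT; path=/; domain=.facebook.com",
    "W=EXAMPLEW; expires=Tue, 24 Sep 2013 00:00:00 GMT; path=/; domain=.facebook.com",
    "fl=1; path=/; domain=.facebook.com",
    "L=2; expires=Tue, 24 Sep 2013 00:00:00 GMT; path=/; domain=.facebook.com",
]


def parse_cookie_header(header):
    """Split a Cookie request header into a {name: value} dict."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            cookies[name.strip()] = value.strip()
    return cookies


def parse_set_cookie(line):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    first, *attrs = [p.strip() for p in line.split(";")]
    name, _, value = first.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return name.strip(), value, attributes


def is_clearing(attributes, now):
    """True if the Set-Cookie attributes tell the browser to drop the cookie:
    Max-Age <= 0, or an Expires date at or before `now`."""
    if "max-age" in attributes:
        try:
            return int(attributes["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attributes:
        try:
            expiry = parsedate_to_datetime(attributes["expires"])
        except (TypeError, ValueError):
            return False
        if expiry is None:
            return False
        if expiry.tzinfo is None:  # "-0000" dates come back naive
            expiry = expiry.replace(tzinfo=timezone.utc)
        return expiry <= now
    return False  # no expiry attribute: a session cookie is being set, not cleared


def diff_logout(logged_in_cookie_header, logout_set_cookie_lines, now=None):
    """Classify every cookie touched by logout and list what is still sent."""
    now = now or datetime.now(timezone.utc)
    before = parse_cookie_header(logged_in_cookie_header)
    cleared, re_expired, new = set(), set(), set()
    for line in logout_set_cookie_lines:
        name, _, attrs = parse_set_cookie(line)
        if is_clearing(attrs, now):
            cleared.add(name)
        elif name in before:
            re_expired.add(name)  # existing cookie, only given a new expiry
        else:
            new.add(name)
    untouched = set(before) - cleared - re_expired
    return {
        "cleared": sorted(cleared),
        "re_expired": sorted(re_expired),
        "new": sorted(new),
        "still_sent": sorted(untouched | re_expired),
    }


if __name__ == "__main__":
    report = diff_logout(LOGGED_IN_COOKIE_HEADER, LOGOUT_SET_COOKIE, REFERENCE_TIME)
    for category, names in report.items():
        print(f"{category:>11}: {', '.join(names) or '(none)'}")
```

To repeat the check against a real session, copy the Cookie request header from a logged-in request and the Set-Cookie headers from the logout response out of the browser's network panel and feed them to `diff_logout`; anything listed under `still_sent` is what the browser will keep attaching to requests for Like buttons and other widgets until the cookies are deleted by hand.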
There are serious implications if you are using Facebook from a public terminal. If you log in on a public terminal and then hit 'logout', you are still leaving behind fingerprints of having been logged in. As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser. Associating an account ID with a real name is easy, as the same ID is used to identify your profile.

Facebook knows every account that has accessed Facebook from every browser and is using that information to suggest friends to you. The strength of the 'same machine' value in the algorithm that works out friends to suggest may be low, but it still happens. This is also easy to test and verify.

Facebook are front-and-center in the new privacy debate just as Microsoft were with security issues a decade ago. The question is what it will take for Facebook to address privacy issues and to give their users the tools required to manage their privacy and to implement clear policies, not pages and pages of confusing legal documentation, and 'logout' not really meaning 'logout'.