Facebook respond to tracking cookie accusations

I wrote in January about the faculty Facebook may possess for tracking your browsing history. I made brief mention of the fact that logging out of Facebook may not prevent further tracking. It’s this last point that caused a stir this week as Nik Cubrilovic’s post got picked up by the press.

His follow-up post describes Facebook’s response, but the ‘tracking’ cookie to which I was referring has not been removed. According to Nik’s post, Facebook admit this will remain after logout to track the browser, but for ‘safety and spam purposes’.

According to this WSJ article, ‘not all of the data is logged’. That’s good.

The bottom line for me is that Facebook are so powerful that they need to be as answerable to their populace as a government. That means a certain level of transparency and being clear about their intentions. If they go back on their word, who holds them accountable? Are our laws even adequate? Should Facebook be audited, or should we just trust them?

I don’t expect I’d be too happy about having my servers audited, but I’m not Facebook. When nearly half a billion people log into your site each day to give you their data, you have a serious amount of responsibility on your shoulders.

Appendix

As it happens, I couldn’t replicate Nik’s findings. He found that the user ID cookie was not deleted at log out and continued to be sent to Facebook. I can’t explain that; but regardless, my issue was with an anonymous tracking cookie that remains today.

Here’s a quick technical explanation of how this tracking would be possible.

The cookie I refer to is an anonymous identifier named datr. It is set when you visit facebook.com, whether or not you log in. Once you do log in, its value does not change. Crucially, when you log out the value does not change either. This means that subsequent Like button impressions could be associated with your account even though your user ID is no longer sent along with them. If the full dataset were stored, it would be trivial to associate this anonymous browsing data with your account.
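To make the mechanism concrete, here is an added example (not code from the original post or from Facebook) that audits cookie jar snapshots for identifiers that survive logout, then shows which logged-out impressions such an identifier would tie back to an account. The cookie name `uid`, the cookie values and the page URLs are constructed assumptions; only `datr` comes from the text above.

```javascript
// Added example: constructed data, not Facebook's code or logs.
// "datr" is the cookie named in the post; "uid" is a hypothetical stand-in
// for the user ID cookie, and all values and URLs below are made up.

// Cookie jar snapshots taken at three points in one browser session.
const snapshots = {
  beforeLogin: { datr: "a1b2c3" },
  loggedIn:    { datr: "a1b2c3", uid: "1001" },
  afterLogout: { datr: "a1b2c3" },
};

// Names of cookies that are present with the same value in every snapshot,
// i.e. identifiers that logging in and out neither rotates nor clears.
function cookiesSurvivingLogout(snaps) {
  const phases = Object.values(snaps);
  return Object.keys(phases[0]).filter((name) =>
    phases.every((jar) => jar[name] !== undefined && jar[name] === phases[0][name])
  );
}

// Constructed Like button impressions as the receiving server would see them.
const impressions = [
  { page: "https://news.example/story", cookies: { datr: "a1b2c3", uid: "1001" } },
  { page: "https://shop.example/item",  cookies: { datr: "a1b2c3" } },
  { page: "https://blog.example/post",  cookies: { datr: "zzz999" } },
];

// For each impression sent without a user ID, report whether the stable
// cookie alone ties it to an account seen anywhere in the log with that value.
function linkableImpressions(log, stableName, idName) {
  const seen = new Map(); // stable cookie value -> user ID
  for (const { cookies } of log) {
    if (cookies[idName] && cookies[stableName]) {
      seen.set(cookies[stableName], cookies[idName]);
    }
  }
  return log
    .filter(({ cookies }) => !cookies[idName])
    .map(({ page, cookies }) => ({ page, account: seen.get(cookies[stableName]) ?? null }));
}

console.log(cookiesSurvivingLogout(snapshots));
console.log(linkableImpressions(impressions, "datr", "uid"));
```

A logout that rotated or cleared the identifier would leave the first function returning an empty list and every logged-out impression unattributed.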