**SEE UPDATE AT BOTTOM OF POST**
Is Facebook tracking which websites users visit even after they've logged out of the service?
According to hacker and blogger Nik Cubrilovic: Yeah, it is. In a post to his personal blog, Cubrilovic writes that "[e]ven if you are logged out, Facebook still knows and can track every page you visit," pointing to Facebook cookies that remain active even after the user signs out. In his mind, this defeats the purpose of logging out of Facebook and presents a major privacy concern.
> With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook. The only solution to Facebook not knowing who you are is to delete all Facebook cookies.
This is all important because of Facebook's new frictionless apps, unveiled recently at Facebook's f8 Developer's Conference and rolling out now on the social network. Websites can write apps whereby all activity on their pages can be shared automatically to a user's Facebook profile. The aim is to make sharing more convenient, so that Facebook members can more easily browse what their friends are interested in and start conversations about common interests and activities.
Cubrilovic penned his post in response to another blog post by Dave Winer, in which Winer claimed to be "seriously scared" of the disclosures these apps would automatically make and that the only solution was to log out of Facebook when browsing.
Cubrilovic's post was a warning that logging out was not enough.
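The check behind this kind of claim can be reproduced for any site by comparing the browser's cookie jar before logout with the `Set-Cookie` headers in the logout response. The sketch below is an added example, not code from Cubrilovic's post or from Facebook; the cookie names, values and headers are constructed for illustration, and domain and path matching are ignored for brevity.

```javascript
// Constructed sample data: cookie names and values are illustrative only.
const jarBeforeLogout = {
  session_id: "abc123", account_id: "1000001", browser_id: "f3a9", locale: "en_US",
};

// Constructed Set-Cookie headers from a hypothetical logout response.
const logoutSetCookie = [
  "session_id=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/",
  "locale=en_US; Max-Age=2592000; Path=/",
  "logged_out=1; Path=/",
];

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// A cookie is cleared when the server expires it; Max-Age wins over Expires.
function isCleared(cookie, now) {
  if ("max-age" in cookie.attrs) return Number(cookie.attrs["max-age"]) <= 0;
  if ("expires" in cookie.attrs) return Date.parse(cookie.attrs["expires"]) <= now;
  return false;
}

// Apply the logout response to the jar and return what the browser still holds.
function survivingCookies(jar, setCookieHeaders, now = Date.now()) {
  const after = { ...jar };
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    if (isCleared(c, now)) delete after[c.name];
    else after[c.name] = c.value;
  }
  return after;
}

// Of the cookies that can identify a user or browser, which outlive logout?
function identifyingSurvivors(jar, setCookieHeaders, identifying, now) {
  const after = survivingCookies(jar, setCookieHeaders, now);
  return identifying.filter((name) => name in after).sort();
}
```

Any name returned by `identifyingSurvivors` is still attached to later requests to that domain, including requests made by embedded widgets on other sites.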
In a comment on Cubrilovic's blog, a reader identifying himself as Gregg Stefancik ("an engineer who works on login systems at Facebook") refuted "some of the incorrect conclusions," stating that "Facebook has no interest in tracking people" and that Facebook's cookies "aren't used for tracking." Though Facebook could see when one of its users visited a partner site, Stefancik said, it could not see which user it was and that the only information sent back to them was the user's language, country and browser. Since Facebook "doesn't have an ad network and [doesn't] sell people's information," the logged out cookies were used for:
- Identifying and disabling spammers and phishers
- Disabling registration if an underage user tries to re-register with a different birth date
- Helping people recover hacked accounts
- Powering account security features, such as login approvals and notifications
- Identifying shared computers to discourage the use of “Keep me logged in.”
According to an answer to a commonly asked question in Facebook's Help Center, when one of its users visits a site with a Facebook social plug-in, whether logged in or logged out, Facebook receives information about "the date and time you visited, the web page you came from (commonly known as the referrer URL), and other technical information about the IP address, browser, and operating system you use."
"This is industry standard data," the Help Center answer continues, "that helps us optimize your experience depending on which browser you are using or whether or not you are logged into Facebook."
Essentially, Facebook is indeed tracking where its users go after they log out, but it is claiming to do so for benign reasons.
Facebook, of course, is constantly battling against privacy concerns. Recently, the social networking giant has fought back against worries over its new auto-tag feature in early September, "epidemic levels" of bullying amongst teens on its site and its ability to make cyber-stalking easier.
UPDATE: Facebook emailed us the following statement, reiterating much of what Gregg Stefancik wrote in his comment on Cubrilovic's blog:
> Specific to logged-out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for underage people who try to re-register with a different birth date, powering account security features such as second factor login approvals and notification, and identifying shared computers to discourage the use of "Keep me logged in."
Facebook recently revamped its own privacy settings for users who are logged in to the site. Take a look at the slideshow (which originally appeared here) to see the most important changes you need to know now.
First, navigate to the "Privacy Settings" tag which appears under "Account" at the top right-hand side of Facebook.com.
Click "How Tags Work" to change the settings and take advantage of the new feature.
You'll be presented with a window that offers five different options for controlling who can tag both you and the content you've posted to Facebook. Some of these settings are new, like "Profile Review," while others, like allowing others to check you in to locations, are not. If you'd like to be able to review photos and other posts you're tagged in before they appear on your profile, turn the first setting, "Profile Review," to "on." Turning on the second option, "Tag Review," lets you "review tags friends add to your content before they appear on Facebook," as Facebook explains. (I've left mine "off" as I, for now, trust my friends not to tag my posts in inappropriate ways). The last three are fairly self-explanatory: "Profile Visibility" controls who can see posts you've been tagged in, "Tag Suggestions" allows Facebook to use facial recognition technology to suggest tagging you in photos that appear to be of you, and the final setting lets others share your location via a Places check-in.
Once you've set the "Profile Review" option to "on," you'll see a "Pending Posts" notification appear when you've been tagged. Click on this tab to review and approve content before it appears on your profile.
In the "Pending Posts" tab you can look over all the posts in which you've been tagged. Clicking the checkmark will allow the content to appear on your profile. Clicking the "x" will keep the post from appearing on your profile, though it's important to note that you will not be detagged. If you want your name taken off a photo, you must click on the image, then "Report/Remove Tag." Facebook has also upgraded its detagging tool to give users far more options when it comes to removing abusive or annoying content. Now, users not only have the ability to remove a tag of themselves, but they can also flag the post for Facebook, alerting administrators that the photo is pornographic, contains hate speech, or is otherwise problematic. They can also contact the user that posted the photo to request that it be both detagged and removed (Find out more here or here).