CYBERSPACE—If you’ve ever had the feeling that Facebook was following you even when you weren’t logged on, the news, first reported Sunday, that FB tracking cookies were in fact keeping track of browsing activity even after users logged off the social network was a validation that probably came with a sick sensation in the pit of your stomach. That was certainly the reaction among federal lawmakers, a few of whom have asked the Federal Trade Commission to investigate the matter.
Today, however, Facebook announced that it had issued a fix for the problem, which it insisted never posed a privacy issue for its members. Nik Cubrilovic, the Australian blogger who first issued the alert regarding the cookies, also has weighed in on the fix after reportedly working with Facebook engineers to help identify the most problematic cookie, which is now “destroyed on logout.”
The initial warning on Sunday by Cubrilvic was alarming, to say the least. “Even if you are logged out,” he wrote, “Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.”
A Facebook engineer dissented right away, saying FB “cookies aren’t used for tracking,” but after working with Cubrilovic the company admitted that several cookies were saving user data following logout, though as of Tuesday stood by its claim that no identifying data was ever saved. The issue had to do with a timestamp included in the cookies.
"What interested me was that not only was the timestamp accurate to milliseconds (ie. thousandths of a second) but that an additional number was being added to it," wrote Cubrilovic. “My gut instinct was that the additional number ... was being added to make the timestamp unique for each and every request. Facebook confirmed this. I understand the technical reason for that—they can store the timestamp as a primary key in their logging backend and not have to associate benchmarking of each request back to a user. I believe Facebook here when they say that although this is a unique identifier it isn't used to link back to a user id—but it is definitely being logged and it can be linked to a user."
In an updated post, however, Cubrilovic says that the cookie he was most concerned about because it contained the users’ ID, is now destroyed on logout. Despite the fix, he says that caution on the part of surfers is still warranted.
“Facebook has changed as much as they can change with the logout issue,” wrote Cubrilovic. “They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons, etc. I would still recommend that users clear cookies or use a separate browser, though. I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and [not] to take initiative in remaining safe.”
It remains to be seen whether the peeved lawmakers have been mollified following the Facebook fix, or whether the perceived lackadaisical attitude by FB toward user privacy will prompt them to use this incident as an excuse to turn the tables on the social network monolith by forcing them to eat some very special (and intrusive) federal cookies, courtesy of the FTC.