Facebook: you can check out but you can never leave

Facebook has agreed to fix an issue with its system that meant it continued to track the online activity of users even after they had logged out of the site.

The issue was discovered by Australian security blogger Nik Cubrilovic, who wrote this week about Facebook’s privacy settings after a debate broke out about the site’s plans to let third-party applications post to a user’s timeline without their explicit case-by-case approval.

While some sources have suggested users should evade this by logging out of the site after each session, Cubrilovic noted that as things stand this wouldn’t be enough. He examined cookies on his computer both while using Facebook and after logging out. In the latter case, rather than all the cookies being removed as you would expect, some remained active with only minor changes. Some cookies had their expiry date extended and there were even three new ones created.

In total, there were nine cookies still being accessed after logging out, including those that specifically identified him as the user. These were accessed whenever he visited a third-party site containing a Facebook “Like” button or similar tool. And, of course, if he’d been using a public terminal, subsequent users would have been falsely identified as being him by Facebook.
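The check Cubrilovic describes (snapshot the cookie jar while logged in, snapshot it again after logout, and look for cookies that survived, had their expiry extended or were newly created) can be automated. The following is an added example, not code from the article or from Cubrilovic; the cookie names, values and timestamps are constructed placeholders and do not correspond to Facebook's real cookies. It also shows the `Set-Cookie` headers a logout response should send so that a shared terminal does not keep identifying the previous user.

```python
"""Diff two cookie-jar snapshots (logged in vs. after logout) and flag
cookies that should have been cleared. Sample data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    expires: int  # Unix timestamp; 0 means a session cookie


def diff_cookie_jars(before, after, identifying=frozenset()):
    """Compare cookie jars keyed by name and classify what changed at logout.

    before / after: dict name -> Cookie
    identifying:    names known to carry account identity (e.g. a user id)
    Returns a dict of sorted name lists:
      removed           present before, gone after (the desired outcome)
      retained          present in both snapshots
      extended          retained, and expiry pushed further into the future
      created           not present before, present after
      still_identifying identifying cookie retained with an unchanged value
    """
    removed = sorted(n for n in before if n not in after)
    retained = sorted(n for n in before if n in after)
    extended = [n for n in retained if after[n].expires > before[n].expires]
    created = sorted(n for n in after if n not in before)
    still_identifying = [
        n for n in retained
        if n in identifying and after[n].value == before[n].value
    ]
    return {
        "removed": removed,
        "retained": retained,
        "extended": extended,
        "created": created,
        "still_identifying": still_identifying,
    }


def logout_set_cookie_headers(names, domain="example.invalid"):
    """Set-Cookie headers a logout response should emit to clear each cookie.
    Max-Age=0 plus an epoch Expires covers old and new browsers; the domain
    is a placeholder and must match the attribute the cookie was set with."""
    return [
        f"{n}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
        f"Domain={domain}; Path=/; Secure; HttpOnly"
        for n in names
    ]


# Constructed snapshots: "uid" stands in for an identifying cookie.
LOGGED_IN = {
    "uid": Cookie("uid", "100012345", 1_700_000_000),
    "sess": Cookie("sess", "tok-abc", 0),
    "locale": Cookie("locale", "en_US", 1_700_000_000),
}
AFTER_LOGOUT = {
    "uid": Cookie("uid", "100012345", 1_800_000_000),  # kept, expiry extended
    "locale": Cookie("locale", "en_US", 1_700_000_000),  # kept unchanged
    "act": Cookie("act", "1", 1_800_000_000),            # newly created
}


def report():
    """Run the diff on the constructed snapshots and return the result."""
    return diff_cookie_jars(LOGGED_IN, AFTER_LOGOUT, identifying={"uid"})


if __name__ == "__main__":
    result = report()
    for key, names in result.items():
        print(f"{key:18s} {names}")
    print("\nHeaders a correct logout would send:")
    for h in logout_set_cookie_headers(result["still_identifying"]):
        print(" ", h)
```

In a real audit the two snapshots would be exported from the browser's cookie store; the point of the classification is that anything in `still_identifying` is a cookie a later user of the same machine would present to the site and to any third-party page embedding its widgets.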

Cubrilovic says he e-mailed Facebook about this issue last November and again this January, receiving no reply. He notes starkly “They really need to get their shit together on reporting privacy issues.”

Since posting the blog, Cubrilovic has had a 40-minute discussion with Facebook engineers and staff in the US. He says the company tells him that within 24 hours it will alter the cookies setup: they will remain in use but will no longer personally identify the user.

Facebook itself has told the Wall Street Journal that the cookies are needed to avoid bogus logins, and to make it easier for people to use the “Like” button without the need to type in login details every time. It says it deletes the data received this way immediately and that none of the information is used to target advertising.