Facebook to Extinguish Bugs After Lawsuit Over Bad Cookie Behavior

By Chelsi Nakano

Facebook privacy concerns -- they're like a broken record. This time around the platform was sued over cookies, having been accused of tracking users even after they had logged out of the social network.

In Your Internets, Tracking Your Datas

Cookies, the small pieces of data a website stores in your browser, can be useful: they can remember passwords and settings so you don't have to re-enter them each time you visit a website.

What blogger and hacker Nik Cubrilovic finds particularly interesting is that Facebook still collects these pieces of data when you've logged out of the site. For example, a cookie known as "datr" helps identify suspicious login activity, while another called "lu" protects those using public computers.

"These cookies, by the very purpose they serve, uniquely identify the browser being used—even after logout. As a user, you have to take Facebook at their word that the purpose of these cookies is only for what is being described," Cubrilovic said.
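The point Cubrilovic makes is easy to check for yourself: compare the cookies a browser holds while logged in with the Set-Cookie headers the logout response sends back, and see which names survive. The Python below is an added illustration, not code from the article or from Facebook. The cookie names "datr" and "lu" come from the article; every value, the logout headers, the domain example.com and the audit time are constructed, and the jar is keyed by cookie name only (a real browser also keys on domain and path).

```python
"""Audit which cookies survive a logout response (constructed example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed: the cookie jar of a logged-in browser. "datr" and "lu" are the
# names mentioned in the article; all values here are placeholders.
LOGGED_IN_JAR = {
    "c_user": "100000000001",           # hypothetical user-id cookie
    "xs": "SESSION-TOKEN-PLACEHOLDER",  # hypothetical session cookie
    "datr": "BROWSER-ID-PLACEHOLDER",   # browser identifier (name from article)
    "lu": "LAST-USER-PLACEHOLDER",      # public-computer cookie (name from article)
}

# Constructed: Set-Cookie headers from a hypothetical logout response. The two
# session cookies are expired, but "datr" is re-set with a far-future expiry and
# "lu" is not mentioned at all, so both outlive the logout.
LOGOUT_SET_COOKIE = [
    "c_user=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=.example.com",
    "xs=deleted; Max-Age=0; Path=/; Domain=.example.com; Secure; HttpOnly",
    "datr=BROWSER-ID-PLACEHOLDER; Expires=Sat, 01 Jan 2050 00:00:00 GMT; Path=/; Domain=.example.com",
]

# Constructed audit time: the moment the logout response is received.
AUDIT_TIME = datetime(2011, 9, 27, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    Splitting on ';' first keeps the comma inside an Expires date intact.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_expired(attrs, now):
    """Decide whether the browser deletes the cookie on receipt.

    Max-Age takes precedence over Expires (RFC 6265); a non-positive Max-Age or
    an Expires date in the past removes the cookie. No expiry attribute at all
    makes it a session cookie, which lives until the browser closes.
    """
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # malformed Max-Age is ignored; fall through to Expires
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False  # unparseable date: treat as a session cookie
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return exp <= now
    return False


def cookies_after_logout(jar_before, set_cookie_headers, now):
    """Apply the logout response to a cookie jar and return what remains."""
    jar = dict(jar_before)
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if is_expired(attrs, now):
            jar.pop(name, None)
        else:
            jar[name] = value  # re-set or newly set cookie
    return jar


def surviving_identifiers(jar_before, set_cookie_headers, now):
    """Names present while logged in that are still present after logout.

    These are the cookies a user has to take the site's word on, because the
    browser is still uniquely identifiable by them after logging out.
    """
    after = cookies_after_logout(jar_before, set_cookie_headers, now)
    return sorted(name for name in jar_before if name in after)


if __name__ == "__main__":
    print(surviving_identifiers(LOGGED_IN_JAR, LOGOUT_SET_COOKIE, AUDIT_TIME))
```

Run against the constructed data it reports that "datr" and "lu" survive while the session cookies are gone, which is exactly the distinction the article draws: logging out ends the session without necessarily ending the browser's identifiability.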

The issue at the heart of this is frictionless sharing, most recently highlighted last week when Facebook teamed up with the music sites Spotify, Rdio, and Slacker. Users simply listen to the music they like on those platforms and it's automatically shared with their Facebook friends via the application. It's like a hassle-free recommendation engine.

Of course, the concern with frictionless sharing is that you might not want everyone on Facebook to know what you're up to, especially when you're not on Facebook. There are also concerns about targeted advertising.

"[Facebook is] doing something that I think is really scary, and virus-like. The kind of behavior deserves a bad name, like phishing, or spam, or cyber-stalking," explained software developer David Winer.

Facebook Acknowledges the Issue... Finally

While this might be the first time you're hearing about offline tracking, Cubrilovic has been trying to discuss the issue with Facebook for almost a year now:

To clarify, I first emailed this issue to Facebook on the 14th of November 2010. I also copied the email to their press address to get an official response on it. I never got any response. I sent another email to Facebook, press and copied it to somebody I know at Facebook on the 12th of January 2011. Again, I got no response. I have copies of all the emails, the subject lines were very clear in terms of the importance of this issue.

In their long-awaited response, Facebook stated that they do not track users across the web: "...we use cookies on social plugins to personalize content (e.g. Show you what your friends liked), to help maintain and improve what we do (e.g. Measure click-through rate), or for safety and security (e.g. Keeping underage kids from trying to sign up with a different age). No information we receive when you see a social plugin is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information."

A Suit is a Suit, a Fix is a Fix?

The recent lawsuit, filed in the California district court by six Facebook users in Illinois, Hawaii, Virginia, and New Jersey, asks the court for damages, as well as an order that would require Facebook to stop installing cookies that track users after they log out of the service. 

To the surprise of pretty much no one, the platform team wasn't happy with the accusations. "We believe this complaint is without merit and we will fight it vigorously," a Facebook spokesman said in a statement. 

But then today it was reported that Facebook has confirmed a tracking cookie bug and said a fix is coming soon. Here is a comment made to Cubrilovic by Facebook engineer Gregg Stefancik:

I am an engineer at Facebook who works on Facebook's login systems. Thanks for raising this issue. We still have a policy of not building profiles based on data from logged out users. Reports like this help us make sure we're adhering to that policy which has not changed. As we discussed last week, we are examining our cookie setting behavior to make sure we do not inadvertently receive data that could be associated with a specific person not logged into Facebook.

We have been made aware of 2 instances in the past 2 weeks related to cookies which needed to be addressed. What you describe in this post is not a re-enabling of anything, but a separate issue involving a limited number of sites, including CBSSports. We have moved quickly to investigate and resolve this latest issue which will be fully addressed today. We encourage security researchers to test our practices and report them to us through our whitehat program which rewards people like you who identify issues.

Any thoughts on the issue? I'd like to hear what other people think about Winer's comment specifically. In signing up for platforms like Facebook I think it's important to acknowledge that you're giving up a great amount of information -- that's just the nature of social networks these days -- but there is, of course, a line. It's interesting how, after being flamed so much in the past for related issues, Facebook still appears to be crossing it.