
by Alan Henry
September 26, 2011
from LifeHacker Website

Over the weekend, Dave Winer wrote an article at Scripting explaining how Facebook keeps track of where you are on the web after logging in, without your consent. Nik Cubrilovic dug a little deeper, and discovered that Facebook can still track where you are, even if you log out. Facebook, for its part, has denied the claims. Regardless of who you believe, here's how to protect yourself, and keep your browsing habits to yourself. The whole issue has stirred up a lot of debate in privacy circles over the past few days. Here's what the fuss is about, and what you can do to protect your privacy if you're worried.

The Issue - Facebook's Social Apps are Always Watching
For quite some time now, Facebook's user tracking hasn't been limited to your time on the site: any third-party web site or service that's connected to Facebook or that uses a Like button is sending over your information, without your explicit permission.
However, Winer noticed something mostly overlooked in last week's Facebook changes: Facebook's new Open Graph-enabled social web apps all send information to Facebook and can post to your profile or share with your friends whether you want them to or not.
Essentially, by using these apps, just reading an article, listening to a song, or watching a video, you're sending information to Facebook which can then be automatically shared with your friends or added to your profile, and Facebook doesn't ask for your permission to do it.
Winer's solution is to simply log out of Facebook when you're not using it, and avoid clicking Like buttons and tying other services on the web to your Facebook account if you can help it, and he urges Facebook to make its cookies expire, which they currently do not.

Digging Deeper - Logging Out Isn't Enough
Nik Cubrilovic looked over Winer's piece, and discovered that logging out of Facebook, as Winer suggests, may de-authorize your browser from Facebook and its web applications, but it doesn't stop Facebook's cookies from sending information to Facebook about where you are and what you're doing there.
Writing at AppSpot, he discovered that Facebook's tracking cookies, which never expire, are only altered instead of deleted when a user logs out. This means that the tracking cookies still have your account number embedded in them and still know which user you are after you've logged out.
That also means that when you visit another site with Facebook-enabled social applications, from Like buttons to Open Graph apps, even though you're a logged out user, Facebook still knows you're there, and by "you," we mean specifically your account, not an anonymous Facebook user.
Cubrilovic notes that the only way to really stop Facebook from knowing every site you visit and social application you use is to log out and summarily delete all Facebook cookies from your system.

Why You Should Care
If you're the type of person who doesn't really use Facebook for anything you wouldn't normally consider public anyway, you should take note: everything you do on the web is fair game.
If what Cubrilovic and Winer are saying is true, Facebook considers visiting a web site or service that's connected to Facebook the same thing as broadcasting it to your friends at worst, and permission for them to know you're there at best.
Facebook says that this has nothing to do with tracking movements, and that they have no desire to collect information about where you are on the web and what you're doing. They want to make sure that you can seamlessly log in at any time to Facebook and to sites and services that connect with it and share what you're doing.
In fact, a number of Facebook engineers have posted comments to Winer's original post and Cubrilovic's analysis pointing this out. There's also some excellent discussion in this comment thread at Hacker News about the issue as well.
Essentially, they say this is a feature, not a problem, so if you have an issue with it, it's up to you to do something about it.

What Can I Do About It?
Whether or not Facebook is tracking your browsing even when you're logged out, if you don't want third-party sites to send data to Facebook, you have some options.
You could scrub your system clean of all Facebook.com cookies every time you use Facebook, but a number of developers have already stepped up with browser extensions to block Facebook services on third-party sites. Here are a few:
- Facebook Privacy List for Adblock Plus is perfect for those of you who already have AdBlock Plus installed (get ABP for Chrome or Firefox). Just download the subscription and add it to AdBlock Plus to specifically block Facebook plugins and scripts all over the web, including the Like button, whenever you're not visiting Facebook directly.
- Facebook Disconnect for Chrome keeps Facebook from dropping those tracking cookies on your system in the first place, and disables them when you're finished using Facebook-enabled services.
  It's essentially an on/off switch for third-party access to Facebook servers, meaning you'll still be able to log in to Facebook and use the site normally, but when you're visiting another site or using another application, that site or service won't be able to use your information to communicate with Facebook.

Disconnect for Chrome and Firefox is a new plug-in from the developer behind Facebook Disconnect, but it doesn't stop with Facebook.
Disconnect takes protection to another level and blocks tracking cookies from Facebook, Google, Twitter, Digg, and Yahoo, and prevents all of those services from obtaining your browsing or search history from third-party sites that you may visit.
The app doesn't stop any of those services from working when you're visiting the specific sites, so you can still search at Google and use Google+, but Google's +1 button likely won't work on third-party sites, for example.
The extension also lets you see how many requests are blocked, in real time as they come in, and unblock select services if, for example, you really want to Like or +1 an article you read, or share it with friends.
Ultimately, the goal of all of these tools is to give you control over what you share with Facebook or any other social service, and what you post to your profile, as opposed to taking a backseat and allowing the service you're using to govern it for you.
What's really at issue is exactly how deep Facebook has its fingers into your data, and how difficult they, and other social services, make it to opt out or control what's sent or transmitted. That's where extensions like these come in.
However you feel about it, Facebook likely won't change it in the near future. If you're concerned, you should take steps to protect your privacy.
As a number of commenters at Hacker News point out, it's not that there's anything inherently "good" or "evil" about what Facebook is doing; that would be oversimplifying an already complex topic. It's really an opt-in/opt-out issue.

Update
Nik Cubrilovic has posted an update to his story after discussing the matter with Facebook engineers.
They have agreed to make changes to the way their cookies are stored and handled so your account information is not present when you log out of Facebook.
However, while Facebook has changed its cookie-handling process, the cookies are still retained and not deleted after logout, and do not expire. They remove your account information when you log out, but they still contain some non-personal data about your browser and the system you're using.
Nik still recommends you clear your Facebook cookies after every session, and we still suggest that, if you're concerned, you do the same, and try one of the extensions above, or Priv3 for Firefox, to protect yourself.