Facebook’s Hotel California: Cross-Site Tracking and the Potential Impact on Digital Privacy Legislation
Tracking of Logged Out Users
For its 800 millions users, logging out of Facebook is not something done idly. Closing the Facebook tab won’t do it. Closing your browser won’t do it unless you’ve adjusted the settings in your browser to clear cookies upon closing. And Facebook has buried the log-out button so that it isn’t apparent from your Facebook main page or profile page. This doesn’t mean that logging out of Facebook is difficult; it’s not. But this does indicate that when someone logs out of Facebook, they are doing so purposefully. They aren’t just stepping outside of Facebook; they’re closing the door behind them.
On September 25th, 2011, Nik Cubrilovic, a hacker and writer, published a blog post1 that showed that a particular Facebook session cookie wasn’t being deleted after a user logged out. He noted that the session cookie included your Facebook user id number, which would presumably facilitate Facebook associating any data they collected about your browsing the web with your Facebook account. Cubrilovic’s review showed that, based on what the cookies were transmitting, Facebook could easily connect some of your browsing habits to your unique Facebook account.
This set off a storm of media coverage, but much of it lacked a detailed analysis of what Facebook is actually tracking and an understanding of how this could influence pending privacy legislation in Congress.
What Does Facebook Really Track?
Facebook sets two types of cookies: session cookies and tracking cookies.
- Session cookies are set when you log into Facebook and they include data like your unique Facebook user ID. They are directly associated with your Facebook account. When you log out of Facebook, the session cookies are supposed to be deleted.
- Tracking cookies - also known as persistent cookies - don’t expire when you leave your Facebook account. Facebook sets one tracking cookie known as 'datr' when you visit Facebook.com, regardless of whether or not you actually have an account. This cookie sends data back to Facebook every time you make a request of Facebook.com, such as when you load a page with an embedded Facebook 'like' button. This tracking takes place regardless of whether you ever interact with a Facebook 'like' button. In effect, Facebook is getting details of where you go on the Internet.
When you leave Facebook without logging out and then browse the web, you have both tracking cookies and session cookies. Under those circumstances, Facebook knows whenever you load a page with embedded content from Facebook (like a Facebook 'like' button) and also can easily connect that data back to your individual Facebook profile.
Based on Cubrilovic’s recent findings, there was also a period of time when you kept a session cookie after logging out of Facebook, allowing Facebook to easily associate your web browsing history and your Facebook account. Facebook says they’ve addressed this issue, and that now all session cookies are deleted at log out.
But there have been other concerns around Facebook tracking, including an issue that has surfaced three times in the last year. Dutch doctoral candidate Arnold Rosendaal, independent security researcher Ashkan Soltani, and Stanford doctoral candidate and law student Jonathan Mayer have each discovered instances in which Facebook was setting tracking cookies on browsers of people when they visited sites other than Facebook.com. These tracking cookies were being set when individuals visited certain Facebook Connect sites, like CBSSports. As a result, people who never interacted with a Facebook.com widget, and who never visited Facebook.com, were still facing tracking by Facebook cookies.
But there’s yet another layer to this, a layer often glossed over by mainstream coverage of this issue: Facebook can track web browsing history without cookies. Facebook is able to collect data about your browser – including your IP address and a range of facts about your browser – without ever installing a cookie. They can use this data to build a record of every time you load a page with embedded Facebook content. They keep this data for 90 days and then presumably discard or otherwise anonymize it. That's a far cry from being able to shield one’s reading habits from Facebook.
For its part, Facebook admits they collected the data through the accidental setting of tracking cookies and the failure to delete session cookies upon log out - but says these were oversights. They say that the issues are now resolved. They expanded their help section and sent us this statement:
Our intentions stand in stark contrast to the many ad networks and data brokers that deliberately and, in many cases, surreptitiously track people to create profiles of their behavior, sell that content to the highest bidder, or use that content to target ads on sites across the Internet.
The Trust Gap
For users concerned about privacy, this statement is small consolation. It’s clear that Facebook does extensive cross-domain tracking, with two types of cookies and even without. With this data, Facebook could create a detailed portrait of how you use the Internet: what sites you visit, how frequently you load them, what time of day you like to access them. This could point to more than your shopping habits – it could provide a candid window into health concerns, political interests, reading habits, sexual preferences, religious affiliations, and much more.
Facebook insists they aren’t misusing the data they are collecting. The question is then: do we as Internet users trust Facebook? Do we trust them not to connect our data with our Facebook profiles, sell it to marketers, or provide it to the government upon request? If Facebook’s business model becomes less profitable in the coming years, do we trust them to continue to not connect tracking data to profiles? If the government brings pressure to bear on Facebook, do we trust Facebook to stand with users and safeguard the data they’ve collected? And, do we believe that Facebook isn’t actually connecting browsing data to profiles now, given their history of mistakes when it comes to tracking and the clear market incentive they would derive from that sort of connection?
This is the “trust gap”- the space between what Facebook promises they are doing with the data they are collecting and what we as Facebook users can reasonably trust them to do. And, when it comes to safeguarding the sensitive reading habits of millions of users, the trust gap is pretty wide.
Could Privacy Snafus Spur Privacy Legislation?
If you are uneasy with Facebook’s cross-domain tracking, you aren’t alone. This has led to a call from lawmakers as well as privacy advocates to have the FTC investigate whether Facebook deceived users by tracking logged-out users. And a group of 6 Facebook users has filed suit against Facebook over this issue.
This newest privacy snafu could prod legislators into moving on one of the many online privacy bills that have been introduced this year. Users’ unease with the quickly-evolving technical capabilities of companies to track users, combined with the abstruse ways in which that data can be collected (from social widgets to super cookies to fingerprinting), has resulted in a growing user demand to have Congress provide legal safeguards for individual privacy when using the Internet.
Unsurprisingly, Facebook hopes that its brand of data collection through ‘like’ buttons won’t be subject to federal regulation. According to AdAge, Facebook sent an “army of lawyers” to Washington to convince Senators McCain and Kerry to carve out exceptions to their recently introduced privacy bill so that Facebook could track their users via social widgets on other sites (dubbed the "Facebook loophole"). But while Kerry and McCain may have acquiesced to Facebook's requests, Senator Rockefeller did not. He introduced legislation that would empower the FTC to create rules around how best to protect users online from pervasive online tracking by third parties.
Facebook seems keen to influence future legislation on these issues. They recently filed paperwork to form a political action committee that will be "supporting candidates who share our goals of promoting the value of innovation to our economy while giving people the power to share and make the world more open and connected."
We hope that these efforts to influence politicians won't come at the cost of strong protections for user privacy on the Internet. As the situation currently stands, the resources available to governments and corporations to track users across the Internet far outstrip the resources of the average user to fend off such tracking. And from all appearances, self-regulation by industry is failing.
What You Can Do
If you find yourself creeped-out by being tracked by Facebook on non-Facebook sites, then you have a few options to protect yourself and voice your concerns.
- Install Firefox addons like Ghostery, ShareMeNot, Abine’s Taco, and/or AdBlockPlus to limit online tracking. None of these is perfect and each works a little different; check out this guide for a discussion. Also consider installing the Priv3 Firefox extension, which is still in beta.
- Use private browsing mode.
- Adjust the settings in your browser to delete all cookies upon closing. Clear your cookies when leaving a social networking site, and log out of Facebook before browsing the web. You should consider having one browser strictly for logging into your Facebook account and one browser for the rest of your web usage.
- Support privacy legislation like the Rockefeller Do Not Track bill, which will give users a voice when it comes to online tracking.
- 1. According to his blog, Cubrilovic says he’s been trying to inform Facebook of these issues since November 14, 2010