Facebook cookie complaints get the wrong end of the stick

Filed Under: Facebook, Featured, Privacy, Social networks

The news wires are awash with stories about Facebook, cookies and privacy. The source of all this concern seems to be an article written by self-proclaimed "serial entrepreneur, writer and hacker" Nik Cubrilovic of Wollongong, New South Wales, Australia.

(Old-school network hackers will no doubt remember Wollongong from the University of Wollongong's eponymous and once-widespread TCP/IP software stack.

Newer-school hackers will remember Wollongong as the home of Ashley Towns, author of the first in-the-wild iPhone virus.)

Cubrilovic has enjoyed dramatic media success with his concerns about Facebook cookies, but I think he's been barking up the wrong tree.

The criticisms he makes against Facebook could - and perhaps should, though I don't intend to argue that issue here - be levelled against any website operator that sets long-lived cookies aimed at identifying repeat visitors.

Indeed, cookies are text-based key-value data pairs which are included in HTTP traffic precisely so that web servers can keep track of a a user's browsing session.

By design, HTTP is a stateless protocol. So, if you visit my web page twice in a row, those two requests are entirely independent.

By setting a unique cookie in your browser, which your browser will insert into all subsequent request headers, I can tie those two requests together on my server.

I might not know your identity, but I know it's the same person - or at least the same browser on the same PC - coming back for more. So I can target the content I serve based on your previous browsing history. It might not be you, but it very probably is.

Cookies also permit the concept of a website login: the cookie very conveniently acts as a temporary access ticket to your account, so you don't need to resubmit your login information on every page.

Cubrilovic's critique of Facebook cookies seems to boil down to this: when you login, Facebook sets a bunch of cookies which identify your user ID and authenticate you to act as that user for the current session.

But when you logout, Facebook doesn't unset all of the cookies set at login, so - argues Cubrilovic - you continue to identify yourself to Facebook in all subsequent traffic, even after you've logged out.

So what?

Any website which sets a long-lived unique cookie when you first visit the site can do just the same thing.

Try visiting Apple's website, for example. (I don't mean to criticise Apple, just to pick them as an example because I'm an Apple user, and I have an AppleID.)

On your first visit, Apple will set a browser cookie called s_vi, valid for five years, containing a random-looking string of hexadecimal digits. The value of this cookie is - at least as far as I can tell - unique to each brand-new visitor.

So, next time you login with your AppleID, Apple's backend systems can now tie your general-purpose s_vi cookie to your AppleID.

In other words, Apple "knows" who you are every time you subsequently visit using the same browser on the same PC, even if you never log in again. (More precisely, Apple knows who last logged in to its site from your browser, which very likely was you.)

Cubrilovic has therefore rediscovered that long-lived anonymous cookies, once they've been associated with an exact identity, stop being anonymous.

So, if you're worried about this sort of thing, routinely delete all cookies from your browser. This means that you dispose of all your no-longer-anonymous cookies.

Your favourite websites will no longer have cookie-based history about you, so you'll get newly-generated anonymous cookies next time you visit each of those sites.

Most browsers - Firefox, Chrome, Opera and Internet Explorer, for instance - have an "automatically delete cookies on exit" option. I recommend using it: you don't have to keep remembering to delete old cookies by hand.

, ,

You might like

34 Responses to Facebook cookie complaints get the wrong end of the stick

  1. www · 1037 days ago

    This is one cookie who was late to the jar and lost all his chocolate chips!

  2. DePar · 1037 days ago

    Mmm, I have had firefox automatically delete all cookies on exit ever since I found out about the feature (years ago) :) Good article though

  3. Jasjeev · 1037 days ago

    The reason why they leave your session valid is for some apps.

  4. THANK YOU THANK YOU THANK YOU!

    *Finally* someone to stand up and say 'so what?' to the rest of the world! This is old, old news, people. Nothing to see here, move along...

  5. Facebook uses beacon technology by way of the "like" button which appears on most large websites. Using the "like" button Facebook *can* keep track of our near every move across the internet regardless of whether we are logged in to Facebook or not.

    This is completely different to the Apple cookie. Apple does not serve its cookies from sites other than Apple. There is no beacon and thus the comparison is a bit empty....

    • This is the key point that is being missed here, thanks for making it.

      Apple don't have javascript from their main domain embedded on 7 million websites and most of the top 1000 websites, as Facebook does

      I was sent this post by an old client of mine who is a Sophos customer. His response was that he was 'concerned' that the point here was being missed.

      Sophos should be advising corporate customers to scrub cookies on all third-party requests, not shrugging this off.

    • not to mention that what makes this miss even more of a facepalm.jpg is that there are 7 different widgets embedded at the bottom of this page, including one from facebook. you would think that scrolling past that after publishing this post might be a lightbulb moment.

    • Ah... I was wondering how this point could have been completely missed. The Like button is embedded on a ton of web sites which is very different from the Apple web site.

      Plus plus plus facebook has motive to track user across multiple websites(targeted ads, selling user profile data for millions *bru ha ha*) as opposed to apple which has nothing to gain from developing such an infrastructure.

  6. RichardC · 1037 days ago

    Au contraire mon frere, I think it's you that has the wrong end of the stick. As I understand it the issue is not that Facebook is using a long-lived cookie (as many websites do) but that the cookie also tracks page-hits from urchins embedded in 3rd party pages via the ubiquitous 'Like' button (as seen in this very page). Again, not the only org to do this (I'm looking at you Google) but Facebook is then (as I understand it) publishing this personal browsing history to the whole goddam world.
    And that's the point.

    • Paul Ducklin · 1036 days ago

      According to Cubilovic's article, which seems to be the one at the centre of all of this, the key issue here is not when Facebook can collect cookies, but which cookies it leaves set after you logout.

      From the very start of the article: "[after] logging out of Facebook a number of cookies... (including your account number) are still sent along to all requests to facebook.com. **Even if you are logged out, Facebook still knows and can track every page you visit.**"

      [Original author's emphasis.]

      And my point is, "This is true for any site which first sets an anonymous cookie and then 'identifies' it because you later login whilst it's set."

      Different stick, brother.

    • lakawak · 1035 days ago

      Au contraire yourself. Facebook is NOT broadcasting it to anyone. (Google is, however.) It was just the tin foil alartmist who "discovered" cookies this week assumed they were.

  7. pwpslade · 1037 days ago

    Sorry Paul, I think you have the wrong end of the stick.

    The issue here is not that Facebook (or any other site operator) tracks return visits, it is that they can track visits to other sites via the appearance of the 'Like' button (or tweet, or inShare or +1) - you only need to view the source for this page to see this for yourself!

    • lakawak · 1035 days ago

      And Google does it with any page that has Analytics in their code, which is almost all of them. And unlike Facebook which said they don't use that information for marketers, Google DOES use it. And if you are one of the few who signed up for Google+, they now have a real name to go with your entire search history, and virtually your entire browsing history.

  8. Louise · 1036 days ago

    Was it necessary to suggest Wollongong is full of nasty people just because of a few bad apples?

    • A. Waggoner · 1036 days ago

      I don't think that's the case. Quite a few professors at MIT are responsible for some 'bad' things.

      I'd say Wollongong is just full of curious people. :)

  9. Peter Yates · 1036 days ago

    "Facebook Denies Cookie Tracking Allegations" ... http://www.zdnet.com/blog/facebook/facebook-denie... ... It's a shame that Facebook didn't respond to the enquiries *before these articles were published.

  10. Paul Ducklin · 1036 days ago

    See above.

    • pwpslade · 1036 days ago

      So, in essence, it is Sophos' fault for including the 'Like' button? (Along with every other site that has a 'Like' button or similar)

      My point is, that your article suggests that these cookies are used for tracing 'return visits' - "The criticisms he makes against Facebook could - and perhaps should, though I don't intend to argue that issue here - be levelled against any website operator that sets long-lived cookies aimed at identifying *repeat visitors*" (My emphasis)
      When in fact, the cookies could VERY easily be used to track everyone that surfs to a page with a 'Like' button whether logged out of FB or not.

  11. Liv · 1036 days ago

    I find your attitude quite offensive here. For someone who has criticized FB for breaches of privacy in the past you now seem to be saying "Eh, so what?" Personally I don't want my 'net surfing to be tracked by ANYONE, naive as that may sound, and logging out of my account should entitle me NOT to be tracked from then on. Yes, I'll make sure my cookies are deleted, etc, etc, but the whole point is it's my privacy, and my right to privacy which is at risk.

  12. Mele20 · 1036 days ago

    Yes, it is Sophos fault for including the Like button. Schleswig-Holstein one of the federal states of Germany has recently ordered all websites in Schleswig-Holstein to remove the Like button because it violates German privacy laws. This must be done by the end of September or further penalties will be placed on website owners for non-compliance. This policy will probably be extended to the entire nation of Germany in the near future.

    I say Bravo to this German state for standing up for privacy.

    • lakawak · 1035 days ago

      So, is Germany going to ban every site from being a Google Ad Sense member? Because every site that has analytics knows that you visited, and they tell Google that. And google takes that iformation and sells it to marketers. (The very same ones that Facebook does.) And if you have a Google+ account, they have a real name to go along with it.

  13. How can you delete cookie automatically on Internet Explorer? I can't find the option "automatically delete cookies when browser closes (only auto empty the temporary internet files upon browser closure). You better include the instructions of how to do that.

  14. I tend to delete cookies/history/temporary internet file manually using the ctrl+shift+delete (or ctrl+t+d in Internet Explorer).

  15. JustSaying · 1036 days ago

    The cookies themselves aren't the story. It's about Facebook actively eavesdropping on users even when they're:

    a) not interacting with Facebook
    b) would normally believe they're not being observed by Facebook

    Also a little about Like buttons actually functioning as spyware.

    May I say - it's unsettling to see the Like button being used on this site, especially in this instance. Hearty applause for the level heads of Schleswig-Holstein!

  16. R0nin · 1036 days ago

    The problem I have is that they not only "track" you via the "Like" button, etc., embedded on other web pages-- in some cases, they also identify you and already have you logged on, on those other websites. I'm sick of not only being prompted to "log on via Facebook" everywhere I go on the web-- but actually having some websites already log me on with my Facebook identity, the first time I go there.

    I do not want to have Facebook track me wherever I go, so they can try to make more money off of me and my user information and surfing habits. And I certainly don't want Facebook (in partnership with these other sites) to determine what identity I will present on those sites.

    Perhaps if the majority of users realized that they are only a commodity to be profited from and then sold, we would hold FB's feet to the fire on these issues. But most (especially younger, in my experience) users don't seem to recognize this-- or are even fine with it. After all, what could possibly go wrong? /sarcasm

    • lakawak · 1035 days ago

      AGAIN...complain about Google doing this too then, otherwise you are being hypocritical. They have been doing it for a DECADE now.

      • Nessie · 1032 days ago

        Lakwak, could you please explain how did Google, in the past decade, log you in automatically with your full first and last name to sites you have never visited?

        I think you are a bit confused. Collecting usage information is, and SHOULD BE, a completely different story than using personally identifiable data (protected by data privacy laws in all civilized countries) to tie that usage data not with a BROWSER (by its useragent), not with a COMPUTER (by its IP addres), but with a living person (by their name and address).

        Facebook encourages, indeed, even forces you to open your account using your full, real name. Not a nickname, not a username. Your. Name. This information is sensitive, there is no "so what" about it. Facebook subsquently gives this information freely and without warning to external sites that are not Facebook and on which you never opened an account.

        Again: it's not about collecting information about what your browser is most often used to access. It's about associating that information with your REAL name and REAL address and REAL telephone number (information you are forced to give Facebook under ToU), and a password that protects your vital information. It's all fine and well if the sites you visit are clean, nice, and have no intention of stealing your data. But imagine one day they are not. Imagine they become compromised.

        Can you imagine an e-bank doing the same? Automatically following you around the Web and making your checking account information available to websites "in case you might want to buy something"?

        Other sites have used cookies "for decades", sure. But those other sites do not have the sheer scale of Facebook and don't force you to give up as much private information as Facebook. That's why it's Facebook that is in the crosshairs and that's why it's Facebook that has to protect this very sensitive data BETTER than those other sites.

  17. Eric · 1036 days ago

    I don't know about other browsers, but Opera has an option that allows you to block cookies from sites other than the one you're visiting. This usually doesn't affect functionality (although it can with sites that serve content from multiple domains).

    But potentially, at least, cookies aren't the main privacy threat. Check out, as one example, the Panopticlick site, which details a method for identifying the computer installation you're using. (My browser showed a unique profile among 1.8 million tested so far.) And few of us have an IP number that changes constantly, providing another method of tracking. And then there are the supercookies, which most Internet users don't know much about.

    Unless you're knowledgeable and determined enough to hide your tracks -- and it's difficult to be 100% effective -- you're probably best off assuming that your privacy is limited.

    • lakawak · 1035 days ago

      Don't kid yourself. Even if you have a dynamic IP, they can still know who you are. Your ISP keeps a record of at least 6 months (I think it is 12 months at least actually) of what IP addresses all their customers were assigned on any given date.

  18. Jim · 1036 days ago

    Wow, so much paranoia. Amazing!!
    Basic data collected by cookies and such is perfectly harmless, I don't mind if Facebook/Google/whoever know when I visit, what content I am accessing and how often; how's that going to harm me? "Hide your tracks"...why? What are you getting up to that you need to hide your tracks? As far as privacy concerns go, it's all pretty insignificant really.

    I'm with you Paul; a mountain out of a mole hill.

  19. Jan · 1035 days ago

    RE: How can you delete cookie automatically on Internet Explorer? I can't find the option "automatically delete cookies when browser closes (only auto empty the temporary internet files upon browser closure).

    On right hand side of page, internet explorer , go to tools dropdown menu, click on Internet opions..you will see browsing history, click on "delete browsing history on exit "

  20. Jan · 1035 days ago

    How does one go about using a seperate browser ?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog