Facebook cookie complaints get the wrong end of the stick


The news wires are awash with stories about Facebook, cookies and privacy. The source of all this concern seems to be an article written by self-proclaimed “serial entrepreneur, writer and hacker” Nik Cubrilovic of Wollongong, New South Wales, Australia.

(Old-school network hackers will no doubt remember Wollongong from the University of Wollongong’s eponymous and once-widespread TCP/IP software stack.

Newer-school hackers will remember Wollongong as the home of Ashley Towns, author of the first in-the-wild iPhone virus.)

Cubrilovic has enjoyed dramatic media success with his concerns about Facebook cookies, but I think he’s been barking up the wrong tree.

The criticisms he makes against Facebook could – and perhaps should, though I don’t intend to argue that issue here – be levelled against any website operator that sets long-lived cookies aimed at identifying repeat visitors.

Indeed, cookies are text-based key-value data pairs which are included in HTTP traffic precisely so that web servers can keep track of a user’s browsing session.

By design, HTTP is a stateless protocol. So, if you visit my web page twice in a row, those two requests are entirely independent.

By setting a unique cookie in your browser, which your browser will insert into all subsequent request headers, I can tie those two requests together on my server.

I might not know your identity, but I know it’s the same person – or at least the same browser on the same PC – coming back for more. So I can target the content I serve based on your previous browsing history. It might not be you, but it very probably is.

Cookies also permit the concept of a website login: the cookie very conveniently acts as a temporary access ticket to your account, so you don’t need to resubmit your login information on every page.

Cubrilovic’s critique of Facebook cookies seems to boil down to this: when you log in, Facebook sets a bunch of cookies which identify your user ID and authenticate you to act as that user for the current session.

But when you log out, Facebook doesn’t unset all of the cookies set at login, so – argues Cubrilovic – you continue to identify yourself to Facebook in all subsequent traffic, even after you’ve logged out.

So what?

Any website which sets a long-lived unique cookie when you first visit the site can do just the same thing.

Try visiting Apple’s website, for example. (I don’t mean to criticise Apple, just to pick them as an example because I’m an Apple user, and I have an AppleID.)

On your first visit, Apple will set a browser cookie called s_vi, valid for five years, containing a random-looking string of hexadecimal digits. The value of this cookie is – at least as far as I can tell – unique to each brand-new visitor.

So, next time you log in with your AppleID, Apple’s backend systems can now tie your general-purpose s_vi cookie to your AppleID.

In other words, Apple “knows” who you are every time you subsequently visit using the same browser on the same PC, even if you never log in again. (More precisely, Apple knows who last logged in to its site from your browser, which very likely was you.)

Cubrilovic has therefore rediscovered that long-lived anonymous cookies, once they’ve been associated with an exact identity, stop being anonymous.

So, if you’re worried about this sort of thing, routinely delete all cookies from your browser. This means that you dispose of all your no-longer-anonymous cookies.

Your favourite websites will no longer have cookie-based history about you, so you’ll get newly-generated anonymous cookies next time you visit each of those sites.

Most browsers – Firefox, Chrome, Opera and Internet Explorer, for instance – have an “automatically delete cookies on exit” option. I recommend using it: you don’t have to keep remembering to delete old cookies by hand.
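To make the mechanism concrete, here is a toy server-side model, added as an illustration and not taken from Facebook's, Apple's or any other site's code. The `Site` class and the cookie names `visitor_id` and `session` are hypothetical; it shows that logging out ends authentication but not recognition, while deleting cookies ends both.

```python
import secrets


class Site:
    """Toy model of a site that sets a long-lived visitor cookie (hypothetical)."""

    def __init__(self):
        self.visitor_to_account = {}  # visitor_id value -> last account that logged in
        self.sessions = {}            # session value -> authenticated account

    def handle(self, cookies, login_as=None, logout=False):
        """Process one request; return (browser cookie jar, authenticated, recognised)."""
        jar = dict(cookies)
        # First visit: issue a unique, long-lived, initially anonymous identifier.
        if "visitor_id" not in jar:
            jar["visitor_id"] = secrets.token_hex(16)
        if login_as:
            sid = secrets.token_hex(16)
            self.sessions[sid] = login_as
            jar["session"] = sid
            # The anonymous identifier is now tied to a named account.
            self.visitor_to_account[jar["visitor_id"]] = login_as
        if logout:
            # Only the session cookie is unset; visitor_id stays in the browser.
            self.sessions.pop(jar.pop("session", None), None)
        authenticated = self.sessions.get(jar.get("session"))
        recognised = self.visitor_to_account.get(jar["visitor_id"])
        return jar, authenticated, recognised


def demo():
    site = Site()
    jar, auth, known = site.handle({})                     # brand-new visitor
    first_visit = (auth, known)
    jar, auth, known = site.handle(jar, login_as="alice")  # log in
    jar, auth, known = site.handle(jar, logout=True)       # log out
    after_logout = (auth, known, "session" in jar)
    old_id = jar["visitor_id"]
    jar, auth, known = site.handle({})                     # user deleted all cookies
    after_delete = (auth, known, jar["visitor_id"] != old_id)
    return first_visit, after_logout, after_delete


if __name__ == "__main__":
    for label, result in zip(("first visit", "after logout", "after delete"), demo()):
        print(label, result)
```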