Logging Out Of Facebook Is Not Enough
You may know that your browser sends information to Facebook whenever you visit a web page that hosts a Facebook Like or Share button or other Facebook content.
That's true even if you do not have a Facebook account. If you do have a Facebook account and are signed in, Facebook gets to know which sites you visit and can link those visits with your account for a more accurate profile.
Some users may see this as a privacy invasion. The general advice that you get on the Internet is to log out of the Facebook account when you do not use the site. The reasoning here is that logging out should prevent the identification of users on third party sites that load Facebook content.
According to Nik Cubrilovic though this is not the case. Facebook can track logged out users as much as it can track logged in users. How do they do it? With cookies of course. One would assume that logging out would delete all cookies linked to the account.
This is apparently not the case here. Facebook is not deleting all cookies when a user logs out. Nik notes:
To make it easier to see the cookies being unset, the names are in italics. If you compare the cookies that have been set in a logged in request, and compare them to the cookies that are being unset in the logout request, you will quickly see that there are a number of cookies that are not being deleted, and there are two cookies (locale and lu) that are only being given new expiry dates, and three new cookies (W, fl, L) being set.
Cookies that identify users based on the account Id still exist, which means that Facebook has access to that data whenever a connection to the site is made (on Facebook itself or third party sites). This means that Facebook can still identify users even if they are logged out of the social networking site.
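The comparison Nik describes can be automated. The following is an added example, not code from Nik's post or from Facebook: it classifies each cookie by what a logout response's Set-Cookie headers do to it. The sample headers are constructed; only the names locale, lu, W, fl and L come from the quote above, and acct_id, device_id and session are hypothetical stand-ins.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute keys lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in rest)}
    return first.partition("=")[0].strip(), attrs

def is_deletion(attrs, now):
    """True if the header unsets the cookie (Max-Age <= 0 or Expires in the past)."""
    try:
        if "max-age" in attrs:          # Max-Age takes precedence over Expires
            return int(attrs["max-age"]) <= 0
        if "expires" in attrs:
            return parsedate_to_datetime(attrs["expires"]) <= now
    except (TypeError, ValueError):
        pass                            # unparsable attribute: treat cookie as still set
    return False

def audit_logout(before, set_cookie_headers, now):
    """Classify every cookie by what the logout response does to it."""
    r = {"deleted": set(), "refreshed": set(), "new": set()}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        kind = ("deleted" if is_deletion(attrs, now)
                else "refreshed" if name in before else "new")
        r[kind].add(name)
    r["untouched"] = set(before) - r["deleted"] - r["refreshed"]
    r["surviving"] = (set(before) | r["new"]) - r["deleted"]
    return r

# Constructed sample, not captured traffic. locale, lu, W, fl and L are the names
# from Nik's description; acct_id, device_id and session are hypothetical.
BEFORE = {"acct_id", "device_id", "session", "locale", "lu"}
LOGOUT_SET_COOKIE = [
    "session=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/",
    "locale=en_US; Expires=Mon, 03 Oct 2011 10:00:00 GMT; Path=/",
    "lu=x; Expires=Wed, 25 Sep 2013 10:00:00 GMT; Path=/",
    "W=1; Path=/", "fl=1; Path=/", "L=2; Path=/",
]
NOW = datetime(2011, 9, 26, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for kind, names in audit_logout(BEFORE, LOGOUT_SET_COOKIE, NOW).items():
        print(f"{kind:>9}: {sorted(names)}")
```

Anything listed under "untouched" or "surviving" is still sent with every later request to the cookie's domain, including requests triggered by embedded buttons on third-party sites.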
The only solution? To delete all Facebook cookies whenever possible. While you could do that manually every time you log out of Facebook, it is probably not the best solution in this case.
First, you have to do it every time after signing out on the site which can quickly become a nuisance, and second, you have to remember to do it.
Here are a few add-ons and extensions that take care of that for you:
- Facebook Blocker [Firefox] - Blocks all Facebook content on third-party sites from sending information. You can still interact with the elements if you want, but until you do, no information is submitted.
- Facebook Disconnect [Google Chrome] - Blocks all Facebook traffic from third party sites.
- Facebook Blocker [Opera] - Seems to be identical to the Google Chrome extension, blocks all Facebook third party traffic.
Have another add-on or tip on how to cope with the situation? Let everyone know in the comments.
Update: Facebook responded in an email. Here is their official statement:
Facebook does not track users across the web. Instead, we use cookies on social plugins to personalize content (e.g. Show you what your friends liked), to help maintain and improve what we do (e.g. Measure click-through rate), or for safety and security (e.g. Keeping underage kids from trying to signup with a different age). No information we receive when you see a social plugin is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information.
Specific to logged out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of 'keep me logged in'.
Don’t you just love the reply from Facebook? Reminds me of Google’s “we’re not evil” mantra while contrary proof is frequently uncovered.
In the end you have to remember there’s a fine line between “being social” and “dropping your pants”. As long as I have a choice, I rather keep them on. That’s why I block facebook on a DNS level instead of hoping that some addon will do the job flawlessly. No connection = no tracking. Life can be simple if you let it… ;)
It’s best to use the Cookie Swap Firefox addon, create a sep profile for FACEBOOK
It’s abundantly clear by now that Facebook never had nor ever will have any concern for their users’ privacy. If you use Facebook, accept this and stop acting surprised and aghast at the weekly privacy violation issues that are discovered. They are never going to change or become fully transparent. If you value your online privacy, then don’t use Facebook. Works for me.
Interesting I can’t find this plugin on my comp as Widget or whatever. I did however install it for my Opera. Would you be so kind to explain where is it and how to uninstall it if I want to get rid of it?
Both Ghostery and RequestPolicy will also help you..
For Firefox Browser try ShareMeNot…
Designed to prevent third-party buttons (such as the Facebook “Like” button or the Twitter “tweet” button) embedded by sites across the Internet from tracking you until you actually interact with them.
https://addons.mozilla.org/en-US/firefox/addon/sharemenot/?src=cb-dl-hotness
You are right, I think I reviewed it as well here a couple days ago.
“You may know that your browser sends information to Facebook whenever you visit a web page that hosts a Facebook Like or Share button or other Facebook content” -> this affects people with and without facebook accounts
So if you have NoScript with Facebook.net blocked those scripts may not get loaded… Please correct me if I didn’t get it right.
But in the case of people that logged out of facebook, there will be as well cookies that may send information about the visited pages in addition to the “like” or “share” buttons/scripts on websites.
Doing it manually is no problem once it becomes habit. I use Ctrl-Shift-Del as a matter of course after any website where I’ve input personal info. I’d use it in Facebook but I’m not an addict to that sad (and increasingly suspect) technology.
I just have NoScript permanently block Facebook and Twitter.
Just blocking script from facebook ain’t gonna do it.
Please explain. Not a rebuttal here. Just want to know what you mean since I’m not aware of it.
Thanks for the information Martin. Didn’t know about this. But I don’t get the response mentioned in the link mentioned
For what it’s worth, Facebook denies all charges :D
http://www.theregister.co.uk/2011/09/26/facebook_sees_logged_out_users/
Interesting. So they do not deny the possibility, but that they do it, if I understand that response correctly.
Thanks Martin, and thanks as well to Alexander Shenkin.
What do we not have to exercise nowadays on the Web in order to have simple tranquility when browsing, when even just connected? This is a mad and/or wild and/or man’s man’s world, isn’t it?!
I blogged about this earlier – see http://albosure.blogspot.com/2011/02/block-facebook-ads-on-other-websites.html for the details of the solution. In the article, I recommend some custom AdBlock Plus tweaks to fix the problem. If you’re on Firefox, I also highly recommend installing CSFire and blocking facebook requests with it (though the adblock plus tweak will work for facebook on its own, it will keep other big-brother types out of your hair too – see other posts in the blog for more details).
What about AdBlock Plus?