Thursday, September 29, 2011

Facebook Fixes Tracking Cookies Stored Upon User Logout

Facebook has fixed the website cookies that were allegedly tracking users after they had logged out of their Facebook accounts.

Ever since Nik Cubrilovic revealed that he’d been trying to notify Facebook about some of its questionable cookies since November of 2010, the question of whether the social networking site tracks users’ activity outside of Facebook.com has been under heated debate.

In his blog post on Sunday, Cubrilovic showed that, instead of destroying all cookies upon logout, Facebook deleted only a handful, while 2 were given expiration dates and three entirely new ones were set.

While some cookies seemed relatively harmless (‘locale’ for instance saves your language & country), some seemed a bit suspicious. Take the ‘act’ cookie for example, which had every request timestamped down to the millisecond and had a unique identifier – thus identifying you as a Facebook user – even after you’d logged out.

It just so happened that Cubrilovic’s post caught the attention of Gregg Stefancik, who identified himself as a Facebook engineer and commented on the post saying that Facebook’s cookies aren’t used for tracking. "They just aren't."

In his comment, Stefancik wrote:
The logged out cookies, specifically, are used primarily for safety and security protections, including:

  • Identifying and disabling spammers and phishers

  • Disabling registration if an underage user tries to re-register with a different birth date

  • Helping people recover hacked accounts

  • Powering account security features, such as login approvals and notifications

  • Identifying shared computers to discourage the use of “Keep me logged in.”



Many people didn’t seem to buy it, as subsequent comments picked Stefancik’s words apart.

Either way, the post made enough waves to get Facebook to take action, and after 48 hours of research and constant contact with Nik Cubrilovic, Facebook updated their website and clarified what actually happens when users log out.

Cubrilovic even posted a follow-up blog entry outlining the cookies that do remain after logout, which include datr, lu, p, L, & act:

  • datr – helps identify suspicious login activity (failed login attempts/multiple spam acct creation)

  • lu – helps protect people using public computers

  • act – helps Facebook monitor site performance


The remaining cookies were said to be for less interesting things, like setting your browser language & device dimensions. Two other cookies mentioned, the a_user cookie that contains the user's ID and the a_xs cookie used to prevent cross-site request forgery, are both said to be destroyed upon logout.
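One way to check for yourself which cookies a logout response destroys, re-issues with an expiry date, or newly sets, as described above. This is an added example, not Cubrilovic's or Facebook's code; the function names, cookie values, and headers are constructed sample data using the cookie names from this page, not captured traffic.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, expires, max_age)."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    expires = max_age = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            max_age = int(val)
        elif key == "expires":
            expires = parsedate_to_datetime(val.strip())
            if expires.tzinfo is None:  # treat a zone-less date as UTC
                expires = expires.replace(tzinfo=timezone.utc)
    return name, expires, max_age

def audit_logout(jar_before, logout_headers, now):
    """Map each cookie name to (state, is_new) after the logout response."""
    report = {name: ("untouched", False) for name in jar_before}
    for header in logout_headers:
        name, expires, max_age = parse_set_cookie(header)
        if max_age is not None:  # Max-Age wins over Expires (RFC 6265)
            state = "deleted" if max_age <= 0 else "persistent"
        elif expires is not None:
            state = "deleted" if expires <= now else "persistent"
        else:
            state = "session"  # lives until the browser is closed
        report[name] = (state, name not in jar_before)
    return report

def survivors(report):
    """Names of cookies the browser still holds after logout."""
    return sorted(n for n, (state, _) in report.items() if state != "deleted")

# Constructed sample data: cookie jar while logged in, then the logout response.
JAR_BEFORE = {"a_user": "1000001", "a_xs": "tok", "datr": "d1", "lu": "l1", "locale": "en_US"}
LOGOUT_HEADERS = [
    "a_user=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/",
    "a_xs=deleted; Max-Age=0; Path=/",
    "lu=l2; Expires=Wed, 25 Sep 2013 00:00:00 GMT; Path=/; HttpOnly",
    "act=1317000000000%2F0; Path=/",
]
NOW = datetime(2011, 9, 26, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, (state, is_new) in sorted(audit_logout(JAR_BEFORE, LOGOUT_HEADERS, NOW).items()):
        print(f"{name:8} {state:10} {'new' if is_new else ''}")
```

Any name returned by `survivors` is still sent with later requests to the site, so identifier-bearing cookies in that list are the ones worth examining.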

Despite the changes, it’s still recommended that users either delete all cookies following a Facebook logout or simply use a different browser for Facebook interaction and regular web browsing.

What's your take on all of this? Do you think Facebook is really tracking users to serve better ads? Or do you think it's for another reason?

Photo Credit: Truthout.org
