Facebook cookies are primarily used for service and security reasons, Facebook login engineer Gregg Stefancik said on Monday.
"Our cookies aren't used for tracking. They just aren't," said Stefancik in comments on a blog post. "Instead, we use our cookies to either provide custom content (e.g. your friend's likes within a social plugin), help improve or maintain our service (e.g. measuring click-through rates to help optimize performance), or protect our users and our service (e.g. defending denial of service attacks or requiring a second authentication factor for a login from a suspicious location)."
Facebook has been repeatedly criticised over user privacy issues, and chief executive Mark Zuckerberg has acknowledged that there is often a "backlash" against new Facebook features.
Australian researcher Nik Cubrilovic said in a blog post on Sunday that Facebook alters the state of cookies stored on a user's computer when they have logged out, but does not remove the cookies. Moreover, nine cookies, including account identification, are sent to Facebook every time a user visits a site with a Facebook 'like' button, Cubrilovic said.
"With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook," said Cubrilovic. "The only solution to Facebook not knowing who you are is to delete all Facebook cookies."
Cubrilovic said that he had discovered a cookie called 'act', which he claimed stood for 'account number' and which allowed Facebook to identify logged-out users online.
Stefancik countered this claim in a comment on Cubrilovic's blog post by saying that 'act' in fact stood for 'action', and was a UNIX timestamp used to measure and optimise the speed of the site. Moreover, Facebook deletes account-specific cookies when a user logs out, said Stefancik.
A Facebook spokeswoman on Monday confirmed that Stefancik had commented on Cubrilovic's blog.

Talkback
Hi there,
I wanted to send along a note on behalf of Facebook Communications.
Facebook does not track users across the web. Instead, we use cookies on social plugins to personalize content (e.g. show you what your friends liked), to help maintain and improve what we do (e.g. measure click-through rate), or for safety and security (e.g. keeping underage kids from trying to sign up with a different age). No information we receive when you see a social plugin is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information.
Specific to logged out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of 'keep me logged in'.
One of our engineers, Gregg Stefancik, also posted a longer and more technical explanation on the original blog post: http://nikcub-static.appspot.com/logging-out-of-facebook-is-not-enough
@andrewnoyes Thanks for your comment. I'm a bit puzzled as to what it actually adds to the story as reported. The blog post says everything that you mention, plus it links to the Stefancik blog post you include.
If Facebook Communications would like to talk to us about privacy and data handling on the service, we'd be happy to talk. If you're posting prepared comments on news sites, it looks like you do want to be heard.
My wife and youngest daughter use Facebook and never log out. I will not use Facebook because I have an old-fashioned view of privacy and control of my data. My older children, now with families of their own, also use Facebook and I doubt they log out either.
In addition, I frequently close my browser to clear all data, having configured the browser accordingly. I'm the only person I know who takes these precautions, that is, unless I set it up for them.
Maybe I'm paranoid, but I don't have many problems with my computers and data.