October 3, 2011
Facebook Inc. is facing new scrutiny over its privacy practices after an Australian technology blogger posted a story noting the social network was gathering information about users whenever they visited web pages featuring Facebook’s Like button—even after they logged out of the social network.
“With my browser logged out of Facebook, whenever I visit any page with a Facebook Like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook,” Nik Cubrilovic wrote in a blog post. “The only solution to Facebook not knowing who you are is to delete all Facebook cookies.”
That post led the co-chairs of the bipartisan Congressional Privacy Caucus Rep. Ed Markey (D-Mass.) and Rep. Joe Barton (R-Texas), along with the Electronic Privacy Information Center and 10 other privacy and civil rights advocacy groups, to send letters formally asking the Federal Trade Commission to investigate the social network’s policies.
“When users log out of Facebook they are under the expectation that Facebook is no longer monitoring their activities,” Markey and Barton wrote in a letter sent this week to FTC chair Jon Leibowitz. “We believe this impression should be the reality. Facebook users should not be tracked without their permission.”
Facebook places at least six cookies on a user’s browser whenever the user visits the social network, according to the Electronic Privacy Information Center’s letter. One of those cookies is a so-called “persistent identifier” that contains information about a user’s identity. That cookie reports information, such as when a user visits a site with a Like button, back to Facebook until the user closes his browser completely.
A Facebook spokesman acknowledged that it collects data via cookies, but says the transmission of information was inadvertent. "Like every site on the internet that personalizes content and tries to provide a secure experience for users, we place cookies on the computer of the user," he says. "Three of these cookies on some users' computers inadvertently included unique identifiers when the user had logged out of Facebook. However, we did not store these identifiers for logged out users. Therefore, we could not have used this information for tracking or any other purpose."
A note in the site's Help Center further clarifies the social network's positioning. It reads: “If you’re logged out or don’t have a Facebook account and visit a website with the Like button or another social plug-in, your browser sends us a limited set of information. For example, because you’re not logged in to Facebook, we don’t receive your user ID. We do receive the web page you're visiting, the date and time, and other browser-related information. We record this information for a limited amount of time to help us improve our products. For example, we sometimes find bugs in the systems we’ve built to gather aggregate data on how people are interacting with sites that use the Like button or other social plug-ins. It’s helpful to be able to reference this anonymized information when investigating these bugs so we can find their source and fix them quickly.”
Following his initial blog post Cubrilovic wrote Facebook responded to his concerns by explaining that the social network has cookies that persist after a consumer logs out to track browsers for safety and spam purposes.
The attention being paid to the transmission of information is now even more prominent after Facebook’s f8 Developers Conference last week. The social network launched a slew of updates to its platform, including the Open Graph. The Open Graph broadcasts connections that users make between themselves and a variety of objects, web sites and activities through social applications that connect to a user’s profile and automatically shares information about the user’s activities, such as what film a Netflix user is streaming. That type of “frictionless sharing” creates a new stream of privacy and security issues for consumers, the EPIC letter says.
“Once social apps enter the picture Facebook users could unknowingly share information about nearly every aspect of their lives, ranging from embarrassing but otherwise innocuous revelation of questionable music taste to the potentially dangerous revelation that one is consuming the ‘wrong’ political or religious content,” the letter says.
The latest hubbub is not the first time the social network has attracted scrutiny for its privacy breaches. In May Representatives Markey and Barton sent a letter to the FTC about a security vulnerability on Facebook.com that provided advertisers, analytics firms and other third parties to access users’ accounts and personal information. They also wrote to the social network last October after several applications built on the Facebook Platform violated the social network’s policies by passing on consumers’ user IDs to ad networks.
The FTC could not be reached for immediate comment on whether it was pursuing an investigation.
Please be sure to fill in all information. Comments are moderated. Please no link dropping, domains as names; do not spam and do not advertise.