Facebook responds to allegations of privacy violations via cookie tracking

Facebook has responded to claims that the company can track web pages a person visits even after logging out of the social network — something that could violate a person’s privacy rights.

Yesterday, VentureBeat reported on tests run by entrepreneur/hacker Nik Cubrilovic, who determined that Facebook merely alters its tracking cookies when a user log out, rather than deleting them. Those cookies still contain account information and other unique identifiable information, which means Facebook can track a person’s visits to any page with a Facebook button or widget.

A Facebook spokesperson sent us the following statement:

Facebook does not track users across the web. Instead, we use cookies on social plugins to personalize content (e.g. Show you what your friends liked), to help maintain and improve what we do (e.g. Measure click-through rate), or for safety and security (e.g. Keeping underage kids from trying to signup with a different age).  No information we receive when you see a social plugins is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information.

Specific to logged out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of ‘keep me logged in’.

Regardless of why Facebook is keeping the information stored in those cookies, the information is still there and able to be exploited, according to Catalin Cosoi, head of Online Threat Labs for security software firm BitDefender.

“In the past, third-party groups could gain access to a users information regardless of if they were logged in because it revealed their individual token,” Cosoi said, who said he’s not certain that the cookies could be exploited in the same way. “But the fact that Facebook’s cookies retain some information… it’s certainly one more thing to consider given all of (Facebook’s) other changes announced at f8.”

BitDefender published a list of major security concerns that Facebook’s new OpenGraph platform presents. For instance, Smart Lists — lists based on a single identifying detail (like location, school, employer) that are automatically collected by Facebook — will make it much easier for data thieves to target users. Facebook’s new Timeline profiles present the same problem — giving scammers a hyper-detailed description of you life.

“For an attacker who wants to target a specific group of individuals, it makes his job a lot easier since you already have them clustered,” Cosoi said, adding that someone could pose as a member of a particular social group and gain access to all the other account info.

From there, Cosoi said compromised accounts would turn into spam bots that could theoretically pollute Facebook’s new real-time activity ticker. Also, Facebook’s new subscribe feature could increase the number of spambots — giving Facebook a problem that’s similar to what Twitter has to combat with its own subscription-based service.

With the increased ability to track a persons activity on a timeline, arguably one could make a case for Facebook’s cookie storing practice — especially if the account data is being used to make sure data thieves don’t gain access to an account and not for ad targeting. But it’s clear that Facebook users are a bit apprehensive about the idea of Facebook storing information that they have little control over.