
Logging out of Facebook is not enough
September 27, 2011 1:49 AM

Logging out of Facebook is not enough - Nik Cubrilovic demonstrates how, even after logging out, Facebook tracks every page you visit on sites that integrate Facebook services [via]
posted by Blazecock Pileon (123 comments total) 27 users marked this as a favorite

 
I read this article last night after a friend posted it on facebook (shocking).

Make sure you read the (first) comment below the article for a response from a facebook developer addressing the main points of the article. IMO, it remains to be seen whether that response adequately addresses the security issues in full, but it's certainly relevant.
posted by hootenatty at 2:05 AM on September 27, 2011 [2 favorites]


logging out of Facebook is not enough
they follow you wherever you go
they know what you eat on your pizza
and they know when you stub your toe
if you have a fight with your girlfriend
if you kiss and make up with your guy
they know it all, even before you do
but the question, of course, is... why?

why do they follow me everywhere?
do they really wanna know all that?
i mean, my life, in fact, is quite boring,
don't even wear an interesting hat
so i really don't think they should bother
cause there ain't no reason nor rhyme
but i'm sure they'll stop, once they realize
i'm just really not worth their time
posted by flapjax at midnite at 2:06 AM on September 27, 2011 [24 favorites]


"Facebook is scaring him since the new API allows applications to post status items to your Facebook timeline without a users intervention. " This is why you don't allow Facebook apps that want to post to your timeline.
posted by arse_hat at 2:07 AM on September 27, 2011 [1 favorite]


Frankly, I'm not sure I'm interesting enough for FB to waste their time following me. I only go to FB once a month or so.

arse_hat: "This is why you don't allow Facebook apps that want to post to your timeline."

QFT.
posted by arcticseal at 2:11 AM on September 27, 2011


Guess I'll have to steer clear of www.howtohaveanorgywithyourthreehottestnieces.com for a bit. Shame, as I was really active on the forums.
posted by tumid dahlia at 2:12 AM on September 27, 2011 [4 favorites]


Any site that you log into can do this if it doesn't delete all of their cookies when you log out. Even Metafilter!

The only way to be clear of this which doesn't involve reliance on the good intentions of others is to manually clear your cookies or use something like Ghostery, which is sort of like AdBlock for tracking cookies.

Hopefully this will raise the profile of these sorts of tracking mechanisms, but I kind of doubt it will have any real impact. If you take a look at the list of cookies Ghostery blocks you'll see that FB is just one of many doing things like this.
posted by feloniousmonk at 2:25 AM on September 27, 2011 [3 favorites]


To clarify, of course only sites which have widgets which appear on other sites would be able to get any useful information out of the tracking cookies, so whatever random site you log into (such as our dear Metafilter) that doesn't correctly remove their cookies when you log out is not going to have access to much useful information, but things like the ever-present social media sharing buttons, +1, Like, Reddit, digg, etc. or advertising networks know whenever you visit a site that hosts their widget.
posted by feloniousmonk at 2:28 AM on September 27, 2011 [1 favorite]


One more thing and I am done: Mefi is just being used as an example of a site you might log into. It's not doing anything like this with your cookies and as far as I am aware is a good citizen in terms of removing them when you sign out.
posted by feloniousmonk at 2:31 AM on September 27, 2011


"but things like the ever-present social media sharing buttons, +1, Like, Reddit, digg, etc." This is why you block this stuff. I'm not saying this is optimal but you still need to be on guard when browsing the web. On the other hand it's not likely any of these folks' knowledge of you will ever really impact you.
posted by arse_hat at 2:34 AM on September 27, 2011


...The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.

See, this is kind of smart. Use, say, Chrome only for facebook and ta-da! You've isolated the creepy little parasite.
posted by From Bklyn at 2:40 AM on September 27, 2011 [2 favorites]


I'm glad people are becoming more aware of this, but this is in no way new, and in no way unique to Facebook. They're just the media attack target-du-jour and ignorant users are jumping on the anti-Facebook bandwagon without realizing (or caring) that sites like Amazon have been doing this for years. Heck, most websites don't invalidate cookies. They'll invalidate session tokens (on the server side) but the cookies remain.

In Firefox, just go to [Tools -> Options -> Privacy -> Remove individual cookies] for a gigantic list of all the websites that work in the exact same way. The big difference is that most of those sites don't have open APIs that allow other websites to add little "widgets" that link back to Facebook.

Thing is, there's no way to stop this. NO WAY TO STOP THIS. Oh, just clear your cookies!, I hear you say. Fine and dandy. So they'll just associate you with your IP. Put an image on a website that links to a facebook page, you're making a request to the facebook server, that request has your IP address, and voilà! They know what image you're looking at. Add a unique token to the image and they can tell what page it's being served from (or just use the http-referer header).

Useless scare mongering.

Nothing you can do, nothing! can stop Facebook from doing this. The only solution is to <gasp!> stop using Facebook you fucking addicts. Choose your social media connection with a little more care next time. Even Google+ (which undoubtedly does things similar) would be a better choice. Because at least Google understands that users don't like this shit.
posted by Civil_Disobedient at 2:43 AM on September 27, 2011 [34 favorites]


I don't think using a separate browser is necessarily always going to be safe. There's a decent chance that the really big sites like FB and Google are also associating your machine to your account based on other variables such as IP address and other mechanisms. I don't know if it's been seen in the wild yet, but researchers have created systems for developing "permacookies" which are effectively impossible to remove from your machine.
posted by feloniousmonk at 2:46 AM on September 27, 2011 [4 favorites]


And yeah, this stuff has been around since the early days of the commercial web in one form or another. I helped build a system which had similar features in 2004 and this was the 5th or 6th revision of it at this company, which was founded in the late 90s.
posted by feloniousmonk at 2:48 AM on September 27, 2011


@tumid dahlia

thats a weird name for an employee rights board or a public protest info site or a fucking leftie news site or literally anything that isnt fucking incest porn

its a good thing that only creeps care about this, huh

real good, really good work there
posted by This, of course, alludes to you at 2:49 AM on September 27, 2011 [1 favorite]


there's another interesting article about facebook over in projects
posted by 5_13_23_42_69_666 at 2:54 AM on September 27, 2011


Is this the sort of thing I'd have to make a snarky comment about not being on Facebook to...something?
posted by obiwanwasabi at 2:55 AM on September 27, 2011 [1 favorite]


Because at least Google understands that users don't like this shit.

So they just take pictures of unsuspecting people in the street?
posted by Skeptic at 2:59 AM on September 27, 2011 [7 favorites]


This explains why when I'm not on FB I keep seeing FB cookies
posted by infini at 3:03 AM on September 27, 2011 [1 favorite]


It's not so much the privacy I mind as the making my computer do things I didn't ask it to do. I mean, it's like I don't really care if someone wants to see my bedroom, but it annoys me when their camera is taking up floorspace and using my electricity.
posted by Segundus at 3:29 AM on September 27, 2011 [2 favorites]


So they just take pictures of unsuspecting people in the street?

Yeah, and then they tag the picture with the person's name and link it to their account.

Oh wait, they don't do that at all and your argument is completely invalid.
posted by Civil_Disobedient at 3:36 AM on September 27, 2011 [6 favorites]


Quick question - what's the situation with cookies if you're only browsing the webs via a smartphone (that's not Apple)?
posted by infini at 3:40 AM on September 27, 2011


Useless scare mongering.

Can you explain in clear technical language how Nik Cubrilovic is scare-mongering? As near as I can tell, he's doing a pretty straightforward analysis.
posted by Blazecock Pileon at 3:47 AM on September 27, 2011 [2 favorites]


Don't overlook the author's correction at the end: "I also say 'all sites' can be tracked, when I meant to say 'all sites that integrate facebook'."

Minor point to be sure. :/
posted by marxchivist at 3:49 AM on September 27, 2011


I've all but stopped using FB since the privacy kerfuffles. Now, on the rare occasions I log in, I do it from a browser that I only use for FB, and I wipe everything every time. Sad thing is, I still don't think it's enough.

Instead, I think I need to employ my 89 year old father-in-law's option....when he got a Firefox warning for a vital flash update, he closed all his applications, shut down his computer, unplugged the router, unplugged the network cables, unplugged the modem, took out the coax cable and then called me to see if he needed to unplug his tv too. THAT is how I now feel about Facebook.
posted by nevercalm at 3:56 AM on September 27, 2011 [31 favorites]


I use a different browser on a different computer in a different building when I log in to Facebook. Also, I use someone else's identity on Facebook and I have friended only that person's actual high school friends so they all think I am him. No one knows I am me.

If you want to maintain your privacy, don't join social networks. They are data mining sites that infect your brain's Look At Me! center and get you to do the mining for them.
posted by pracowity at 3:59 AM on September 27, 2011 [11 favorites]


Quick technical point: logging out may either remove or alter a session cookie (depending on implementation) but there's another commonly-used function that requires that a cookie remain: "remember me". The site needs to store a cookie in order to pre-fill your username when you get to the login screen*. So if you check that little box on the login screen you are requesting that a persistent cookie be set. Whether or not a given site uses it to track you is another matter, of course, but the possibility exists for any site whose widgets are used elsewhere.

* Note that your browser also probably offers to do this; this is probably a better choice for those of you inclined to delete your cookies (unless you're on a shared computer).
posted by Songdog at 4:01 AM on September 27, 2011


This sounds like something that Close'n Forget and RequestPolicy could handle between them. I never see anything Facebook related on any other site, and I know that no Facebook cookies remain after closing the tab.
posted by Solomon at 4:26 AM on September 27, 2011 [2 favorites]


Yeah, and then they tag the picture with the person's name and link it to their account.

Perhaps not, but they do (did) intercept your WiFi traffic. But don't worry, it was a mistake, because the Chocolate Factory does not, will not do evil.
posted by Skeptic at 4:26 AM on September 27, 2011 [2 favorites]


Unlike most people on the Internet, I don't think I'm all that interesting. If Mark Zuckerberg wants to know how long I spent watching Zero Punctuation this week, he's welcome to it.

The only thing this will lead to is better targeted ads being caught by my AdBlock.
posted by unigolyn at 4:29 AM on September 27, 2011 [2 favorites]


-Useless scare mongering-

Well, I wouldn't say you're doing that exactly Civil_Disobedient, but you are sprouting some theoretical ideas -- i.d. by IP addi for eg. -- that we don't know lead to sharing of info via FB while we are logged out, beyond you asserting that it is, or maybe is, so.
posted by peacay at 4:31 AM on September 27, 2011


So, is there a list of domains anywhere to add to my hosts file?
posted by pompomtom at 4:31 AM on September 27, 2011


Is there anything that facebook can't do?
posted by the noob at 4:35 AM on September 27, 2011


Is there anything that facebook can't do?

Attach links to your status update without choking and dying.
posted by griphus at 4:38 AM on September 27, 2011 [13 favorites]


Nik Cubrilovic demonstrates how, even after logging out, Facebook tracks every page you visit on sites that integrate Facebook services

Whoa. This is almost as bad as having to turn off those god damn ads every time I log into a forum.
posted by hal_c_on at 4:52 AM on September 27, 2011


Remember when cookies used to mean a delicious snack? Why does the internet ruin everything?

Priv3, a Firefox extension, blocks Facebook, Google, Twitter and LinkedIn from tracking you on other sites while staying logged into those sites. Unless you +1 or like something. (via)
posted by lilkeith07 at 4:55 AM on September 27, 2011 [3 favorites]


Any site that you log into can do this if it doesn't delete all of their cookies when you log out. Even Metafilter!

This is only partially true.

Cookies are domain-specific. Assuming the browser doesn't have a security issue with how it handles cookies, it's only supposed to give cookies back to the site that set them.

So, facebook can see these cookies if you visit its own site, or if you visit a site that loads pieces of facebook as advertisements, like buttons, etc.

This would only apply to MetaFilter if a large amount of sites included Metafilter code snippets.

So, really this problem is specific to large social networking institutions like Facebook and Twitter - places that offer APIs and encourage other third-party sites to include their own code.
posted by odinsdream at 5:06 AM on September 27, 2011 [1 favorite]


So why not just disable third-party cookies?
posted by crunchland at 5:10 AM on September 27, 2011


I don't know if it's been seen in the wild yet, but researchers have created systems for developing "permacookies" which are effectively impossible to remove from your machine.

Evercookie
evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.
posted by odinsdream at 5:11 AM on September 27, 2011 [8 favorites]


This technique isn't new, and to reiterate odinsdream, it depends on having a large network of sites where your code is deployed (e.g. through javascript snippets, iframe tags, or even simple image tags). Facebook can tell when you're visiting one of those sites that has its code integrated; it can't see _all_ of the sites you're visiting (though for many people those two sets may be very close to the same).

This is basically how ad networks work. I'd guess that the network of sites that run ads served by, say, DoubleClick or Google Ads is much larger than the network of sites that have Facebook "Like" buttons, etc.
posted by sriracha at 5:17 AM on September 27, 2011 [1 favorite]


Robert Clayton Dean: What the hell just happened?
Edward "Brill" Lyle: I blew up the building.
Dean: Why?
Lyle: Because you made a phone call!
posted by OmieWise at 5:19 AM on September 27, 2011 [3 favorites]


sriracha: "This is basically how ad networks work. I'd guess that the network of sites that run ads served by, say, DoubleClick or Google Ads is much larger than the network of sites that have Facebook "Like" buttons, etc."

QFT. This is neither new nor unique to Facebook.

Civil_Disobedient: "Even Google+ (which undoubtedly does things similar) would be a better choice. Because at least Google understands that users don't like this shit"

I'm curious why you think this. Google's been at this game for much longer than Facebook.
posted by mkultra at 5:23 AM on September 27, 2011 [3 favorites]


Because at least Google understands that users don't like this shit --- So they bought Doubleclick, to save us from it, I guess.
posted by crunchland at 5:26 AM on September 27, 2011 [1 favorite]


You can actually stop this behavior with Adblock Plus on Firefox. Add the following rules:

connect.facebook.*
*.facebook.*/plugins*

Now, "like" buttons will not appear on the page and will not send any traffic to facebook (even if you're logged in). I verified this with Fiddler, which you should download if you're interested in being an educated and paranoid internet user.
posted by Jpfed at 5:28 AM on September 27, 2011 [27 favorites]
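
The mechanics discussed in the comments above (cookies scoped to the domain that set them, cookies left behind after logout, and the two filter rules Jpfed lists) can be modelled in a few lines. This is an added example, not part of the thread and not Facebook's or any browser's real code; the cookie names and values, the `news.example` page and the embed URLs are constructed, and "site" is approximated by the last two host labels.

```javascript
// Constructed model of browser cookie handling; not Facebook's or any browser's code.

// RFC 6265 domain-match: the host equals the cookie domain or is a subdomain of it.
function domainMatch(host, cookieDomain) {
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Simplification (assumption): "site" = last two host labels, no public-suffix list.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Adblock Plus-style plain filter: substring match on the URL, '*' is a wildcard.
function filterToRegExp(filter) {
  const parts = filter.split('*').map(p => p.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp(parts.join('.*'), 'i');
}

class CookieJar {
  constructor() { this.cookies = []; }
  set(name, value, domain, persistent) {
    this.cookies.push({ name, value, domain, persistent });
  }
  // Logout as the thread describes it: the session cookie goes, the rest stay.
  logout(domain) {
    this.cookies = this.cookies.filter(c => !(c.domain === domain && !c.persistent));
  }
  // Cookie header the browser would attach to a request for this host.
  headerFor(host) {
    return this.cookies.filter(c => domainMatch(host, c.domain))
      .map(c => `${c.name}=${c.value}`).join('; ');
  }
}

// Returns what each embedded server would receive for one page view.
function loadPage(jar, pageUrl, resourceUrls, opts = {}) {
  const filters = (opts.filters || []).map(filterToRegExp);
  const page = new URL(pageUrl);
  return resourceUrls.map(url => {
    if (filters.some(re => re.test(url))) {
      return { url, sent: false, cookie: '', referer: '' }; // request never leaves
    }
    const host = new URL(url).hostname;
    const thirdParty = siteOf(host) !== siteOf(page.hostname);
    const cookie = (opts.blockThirdPartyCookies && thirdParty) ? '' : jar.headerFor(host);
    return { url, sent: true, cookie, referer: pageUrl };
  });
}

// Constructed sample data: cookie names/values, page and embed URLs are illustrative.
function demo() {
  const jar = new CookieJar();
  jar.set('session', 's3cr3t', 'facebook.com', false);   // hypothetical names
  jar.set('browser_id', 'abc123', 'facebook.com', true);
  jar.logout('facebook.com');

  const page = 'https://news.example/story/42';
  const embeds = [
    'https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fnews.example%2Fstory%2F42',
    'https://connect.facebook.net/en_US/all.js',
    'https://cdn.example.net/lib.js',
  ];
  const threadFilters = ['connect.facebook.*', '*.facebook.*/plugins*'];
  return {
    defaults: loadPage(jar, page, embeds),
    noThirdPartyCookies: loadPage(jar, page, embeds, { blockThirdPartyCookies: true }),
    filtered: loadPage(jar, page, embeds, { filters: threadFilters }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In this model, blocking third-party cookies strips the cookie but the request still goes out with its Referer; only the filter rules stop the request itself.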


This is basically how ad networks work.

Right, and ad networks don't even have the concept of logging in or out. You just happen to see their ad and this happens.
posted by smackfu at 5:34 AM on September 27, 2011 [1 favorite]


Sorry to sound dumb, but is there anything you can do to prevent this if you're using Chrome?
posted by foxy_hedgehog at 5:55 AM on September 27, 2011


[I'm not sure why this topic is bringing out the jerk in people, but please maybe keep your weird offensive jokes to yourself? thank you.]
posted by jessamyn at 5:56 AM on September 27, 2011 [3 favorites]


is there anything you can do to prevent this if you're using Chrome? --- You can do the same thing that Jpfed describes for Firefox, by installing Adblock for Chrome, and add the rule.
posted by crunchland at 6:00 AM on September 27, 2011




Anybody got stronger facebook blocking rules than those? I suppose Facebook.com should not be given access to fbcdn.com's cookies really.
posted by jeffburdges at 6:05 AM on September 27, 2011


I've stopped going anywhere BUT Facebook, so I'm good.
posted by monospace at 6:08 AM on September 27, 2011 [7 favorites]


Make sure you read the (first) comment below the article for a response from a facebook developer addressing the main points of the article.

Ok, let's look:

Said more plainly, our cookies aren’t used for tracking. They just aren’t.

I can't help stopping there to ask a question: Is there anybody here who believes this? I have no idea where "an engineer who works on login systems at Facebook" fits in the company, but really? Facebook doesn't use cookies to track sites visited across its partner networks?

So, just to be clear, it's Zuckerberg's commitment to personal online privacy that prevents him from implementing that kind of profitable info-gathering? Is that what this engineer is asking us to believe?
posted by mediareport at 6:12 AM on September 27, 2011 [2 favorites]


Is that what this engineer is asking us to believe?

It's like that wide-eyed look of total innocence on your dog's face when you come home to find him in the living room surrounded by the torn-up kitchen trash. I mean, surely it was crazed intruders, right?
posted by elizardbits at 6:20 AM on September 27, 2011 [7 favorites]


Hang on a minute, imho, engineers will believe anything that marketing and sales tells them.
posted by infini at 6:21 AM on September 27, 2011 [2 favorites]




But what about us non users who just stumble on those pesky like buttons everywhere?

(ja ja install the block suggested above)
posted by infini at 6:24 AM on September 27, 2011


engineers will believe anything that marketing and sales tells them

That was totally my first thought, too.
posted by mediareport at 6:25 AM on September 27, 2011


Said more plainly, our cookies aren’t used for tracking. They just aren’t.

I can't help stopping there to ask a question: Is there anybody here who believes this? I have no idea where "an engineer who works on login systems at Facebook" fits in the company, but really? Facebook doesn't use cookies to track sites visited across its partner networks?

I had this exact conversation at work today. People looked shocked I said that this was an outright lie.

I still can't believe that FB lets its engineers get on online forums and mouth off. What's the point of having a phalanx of PR flacks if you just let anybody say anything?
posted by His thoughts were red thoughts at 6:32 AM on September 27, 2011 [4 favorites]


The only solution is to delete every Facebook cookie in your browser

I do this every time I log out of Facebook anyway; it's something every reasonably savvy person does, isn't it? (Which isn't to defend Facebook, which is an annoying mess, or Zuckerman, who seems the kind of person who liked to pull the wings off flies as a child, merely to say, well, I thought every one did that?)
posted by octobersurprise at 6:33 AM on September 27, 2011


Is this the thread about how now you cannot join Spotify without a Facebook account?
posted by progosk at 6:37 AM on September 27, 2011 [1 favorite]


CTRL+SHIFT+DEL
posted by cog_nate at 6:38 AM on September 27, 2011


I still can't believe that FB lets its engineers get on online forums and mouth off. What's the point of having a phalanx of PR flacks if you just let anybody say anything?

Just because the commenter says he's an engineer doesn't mean he's not a PR flack. (nor does it mean that he is an engineer)
posted by device55 at 6:45 AM on September 27, 2011 [4 favorites]


On the other hand it's not likely any of these folks' knowledge of you will ever really impact you.

This. Please, people, read and remember this.

Even Google+ (which undoubtedly does things similar) would be a better choice. Because at least Google understands that users don't like this shit.

I'm not convinced that Google isn't doing something similar to this, to be honest with you, and I still don't care.

And on top of that, a social network is only useful if the people you want to be social with are on it. I use FB a couple times a month to keep up with out of town family members, cousins and aunts and uncles and such... They are all either too young (late teens/early 20's) or too old (late 40's/mid 50's) to care about online privacy, they just want a social network that lets them connect with people and/or play Farmville/Mob Wars. And that's why privacy issues like this just aren't going to matter too much in the long run, IMO.
posted by antifuse at 6:45 AM on September 27, 2011 [1 favorite]


I do this every time I log out of Facebook anyway; it's something every reasonably savvy person does, isn't it?

Why is this savvy? If you're only accessing FB on your personal devices, why do you logout in the first place?
posted by schoolgirl report at 6:47 AM on September 27, 2011


“This is not what ‘logout’ is supposed to mean,” Cubrilovic wrote.

And that's the scare-mongering. All "Logout" is supposed to mean is that users of that client device can no longer see any of the private information or perform any of the privileged actions that logging in permitted.
posted by nicwolff at 6:47 AM on September 27, 2011


smackfu's WSJ link is really good, not least for pointing out clearly that Facebook's defense of this kind of tracking (sorry, Mr. Engineer, they do indeed track but swear they immediately delete all of the tracking info, honest!) is no defense at all:

Facebook acknowledges that it gets that data but says it deletes it right away.

*rotfl* Why the fuck on earth would they actually do that? Delete tracking information? Without a law telling them they have to? Oh man, I'm sorry for being this cynical, but the lies seem so fucking blatant here.

The company says the data is sent because of the way the “Like” button system is set up; any cookies that are associated with Facebook.com will automatically get sent when you view a “Like” button. “The onus is on us is to take all the data and scrub it,” said Arturo Bejar, a Facebook director of engineering.

Or you could not take "all the data" to begin with.

“What really matters is what we say as a company and back it up.”

No, what really matters is you're under no legal obligation to scrub it and are almost certainly fighting legislation to put you under that kind of obligation tooth and nail.

In a statement, a Facebook spokesman said “no information we receive when you see a social plugin is used to target ads.”

But it might be used to create databases of information that they can later make use of as they please - not quite "targeting ads," as a lawyer might explain.

Bejar said Facebook is looking at ways to avoid sending the data altogether but that it will “take a while.”

i.e., we created the cookies but can't control them.

So why does Facebook keep cookies after you log out in the first place? Bejar said that it’s to prevent spam and phishing attacks and to help keep users from having to go through extra authentication steps every time they log in. When a user logs in to Facebook from a new computer, the site will often make them take steps to prove that they are who they say they are, rather than someone attempting to log into an account improperly. Cookies allow Facebook to skip those steps when people are logging in from a computer they’ve used before, Bejar said.

That's it? That's the justification - that folks who log into Facebook from a *new* computer (and how often does that happen, exactly?) are being saved a few steps - for collecting traffic info on all users across all FB-connected sites? Jesus. And they can't possibly work out a way to not collect that info while saving those few users those steps? Riiight.
posted by mediareport at 6:49 AM on September 27, 2011


From the FB engineer's response:

The logged out cookies, specifically, are used primarily for safety and security protections, including:
- Identifying and disabling spammers and phishers

Yeah, that's going to be really effective.

Because professional spammers and identity thieves totally don't know how to delete cookies. Great security measure there, guys. Really robust.

- Disabling registration if an underage user tries to re-register with a different birth date.

By what? Magic? Facial/age recognition? Leaving aside the fact that this is utter nonsense, FB aren't going to prevent multiple people from using the same browser and computer to access FB. They would have no way of differentiating between a 10 year old who says they're 30, and a 30 year old.

- Helping people recover hacked accounts.

Again, ignores the fact that multiple people in the same household may use the same computer. Hardly very secure.
posted by His thoughts were red thoughts at 6:49 AM on September 27, 2011 [1 favorite]


I'm using Opera as my Facebook only browser, with adblock installed, and deleting all cookies on exit.
posted by COD at 6:51 AM on September 27, 2011


No, what really matters is you're under no legal obligation to scrub it and are almost certainly fighting legislation to put you under that kind of obligation tooth and nail.

They are starting a PAC
posted by device55 at 6:52 AM on September 27, 2011


I only use Facebook with Tor, over Lynx, via dialup, on a PDP-11 and while wearing a full zentai suit, rubber dishwashing gloves and a condom.
posted by griphus at 7:00 AM on September 27, 2011 [12 favorites]


Wise move.
posted by mediareport at 7:01 AM on September 27, 2011 [1 favorite]


You forgot the dental dam.
posted by middleclasstool at 7:05 AM on September 27, 2011 [2 favorites]


See, this is kind of smart. Use, say, Chrome only for facebook and ta-da! You've isolated the creepy little parasite.

Which one?
posted by grubi at 7:07 AM on September 27, 2011 [4 favorites]


QFT. This is neither new nor unique to Facebook.

Ad networks usually don't have all of your personal details, all of your friends' personal details and all of your family's personal details. Ad networks may be able to glean some of that info, but Facebook's ability to collate this information is mind-boggling.

<tinfoil>In-Q-Tel made a great investment.</tinfoil>
posted by ryoshu at 7:20 AM on September 27, 2011 [2 favorites]


Instead, I think I need to employ my 89 year old father-in-law's option....when he got a Firefox warning for a vital flash update, he closed all his applications, shut down his computer, unplugged the router, unplugged the network cables, unplugged the modem, took out the coax cable and then called me to see if he needed to unplug his tv too. THAT is how I now feel about Facebook.

Yeah, that sounds sensible.
posted by grubi at 7:20 AM on September 27, 2011


What was Zuckerberg's comment about his users?
"They trust me. Dumb fucks."
posted by bitmage at 7:20 AM on September 27, 2011 [2 favorites]


Looks like there's a follow up post in which Facebook explains some of the cookies used, and uncovers a bug.

http://nikcub.appspot.com/facebook-fixes-logout-issue-explains-cookies
posted by device55 at 7:23 AM on September 27, 2011


Or, just turn your computers off. There, ftfy.
posted by TheBones at 7:24 AM on September 27, 2011


  • As you continue to use the internet, the probability that someone, somewhere will try to scam you with it, somehow, approaches 100%.
  • You can't know how they will scam you, but you do know that scams tend to work better when they're targeted at a particular person.
    • They'll need different information on your browsing habits to know what sites to spoof.
    • They'll need to try different attacks depending on what services you use.
    • So they'll want to collect as much information on you as practical.
  • Highly targeted scams don't happen every day because they require a lot of time and money... mostly spent on questionably legal research.
    • Finding security flaws, whether in human networks or in software.
    • Finding marks whom you can feasibly scam with those flaws.
  • We can't rely on website owners to practice good security. The tools and instructions for secure hosting are widely available, but embarrassing hacks still happen all the time. So the scammer doesn't need to try very hard to find a website they can hack; they just can't be all that picky about which website it is.
  • So they need to spend most of their research budget finding a sucker.
    • You don't need to be a sucker in general to be a sucker to these guys. All you need to do is put the wrong information in the wrong website at the wrong time.
  • That used to be difficult. Now we're just giving them the information they need. Well, not directly, but it's pretty easy to mine Facebook for data without Zuckerberg and company ever hearing about it. Make a reasonably popular game, or whatever, and access slightly more of the user's data than your game strictly needs.
  • Ultimately, users need to be responsible for their data.
    • Guessing which of their data would be useful to a scammer running a scam that they don't know how it works.
    • Keeping that data accessible to only those who need it.
  • Facebook makes a show of giving users that responsibility, with their elaborate privacy settings.
  • Then we find out that they're leaking identifying information into cookies that anybody can read.
  • It's not really any worse than what Google Analytics does (although is that an argument for Facebook or against Google?).
  • Even so, it makes you wonder where else Facebook is leaky, and how long after the scammers have found it will Facebook wait before patching the leak.
posted by LogicalDash at 7:32 AM on September 27, 2011 [4 favorites]


Why is this savvy? If you're only accessing FB on your personal devices, why do you logout in the first place?

Because I hate how Facebook-integrated websites greet me by name if I don't? Dunno. Why do you zip your fly?
posted by octobersurprise at 7:37 AM on September 27, 2011


What a strange land you must live in, where you greet strangers by waving your cock around.
posted by mkultra at 7:39 AM on September 27, 2011


Was that a joke or an invitation, mkultra?
posted by octobersurprise at 7:45 AM on September 27, 2011


Ask Facebook. Only they know for sure.
posted by mkultra at 7:57 AM on September 27, 2011


Oh, I see. You're being a dick. Carry on, then.
posted by octobersurprise at 8:02 AM on September 27, 2011


I DON'T KNOW WHAT WE'RE YELLING ABOUT



LOUD NOISES
posted by grubi at 8:04 AM on September 27, 2011 [1 favorite]


Relax, I'm just messing with you.
posted by mkultra at 8:06 AM on September 27, 2011


Is there anything that facebook can't do?

Line breaks in comments?
posted by ODiV at 8:07 AM on September 27, 2011 [1 favorite]


Line breaks in comments?

Shift+Enter.

So, yeah, it can.
posted by grubi at 8:12 AM on September 27, 2011


Line breaks in comments?

shift + enter
posted by marxchivist at 8:14 AM on September 27, 2011


Mark Harmon told me I could just unplug my computer.
posted by ricochet biscuit at 8:19 AM on September 27, 2011


And that's the scare-mongering. All "Logout" is supposed to mean is that users of that client device can no longer see any of the private information or perform any of the privileged actions that logging in permitted.

And if you had read the article, you'd have seen how one of the problems is precisely that so-called "privileged actions" take place even after you log out.
posted by Blazecock Pileon at 8:25 AM on September 27, 2011


I just read that same article a few minutes ago before logging into this site. Nice coincidence, but it's big news I guess.

I noticed the same thing on sites like Hub Pages which have Facebook plugins.
posted by Hi Dan at 8:42 AM on September 27, 2011


Oh nice, thanks guys.

My next gripe is about people who comment on public posts and then complain that their privacy is being violated because everyone else can see it.
posted by ODiV at 8:46 AM on September 27, 2011 [2 favorites]


It doesn't seem to matter if you log out of FB or not. They've got cookies in the browsers of non-Facebook members with no logging in facility as well. (mine) And now they've been adding umpteen updates to WordPress very helpfully.
posted by infini at 8:53 AM on September 27, 2011


Because at least Google understands that users don't like this shit.

So they just take pictures of unsuspecting people in the street?


I was suspecting. The driver even smiled at me.
posted by mrgrimm at 8:58 AM on September 27, 2011


I was suspecting. The driver even smiled at me.

I smiled for the camera, but they blurred my face anyway.
posted by peeedro at 9:08 AM on September 27, 2011 [3 favorites]


And if you had read the article, you'd have seen how one of the problems is precisely that so-called "privileged actions" take place even after you log out.

And if you'd read my comment, you'd have seen that the privileged actions I'm referring to are those that users of the client device can perform only while logged in to their accounts. Once you log out of Facebook on a given device, users of that device can no longer post to your Wall, read your messages, &c.

That's all "log out" has ever meant on any system; the idea that logging out means deleting all identifying information from the client device is an invention of the writer, and the implication that Facebook is subverting some implied agreement with the user to do something sneaky or out of the ordinary is scare-mongering.

Any element of any Web page you visit can drop a cookie, this is just basic to how the Web works. If you don't like that the sites you visit have agreed to tell Facebook when you come by, then don't visit those sites – or block those elements. If you want to worry about being tracked, go see how many cookies you have called "scorecardresearch". Hi, comScore!
posted by nicwolff at 9:26 AM on September 27, 2011


Ad networks usually don't have all of your personal details, all of your friends' personal details and all of your family's personal details.

Except for Google, if you're a Gmail or Google+ (or other Google apps) user.
posted by antifuse at 9:42 AM on September 27, 2011 [2 favorites]


"Frictionless sharing". A.K.A. "We promise to use lots of lube."
posted by RobotVoodooPower at 9:45 AM on September 27, 2011 [2 favorites]


antifuse: "Except for Google, if you're a Gmail or Google+ (or other Google apps) user."

Even if you're not, it's a good bet that Google has created a heuristic profile based on all the searching and clicking you've done, that is not so far from that.
posted by mkultra at 9:48 AM on September 27, 2011


Why not just use incognito mode for Facebook?
posted by spiderskull at 10:27 AM on September 27, 2011


Why not just use incognito mode for Facebook?
posted by spiderskull at 10:27 AM


Because then Farmville doesn't work. But everything else facebook wants to work does.
posted by yesster at 11:07 AM on September 27, 2011


Skeptic: Perhaps not, but they do (did) intercept your WiFi traffic.

Did, fragments of, and it was unencrypted wifi traffic. If it's personal and private data, you probably shouldn't be doing the electronic equivalent of leaning out of the window and shouting it out in the clear to everyone in earshot.

With regards google advertising tracking cookies; you can officially opt out of the tracking here, which sets it per browser - with a 'dont track me bro' cookie, ironically.

Or, if you have multiple browsers and/or computers, there's an official add-on for ie, firefox and chrome that does the same, or you can use

You can also set the google no-track cookie, along with a bunch of others, at NAI's opt-out webpage.

There's a third party extension of google's chrome addon that adds a whole bunch more sites to your 'do-not-track-me' list, for chrome at least, keep more optouts.

Finally, there's ghostery for all major browsers, that blocks tracking cookies, web-bugs and all sorts of such crap from facebook, google and a ton of other places.
posted by ArkhanJG at 11:29 AM on September 27, 2011 [4 favorites]


Why not just use incognito mode for Facebook?

As long as you always login to facebook, every single time ever using it, that'd work.
posted by ArkhanJG at 11:30 AM on September 27, 2011


Addendum to the latter - make sure you also turn off instant personalization in facebook and/or don't visit any of those sites in the same incognito session.
posted by ArkhanJG at 11:34 AM on September 27, 2011


> See, this is kind of smart. Use, say, Chrome only for facebook and ta-da! You've isolated the creepy little parasite.

This works if nobody is using Flash cookies, which are readable and writable cross-browser.
posted by ardgedee at 12:14 PM on September 27, 2011


Anyone got nice adblock scripts for Google?
posted by jeffburdges at 12:21 PM on September 27, 2011


It appears the poor economy has popped the social media bubble. lol

I suspect this means that Wall St. has officially lost real money on this whole recession deal. A priori, what do you imagine those IPOs were worth to the financial sector?
posted by jeffburdges at 2:45 PM on September 27, 2011


Shame, as I was really active on the forums.

Convincing people it's not the right thing to do!
posted by tumid dahlia at 3:02 PM on September 27, 2011


I want real world Facebook integration. I want to look at people who are talking to me and know which random Facebook friend they actually are.
posted by Lovecraft In Brooklyn at 4:33 PM on September 27, 2011


This isn't new. This is true with Doubleclick or other web ad agencies as well. Any image being served by the domain in question can be used to track the site calling for the image load. Facebook already has your cookie and the Like button uses the same one.

This is used by a lot of sites other than Facebook, that's for sure.
posted by daHIFI at 4:57 PM on September 27, 2011
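
The mechanism described in the comments above (an embedded image or button is fetched from the widget's domain, with that domain's cookie attached and the visited page as referrer) can be checked from the user's side by auditing a request log. The following is an added example, not part of the thread; the hosts, cookie names and values are constructed, and exact-host matching and the minimum value length are simplifying assumptions.

```javascript
// Constructed sample: requests from one browser visiting three unrelated sites.
// All hosts, cookie names and values are invented for illustration.
const requests = [
  { url: "https://news.example/story", referer: null, cookie: "sid=n1" },
  { url: "https://widgets.social.example/like.js", referer: "https://news.example/story",
    cookie: "uid=a91f3c77d2e04b58; locale=en" },
  { url: "https://widgets.social.example/like.js", referer: "https://shop.example/cart",
    cookie: "uid=a91f3c77d2e04b58; locale=en" },
  { url: "https://widgets.social.example/like.js", referer: "https://blog.example/post",
    cookie: "uid=a91f3c77d2e04b58; locale=en" },
  { url: "https://stats.example/px.gif", referer: "https://shop.example/cart",
    cookie: "vid=5c0de1f2a3b4c5d6" },
  { url: "https://shop.example/app.js", referer: "https://shop.example/cart",
    cookie: "sid=s7-long-session" },
];

const host = (u) => new URL(u).hostname;

// Report cookies that a third-party host received, with the same value, while
// the browser was on at least `minSites` different first-party sites.
// Assumptions: hosts are compared exactly (a real audit would compare
// registrable domains), and values shorter than `minLen` are skipped as too
// low-entropy to single out a browser (a heuristic, e.g. locale=en).
function crossSiteIdentifiers(reqs, minSites = 2, minLen = 8) {
  const seen = new Map(); // JSON [host, name, value] -> Set of first-party hosts
  for (const r of reqs) {
    if (!r.referer || !r.cookie) continue;
    const thirdParty = host(r.url), firstParty = host(r.referer);
    if (thirdParty === firstParty) continue; // same host: a first-party request
    for (const pair of r.cookie.split(";")) {
      const eq = pair.indexOf("=");
      if (eq < 0) continue;
      const name = pair.slice(0, eq).trim(), value = pair.slice(eq + 1).trim();
      if (value.length < minLen) continue;
      const key = JSON.stringify([thirdParty, name, value]);
      if (!seen.has(key)) seen.set(key, new Set());
      seen.get(key).add(firstParty);
    }
  }
  return [...seen].filter(([, sites]) => sites.size >= minSites).map(([key, sites]) => {
    const [tracker, cookie] = JSON.parse(key);
    return { tracker, cookie, sites: [...sites].sort() };
  });
}

console.log(crossSiteIdentifiers(requests));
```

Only the widget host is reported: the `stats.example` identifier was seen on a single site, and the `shop.example` script is a first-party request.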


Facebook's ability to collate this information is mind-boggling

Only because you gave them the information in the first place! This line of thinking just blows my fucking mind. They didn't pull all this data from thin air. YOU told them who your friends were. YOU uploaded photos and then YOU tagged them with correlating information. YOU updated your status and YOU wrote on the walls of your friends.

All this was done by you, and then you act shocked! just shocked! that they "collate this information." Jesus H. Fucking Christ, people, have some fucking sense on me, free of charge.

Can you explain in clear technical language how Nik Cubrilovic is scare-mongering?

Yes. He made a post about something that has been a fact as long as the internet has been around. Why? "Oh, I was just pointing out what everyone already knew. What's that? You didn't!? WELL then!" It's like writing a post about how people can take pictures of YOUR CHILDREN in public and there's nothing you can do to stop them! Well of course you can. That's the way it's always been. But for some strange reason people get collective amnesia every five years and have to have their hands held like little babies and have the world explained to them all the fuck over again.

Perhaps not, but they do (did) intercept your WiFi traffic.

As pointed out already, your unencrypted traffic. You do realize that unencrypted WiFi is essentially your computer YELLING AT THE TOP OF ITS LUNGS (in relative electromagnetic spectrum comparison), right? Right?

And tell me, did they correlate this traffic to your public account and then make the data public? Of course not! Because, as I stated before, they're not fucking stupid. Unlike Facebook, et al.

Same with the photos taken with their map-mobile. If you're walking around outside, in public, you have no expectation of privacy. Zilch. Nada. NONE. And yet even then Google does what they can to blur faces. Keep in mind, they have no legal requirement to do so, but they do it anyway just because they know nanny-state stupid-ass motherfuckers will scream bloody murder because they were outside and the Google mobile STOLE THEIR SOUL.

but you are sprouting some theoretical ideas -- i.d. by IP addi for eg.

Pshaw! Correlating by IP is hardly theoretical. Shit, it's a no-brainer. Now, correlating by, say, the info your browser sends with every request, that is more theoretical. And I didn't say that they did that, even though it would be fairly trivial to add to every log for every request.

I'm curious why you think this. Google's been at this game for much longer than Facebook.

Well, I'm curious why you disagree. Please show me where Google's gone and correlated your private data and made it public. I'm sure they could, but then the negative backlash would absolutely torpedo any chance of Google+ getting the groundswell of support necessary to beat Facebook. I'm not saying Google is all petunias and rainbows and that they would never do anything bad because they LUV YOU VEWY MUCH. I'm saying just in pure Machiavellian terms, they avoid such behavior because it would only hurt them. I mean just look at all this brouhaha against Facebook. It's like a bunch of crackheads complaining about being fucked up all the time.
posted by Civil_Disobedient at 8:07 PM on September 27, 2011 [1 favorite]


Civil_Disobedient: "Please show me where Google's gone and correlated your private data and made it public."

Huh? Show me where Facebook's done that.
posted by mkultra at 8:52 PM on September 27, 2011 [2 favorites]




This is good. It saves me the time it would take to update Facebook every hour.
posted by Lovecraft In Brooklyn at 9:45 PM on September 27, 2011


This is something I would be more alarmed by if platform apps were enabled?
posted by desuetude at 10:42 PM on September 27, 2011


But for some strange reason people get collective amnesia every five years and have to have their hands held like little babies and have the world explained to them all the fuck over again.

That is not a technical answer. Your repeated ranting is childish and obnoxious. Please threadshit somewhere else.
posted by Blazecock Pileon at 5:31 AM on September 28, 2011


I wrote a quick fpp about related topics, which ended up in the Facebook Disconnect thread. I'll paste it here as well since it's about the people behind this story.

Europe vs. Facebook's Max Schrems has filed several complaints about Facebook's data collection practices, including the like button tracking. His efforts have revealed how facebook considers your data to be their trade secrets. Max has filed another complaint about Facebook's construction of shadow profiles for non-users.
posted by jeffburdges at 9:15 AM on October 18, 2011


Yes, I've been following that Europe vs Facebook thing - much of what I'm reading seems to imply this is going to be a milestone
posted by infini at 11:45 AM on October 18, 2011 [1 favorite]


btw I should mention that your Max Schrems link has a great breakdown in a clear table of the various complaints and the timelines
posted by infini at 12:32 PM on October 18, 2011


We should probably still have a front page post about him, maybe once we've some newer status information about or change in one of his complaints.
posted by jeffburdges at 12:51 PM on October 18, 2011


Yes, I had thought of making an fpp on Europe vs Facebook but it slipped through the cracks - now with this disconnect perhaps it's better to wait as you say - what's been striking about him is the identity blog talking about his sheer prowess on leveraging the power of social media. The European take on privacy is worthy of an FPP in its own right if it's not already been covered - I was recently introduced to wetransfer - a free service to transfer very large files and I really liked their privacy approach (they're Dutch) - they don't keep any track of the files you transfer nor store them. (a concern if it's stuff under NDA)
posted by infini at 1:24 PM on October 18, 2011


There are more interviews with him, btw. How's your German? I donno if mefi has discussed shadow profiles anyways.
posted by jeffburdges at 5:59 PM on October 18, 2011


go ahead, I think that conversation is coming to a head anyways with all the surrounding threads on disconnect, fb, privacy and what not right now or wait for a break ?
posted by infini at 1:36 PM on October 19, 2011




This thread has been archived and is closed to new comments


