Over the weekend, Dave Winer wrote an article at Scripting.com explaining how Facebook, without your consent, keeps track of where you are on the web after you log in. Nik Cubrilovic dug a little deeper and discovered that Facebook can still track where you are, even if you log out. Facebook, for its part, has denied the claims. Regardless of who you believe, here's how to protect yourself, and keep your browsing history to yourself.
The whole issue has stirred up a lot of debate in privacy circles over the past few days. Here's what the fuss is about, and what you can do to protect your privacy if you're worried.
The Issue: Facebook's Social Apps are Always Watching
For quite some time now, Facebook's user tracking hasn't been limited to your time on the site: any third-party web site or service that's connected to Facebook or that uses a Like button is sending over your information, without your explicit permission. However, Winer noticed something mostly overlooked in last week's Facebook changes: Facebook's new Open Graph-enabled social web apps all send information to Facebook and can post to your profile or share with your friends whether you want them to or not.
Essentially, by using these apps, just reading an article, listening to a song, or watching a video, you're sending information to Facebook which can then be automatically shared with your friends or added to your profile, and Facebook doesn't ask for your permission to do it. Winer's solution is to simply log out of Facebook when you're not using it, and to avoid clicking Like buttons and tying other services on the web to your Facebook account if you can help it. He also urges Facebook to make its cookies expire, which they currently do not.
Digging Deeper: Logging Out Isn't Enough
Nik Cubrilovic looked over Winer's piece, and discovered that logging out of Facebook, as Winer suggests, may deauthorise your browser from Facebook and its web applications, but it doesn't stop Facebook's cookies from sending information to Facebook about where you are and what you're doing there.
Writing at AppSpot, he discovered that Facebook's tracking cookies, which never expire, are only altered instead of deleted when a user logs out. This means that the tracking cookies still have your account number embedded in them and still know which user you are after you've logged out.
That also means that when you visit another site with Facebook-enabled social applications, from Like buttons to Open Graph apps, even though you're a logged out user, Facebook still knows you're there, and by "you", we mean specifically your account, not an anonymous Facebook user. Cubrilovic notes that the only way to really stop Facebook from knowing every site you visit and social application you use is to log out and summarily delete all Facebook cookies from your system.
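An added example, not from the original article or from Cubrilovic's analysis: a short JavaScript audit that applies a logout response's Set-Cookie headers to the cookie jar and reports which cookies were actually deleted, which were only altered, and which of the remaining ones still contain the account id. The cookie names, values, account id and date are constructed for illustration and are not Facebook's actual cookies.

```javascript
// Parse one Set-Cookie header into its name, value and lifetime attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), expires: null, maxAge: null };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    if (key === "expires") c.expires = new Date(attr.slice(i + 1));
    if (key === "max-age") c.maxAge = Number(attr.slice(i + 1));
  }
  return c;
}

// A Set-Cookie removes the cookie only if Max-Age <= 0 or Expires is in the past.
function isDeletion(c, now) {
  if (c.maxAge !== null) return c.maxAge <= 0;
  return c.expires !== null && c.expires.getTime() <= now.getTime();
}

// Apply the logout response to the pre-logout jar and report what remains.
function auditLogout(jarBefore, logoutHeaders, accountId, now) {
  const jar = new Map(Object.entries(jarBefore));
  const touched = new Set();
  const report = { deleted: [], altered: [], untouched: [], stillIdentifying: [] };
  for (const header of logoutHeaders) {
    const c = parseSetCookie(header);
    touched.add(c.name);
    if (isDeletion(c, now)) { jar.delete(c.name); report.deleted.push(c.name); }
    else { jar.set(c.name, c.value); report.altered.push(c.name); }
  }
  for (const [name, value] of jar) {
    if (!touched.has(name)) report.untouched.push(name);
    if (decodeURIComponent(value).includes(accountId)) report.stillIdentifying.push(name);
  }
  return report;
}

// Constructed sample: the jar while logged in, then the Set-Cookie lines sent on logout.
function runSample() {
  const jar = { acct: "1000042", sess: "k3Qp7", dev: "b7f3-device", last: "user%3D1000042%26persist%3D1" };
  const logout = [
    "acct=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/",
    "sess=deleted; Max-Age=0; Path=/",
    "last=user%3D1000042%26persist%3D0; Expires=Fri, 01 Jan 2038 00:00:00 GMT; Path=/",
  ];
  return auditLogout(jar, logout, "1000042", new Date("2011-09-27T00:00:00Z"));
}
console.log(JSON.stringify(runSample()));
```

Any cookie listed under `altered` or `untouched` is still sent on third-party requests to the issuing domain, which is why the article's advice is to delete the cookies rather than rely on logout.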
Why You Should Care
If you're the type of person who doesn't really use Facebook for anything you wouldn't normally consider public anyway, you should take note: everything you do on the web is fair game. If what Cubrilovic and Winer are saying is true, Facebook considers visiting a web site or service that's connected to Facebook the same thing as broadcasting it to your friends at worst, and permission for them to know you're there at best.
Facebook says that this has nothing to do with tracking movements, and that it has no desire to collect information about where you are on the web and what you're doing. They want to make sure that you can seamlessly log in at any time to Facebook and to sites and services that connect with it and share what you're doing.
In fact, a number of Facebook engineers have posted comments to Winer's original post and Cubrilovic's analysis pointing this out. There's also some excellent discussion of the issue in this comment thread at Hacker News. Essentially, they say this is a feature, not a problem, so if you have an issue with it, it's up to you to do something about it.
What Can I Do About It?
Regardless of how it's meant, simply logging out of Facebook won't stop this behaviour. Whether it's usability or tracking is irrelevant: if you don't want third-party sites to send data to Facebook, you have some options. You could scrub your system clean of all Facebook.com cookies every time you use Facebook, but a number of developers have already stepped up with browser extensions to block Facebook services. Here are a few:
- Facebook Privacy List for Adblock Plus is perfect for those of you who already have AdBlock Plus installed. Just download the subscription and add it to AdBlock Plus to specifically block Facebook plugins and scripts all over the web — including the Like button — whenever you're not visiting Facebook directly.
- Facebook Disconnect for Chrome keeps Facebook from dropping those tracking cookies on your system in the first place, and disables them when you're finished using Facebook-enabled services. It's essentially an on/off switch for third-party access to Facebook servers, meaning you'll still be able to log in to Facebook and use the site normally, but when you're visiting another site or using another application, that site or service won't be able to use your information to communicate with Facebook.
- Disconnect for Chrome and Firefox is a new plugin from the developer behind Facebook Disconnect, but it doesn't stop with Facebook. Disconnect takes protection to another level and blocks tracking cookies from Facebook, Google, Twitter, Digg, and Yahoo, and prevents all of those services from obtaining your browsing or search history from third-party sites that you may visit. The app doesn't stop any of those services from working when you're visiting the specific sites: you can still search at Google and use Google+, for example, but Google's +1 button likely won't work on third-party sites. The extension also lets you see how many requests are blocked, in real time as they come in, and unblock select services if, for example, you really want to Like or +1 an article you read, or share it with friends.
Ultimately, the goal of all of these tools is to give you control over what you share with Facebook or any other social service, and what you post to your profile, as opposed to taking a backseat and allowing the service you're using to govern it for you. What's really at issue is exactly how deep Facebook has its fingers into your data, and how difficult it (and other social services) make it to opt out or control what's sent or transmitted. That's where extensions like these come in.
However you feel about it, Facebook likely won't change it in the near future. If you're concerned, you should take steps to protect your privacy. As a number of commenters at Hacker News point out, it's not that there's anything inherently "good" or "evil" about what Facebook is doing — that would be oversimplifying an already complex topic. It's really an opt-in/opt-out issue.
What do you think of the assertions? Do you think Facebook has a vested interest in knowing as much about you and your browsing habits as possible, or is this much ado about nothing? Share your thoughts in the comments below.