Facebook’s new Frictionless Sharing feature allows Facebook to track every website you visit; everything you do online… even when you’re not logged into Facebook. Nik Cubrilovic, who shows the code and describes how to replicate his findings, states, “Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.”
Logging out of Facebook does not end your communication with Facebook, according to Cubrilovic’s tests. When you log out, Facebook does not delete its cookies; it simply changes them. Your account information and uniquely identifying tokens are still available in these cookies. The implication is that any time you visit a web page with a Facebook button, your browser is still sending personally identifiable information back to Facebook. In other words, even though you’re logged out of Facebook, they still know what articles you’re reading… and let’s face it, most news sites have the Facebook Like button on their site.
The primary cookies that identify me as a user are still there (act is my account number), even though I am looking at a logged out page. Logged out requests still send nine different cookies, including the most important cookies that identify you as a user. This is not what ‘logout’ is supposed to mean – Facebook are only altering the state of the cookies instead of removing all of them when a user logs out. With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook. The only solution to Facebook not knowing who you are is to delete all Facebook cookies.
Cubrilovic says the tests are repeatable by anyone with a browser that has development tools installed.
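The logged-in versus logged-out comparison described above can also be run on captured headers. This added example (not Cubrilovic's code) applies a logout response's Set-Cookie headers to the pre-logout cookie jar and lists the cookies that survive; apart from `act`, every cookie name, value and domain is constructed sample data, and the jar is assumed to cover a single domain.

```javascript
// Parse one Set-Cookie header into { name, value, deletes }.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), deletes: false };
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    if (key === "expires" && !Number.isNaN(Date.parse(val))) expires = Date.parse(val);
  }
  // Max-Age takes precedence over Expires (RFC 6265, section 5.3).
  if (maxAge !== null) cookie.deletes = maxAge <= 0;
  else if (expires !== null) cookie.deletes = expires <= now;
  return cookie;
}

// Apply the logout response to the pre-logout jar and classify every cookie.
function auditLogout(jarBefore, setCookieHeaders, now = Date.now()) {
  const report = { deleted: [], changed: [], unchanged: [], added: [] };
  const touched = new Set();
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header, now);
    touched.add(c.name);
    const existed = Object.prototype.hasOwnProperty.call(jarBefore, c.name);
    if (c.deletes) { if (existed) report.deleted.push(c.name); }
    else if (!existed) report.added.push(c.name);
    else if (jarBefore[c.name] === c.value) report.unchanged.push(c.name);
    else report.changed.push(c.name);
  }
  // Cookies the logout response never mentions stay in the browser as they were.
  for (const name of Object.keys(jarBefore)) {
    if (!touched.has(name)) report.unchanged.push(name);
  }
  report.survivors = [...report.changed, ...report.unchanged].sort();
  return report;
}

// Constructed sample: jar while logged in, then the logout response headers.
const SAMPLE_JAR = { act: "1000000000001", session_token: "s3cr3t", locale: "en_US", device_id: "d-42" };
const SAMPLE_LOGOUT_HEADERS = [
  "session_token=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=.example.test",
  "locale=en_GB; Path=/; Domain=.example.test",
  "logged_out=1; Max-Age=3600; Path=/",
];
console.log(auditLogout(SAMPLE_JAR, SAMPLE_LOGOUT_HEADERS, Date.parse("2020-01-01T00:00:00Z")));
```

Any identifying cookie that appears under `survivors` is still sent with later requests to that domain, which is the behaviour the tests above describe.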
Facebook’s new “open graph” apps can report what you are reading or listening to in real time without requiring you to click the Like button. So now things like the media you consume are added to your profile as an update… without your explicit permission.
If you don’t want Facebook tracking you across the web you need to use a separate browser for your Facebook activities or delete all Facebook-related cookies after you log off. Hacker News is reporting that if you use the browser extension AdBlock Plus by adding the following rules (note that I haven’t tested this myself yet to confirm it works):
Read the full scoop in Nik Cubrilovic’s post “Logging out of Facebook is not enough”.
UPDATE: Word on the net is that Facebook has changed this behavior based on the outcry of users on the Internet. I haven’t confirmed this myself but that would be a welcome change to their handling of cookies.