Out-Law News 2 min. read

Facebook refutes cookie-tracking claims


Facebook uses information stored about users in cookies even when they are logged out of the social networking site, the company has confirmed, according to media reports.

Cookies are small text files that record internet users' activity on websites.

Facebook uses the information it collects to protect users' accounts against hacking and for other "safety and protection" reasons, it said. The company was responding to claims made by a researcher who said Facebook used "logged out" cookies to track users' online behaviour. Facebook said it does not track users "across the web".

"Specific to logged out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of 'keep me logged in'," the company said in a statement, according to a report by ZDNet.

The social network said that it does use cookies to personalise some content on the site, but that this information is not used to serve users with targeted ads, is not sold on and is either deleted or anonymised within three months.

Publishers and advertising networks use cookies to track user behaviour in order to target adverts to individuals based on that behaviour.

"Facebook does not track users across the web. Instead, we use cookies on social plugins to personalise content (e.g. Show you what your friends liked), to help maintain and improve what we do (e.g. Measure click-through rate), or for safety and security (e.g. Keeping underage kids from trying to signup with a different age)," the social network's statement said, according to ZDNet.

"No information we receive when you see a social plugins is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information," it said.

Facebook issued its comments after researcher Nik Cubrilovic claimed that the company recorded information about users' internet activity even when they were logged out of the site.

"Logging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests to [Facebook's website]," the researcher said in a blog.

"Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions," Cubrilovic said.

The researcher later corrected his statement claiming that instead of being able to track users across all sites, Facebook only tracked users who access sites that "integrate" with the social networking site.

Facebook engineer Gregg Stefancik, responded to Cubrilovic's blog and said that most of the cookies the researcher had identified were "benign" and that company deletes "account-specific cookies" when users log out.

"As a result, we do not receive personally identifiable cookie information via HTTP Headers when these users browse the web," Stefancik said, according to the blog.
"Finally, we’ve confirmed that we don’t, and never have, used cookies to suggest friends," he said.

In its statement Facebook confirmed that Stefancik had responded to Cubrilovic's blog, according to ZDNet.

"Users are inherently nervous about the use of cookies to track their browsing habits and the possibility that their information may be passed to third party web sites without their knowledge or consent said Claire McCracken, a technology law specialist with Pinsent Masons, the law firm behind Out-Law.com. "This is the most common reason for people rejecting or fearing cookies. The recent changes to EU laws seek to address these concerns by providing that the users' consent must be obtained for a cookie to be set."

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.