Tuesday, September 27, 2011

Logging out of Facebook is not enough

Nik Cubrilovic
Important Update: Facebook has responded and issued a fix for this issue. See the follow-up blog post "Facebook Fixes Logout Issue, Explains Cookies"

Dave Winer wrote a timely piece this morning about how Facebook is scaring him since the new API allows applications to post status items to your Facebook timeline without a user's intervention. It is an extension of Facebook Instant and they call it frictionless sharing. The privacy concern here is that because you no longer have to explicitly opt-in to share an item, you may accidentally share a page or an event that you did not intend others to see.

The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application; a number of cookies (including your account number) are still sent along with all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.
...
and here is update 2:

Update 2: Follow-up

The reaction to this story has been amazing. I am writing a follow-up that will analyze both the data that I have collected as well as the response from Facebook (which you can read below in the comments). If you wish to view the raw logs, I have saved them here. Specifically, the datr and lu cookies are retained after logout and on subsequent requests, and the a_user cookie, which contains your userid, is only cleared once the session is restarted. Most importantly, connection state is retained through these HTTP connections. There is never a clean break between a logged in session and a logged out session - but I will have more on that in a follow-up post.
Erratum: I refer to the wrong cookie name in the post above. I also say 'all sites' can be tracked, when I meant to say 'all sites that integrate facebook'.
Read The Rest
"Facebook Fixes Logout Issue, Explains Cookies"
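As an added example (not part of Cubrilovic's post or this blog), here is the kind of check a practitioner would run to verify the claim above: parse the Set-Cookie headers of a logout response and report, for each cookie held before logout, whether it was actually expired, survives only until the browser restarts, or persists. The cookie values, the `sess` name and the response headers are constructed, not captured Facebook traffic.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookies the post says survive logout (datr, lu) or linger until the browser restarts (a_user).
TRACKING_COOKIES = {"datr", "lu", "a_user"}

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.strip(), value.strip(), attrs

def classify(value, attrs, now):
    """'cleared' if the header expires the cookie, 'retained' if it outlives the
    browser session, 'session-only' if it has no lifetime and dies on restart."""
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.lstrip("-").isdigit():
        return "cleared" if int(max_age) <= 0 else "retained"
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
            exp = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
            return "cleared" if exp <= now else "retained"
        except (TypeError, ValueError):
            pass  # unparsable Expires is ignored: the cookie acts as a session cookie
    return "cleared" if value == "" else "session-only"

def audit_logout(cookies_before, set_cookie_headers, now):
    """Map each cookie held before logout to what the logout response did to it.
    A cookie the response never re-sets stays in the jar unchanged: 'retained'."""
    status = {name: "retained" for name in cookies_before}
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if name in status:
            status[name] = classify(value, attrs, now)
    return status

def tracking_survivors(status):
    """Tracking cookies that logout left behind in any form (the post's finding)."""
    return sorted(n for n, s in status.items() if n in TRACKING_COOKIES and s != "cleared")

# Constructed sample, not captured Facebook traffic: "sess" is a made-up cookie name.
COOKIES_BEFORE = {"datr", "lu", "a_user", "sess"}
LOGOUT_RESPONSE = [
    "sess=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=.facebook.com",
    "datr=CONSTRUCTED_DATR; Expires=Thu, 26 Sep 2013 00:00:00 GMT; Path=/; Domain=.facebook.com",
    "a_user=CONSTRUCTED_UID; Path=/; Domain=.facebook.com; HttpOnly",  # lu is never re-set
]
NOW = datetime(2011, 9, 27, tzinfo=timezone.utc)  # the post's date, fixed for reproducibility
```

Running `audit_logout(COOKIES_BEFORE, LOGOUT_RESPONSE, NOW)` on the sample reports sess cleared, datr and lu retained, and a_user session-only, which is the pattern the post describes; `tracking_survivors` then lists the three identifying cookies that logout did not remove.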