Oldspeak:“Whenever you visit a web page that contains a Facebook button or widget, your browser is still sending details of your movements back to Facebook. Even if you are logged out, Facebook still knows and can track every page you visit. When you log out of Facebook, rather than deleting its tracking cookies, the site merely modifies them, maintaining account information and other unique tokens that can be used to identify you. …the only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.” –Nik Cubrilovic The surveillance state as indispensable social network. Just a FYI.
By Asher Moses @ The Sunday Morning Herald:
An Australian technologist has caused a global stir after discovering Facebook tracks the websites its users visit even when they are logged out of the social networking site.
Separately, Facebook’s new Timeline feature, launched last week, has been inadvertently accessed by users early, revealing a feature that allows people to see who removed them from their friends’ lists.
Facebook’s changes – which turn profiles into a chronological scrapbook of the user’s life – are designed to let its 800 million members share what they are reading, listening to or watching in real-time. But they have been met with alarm by some who fear over-sharing.
Causing a stir … Australian Nik Cubrilovic first spotted the tracking issue. Photo: Flickr.com/e27singapore
Of course, Facebook’s bottom line improves the more users decide to share. Reports suggest that Facebook staff refer internally to “Zuck’s law“, which describes Facebook founder Mark Zuckerberg’s belief that every year people share twice as much online – a trend that has caused Facebook’s valuation to skyrocket towards $US100 billion.
“Facebook is a lot more than a social network and ultimately wants to be the premier platform on which people experience, organise and share digital entertainment,” said Ovum analyst Eden Zoller.
But in alarming new revelations, Wollongong-based Nik Cubrilovic conducted tests, which revealed that when you log out of Facebook, rather than deleting its tracking cookies, the site merely modifies them, maintaining account information and other unique tokens that can be used to identify you.
Whenever you visit a web page that contains a Facebook button or widget, your browser is still sending details of your movements back to Facebook, Cubrilovic says.
“Even if you are logged out, Facebook still knows and can track every page you visit,” Cubrilovic wrote in a blog post.
“The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.”
Cubrilovic is working on a new unnamed start-up but has previously been involved with large technology blog TechCrunch and online storage company Omnidrive.
He backed up his claims with detailed technical information. His post was picked up by technology news sites around the world but Facebook has yet to provide a response to Fairfax Media and others.
David Vaile, executive director of UNSW’s Cyberspace Law and Policy Centre, said Facebook’s changes were a ”breathtaking and audacious grab for whole life data”. In an email interview he accused the social networking site of attempting to ”normalise gross and unsafe overexposure”.
”While initially opt-in, the default then seems to be expose everything, and Facebook have form in the past for lowering protection after people get used to a certain level of initial protection – bait and switch,” he said.
Stephen Collins, spokesman for the online users’ lobby group Electronic Frontiers Australia, said he did not believe Cubrilovic’s revelations would see people turn away from the site in droves but he hoped users became more engaged with the issue.
”Facebook, once again, are doing things that are beyond most users’ capacity to understand while reducing their privacy. That’s just not cool. I’d go so far as to say it’s specifically unethical,” he said.
Collins said the only reason he still uses Facebook is to help his 14-year-old daughter on the site. He said it took him an hour to lock down his profile to his satisfaction following the recent changes.
”It’s just not good enough. The default setting for any site should be ‘reveal nothing about me unless I make a specific choice otherwise’,” he said.
Others have compared Facebook’s changes to Bentham’s panopticon – a design for a prison where the guards can see all inmates but where the inmates never know whether they’re being watched. The result, applied to Facebook, is that real-time sharing means we always feel like we’re being watched and this then influences our behaviour.
Cubrilovic said he tried to contact Facebook to inform it of his discovery but did not get a reply. He said there were significant risks to the privacy of users, particularly those using public terminals to access Facebook.
“Facebook are front-and-centre in the new privacy debate just as Microsoft were with security issues a decade ago,” Cubrilovic said.
“The question is what it will take for Facebook to address privacy issues and to give their users the tools required to manage their privacy and to implement clear policies – not pages and pages of confusing legal documentation, and ‘logout’ not really meaning ‘logout’.”
The Australian Privacy Commissioner, Timothy Pilgrim, would not comment specifically on Cubrilovic’s findings but said generally social networking sites need to clearly spell out when browsing information is being collected, the purposes for which it may be used and whether it will be disclosed to other organisations.
“Good practice would also be to allow for users to opt out of having it collected,” said Pilgrim.
The findings come after technology industry observer Dave Winer declared Facebook was scaring him because the new interface for third-party developers allows them to post items to your Facebook feed without your intervention. This has been dubbed “frictionless sharing”.
Meanwhile, Facebook’s Timeline feature, which shows users a timeline of their activity on the site throughout the years, has not officially been switched on but many are using it already. Instructions can be found here.
But inadvertently or by design, the Timeline feature also lets people see which users had “unfriended” them by following a few simple steps:
1. Enable the new Timeline feature.
2. Pick a year in the timeline and locate the Friends box.
3. Click on “Made X New Friends”.
4. Scroll through the list and when you see an “Add Friend” box, those are the people either you have unfriended or vice-versa.
However, it appears Facebook has now disabled this function, describing it to gadget blog Gizmodo as a “bug”.
Finally, security researchers were quick to hose down a hoax that spread through the social network, claiming that Facebook was planning to start charging users for the new features.
This reporter is on Twitter: @ashermoses