Facebook Defends Getting Data From Logged-Out Users

Their defence doesn't hold much water. But then, I can't imagine any excuse that would satisfy me.<p>They say “The onus is on us is to take all the data and scrub it,” said Arturo Bejar, a Facebook director of engineering. “What really matters is what we say as a company and back it up.”, except their track record on that matter isn't exactly stellar.<p>We know they don't actually delete messages or things you delete on FB, they just mark them "deleted". With that attitude to "deleting" things, what does it even matter?<p>And I don't care if they promise the data is not used for targeting ads, that is just one of the many ways this type of data can be abused.<p>The argument they use it to prevent "spam and phishing attacks" also seems dubious to me. How does that work? And the cookie that's kept contains just your facebook ID, so wouldn't that be trivial for spammers and phishers to work around?<p>And the most important thing is, they might act all innocent about it <i>now</i>, that they did it with the best intentions and not to continue tracking people after they log out. Let's believe that and lets assume this behaviour doesn't involve any other privacy implications: Facebook is by now well known for their feature-creep, if we hadn't caught them red-handed now, what's to say they wouldn't be using this data in a few months from now?<p>Sorry but it's all bullshit. Facebook doesn't care one bit about their user's privacy, they've made that perfectly clear by now, and them pretending to do otherwise in this article is absolutely laughable.

Wow, has anyone here ever set multiple cookies? People are blowing this up bigtime. Facebook sets multiple cookies, one for an active user session and another token that serves to authenticate a user has previously logged into facebook, so they don't need to enter extra security questions.<p>Who else does this? Major banks, forum software, etc. It's a common technique. All that matters is what Facebook actually does with the data, and their privacy policy, just like the Engineer stated.<p>If you're paranoid, either don't use Facebook or clear your cookies after you log out. Don't you just love simple solutions?

The cookies are somewhat a red-herring when you consider how insignificant they are compared to other methods of tracking.<p>They don't need a cookie in place to receive the IP of whoever loads a page with a Facebook 'like' button on it.<p>They're a big enough company with smart enough people to develop algorithms that can associate an IP address to a user account to at least a 95% confidence interval. They've got all that stuff you type in your profile and all the things you've shared to aid that, and the more you use your account the better they can predict.<p>To that end I'd be surprised if they don't continue to track 'deactivated' Facebook accounts. Not in anticipation of you going back to it, of course.

<i>Bejar said Facebook is looking at ways to avoid sending the data altogether but that it will “take a while.”</i><p>Maybe I'm naive, but why would turning off the gathering of information take a while? This reminds me of unsubscribing to email newsletters, where the final goodbye says something like "you should stop receiving our emails within 6-8 weeks."

<i>The company says the data is sent because of the way the “Like” button system is set up; any cookies that are associated with Facebook.com will automatically get sent when you view a “Like” button.</i><p>They have a point. This is going to be the same for any site that has static content served elsewhere with cookies attached to the domain. Hot link to an image on my blog you commented on? OFFLINE DATA GATHERING ZOMG.

Another good reason to run something like ShareMeNot [1] - it blocks Facebook from receiving anything unless you specifically click on a 'Like' button.<p>[1] <a href="http://sharemenot.cs.washington.edu/" rel="nofollow">http://sharemenot.cs.washington.edu/</a>

"And earlier this year, Facebook discontinued the practice of obtaining browsing data about Internet users who had never visited Facebook.com, after it was disclosed by Dutch researcher Arnold Roosendaal."<p>I'm going to trust my gut on this one. I just get an uneasy feeling from their track record of 'mishaps' and the excuses that follow. There is a lot of stories that don't get enough attention or make enough people think...<p>Facebook might be called BigBrotherBlue when people look back one day. BigBrotherBlue is always watching.

How anyone from Facebook could make those statements with a straight face is beyond me. In my opinion, Facebook has a serious credibility problem.

How about if browsers implemented this cookie system: Each time a cookie is set, you could have the ability to mandate when that cookie is sent out. For example with a Facebook cookie you could tell the browser to only send that cookie when your address bar reads facebook.com. Problem solved?

This is a great example of the inherent conflict of interest when your users are not your customers, in fact they're your product.<p><a href="http://johnstanderfer.com/2011/09/26/facebooks-most-important-product-you/" rel="nofollow">http://johnstanderfer.com/2011/09/26/facebooks-most-importan...</a>

Isn't there a way to run specific web applications, like Facebook, in a virtual sandbox? I.e. storing its cookies separately from other apps, launching new unrelated browser instance if you browse facebook from/to some other site etc.?

If you want to stop pushing tracking data to Facaebook from your machine then just add a local redirect in your hosts file for facebook.com to map to 127.0.0.1 and just comment it when you want to use Facebook site :)

The real winner here is Google. Facebook makes Google look good. And that's pretty sad. When your users are logged out you have zero business tracking them or trying to do so.

I'd be interested to see how many competing social networks exhibit the same behavior. Specifically, Twitter and Google+ has similar social buttons.<p>Imagine I wanted to do this but not be get caught. What would you improve? Clearly the cookies will need to look different pre and post logout, but how different?