As anyone who frequents HN would notice, I do not care for Facebook. I don't like it as a company and I do not care for its founder. But with that said, I am glad to see that Facebook addressed this issue.
"There is a bug where a_user was not cleared on logout. We will be fixing that today."
PR speak. This seems much less like a bug to me, more like a poorly contemplated decision.
What seems more likely is that they were contemplating what they should do, and given the general direction Facebook is headed, they probably thought little of just leaving it in.
I love the facebook guys, but calling it a bug as opposed to a non-malicious decision is just PR speak
They don't need the cookie to track you anyway. Cookie-less tracking is no problem. Not deleting the cookie was making the tracking just a little bit easier, but I am sure they track users anyway, as long as they download the like widgets that webmasters put on their pages.
Just so we are clear: we don't cookieless "track users anyway".
I suppose you guys can line up to say I'm lying like you did to the other engineers who posted yesterday, and it is quite obviously impossible for me to prove otherwise. But suffice to say our policies are rather clear on the issue.
While it's unfortunate you're being thrown under the bus for this issue (I cannot prove Facebook is tracking me via my browser headers or not, it's simply dependent on how much trust I give to your company), this is a really healthy and important development that people are coming to. Facebook isn't the -only- company which has the potential to track you across the web; it's incredibly easy to do with ads, Digg buttons, Tweet buttons, and whatever new social network hits the stage. Some of these organizations may not have had such high profile cases as Facebook, which for all of its mishaps has at least responded to user's concerns.
We need to enter into an awareness about how identifiable we are just browsing the internet. Average users need to know this. It's not like Facebook can force browsers to not send identifiable content and its refusing to--web browsing has been designed to allow third party content just like that. So we need to start exploring the ways in which this amount of trust to third party content isn't so implicit.
So you don't track users with the "like" widgets? Even when they don't click on them? That would contraddict everything I read from FB until now.
> I suppose you guys can line up to say I'm lying
I never sad you lied. I just sad what you explicitly state on your privacy policy:
"We receive data whenever you visit a game, application, or website that uses Facebook Platform or visit a site with a Facebook feature (such as a social plugin). This may include the date and time you visit the site; the web address, or URL, you're on; technical information about the IP address, browser and the operating system you use; and, if you are logged in to Facebook, your User ID."
> This may include the date and time you visit the site; the web address, or URL, you're on; technical information about the IP address, browser and the operating system you use; and, if you are logged in to Facebook, your User ID."
With the exception the the UserID for logged in users, all of this data is standard stuff that every browser sends to every server of any site on every request.
> If that's not "tracking" I don't know what is...
If basic http header stuff is "tracking" to you, then every site on the internet is tracking you.
> all of this data is standard stuff that every browser
> sends to every server of any site on every request.
Come on lbrandy, let's be honest. Are you telling me and to the HN audience that you don't use the data "that every browser sends to every server", analyze it, try to get unique users out of it, try to gather interest, browsing behavior, a lot of other stuff and sell it to advertisers?
Because that would contradict what you state in your privacy policy.
>> If that's not "tracking" I don't know what is...
> I believe the word I'd use is "http".
http is the protocol you gather the data with. Once you got it, you gather your stats from it. And thus track users with it. And you state so explicitly in your privacy policy. And there is IMHO nothing wrong with it. I adblock it anyway.
> Are you telling me and to the HN audience that you don't use the data "that every browser sends to every server", analyze it, try to get unique users out of it, try to gather interest, browsing behavior, a lot of other stuff and sell it to advertisers?
That's pretty much the definition of "cookieless tracking", isn't it? Feel free to read my original post.
> That's pretty much the definition of "cookieless tracking", isn't it?
Yes, it is.
"We will keep aggregated and anonymized data (not associated with specific users) [...]"
Ok.
So you partially confirm my point. You DO track users. But you say you don't keep the information associated with "y0ghur7_xxx", but with user_id:389472984.
At least on the FAQ. The privacy policy is not so clear.
lbrandy has it right here. If your definition of "tracking" is "web server log analysis," then nearly every web site you visit is tracking you.
It's really nothing to worry about though, unless Facebook is doing something to de-anonymize that (otherwise stateless) data. They could probably do that (by noting the IP and User-agent seen when logging out, for example), but they explicitly claim not to in a number of places, most recently by lbrandy in this thread.
> lbrandy has it right here. If your definition of
> "tracking" is "web server log analysis," then nearly every
> web site you visit is tracking you.
Of course. The "problem" is that the FB widget is all over the web, giving them the the possibility to track users not only on a single page, but on (almost) the whole web.
I put "problem" in quotes because it's only really a problem if users don't know that. And I think the vast majority of FB users don't know that FB knows almost every page they visit on the web. The same is true for google as well of course.
At prior jobs we would put similar language in our privacy policy, not because we did anything with the data, but because we didn't want someone to claim we violated the policy due to how web browsers worked. Either you trust Facebook to follow their privacy policy or you don't; short of auditing them there is now way to validate otherwise.
If you are really concerned about this why not use a browser extension that randomizes your HTTP headers?
The issue isn't that I'm tracked when I visit Facebook - that's normal. The issue is that I am (at least potentially) tracked when I don't visit Facebook due to your ubiquitous Like button.
That's the privacy-endangering activity that has resulted from your sheer size. Please don't pretend it doesn't exist.
But it is different from what a single site can do. Why do you muddy the issue? Was Google under discussion? No. So why turn this into a tribal identification game?
I was looking at it is a technical issue, not a tribal identification game. Any third-party that embeds stuff on any of the web sites that you visit has a capability of tracking you in some capacity.
That's a simple fact that sometimes gets lost when people are discussing Facebook. Lots of third-parties do this sort of thing and most of the time, nobody notices or cares. It feels odd to hold Facebook to a different standard.
That particular sentence does not describe "tracking", it describes "http". Those are just the data every browser sends to a server if it requests a resource hosted there. The sentence you cited is just a description of the behaviour of the protocol. Tracking only happens if the server logs these data, which it may or may not do, and the rest of the facebook privacy policy seems to say that they indeed want to do that, or at least keep the option to do so. But no matter what the server operator says it does, you cannot really check that.
No. FB does not just log the data without using it. And they state so explicitly:
"We use the information we receive about you in connection with the services and features we provide to you and other users like your friends, the advertisers that purchase ads on the site..."
You can view browser headers and see this for yourself, if you're curious. In Chrome, go to the Developer Tools -> Network Tab, refresh a page with the "like" button, look for "like.php" and all the corresponding resources loaded by it, and look at the "headers" tab for each. You can see what data is being sent to Facebook and draw your own conclusions about how anonymous it makes you.
But you do track users, and did track users in ways you've quickly stopped, so it's obviously not a moral issue. It's an issue of dodging blame for this or that specific tactic.
> you guys can line up to say I'm lying
You say that as if people should be ashamed for presuming the modern American corporation is lying to them. I've been directly and obviously lied to by representatives of many companies and they've all played the victim like you are.
If this is official have Zuckerberg say something legally binding.
> it is quite obviously impossible for me to prove otherwise.
Not at all. As a corporation, allow independent auditors to monitor certain key filtering systems to make sure you couldn't be receiving data you say you don't intend to log.
As an engineer you could leak the policy memos. And I mean leak, not get permission to post some redacted version.
Rails matches a session csrf token against form data to detect if someone is trying to submit a form without a proper token. This session data is stored in a cookie by default.
This functionality is referenced in the security guide.
From my reading of that link, in Rails it's not the CSRF token itself that's stored in the cookie, it's the secret used to verify the token. If Facebook is doing the same thing, there would be no need to store the secret after the user has logged out--just generate another secret the next time they log in.
So as long as you log in to Facebook often enough (more often than you install new browser plugins or fonts or whatever), they can cookieless-track you perfectly when you're logged out, by remembering the browser fingerprint you had when you were logged in. And even if the fingerprint changes a little bit, they could use something like Levenshtein distance, combined with statistics of frequently visited sites, to have a good chance of identifying you anyway. In the hypothetical world where Facebook was an evil monster of surveillance, of course. I'm not talking about the real world here ;-)
So what can you do when faced by a hypothetical monster like that? Disabling third-party cookies is only the first step. Is there any reasonable way to anonymize your browser fingerprint?
Is there any reasonable way to anonymize your browser fingerprint?
Maybe not totally anonymize, but a lot of the data that gets used for browser fingerprinting relies on flash to work, so if you run without flash on by default (click to flash, or whatever) that should help.
Definitely, most of the identifiability comes from data only available from JavaScript such as the combination of screen resolution and available fonts.
I got the same number as anonymous below me. The biggest cause of uniqueness was the installed fonts reported by the browser. I'm on Linux and we have some weird ones....
Yeah, between plugins and fonts, most browsers show up as "unique" in that tool which are merely unusual. I'm using a Firefox alpha build, and it says that alone is enough to identify me, even though obviously it isn't.
And thanks to Nik for bringing this to the light.