Facebook is no stranger to privacy-related controversies, and in the wake of last week's effort to expand the company's "open graph" concept, there are renewed concerns that the social-networking site is tracking your Web activity even after you log out of Facebook.
In a Sunday blog post, blogger and hacker Nik Cubrilovic tackled the concept of "frictionless sharing," or being able to share your non-Facebook activity with Facebook friends. He argued that Facebook can track your Web activity outside the confines of Facebook.com even if you have logged out of the service, something a Facebook engineer denied in the comments.
The idea of frictionless sharing was highlighted last week when Facebook teamed up with music sites like Spotify, Rdio, and Slacker to allow users to share listening habits. Those who download a Facebook-centric app from each of those services will share every single song they listen to with their Facebook friends. The same option will be available for Hulu and Netflix, at least outside the United States, as well as media sites like Yahoo News.
Facebook basically frames this as a hassle-free recommendation engine. You share your Web activity and maybe find some new artists, movies, or news stories based on what your friends are doing. Of course, the concern is that you might not want to share everything you're doing outside of Facebook. Does everyone need to know you listened to a Justin Bieber song, read an article about how to get over your ex, or watched cartoons on Hulu?
Software developer Dave Winer expressed concern, as did This is My Next blogger Laura June.
Facebook is "doing something that I think is really scary, and virus-like. The kind of behavior deserves a bad name, like phishing, or spam, or cyber-stalking," Winer wrote.
June, meanwhile, was irked by the lack of control she would have in sharing music via Rdio. "I liked the feature the way it was, and now Facebook has broken that for me. It's an 'all or nothing' proposition, and, on the internet (and honestly in life), I'm not one for all or nothings," she wrote.
Winer pointed out that users can avoid having their activity broadcast via Facebook by logging out of the service. But Cubrilovic said that is not the case.
"Even if you are logged out, Facebook still knows and can track every page you visit," he wrote. "The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions."
Gregg Stefancik, who identified himself as a Facebook engineer, posted a comment on Cubrilovic's blog post to deny the charges.
"Generally, unlike other major Internet companies, we have no interest in tracking people," Stefancik wrote. "Said more plainly, our cookies aren't used for tracking. They just aren't."
Facebook cookies, Stefancik continued, are used to provide custom content, like a friend's like within a social plugin, to improve the service, like measuring click-through rates, or to protect its users, like guarding against a denial of service attack or requiring a second-level authentication.
"The logged out cookies, specifically, are used primarily for safety and security protections," Stefancik said. That includes: disabling registration if an underage user tries to re-register with a different birth date; helping people recover hacked accounts; powering account security features, such as login approvals and notifications; and identifying shared computers to discourage the use of "Keep me logged in."
Maintaining cookie association between accounts and browsers, meanwhile, "is a key element of our phishing protections," but Facebook insisted that it deletes "account-specific cookies when a user logs out of Facebook. As a result, we do not receive personally identifiable cookie information via HTTP Headers when these users browse the web," Stefancik wrote.
Those who replied to Stefancik's blog post were not convinced, with one commenting that "it doesn't matter what they are being used for. The question is what they could be used for by someone who doesn't follow the protocol."
Cubrilovic, meanwhile, said he has been trying to alert Facebook about his findings for almost a year, but received little or no response. Stefancik said Facebook's new reporting and bounty feature will hopefully make it easier to contact the social-networking site.