Facebook Remedies Tracking Issue, Cookie Is Now Destroyed After Logging Out
On Monday, we reported on some privacy concerns that involved Facebook tracking your Web browsing activity even if you were logged out of the social network. According to hacker Nik Cubrilovic, Facebook had a number of cookies in place that were only slightly altered when you logged out. This means that if you visited a website containing a Facebook widget or Like button, your information would still be sent back to Facebook even if you weren’t logged in. Since then, Cubrilovic has been in contact with Facebook and they’ve been working to fix this issue.
Five cookies related to the logout process still persist: datr, lu, p, L and act. The 2 cookies that previously persisted after logout were a_user and a_xs; a_user is your user ID and a_xs helps prevent cross-site request forgery. These 2 cookies are now removed upon logout, and Facebook released this statement about the change:
What you see in your browser is largely typical, except a_user which is less common and should be cleared upon logout (it is set on some photo upload pages). There is a bug where a_user was not cleared on logout. We will be fixing that today.
Not all cookies are bad cookies, and the 5 remaining in place help protect your account, among other things. The datr cookie helps flag questionable activity like failed login attempts and attempts to create spam accounts. The lu cookie helps protect people using public computers by making subtle changes to the login form like allowing you to uncheck the “keep me logged in” option. The rest of the cookies involve various things like setting the language of your browser and your device’s dimensions.
Perhaps the most interesting cookie is act. It’s a timestamped log of page requests that’s used to measure performance. While this cookie isn’t tied to a user ID, it’s still being logged and can technically be linked to a user even though Facebook isn’t using it that way.
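To check the behavior described above yourself, the sketch below applies a logout response's Set-Cookie headers to a cookie jar and reports whether a_user or a_xs is still present afterwards. It is an added example, not code from Facebook or Cubrilovic: the cookie names come from this article, while every value, header and function name is constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie names come from the article; all values and headers below are constructed.
MUST_CLEAR_ON_LOGOUT = {"a_user", "a_xs"}
JAR_BEFORE = {"datr": "d1", "lu": "l1", "p": "1", "L": "2", "act": "a1",
              "a_user": "1000001", "a_xs": "x1"}
PAST = "Thu, 01 Jan 1970 00:00:01 GMT"
LOGOUT_BUGGY = ["lu=l2; Path=/", "L=2; Path=/"]   # never expires a_user / a_xs
LOGOUT_FIXED = LOGOUT_BUGGY + [f"a_user=deleted; Expires={PAST}; Path=/",
                               "a_xs=deleted; Max-Age=0; Path=/"]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    pair, *rest = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.strip(), value.strip(), attrs

def is_deletion(attrs, now):
    """Max-Age <= 0 deletes; without a valid Max-Age, a past Expires deletes."""
    try:
        return int(attrs["max-age"]) <= 0
    except (KeyError, ValueError):
        pass                      # absent or malformed Max-Age: use Expires
    try:
        return parsedate_to_datetime(attrs["expires"]) <= now
    except (KeyError, TypeError, ValueError):
        return False              # no Expires, or an unparseable date

def jar_after_logout(jar_before, set_cookie_headers):
    """Apply a logout response's Set-Cookie headers to a copy of the jar."""
    now, jar = datetime.now(timezone.utc), dict(jar_before)
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if is_deletion(attrs, now):
            jar.pop(name, None)
        else:
            jar[name] = value
    return jar

def uncleared(jar):
    return sorted(jar.keys() & MUST_CLEAR_ON_LOGOUT)

if __name__ == "__main__":
    for label, headers in (("before fix", LOGOUT_BUGGY), ("after fix", LOGOUT_FIXED)):
        print(label, uncleared(jar_after_logout(JAR_BEFORE, headers)))
```

Run it against headers copied from your own browser's developer tools in place of the constructed lists to see which cookies a real logout response actually expires.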
Facebook has taken these issues seriously and resolved as much as possible with the logout cookies without compromising security in other areas. Facebook still wants to keep the ability to track browsers after logout to protect users’ safety and prevent spam, and they want to log page requests to make sure their service’s performance is up to par.
If you’re still uncomfortable, there is a Google Chrome extension that blocks Facebook and other social networks from tracking your online activities by removing social plugins. You can also use privacy tools to remove all traces of your browsing activity.