More on Facebook’s privacy issues

I just want to address this assertion:

With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook.

That isn’t necessarily true. Today, all of the major browsers severely restrict which cookies a website can access. In modern browsers, only the domain for which a cookie was created can read that cookie after it is stored in a user’s browser. In other words, if Facebook creates a cookie and stores it under the domain http://www.facebook.com, then that cookie cannot be read by any domain other than http://www.facebook.com.

That means the Facebook Like and Share widgets would have to originate from http://www.facebook.com in order for them to read the cookies stored by Facebook. So the only way any widget can read the Facebook cookies is if the widget is actually a (tiny) Facebook webpage itself set inside an inline frame on a non-Facebook webpage (this is how Disqus does it). So you don’t have to worry about just any old widget reading your Facebook cookies; only Facebook webpages disguised as widgets can do that.

(Another option is for a script on a webpage you are viewing to send data about which specific webpage you are viewing over to a webpage on Facebook that can read http://www.facebook.com cookies and then integrate the information to register it on your account in Facebook, but in that case the non-Facebook website still has no clue what your Facebook cookies say [that is how Twitter Share buttons usually work and why they open up new windows or tabs].)

Otherwise, it’s standard practice to keep some cookies in browser memory even when logged out of just about any website. I guess you could think of it as tracking, but most of the time it is there for a better user experience such as remembering some setting that you would have to set again if the cookie were to be deleted. Like John Morales said, if you are worried about that or don’t trust a web service provider, major modern browsers now all support “safe” or “private” browsing which means that cookies and cache and history are all deleted after you close the browser or quit your session of “safe” or “private” browsing.

So, this is business as usual. I’m not sure this qualifies as a significant privacy issue unless there is some sort of backroom business going on where Facebook is making it possible for non-Facebook web services to match your usage of their service with your Facebook account.
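
The cookie scoping described above, as an added example that is not part of the original post: a simplified model of the RFC 6265 domain and path matching that browsers use to decide which cookies accompany a request. The cookie names and values, the blog.example host and the /widget/like path are constructed assumptions; Secure, SameSite, HttpOnly and expiry are left out.

```javascript
// Simplified RFC 6265 cookie matching. All cookies and hosts below are constructed samples.

// Section 5.1.3: the host is the cookie's domain, or a subdomain of it.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Section 5.1.4: the cookie path is a prefix of the request path on a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Constructed cookie jar: one cookie left behind by the social network after
// logout, one set by the blog that embeds the widget.
const sampleJar = [
  { name: "fb_id", value: "constructed-123", domain: "facebook.com", hostOnly: false, path: "/" },
  { name: "theme", value: "dark", domain: "blog.example", hostOnly: true, path: "/" },
];

// Names of the cookies a browser would attach to a request for `url`.
function cookiesFor(url, jar) {
  const { hostname, pathname } = new URL(url);
  return jar
    .filter((c) => (c.hostOnly ? hostname === c.domain : domainMatch(hostname, c.domain)))
    .filter((c) => pathMatch(pathname, c.path))
    .map((c) => c.name);
}

// Model a page that embeds a widget in an inline frame served from another site.
function embedWidget(hostPageUrl, widgetUrl, jar) {
  return {
    // The iframe request goes to the widget's own domain, so it carries that
    // domain's cookies. The Referer header reveals at least the embedding origin.
    widgetServerSees: {
      cookies: cookiesFor(widgetUrl, jar),
      referer: new URL(hostPageUrl).origin,
    },
    // Scripts on the host page are limited to cookies scoped to the host page.
    hostPageCanRead: cookiesFor(hostPageUrl, jar),
  };
}

const view = embedWidget("https://blog.example/post/1", "https://www.facebook.com/widget/like", sampleJar);
console.log(JSON.stringify(view, null, 2));
```

The output shows both halves of the argument: the embedding page never sees `fb_id`, while the framed widget's server receives it together with the origin of the page being read.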
