Lawmakers seek FTC probe of Facebook post-log out tracking

Facebook says it's not storing any data, but lawmakers say user browsing activities shouldn't be tracked at all without permission.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read
Lawmaker letter to the FTC complains about Facebook tracking users after they log out.
Lawmaker letter to the FTC complains about Facebook tracking users after they log out. Representatives Edward Markey and Joe Barton

Two U.S. congressmen today asked the Federal Trade Commission to investigate Facebook's practice of tracking users even after they have logged out.

"When users log out of Facebook, they are under the expectation that Facebook is no longer monitoring their activities. We believe this impression should be the reality. Facebook users should not be tracked without their permission," said the letter (PDF) sent to the FTC by Edward Markey, a Massachusetts Democrat, and Joe Barton, a Texas Republican.

"Facebook was able to obtain this information when users visited websites that connect with Facebook, including websites with 'Like' buttons," the letter said. "There are an estimated 905,000 sites that contain the 'Like' button."

Asked for comment, a Facebook spokesman said the company did not store or use any information it should not have.

"There was no security or privacy breach. Facebook did not store or use any information it should not have," Andrew Noyes, manager of Public Policy Communications at Facebook, said in an e-mail.

"Like every site on the Internet that personalizes content and tries to provide a secure experience for users, we place cookies on the computer of the user," he wrote. "Three of these cookies on some users' computers inadvertently included unique identifiers when the user had logged out of Facebook. However, we did not store these identifiers for logged out users. Therefore, we could not have used this information for tracking or any other purpose."

When the problem was discovered by an outside party, Facebook got information from that person that allowed the company to identify the three cookies, according to Noyes. "We moved quickly to fix the cookies so that they won't include unique information in the future when people log out," he wrote.

But Facebook cookies will remain on computers of logged-out users, at least for now. Arturo Bejar, a Facebook director of engineering, told The Wall Street Journal on Monday that changing that would "take a while."

But lawmakers Markey and Barton said they were concerned about how quickly Facebook plans to address that. "Facebook should consider this problem a top priority and should allocate the resources necessary to safeguard consumers in an expedited fashion," they wrote in their letter to FTC Chairman Jon Leibowitz.

The problem was noticed by Australian technologist Nik Cubrilovic who wrote about it on Sunday in the wake of privacy concerns related to the new Facebook Timeline feature. He said he had known about the problem for a year and had failed to get a response from Facebook about it until after he published his initial blog post on it this week.

In response to his post, a Facebook representative told Cubrilovic that the company had fixed the issue.

"Facebook changed as much as they can change with the logout issue," Cubrilovic wrote in a follow up post. "They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc. I would still recommend that users clear cookies or use a separate browser, though. I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe."