Facebook Fixes Cookie Privacy Issue
Facebook has changed the way it handles cookies, after accusations that it leaked personal data
Facebook has fixed an issue that it admitted could have allowed users to be identified and tracked after they had logged out of the social network, via their cookies.
Cookies are small pieces of data that websites store in a user’s browser in order to customise the user’s experience. On Monday Australian researcher Nik Cubrilovic reported that three Facebook cookies remaining on a user’s system following logout could be used to identify a user and link back to his or her Facebook account.
Personal data
The problem has now been fixed, according to Facebook, which said the issue had been caused “inadvertently”.
The cookies involved included a_user, which is the user’s Facebook ID. Facebook said this cookie is now destroyed when the user logs out.
“When Nik provided us with the additional information that allowed us to identify these three cookies, we moved quickly to fix the cookies so that they won’t include unique information in the future when people log out,” Facebook said in a statement.
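The fix the statement describes amounts to two things: a logout response that tells the browser to discard every cookie carrying a per-user identifier, and a check that nothing identifying survives afterwards. The following is an added illustration written for this article, not Facebook’s code; the cookie name a_user comes from the report above, while session_token, locale, ui_theme and the domain example.com are constructed placeholders.

```python
"""Expire identifying cookies at logout and audit what survives.

Added example, not Facebook's code. Only 'a_user' is a name taken from the
article; every other cookie name and the domain are constructed."""
from http.cookies import SimpleCookie

# Cookies that carry a per-user identifier and must not outlive a session.
IDENTIFYING_COOKIES = ("a_user", "session_token")

# A fixed date in the past; sending both Max-Age=0 and an expired date
# covers browsers that honour only one of the two attributes.
EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"


def logout_set_cookie_headers(domain="example.com"):
    """Return the Set-Cookie values a logout response should send.

    Domain and Path must match the attributes the cookie was originally set
    with; otherwise the browser treats this as a different cookie and the
    identifying one survives."""
    headers = []
    for name in IDENTIFYING_COOKIES:
        c = SimpleCookie()
        c[name] = ""
        c[name]["max-age"] = 0
        c[name]["expires"] = EPOCH
        c[name]["domain"] = domain
        c[name]["path"] = "/"
        c[name]["secure"] = True
        c[name]["httponly"] = True
        headers.append(c[name].OutputString())
    return headers


def apply_response_cookies(jar, set_cookie_values):
    """Simulate a browser applying Set-Cookie headers to its cookie jar.

    A cookie with Max-Age=0 or an expiry in the past is deleted; anything
    else is stored or overwritten."""
    jar = dict(jar)
    for value in set_cookie_values:
        parsed = SimpleCookie()
        parsed.load(value)
        for name, morsel in parsed.items():
            if str(morsel["max-age"]) == "0" or morsel["expires"] == EPOCH:
                jar.pop(name, None)
            else:
                jar[name] = morsel.value
    return jar


def looks_like_identifier(value):
    """Heuristic (an assumption of this example): a long all-digit value or
    a long hex string is probably a unique ID rather than a preference."""
    if len(value) >= 12 and value.isdigit():
        return True
    hex_chars = set("0123456789abcdefABCDEF")
    return len(value) >= 16 and set(value) <= hex_chars


def audit_post_logout(jar):
    """Return names of cookies still present after logout that are known
    identifiers or whose values look like one. Empty list is the goal."""
    return sorted(
        name for name, value in jar.items()
        if name in IDENTIFYING_COOKIES or looks_like_identifier(value)
    )


def demo():
    """Constructed logged-in browser state, then the logout round trip."""
    logged_in = {
        "a_user": "100000123456789",          # constructed user ID
        "session_token": "a1b2c3d4e5f60718",  # constructed session token
        "locale": "en_GB",                    # harmless preference
        "ui_theme": "dark",                   # harmless preference
    }
    after_logout = apply_response_cookies(logged_in, logout_set_cookie_headers())
    return after_logout, audit_post_logout(after_logout)


if __name__ == "__main__":
    remaining, findings = demo()
    print("cookies after logout:", remaining)
    print("identifying cookies left behind:", findings)
```

The audit is the part worth keeping around: run it against the cookie jar after a real logout and it reports the exact class of leftover the article describes, a preference-looking cookie whose value is really a user ID. The digit/hex heuristic is an assumption for the example and will need tuning for any real site’s cookie vocabulary.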
The company acknowledged that users’ principal privacy fear is that Facebook itself might misuse such information to track users’ activities elsewhere on the Internet. The company argued that because this was not the case, no security or privacy breach had in effect taken place.
“Facebook did not store or use any information it should not have,” the company stated. “We did not store these identifiers for logged out users. Therefore, we could not have used this information for tracking or any other purpose.”
The company did acknowledge, though, that the cookies included “unique identifiers” that could have been misused by third parties, and said it had taken measures to fix the issue.
However, Cubrilovic advised users not to place their faith entirely in Facebook.
“I would still recommend that users clear cookies or use a separate browser,” he said in a Wednesday blog post. “I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues.”
Widespread issue
Sophos researcher Paul Ducklin argued that long-lived cookies of the type identified by Cubrilovic are common.
“If you’re worried about this sort of thing, routinely delete all cookies from your browser. This means that you dispose of all your no-longer-anonymous cookies,” he wrote in a blog post. “Your favourite websites will no longer have cookie-based history about you, so you’ll get newly-generated anonymous cookies next time you visit each of those sites. Most browsers – Firefox, Chrome, Opera and Internet Explorer, for instance – have an ‘automatically delete cookies on exit’ option. I recommend using it: you don’t have to keep remembering to delete old cookies by hand.”
Sophos earlier this year took Facebook to task over its privacy issues, outlining specific steps the company needed to take to improve security.
Earlier this month Lord Richard Allan, Facebook’s head of European public policy, admitted that the threat of account hacking to scam users out of money has become a “major issue” for the social network.
New cookie regulations
In May legal changes came into effect on the way companies may use cookies, deriving from an amendment to the EU’s Privacy and Electronic Communications Directive, which require companies to get permission from users before tracking their activities with cookies. Previously companies only needed to inform users they were using cookies, and provide information on how they could opt out.
The Information Commissioner’s Office (ICO) has said it is planning to bring in enforcement of the new rules in phases, and does not expect companies to immediately achieve perfect compliance. At the same time, companies must be seen to be making an effort to work out how they will deal with the new law, the ICO said.