
Facebook Defends Getting Data From Logged-Out Users - goldensaucer
http://blogs.wsj.com/digits/2011/09/26/facebook-defends-getting-data-from-logged-out-users/
======
tripzilch
Their defence doesn't hold much water. But then, I can't imagine any excuse
that would satisfy me.

They say “The onus is on us is to take all the data and scrub it,” said Arturo
Bejar, a Facebook director of engineering. “What really matters is what we say
as a company and back it up.”, except their track record on that matter isn't
exactly stellar.

We know they don't actually delete messages or things you delete on FB, they
just mark them "deleted". With that attitude to "deleting" things, what does
it even matter?

And I don't care if they promise the data is not used for targeting ads, that
is just one of the many ways this type of data can be abused.

The argument they use it to prevent "spam and phishing attacks" also seems
dubious to me. How does that work? And the cookie that's kept contains just
your facebook ID, so wouldn't that be trivial for spammers and phishers to
work around?

And the most important thing is, they might act all innocent about it _now_ ,
that they did it with the best intentions and not to continue tracking people
after they log out. Let's believe that and lets assume this behaviour doesn't
involve any other privacy implications: Facebook is by now well known for
their feature-creep, if we hadn't caught them red-handed now, what's to say
they wouldn't be using this data in a few months from now?

Sorry but it's all bullshit. Facebook doesn't care one bit about their user's
privacy, they've made that perfectly clear by now, and them pretending to do
otherwise in this article is absolutely laughable.

~~~
fl3tch
What if you delete your account entirely? Do they delete your data then?

~~~
CGamesPlay
Facebook does delete all data associated with an account after it is deleted.
An account is deleted after you indicate that you want to delete it (via a
form in your account settings), and 2 weeks passes without you trying to
reactivate the account (by logging into it). And yes, I do mean the permanent,
irreversible kind of deleting. (I work at Facebook.)

~~~
GeneralMaximus
I'd like to believe you. I really would, but I'm sorry to say that I can't.

About an year ago I deleted my Facebook account permanently. I even got a
confirmation email after 14 days telling me I had deleted it. However, three
or four months later I was forced to sign up for an account again[1]. After I
logged in, Facebook showed me a list of "suggested friends". Note that I had
zero friends at this point. Guess what, _every single person I had added as a
friend in my previous account was in that suggested friends list_. How is that
possible if Facebook is not retaining information about me? You guys are
obviously associating something with my name and email address. That, or
you're telepathic.

So no, I don't believe you. I don't believe Facebook deletes any information
at all.

\---

[1] The info for every event I wanted to attend was on FB. Classmates talked
about college and swapped notes on FB. People planned meetups and reunions on
FB. It's scary how much happens on FB instead of face-to-face/phone/email now.

~~~
djeikyb
Facebook could have stored your email address as part of your friend's
account, eg "an email address this person is friendly with". Your account,
posts and friends and all, are gone, but you leave traces of yourself with
your friends. These traces could be reconstructed.

~~~
CGamesPlay
Without knowing the exact details of your case, this sounds like the correct
explanation. The friends you saw were probably ones who have used Facebook's
contact importer, and so their accounts had a record that your email address
was a known contact. All of your wall posts, photos, friend lists, and other
activity were actually dropped from Facebook's databases.

------
iamleppert
Wow, has anyone here ever set multiple cookies? People are blowing this up
bigtime. Facebook sets multiple cookies, one for an active user session and
another token that serves to authenticate a user has previously logged into
facebook, so they don't need to enter extra security questions.

Who else does this? Major banks, forum software, etc. It's a common technique.
All that matters is what Facebook actually does with the data, and their
privacy policy, just like the Engineer stated.

If you're paranoid, either don't use Facebook or clear your cookies after you
log out. Don't you just love simple solutions?

~~~
spot
it's different because banks don't have "like" buttons that track your
browsing across the web.

------
FuzzyDunlop
The cookies are somewhat a red-herring when you consider how insignificant
they are compared to other methods of tracking.

They don't need a cookie in place to receive the IP of whoever loads a page
with a Facebook 'like' button on it.

They're a big enough company with smart enough people to develop algorithms
that can associate an IP address to a user account to at least a 95%
confidence interval. They've got all that stuff you type in your profile and
all the things you've shared to aid that, and the more you use your account
the better they can predict.

To that end I'd be surprised if they don't continue to track 'deactivated'
Facebook accounts. Not in anticipation of you going back to it, of course.

~~~
alastairpat
Tracking by IP is a ridiculous idea. My mobile phone provider uses transparent
proxying for its mobile Internet - I must share the same external IP as
thousands of other people when I browse the web via my phone. Not to mention
that households using NAT will have three plus accounts from the one IP, let
alone businesses with hundreds.

Internet-facing IP simply isn't unique enough for these purposes.

~~~
DougWebb
My inclination is to agree with you; the IP is hardly a unique identifier. But
they don't need perfection. Think about it: most people, most of the time,
will send requests to FB from just a few IPs and maybe one ISP proxy network
(which FB can recognize as a proxy.) They know that your account is associated
with these IPs based on tracking cookies. So, when they see a request from one
of these IPs without the cookie, they can do a reverse lookup to get a list of
possible accounts. That narrows the field. Next they can do a semantic
analysis of the page that had the Like button which sent the request, and
compare that to pages previously associated with the possible accounts. If one
of them stands out as a likely match, they can be pretty sure who sent the
request.

The more data they gather, and the more relationships they can record between
you, your friends, and the pages you visit, the better they will get at
tracking you without the cookies.

~~~
alastairpat
It's an interesting idea in theory, but I honestly think that the number of
people who care enough about privacy to want to log out (or otherwise stop the
cookies from being sent to Facebook) would be so low that it wouldn't be cost-
effective. My guess is that it would probably be confined to HN's demographic.

The sort of zeroing-in on individuals based on traits/information, however,
does kind of remind me of this: [http://adage.com/article/digitalnext/target-
a-facebook-ad-a-...](http://adage.com/article/digitalnext/target-a-facebook-
ad-a-specific-individual/132212/) \- not really relevant, but still kind of
cool.

------
lpolovets
_Bejar said Facebook is looking at ways to avoid sending the data altogether
but that it will “take a while.”_

Maybe I'm naive, but why would turning off the gathering of information take a
while? This reminds me of unsubscribing to email newsletters, where the final
goodbye says something like "you should stop receiving our emails within 6-8
weeks."

~~~
mnutt
Any code changes take a non-trivial amount of time. It sounds like the
solution is to delete more of the cookies on logout, but there may be other
Facebook services that use them and need to be transitioned away.

~~~
cbs
>Any code changes take a non-trivial amount of time

Thats a awfully cautions attitude and smells like a huge cop out for the well
known fly-by-the-seat-of-your-pants commit to live strategy that facebook has.

~~~
mnutt
I don't work there, but where I work we deploy 10-20 times a day and if
somebody asked me to change the way we store data in cookies, it would
probably take a bit of time to roll out.

I'm only defending them because it annoys me when people who aren't familiar
with the software internals tell me "this is a minor change, it should take
you less than an hour".

~~~
0x12
To be fair though, _not_ doing something is a lot easier to implement than to
add new functionality. As a minimal implementation they could err on the safe
side and stop tracking everybody for a bit until they've corrected their
error.

------
polemic
_The company says the data is sent because of the way the “Like” button system
is set up; any cookies that are associated with Facebook.com will
automatically get sent when you view a “Like” button._

They have a point. This is going to be the same for any site that has static
content served elsewhere with cookies attached to the domain. Hot link to an
image on my blog you commented on? OFFLINE DATA GATHERING ZOMG.

~~~
rhizome
Hotlink an image? That's now how the Like button works. It's more like linking
to an IFRAME _with its own javascript_. Slight diff.

~~~
polemic
The JS can't break out of it's frame, so that doesn't really matter. The
cookie comes with the request (image, html or JS, it doesn't matter).

~~~
rhizome
Gotcha. Interesting.

Thanks to both of you!

------
andrewpi
Another good reason to run something like ShareMeNot [1] - it blocks Facebook
from receiving anything unless you specifically click on a 'Like' button.

[1] <http://sharemenot.cs.washington.edu/>

------
rblion
"And earlier this year, Facebook discontinued the practice of obtaining
browsing data about Internet users who had never visited Facebook.com, after
it was disclosed by Dutch researcher Arnold Roosendaal."

I'm going to trust my gut on this one. I just get an uneasy feeling from their
track record of 'mishaps' and the excuses that follow. There is a lot of
stories that don't get enough attention or make enough people think...

Facebook might be called BigBrotherBlue when people look back one day.
BigBrotherBlue is always watching.

------
RexRollman
How anyone from Facebook could make those statements with a straight face is
beyond me. In my opinion, Facebook has a serious credibility problem.

------
thoradam
How about if browsers implemented this cookie system: Each time a cookie is
set, you could have the ability to mandate when that cookie is sent out. For
example with a Facebook cookie you could tell the browser to only send that
cookie when your address bar reads facebook.com. Problem solved?

~~~
executive
They do.. it's called disable third party cookies.

~~~
thoradam
No that's for setting cookies, so that website A can't set cookies on your
machine while you're visiting website B.

What I'm talking about is the ability to limit when cookies as sent out with
requests. Privacy wary users could perhaps have their browser set so that for
example Facebook cookies are not sent to Facebook just because you're visiting
a website that has code from Facebook on it, but only when you're actually
browsing Facebook.

------
jstanderfer
This is a great example of the inherent conflict of interest when your users
are not your customers, in fact they're your product.

[http://johnstanderfer.com/2011/09/26/facebooks-most-
importan...](http://johnstanderfer.com/2011/09/26/facebooks-most-important-
product-you/)

~~~
pork
Please don't take this personally, but the whole "you're the product" meme,
while it has a shred of truth in it, has been so re-hashed on the net that
it's no longer pithy or informative. Just google for "you're the product" and
you'll see what I mean.

~~~
jstanderfer
I don't take it personally at all. The meme is common among people familiar
with the internal workings of consumer web business models. My concern is that
its not well understood outside that group. I also think it's an interesting
way to view the rollout of Facebook's new features and public reaction to
them.

------
rumcajz
Isn't there a way to run specific web applications, like Facebook, in a
virtual sandbox? I.e. storing its cookies separately from other apps,
launching new unrelated browser instance if you browse facebook from/to some
other site etc.?

------
amnigos
If you want to stop pushing tracking data to Facaebook from your machine then
just add a local redirect in your hosts file for facebook.com to map to
127.0.0.1 and just comment it when you want to use Facebook site :)

------
0x12
The real winner here is Google. Facebook makes Google look good. And that's
pretty sad. When your users are logged out you have zero business tracking
them or trying to do so.

------
rwolf
I'd be interested to see how many competing social networks exhibit the same
behavior. Specifically, Twitter and Google+ has similar social buttons.

Imagine I wanted to do this but not be get caught. What would you improve?
Clearly the cookies will need to look different pre and post logout, but how
different?

~~~
pyrmont
Why do the cookies need to exist? If I log out from your service, why do you
need to keep a cookie on my computer?

~~~
rwolf
Hell, HackerNews leaves a cookie on your computer after you log out with some
opaque blob holding who-knows-what. Users like to complain about cookies when
you bring them up, but generally can't seem to bother. Including the two of
us.

~~~
ltamake
Hacker News doesn't have like buttons or other widgets all over the
Internet...

