Facebook fixes lingering cookie behavior, but that doesn't solve the problem

Facebook no longer keeps its cookies hanging around after you log off -- but don't think for one second you're surfing anonymously

Facebook drew a lot of heat for keeping personally identifiable cookies around even after customers logged off the service. Suitably contrite, Facebook fixed the logout issue last week, according to Nik Cubrilovic, who originally reported it.

I'm concerned, though, by all the bad advice I've seen floating around about this specific issue. The bottom line: Even without lingering cookies, Facebook can correlate an individual user's name and personal details with visits to many websites with very high accuracy. The technique is almost as old as cookies themselves, and I'm surprised that many otherwise-savvy techies don't get it. Worse, I'm alarmed at how many people have handed out bogus advice, claiming that their favorite technique will keep Facebook's tracking dogs at bay.

Here's how the interaction works, assuming you aren't behind a corporate firewall, and there's (almost) nothing you can do about it:

1. You surf to a website that has a Facebook Like icon on it

Facebook automatically retrieves the URL of the page you're on and your current IP address. You don't have to do anything -- don't have to click on the icon, don't have to stay on the page. As soon as you open it in your Web browser, bang, that info gets sent to Facebook.

2. An hour, a day, a week, or a month later, you log on to Facebook

Facebook automatically retrieves your IP address and your Facebook ID.

3. That's it. You've been DOXd. And you didn't need to do anything but visit some sites and log in to Facebook

By correlating the IP address you're using to log into Facebook with the IP addresses that have been squirreled away in Facebook's servers, Facebook can tell which Web pages you've visited and when, providing the page contains a Facebook Like button (or one of the less-common Facebook Social Plug-ins).

Granted, the IP address correlation isn't 100 percent accurate. Facebook can cross-check the IP address with the browser version, for example, or look at other information that's transmitted with every Web access and possibly discern among multiple individuals using the same Internet connection. But unless you've changed your IP address between the time you hit a "Like" page and the time you log into Facebook, the dots are all lined up and Facebook need only connect them.
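The correlation described in the three steps above, as an added Python sketch that is not from the original article or from Facebook: it joins constructed widget-request records with constructed login records on IP address, optionally adding the browser's User-Agent string as the cross-check. All addresses, URLs and account names are made up, and the record layout is an assumption.

```python
from collections import defaultdict

# Constructed sample data (documentation IP ranges, made-up URLs and accounts).
# Requests a browser makes for an embedded widget: (time, ip, user_agent, page_url)
WIDGET_HITS = [
    (100, "198.51.100.7", "Firefox/7.0", "https://news.example/story-1"),
    (160, "198.51.100.7", "Firefox/7.0", "https://health.example/clinic"),
    (200, "203.0.113.50", "Chrome/14.0", "https://shop.example/cart"),
    (210, "203.0.113.50", "MSIE 9.0", "https://forum.example/thread-9"),
    (300, "192.0.2.44", "Firefox/7.0", "https://blog.example/post"),
]
# Later logins: (time, ip, user_agent, account_id)
LOGINS = [
    (500, "198.51.100.7", "Firefox/7.0", "alice"),
    (510, "203.0.113.50", "Chrome/14.0", "bob"),    # shares an IP with carol
    (520, "203.0.113.50", "MSIE 9.0", "carol"),
    (530, "192.0.2.99", "Firefox/7.0", "dave"),     # IP changed since the hit at t=300
]

def correlate(hits, logins, use_user_agent=False):
    """Map each page URL to the set of accounts whose login matches the hit.

    No cookie is involved: the join key is the IP address alone, or the
    (IP, User-Agent) pair when use_user_agent is True.
    """
    def key(ip, ua):
        return (ip, ua) if use_user_agent else (ip,)

    accounts = defaultdict(set)
    for _, ip, ua, account in logins:
        accounts[key(ip, ua)].add(account)
    return {url: accounts.get(key(ip, ua), set()) for _, ip, ua, url in hits}

def summarize(result):
    """Split hits into uniquely attributed, ambiguous (shared IP) and unlinked."""
    unique = {u: next(iter(a)) for u, a in result.items() if len(a) == 1}
    ambiguous = sorted(u for u, a in result.items() if len(a) > 1)
    unlinked = sorted(u for u, a in result.items() if not a)
    return unique, ambiguous, unlinked

if __name__ == "__main__":
    for ua in (False, True):
        label = "IP + User-Agent" if ua else "IP only"
        print(label, summarize(correlate(WIDGET_HITS, LOGINS, ua)))
```

With the IP-only key, the two visits from the shared address stay ambiguous between two accounts, and the visit made before the address changed cannot be linked at all; adding the User-Agent resolves the shared-address case but not the changed-address one.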

Note that I didn't say anything about InPrivate browsing, or Incognito mode. You can run in Private mode, if you like, but it won't protect you from this kind of correlation. I didn't say anything about blocking third-party cookies: Facebook doesn't have to plant a cookie on your machine in order to track you in this way -- third party or otherwise. You can block cookies till you're blue in the face but still fall into this tracking trap. I didn't even mention logging out of Facebook or closing down your browser, deleting temporary files, or shutting down your computer. Won't work.

This isn't a Facebook problem. It's simply the way the Internet works.

Google can do the same thing: It keeps track of your Google searches, correlating them with an originating IP address. When you log in to Google+, the folks at Google can compare your logged-on IP address with all of the IP addresses in their databases. Google also tracks all of those websites with DoubleClick ads. Again, the match isn't 100 percent accurate, but it's certainly good enough to prompt the Googlies to offer you a personalized ad.

Then there's Microsoft -- Bing searches, Windows Live logons ... you get the picture.

What can you do? The easiest way is to work from behind a multi-user firewall with a whole lot of Internet users sharing the same IP address. If you aren't behind a big firewall you can connect to a Virtual Private Network. Failing that, you can sometimes manually disconnect and reconnect your Internet service, and that may (or may not) reset your IP.

Most of all, you need to realize that you leave a trail behind wherever you go.

The next time someone tells you that you can avoid Facebook lingering cookie-style problems by running Incognito, tell them how the Internet really works.

IP addresses aren't perfect identifiers, but they're close enough for advertising work.

This story, "Facebook fixes lingering cookie behavior, but that doesn't solve the problem," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.
