Facebook drew a lot of heat for keeping personally identifiable cookies around even after customers logged off the service. Suitably contrite, Facebook fixed the logout issue last week, according to Nik Cubrilovic, who originally reported it.
I'm concerned, though, by all the bad advice I've seen floating around about this specific issue. The bottom line: Even without lingering cookies, Facebook can correlate an individual user's name and personal details with visits to many websites with very high accuracy. The technique is almost as old as cookies themselves, and I'm surprised that many otherwise-savvy techies don't get it. Worse, I'm alarmed at how many people have handed out bogus advice, claiming that their favorite technique will keep Facebook's tracking dogs at bay.
Here's how the interaction works, assuming you aren't behind a corporate firewall, and there's (almost) nothing you can do about it:
1. You surf to a website that has a Facebook Like icon on it
Facebook automatically retrieves the URL of the page you're on and your current IP address. You don't have to do anything -- don't have to click on the icon, don't have to stay on the page. As soon as you open it in your Web browser, bang, that info gets sent to Facebook.
2. An hour, a day, a week, or a month later, you log on to Facebook
Facebook automatically retrieves your IP address and your Facebook ID.
3. That's it. You've been DOXd. And you didn't need to do anything but visit some sites and log in to Facebook
By correlating the IP address you're using to log in to Facebook with the IP addresses that have been squirreled away in Facebook's servers, Facebook can tell which Web pages you've visited and when, provided the page contains a Facebook Like button (or one of the less-common Facebook Social Plug-ins).
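The join described in the steps above, as an added example that is not from the original article and is not Facebook's code: it matches widget-request log rows against login rows by IP address and separates out the shared-address case (the corporate firewall caveat), where the match no longer points at one person. The log layout, the 7-day matching window and every name and value here are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: documentation IP ranges, made-up account IDs and URLs.
WIDGET_HITS = [  # (timestamp, client IP, page that embedded the Like button)
    ("2011-10-01T09:00", "203.0.113.7", "https://news.example/story-1"),
    ("2011-10-02T21:15", "203.0.113.7", "https://shop.example/item-42"),
    ("2011-10-03T10:30", "198.51.100.20", "https://health.example/faq"),
    ("2011-10-20T08:00", "203.0.113.7", "https://blog.example/post"),
]
LOGINS = [  # (timestamp, client IP, account ID)
    ("2011-10-04T08:00", "203.0.113.7", "user-1001"),
    ("2011-10-04T09:00", "198.51.100.20", "user-2002"),
    ("2011-10-04T09:05", "198.51.100.20", "user-3003"),  # second user behind the same NAT
]


def correlate(widget_hits, logins, window_days=7):
    """For each widget hit, list the accounts that logged in from the same IP
    within window_days of it (assumed window: addresses get reassigned)."""
    window = timedelta(days=window_days)
    logins_by_ip = defaultdict(list)
    for ts, ip, account in logins:
        logins_by_ip[ip].append((datetime.fromisoformat(ts), account))
    rows = []
    for ts, ip, url in widget_hits:
        seen = datetime.fromisoformat(ts)
        candidates = sorted({acct for when, acct in logins_by_ip[ip]
                             if abs(when - seen) <= window})
        rows.append((url, ip, candidates))
    return rows


def summarize(rows):
    """Split hits into uniquely attributed, ambiguous (shared IP) and unattributed."""
    out = {"unique": [], "ambiguous": [], "none": []}
    for url, _ip, candidates in rows:
        kind = "unique" if len(candidates) == 1 else "ambiguous" if candidates else "none"
        out[kind].append((url, candidates))
    return out


if __name__ == "__main__":
    for kind, items in summarize(correlate(WIDGET_HITS, LOGINS)).items():
        print(kind, items)
```

No cookie appears anywhere in the join, which is why clearing cookies alone does not affect it; only an address shared by several accounts, or one that changed between the visit and the login, weakens the match.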