Why You Never Really Log Out of Facebook

Facebook admits it went too far. The social network is quietly retracting a cookie that continued to report your Facebook user ID even after you "logged out" of the site. But it's not sorry about five other cookies that persist after you sign off. What, you didn't think Facebook would ever let you actually for real seriously 100 percent sign out, did you?

When Australian programmer Nik Cubrilovic first blogged on Sunday about how Facebook logout didn't seem to actually, uh, log out, the company went into damage control mode, insisting that "Facebook does not track users across the web," which was pretty funny given that Facebook has a tracking feature its CEO literally calls "Facebook Across the Web." The company also said, "logged out cookies... are used for safety and protection..."
Except it turns out one cookie wasn't used for "safety and protection," as a Facebook engineer has admitted to Cubrilovic now that the press storm is subsiding. One cookie, "a_user," continued to report your user ID back to Facebook after you logged out, until you shut down your browser entirely. The cookie was only visible to Facebook, but the site could have used it to track your visits to other sites if it wished, since a great many websites feature "Facebook Connect" widgets that load content from facebook.com — transmitting cookies to Facebook each time they do so.
The social network, to its credit, now destroys "a_user" on logout.

But there are five other cookies that still remain after you "log out" of Facebook, and that stick around even after you restart your browser. Cubrilovic runs down what each of them is ostensibly for; Facebook says they, variously, track failed login attempts to thwart hackers, track new account creations to thwart spammers, track total logins to identify computers in internet cafés, remember your browser language, remember your device dimensions, and report the time, to the milisecond, of you last few browser requests, for performance reasons.

The problem is that, whatever it says about the intent behind these cookies, Facebook could be using — or decide in the future to use — some of them to track us for less noble reasons. The milisecond request log, for example, could be trivially traced back to a specific Facebook user using the company's server logs, as Cubrilovic points out. And given its long history of rolling back user privacy, do you really trust the social network? Cubrilovic:

These cookies, by the very purpose they serve, uniquely identify the browser being used - even after logout. As a user, you have to take Facebook at their word that the purpose of these cookies is only for what is being described.

Trust is nice, but concrete protections are nicer: Log in to Facebook using something like incognito mode, install a privacy plugin like disconnect.me to minimize the power of Facebook's cookies, and/or manually clear Facebook cookies in your browser preferences. Isn't social networking fun?!