On Facebook's privacy policy (RE: Logging out of Facebook is not enough)
I just read Nik Cubrilovic's article on Facebook's cookie policy, and I was kind of intrigued at first. If you haven't read the article (which has incidentally gotten pretty popular), here's an excerpt:
The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests tofacebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.
Pretty interesting, huh? That's what I thought too, before I tried it myself and realized that it's completely false.
Proof
Here's what Nik claims:
The primary cookies that identify me as a user are still there (act is my account number), even though I am looking at a logged out page. Logged out requests still send nine different cookies, including the most important cookies that identify you as a userAlright, well, let's see! I've set up a test user:
This is not what 'logout' is supposed to mean - Facebook are only altering the state of the cookies instead of removing all of them when a user logs out.
Our test user.
As you can see, its ID is 100002961711071. Remember that!
Alright, time to log out. Let's check our cookies:
Cookie=datr=BV0STs1KJ-9TZQmEFENbIuUV; lu=RAegvaZ2uSWW9zbsIgS6EKng; act=1317060248709%2F8; L=2; locale=en_US; p=156; W=1317060115; lsd=OwwXE; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Findex.php%3Flh%3D79457e66353a0bed3befad8ff595ef78%26eu%3D3LaQKiL5jG5-uQghU2zlGw; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Findex.php%3Flh%3D79457e66353a0bed3befad8ff595ef78%26eu%3D3LaQKiL5jG5-uQghU2zlGw; wd=1920x1050
So far so good. See the bold part? Let's remember what Nik said:
The primary cookies that identify me as a user are still there (act is my account number)
No...no it's not. Sorry. You know what the best part is? I didn't even have to prove this, since a Facebook engineer commented on his post, and explained this:
The poorly named 'act' cookie is a UNIX timestamp with milliseconds and a sequence number that we use to measure and optimize the speed of the site ('act' is an abbreviation for "action")
The conclusion? Facebook does not store any personally identifiable information once you log out. Well, never say never, but they certainly don't store it as Nik claimed.
Vlad is a totally cool guy who loves computer science, music, and philosophy.