Tuesday, September 27, 2011

New FB Meme Goes Viral - Be afraid! Be very afraid!


I'm sure you've seen it by now. It's all over Facebook like a rash on the ass of the Intertubes. Facebook is tracking your every move, even when you're logged out!


Um, in a word, no. It's just another bogus FB scare. No, FB cannot see every site you visit, even when you're offline. It doesn't work that way. Even if it did, with 750,000,000 users, how the heck could they possibly even view such data, even if they were collecting it, which they're not, and why would they care what any given individual was doing?

They can't, they aren't and they don't. Yes, they track trends, as does everyone. Yes, FB does use tracking cookies, as do the majority of sites you visit. Yes, tracking cookies present some real privacy concerns. But this latest scare stems from a basic misunderstanding of what cookies are and how they work. One thing they don't and can't do is phone home with a log of your activity when you visit an unrelated site.

I'm a big online privacy guy. I'm not fond of tracking cookies. But FB isn't doing anything most everyone else isn't, and they're not doing anything like what's been described. These hubbubs are often a product of hype from professional privacy advocates who have a vested interest in scaring the poop out of people. There's no way for the average user to know which threats are real and which are hype. The worst part of these scares is that they tend to foster a boy-who-cried-wolf reaction after a while, which makes it harder to get people to take the real threats seriously.

Facebook is very clear about privacy. From the Help Center...

“We do not share or sell the information we see when you visit a website with a Facebook social plugin to third parties and we do not use it to deliver ads to you. In addition, we will delete the data (i.e. data we receive when you see social plugins) associated with users in 90 days.”

Were they violating their own privacy policy, you can be damn sure they'd be ass deep in lawsuits, and for good reason. But paranoia runs deep. So deep Facebook felt the need to issue an official response...

“Facebook does not track users across the web,” a Facebook spokesperson said in a statement. “Instead, we use cookies on social plugins to personalize content (e.g. show you what your friends liked), to help maintain and improve what we do (e.g. measure click-through rate), or for safety and security (e.g. keeping underage kids from trying to sign up with a different age). No information we receive when you see a social plugin is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information.

Specific to logged out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of ‘keep me logged in’.”

Even so, FB isn't taking any chances. They've now changed their offline tracking cookie behavior to eliminate any cause for paranoia...

I’m an engineer who works on these systems. I want to make it clear that there was no security or privacy breach. Facebook did not store or use any information it should not have. Like every site on the internet that personalizes content and tries to provide a secure experience for users, we place cookies on the computer of the user. Three of these cookies on some users’ computers included unique identifiers when the user had logged out of Facebook. However, we did not store these identifiers for logged out users. Therefore, we could not have used this information for tracking or any other purpose. In addition, we fixed the cookies so that they won’t include unique information in the future when people log out.
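
The logged-out cookie behavior described in that statement can be checked from the outside by reading the Set-Cookie headers a site returns at logout. The following is an added example, not part of the original post and not Facebook's code; the cookie names, values and the `looksUnique` heuristic are assumptions constructed for illustration.

```javascript
// Added example: audit the Set-Cookie headers of a logout response.
// Cookie names and values below are constructed, not Facebook's.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: eq === -1 ? '' : pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Cleared = expired by the server (Max-Age wins over Expires) or emptied.
function isCleared(cookie, now) {
  if ('max-age' in cookie.attrs) return Number(cookie.attrs['max-age']) <= 0;
  if ('expires' in cookie.attrs) return Date.parse(cookie.attrs.expires) <= now;
  return cookie.value === '';
}

// Rough heuristic (an assumption): long numeric IDs or long opaque tokens
// count as per-user identifiers; short values such as a locale do not.
function looksUnique(value) {
  return /^\d{8,}$/.test(value) || /^[\w\-+\/=%]{16,}$/.test(value);
}

// Return the cookies that still carry an identifier after logout.
function auditLogout(setCookieHeaders, now = Date.now()) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !isCleared(c, now) && looksUnique(c.value))
    .map((c) => ({
      name: c.name,
      lifetime: 'max-age' in c.attrs || 'expires' in c.attrs ? 'persistent' : 'session',
    }));
}

// Constructed logout response headers.
const SAMPLE_LOGOUT_HEADERS = [
  'session=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/',
  'uid=100004821337; Expires=Fri, 27 Sep 2013 00:00:00 GMT; Path=/',
  'locale=en_US; Max-Age=31536000; Path=/',
  'dev=a3f9c2e47b1d4e8f9a0b6c5d; Max-Age=63072000; Path=/; HttpOnly',
  'tmp=Zk3Qp8Lm2Xv9Rt5Bn7Wc; Path=/',
];
const SAMPLE_NOW = Date.parse('2011-09-27T00:00:00Z');

console.log(auditLogout(SAMPLE_LOGOUT_HEADERS, SAMPLE_NOW));
```

A cookie this flags is only a candidate: whether the server stores or uses the value cannot be seen from the client side.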


As the Hitchhiker's Guide says on the cover in big friendly letters, don't panic. Instead, use a little common sense. Don't spread the latest dire warning of Bad Behavior by Them to everyone you know. If you're not a skilled network engineer, the odds are approximately eleventy bazillion to 1 against you discovering some new threat. You don't need to butter the latest scare story across the entire digital universe. Resist the temptation. Instead, wait for the facts. If it's a real threat, real warnings will come from really qualified people and groups backed up by real data.


Be responsible, folks. Don't spread FUD, especially when there's no way for you to know if the threat is real or not.
