Facebook’s Tracking Cookies and How the FTC Could Shake Off Privacy Fatigue


ADOTAS – Looks like the Facebook legal team is going to have to earn its holiday bonus this year. Five class action lawsuits have been filed against Facebook alleging the company violated wiretap laws by setting tracking cookies that contained user IDs and followed browser behavior on sites integrated with the social network — after the users logged out.

In other news, a woman in Michigan is suing the distributor of the recently released movie “Drive” because the trailer suggested there would be more car chase scenes. I’d suggest the defendants cite “The French Connection” precedent — one great car chase is worth the entire film.

While the latter case will likely be thrown out immediately (if not un-filed in embarrassment), the five against Facebook may not have much of a chance either considering that similar suits brought against online companies for wiretap law violations were summarily dismissed — if not settled first. As Future of Privacy Forum Director Jules Polonetsky explained to MSNBC, in addition to lack of grounds for a wiretapping case, many of these suits get canned because the defendants can’t show harm.

There’s definitely a whiff of ambulance-chasing in the air. One of the suits seeks statutory damages of $100 per day for every member of the class (the lawsuit is trying to certify all 150 million U.S. Facebook members as a class — so $15 billion a day, huh?) or $10,000 per violation, plus punitive damages, attorney fees and court costs.

Evidence disclosed in these lawsuits (if they make it anywhere) could be quite useful in understanding how Facebook maintains collected browsing data, but there’s a third party not looking for Facebook’s money that could prove to be a better auditor: the Federal Trade Commission. And its findings could shake Internet consumers and tech developers out of our online privacy malaise.

But What’s Facebook Actually Done Now?

Right as the addition of Facebook apps freaked out some users about how much data was headed back to Papa Zuck, Australian developer Nik Cubrilovic illustrated that when you log out of Facebook, nine cookies still hop on your browser, including the one with your unique account number. These stay on your browser until deleted (think about if you access the social network from a public computer) and record whenever you hit a site integrated with Facebook (which is like half the Internet, right?).

Probably because we haven’t had a good Facebook privacy scandal in a while, the story got picked up across the media and Zuck & Crew were forced to answer. First off, they changed the logout rules so the cookie containing the user id (A_USER) was deleted on sign-out, along with A_XS, which is used to stop “cross-site forgery.” Facebook explained that the rest of the cookies are used for security purposes — pretty much challenging hacking attempts by ensuring users are who they claim to be on login.
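
An added example, not from the original article or from Facebook: a small Node.js check that takes the cookie names in a browser jar before logout plus the Set-Cookie headers of a logout response, and reports which cookies survive. The names A_USER, A_XS and DATR come from the article; `c_session`, every header value and the clock are constructed, and domain/path matching is ignored.

```javascript
// Added example: which cookies survive a logout response?
// Names A_USER, A_XS, DATR are from the article; c_session, all values,
// dates and the clock are constructed. Domain/Path matching is ignored.
const NOW = Date.UTC(2011, 9, 27); // constructed "current time"
const JAR_BEFORE_LOGOUT = ["A_USER", "A_XS", "DATR", "c_session"];
const LOGOUT_BEFORE_CHANGE = ["c_session=deleted; Max-Age=0; Path=/"];
const LOGOUT_AFTER_CHANGE = [
  "c_session=deleted; Max-Age=0; Path=/",
  "A_USER=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/",
  "A_XS=deleted; Max-Age=0; Path=/; HttpOnly",
  "DATR=constructed; Expires=Fri, 01 Jan 2038 00:00:00 GMT; Path=/",
];

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? "" : a.slice(i + 1);
  }
  return cookie;
}

// RFC 6265: a valid Max-Age takes precedence over Expires; a cookie with
// neither is a session cookie and is still sent until the browser closes.
function isCleared(cookie, now) {
  const maxAge = parseInt(cookie.attrs["max-age"], 10);
  if (!Number.isNaN(maxAge)) return maxAge <= 0;
  const expires = Date.parse(cookie.attrs.expires);
  return !Number.isNaN(expires) && expires <= now;
}

// Cookies the response never mentions stay in the jar untouched.
function survivingCookies(jarNames, logoutHeaders, now = Date.now()) {
  const survivors = new Set(jarNames);
  for (const header of logoutHeaders) {
    const cookie = parseSetCookie(header);
    if (isCleared(cookie, now)) survivors.delete(cookie.name);
    else survivors.add(cookie.name);
  }
  return [...survivors].sort();
}

console.log("before change:", survivingCookies(JAR_BEFORE_LOGOUT, LOGOUT_BEFORE_CHANGE, NOW));
console.log("after change: ", survivingCookies(JAR_BEFORE_LOGOUT, LOGOUT_AFTER_CHANGE, NOW));
```

Any name left in the result is still attached to later requests to the issuing domain, which is the condition to test for after sign-out on a shared machine.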

Well, that explanation hasn’t sat right with everyone. DATR, the cookie that sends data back to Facebook from Facebook-integrated sites whether users are logged in or not, was first noted by The Wall Street Journal (complete with hyper-paranoid and obtuse/not quite correct headline: “‘Like’ Button Follows Users”) back in the spring, but DATR was removed before publication of the article.

It’s back now — Stanford Security Lab’s Jonathan Mayer noticed it had begun appearing a few weeks ago, and Cubrilovic asked Facebook just what it’s doing with the data sent from third-party sites:

“Facebook keeps the data collected for up to 90 days and then deletes it. I believe them when they say this and that they are not hiding anything, but I also believe that our definitions of tracking differ. If you set a cookie on a user’s machine from one website, and then read that cookie from that person’s machine from another website, that is tracking (emphasis in original)…. [I]t is still tracking and still has the potential to violate the privacy of users simply by being collected.

“At a minimum they are tracking by reading the cookies, and if you look further into some of the patents that Facebook has filed, as well as their business model (advertising), it is not a big leap to make to conclude that Facebook are tracking users and analyzing that data.”

Yep — speculation that it’s being used or could be used for advertising purposes, but no smoking gun. Even if Facebook is using the cookie for security purposes, it’s associating browsing data with specific users. However, there’s no evidence such profiling is being used for targeted advertising. All the targeted advertising on Facebook is based on user-submitted/shared information.

Ad Network? Nah…

And Facebook has a great counter to claims it’s building profiles of browsing data: We don’t sell the data to third parties or have an ad network that employs behavioral targeting, and we’re not building one.

Of course, many in the industry are incredulous about that plea. Why? Money: Facebook is reportedly set to bring in $4 billion in ad revenue from on-site advertising, but that’s nothing compared to what Google brings in during a quarter.

And as it hit the 800 million user mark (with about half the U.S. population on the network), questions arose about the future of the network in general — after seeing Badgeville’s easily insertable social layer, I could imagine activity on Facebook the site slowing down. I was impressed with the introduction of apps, which nearly effortlessly connect off-site activities with the social network, but I still wonder if it’s about to hit peak velocity.

At a Federated Media conference during Internet Week, Facebook Vice President of Global Sales Carolyn Everson strongly pushed the (relatively) new Sponsored Stories unit, suggesting that Facebook wanted to “partner with brands” on their advertising. Facebook has long eschewed typical online advertising products (Everson suggested homepage takeovers would never appear on Facebook — but what about sleeves like on MySpace? No on that too?) even when it led to disasters like Beacon (which also got Facebook sued — successfully).

Sure, Mark Zuckerberg wants to innovate in the online advertising arena, but it’s still hard to believe that Facebook simply won’t take advantage of the huge revenue opportunity staring it in the face — it’s got the data, it’s got the reach, so where’s the behavioral targeting platform and display network?

On the other hand, Zuck may be so concerned about the long-term survival of Facebook the brand and the social network (or possibly as a deeply integrated social layer stretching across the Internet) that he won’t take the money and run.

Also, if Facebook were to turn on an ad network tomorrow, the public ire at the about-face could be overwhelming. And now there’s a service around that disenfranchised users could arguably jump to.

Online Privacy Fatigue

I caught a GigaOm piece by Derrick Harris lamenting the lack of media coverage regarding The Wall Street Journal’s privacy policy update that included the use of new registrants’ personally identifiable information in building online profiles — for content purposes only, they swore. (I had an email give and take with a WSJ press person who denied me any clarification on whether profiles built with PII and browsing data would be used in selling targeted advertising.)

One paragraph of Harris’ story particularly grabbed me:

“I don’t particularly care that the WSJ expanded its data mining reach — it’s the company’s right as long as we treat personal data as property that can be contracted away — but I do care what the lack of discussion says about how we think about online data privacy. If this had been Facebook making a similar move — or, actually, making a much less aggressive move — you couldn’t escape the outcry.”

Interestingly, this story was published on Oct. 4, when the outcry over the logged-out cookies was starting to boil. I was one of the proud few who immediately jumped on that story because it sounded like the WSJ network was implementing a profiling system that WSJ reporters had sensationalized in the year prior. (I have no issues with WSJ’s data mining either.)

But I was actually going to leave the latest Facebook “privacy scandal” to sites like ZDNet and Inside Facebook, which have offered great analysis. Truth be told, I just wasn’t that interested in diving into this mess again, painstakingly reading all the coverage and research to figure out what the hell was actually going on — whose claims were overstated, whose were obtuse and what the data actually meant. I just did it with Apple on “locationgate” and Hulu/KISSmetrics in regards to e-tag tracking.

Just like a lot of the ambivalent people (consumers and OBA industry folk) out there that Harris is worried about, I got a bad case of online privacy fatigue. There’s so much back and forth and so many accusations shouted into the media megaphone, but nothing really ever happens. Nothing ever changes. E.g., Facebook shut down the DATR cookie after WSJ got word and now it’s back on duty.

Today a research paper is being released at an event in Washington, DC, sponsored by the ACLU, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Privacy Information Center, Privacy Rights Clearinghouse, US PIRG and World Privacy Forum. The press invite claims it will definitively prove that tracking methods aren’t anonymous. When I sent some feelers out to industry contacts for their takes, I mainly received back yawns. Oh, this shit again.

The keynote at this event, however, is being given by Federal Trade Commission Chair Jon Leibowitz, who, according to the press invite, will “discuss the proposed FTC framework for protecting consumer privacy and ensure industry can continue to innovate on the Internet.”

It so happens, EPIC joined eight other online privacy advocates (almost all involved in the above event) in writing a letter to the FTC asking the agency to investigate Facebook’s use of tracking cookies post-logout. I hope they plead their case again because an FTC investigation is the ideal solution for both examining Facebook’s data collection practices and stirring the online privacy fatigue.

While the evidence disclosed in the suits mentioned at the top could be useful, it’s hard to ignore the ulterior motive — the remuneration demanded (for what harm?) in the lawsuits kind of shoots them in the foot. On the other hand, an unmotivated, third-party auditor could show us just what browsing data Facebook has and what it is doing with it.

And it’s time for the FTC to talk less and act more. For at least two years, the FTC has been fanning consumer fires over privacy controls while promising OBA companies it won’t “strangle the golden goose.” But what’s it actually done? File suit against some affiliate marketers? Great — that totally solved the belly fat ads crisis.

Granted, I’ve gotten used to the speed of digital innovation and forgotten the lurching pace at which Washington moves. But agency members’ constant tsk-tsking about the industry pulling its act together has only highlighted the lack of progress in an OBA framework.

Well, here’s your chance for action, FTC — to actually show you’re protecting online consumers while ensuring a fledgling (relatively) industry can continue to flourish. Investigate Facebook’s use of tracking cookies, give us a detailed report. And please don’t take two years to do it….


