The month is off to a bad start for Facebook. The social network is fighting a new class action suit over its non-logout logout. And now it's been busted for bringing back a cookie that tracks people who don't even use Facebook.
Facebook has resumed distribution of the "datr" cookie, which is set by those ubiquitous Facebook "like" widgets all over the web and thus can follow you from site to site. The Wall Street Journal reported on the cookie in May, noting that it follows all web browsers, whether logged in to Facebook or not. Facebook removed the cookie shortly after publication of the article, and after a formal bug was filed with its programmers. Some time between then and now the cookie returned, as entrepreneur and de facto privacy researcher Nik Cubrilovic reveals. The cookie was set by every widget-carrying website Cubrilovic tested.
What does the cookie do? For starters, it is used to associate your account with other people who use your computer, Cubrilovic believes, which is why your Facebook dossier includes a list of "associated users." It also indicates that Facebook was incorrect — knowingly or unknowingly — when it claimed last week that the cookie was set only "when a web browser accesses facebook.com (except social plugin iframes)," since it is in fact set from social plugin iframes. Its re-emergence also means Facebook quietly re-enabled — purposely or accidentally — a privacy bug it supposedly closed last May. And finally it means that Facebook collects raw data it could use to track big chunks of your surfing history, even though Facebook said last May that its intent was not to use the cookies for such a purpose.
News of "datr's" return comes after the chairmen of a Congressional privacy committee, plus 10 public interest groups, pushed the FTC to investigate all of Facebook's clingy cookies, which remain even after a user "logs out." It should only add to the pressure on Facebook, and to the evidence in a suit an Illinois law firm filed against Facebook in San Jose federal court Friday night. The suit, which is seeking class action status, accuses Facebook of misleading users about the meaning of "log off." Facebook promised to fight the suit "vigorously," which means the company thinks it can find someone somewhere who had a correct understanding of what actually happens when you "sign off" of Facebook. Sounds like a very expensive manhunt.
Update: In a comment on Cubrilovic's blog post, a Facebook engineer writes that the "datr" tracking cookie is a bug, but a limited one. Cubrilovic wrote that the cookie was "being set by all the third-party sites that we tested," but the engineer says "what you describe in this post is not a re-enabling of anything, but a separate issue involving a limited number of sites... We have moved quickly to investigate and resolve this latest issue which will be fully addressed today [Tue. Oct. 4... ] We still have a policy of not building profiles based on data from logged out users. Reports like this help us make sure we're adhering to that policy."
[Photo of Facebook CEO Mark Zuckerberg via Getty Images]