Hidden (or at least untrumpeted) amongst all the new features in the latest Facebook upgrade is one deeply concerning issue: when you ‘logout’ of Facebook, Facebook will continue to track you. This fact has made it onto a few blogs (for example Nik Cubrilovic’s blog here) and is doing the rounds on twitter – but for those of us concerned with privacy, there should be a lot more noise about it, because it has huge implications. It flies in the face of what users expect and understand – and that should really matter.
The reality is that very, very few users ever check their terms and conditions – almost all of us scroll straight through the pages and pages of legalese (even those of us who work in the law!) and then click ‘OK’ at the bottom. Why? Because we want to use the service, and because we know we don’t have any real choice about what’s in those terms and conditions – and because we have a reasonable expectation that what is in those terms and conditions is at least in most ways ‘reasonable’, and will conform to what we expect and understand terms and conditions to be.
So the question of what would we expect to happen when we ‘logout’ of Facebook is one that matters. Most people, I suspect, would expect that ‘logout’ would cut our connection with Facebook, until we log back in. It should be like putting the phone down when we’ve finished a conversation – you don’t expect the person on the other end of the line to be able to hear what you say after you’ve hung up, let alone be able to keep a microphone open in your living room and record every conversation you have with anyone in that room. In fact, if you thought something like that was happening, you’d be outraged, and rightfully so, as well as having all kinds of opportunities to take legal action against the people who are, in effect, bugging you.
Of course what Facebook is doing isn’t quite the same – but in some ways it could be considered even more invasive of your privacy, because the opportunities to analyse and exploit the data gathered through their tracking are greater in some ways that a simple phone tap. The data they can gather can be aggregated and analysed – its digital nature, together with the vast volume of other such data that they gather, gives them an unprecedented scope for such aggregation and analysis.
This is hardly the first time that Facebook has tried to move the goalposts on privacy, and to set new norms. This attempted resetting of norms, so that tracking is normal, whether you’re signed in or not, and that it should (and will) happen all the time, is one that should be resisted very strongly. The opposite should be the case – we should be able to assume that tracking DOESN’T take place unless we explicitly allow it, and are reminded that it is happening. We should have a right to know when we’re being tracked, and a right to turn that tracking off, and people like Facebook should be required to offer their services without that tracking, at the very least when we’re not signed in to their service.
Like it or not, the use of Facebook has become effectively the norm. I have a new batch of undergraduate students arriving today, and if the experience of the last few years is anything to go by, it will be a rare student indeed who doesn’t have a Facebook account. That in itself should place demands on Facebook, requirements that they must meet. That should mean that they should, in general, understand and meet the expectations of their users – and, in this case, that should mean that logout should mean logout. Tracking should be turned off the moment we log out of Facebook. And we, the users, should demand that it happens.
UPDATE (with gratitude to Emil Protalinski at ZDNet for his blog)Facebook are denying that this is what is happening – they say “…the logged out cookies are used for safety and protection including: identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of “keep me logged in.”
We’ll have to see what comes of this – and whether the privacy implications are as significant as they seem. However, regardless of the technical details, the underlying point needs stressing: when we logout, we need to know that we’re no longer monitored or tracked, even for some of Facebook’s stated purposes. Stated purposes don’t always match with real uses… and function creep is hardly unknown in this context! For me, this underlines the need for clarity of rights and practices in this area. Facebook need to be told in no uncertain terms that tracking is not acceptable in these circumstances….