Facebook Struggles to Explain Its Web-Tracking Practices

Facebook’s business is built on trust, but that trust has been shaken over the past few weeks by criticism and speculation regarding how it uses browser cookies to get data about users.

A lack of thorough documentation explaining what each of its cookies does has led some observers to assume that the company is tracking offsite browsing behavior in order to target ads. Facebook needs to provide explanations for both the average user and privacy researchers about how exactly its cookies work in order to prevent these press flare-ups from giving users a negative impression and bringing on regulatory scrutiny from governments.

Some bloggers claim cookies left by Facebook and third-party sites that integrate its social plugins indicate that the company is tracking users’ web browsing behavior, then using that data to target ads in a way that violates user privacy. Facebook has refuted the claims, saying that users agree to receive the cookies and that the cookies are used to enhance site security and power the social plugins, not create a profile of a user’s offsite behavior to better target ads against.

Unfortunately for Facebook, the claims are still giving off a negative impression of the service and sparking complaint letters to government agencies from privacy advocate groups. A patent application for the company’s social plugins that included language about tracking and targeting ads has also helped fuel the controversy.

While Facebook does currently include some explanation of how it uses cookies in its privacy policy and Help Center, this information clearly isn’t complete, comprehensible, or prominent enough to deflect criticism. Facebook engineer Gregg Stefancik, who has responded to critics on blog comments, even noted “we haven’t done as good a job as we could have to explain our cookie practices.”

Facebook could have avoided much of the crises by being more transparent about it how it uses cookies. We believe Facebook should consider drawing up two dedicated documents explaining how it uses cookies and tracks offsite activity. Much like its “re-imagined privacy policy”, there could be one simple version designed for the average user and a second detailed version for privacy advocates. The company also needs to demonstrate that is doing what it says it in a way that observable by outside parties.

Cookie Criticism: The Issues to Date

Since the launch of social plugins and before, Facebook has left cookies on the browsers of people who sign up for accounts as well as anyone else who visits Facebook.com. These cookies are used to protect the site against hacking attempts and to show logged in users what their friends have Liked on third-party sites, the company has repeatedly said.

Facebook’s privacy policy says the following: “We receive data whenever you visit a game, application, or website that uses Facebook Platform or visit a site with a Facebook feature (such as a social plugin). This may include the date and time you visit the site; the web address, or URL, you’re on; technical information about the IP address, browser and the operating system you use; and, if you are logged in to Facebook, your User ID.”

The Help Center follows with more detail: “We use cookies to make Facebook better and easier to use, to provide you with a more personalized experience, to improve the ads that you see, and to protect you, others, and Facebook from malicious activity. We do not use cookies to create a profile of your browsing behavior on third-party sites or to show you ads, although we may use anonymous or aggregate data to improve ads generally.”

In May 2011, The Wall Street Journal reported that Dutch security researcher Arnold Roosendaal discovered that sites integrating Facebook’s social plugins were leaving cookies on the browsers of users who had never visited Facebook.com and were transmitting browsing data back to Facebook. Facebook said this was a bug and that it discontinued the practice of social plugins leaving the “datr” cookie.