Facebook’s Cookiegate: Controversial Tracking Cookie is Back

Remember the Facebook tracking cookie exposed by Australian hacker Nic Cubrilovic last week - the one Facebook disabled? Well, it’s back and it’s doing exactly what it’s meant to do, according to Facebook’s “communicating information” patent.

The same Australian who blew the whistle on Facebook tracking logged out users last week discovered yesterday that although Facebook had “fixed” the problem, the tracking cookie has been re-enabled. According to Nic Cubrilovic, it was active on every third-party site he tested.

Contrary to their position that they only track user data to keep users safe and prevent abuse, Facebook’s lengthy new patent document shows they’ve been laying the groundwork for extensive and sometimes surreptitious user tracking since February 2011. Facebook has spoken out to deny the allegation that the data gathered is used to target advertisements, but had removed the cookie in question last week, anyway. So why is it back and active on third-party websites?

As we reported last week, lawmakers are pushing for an FTC investigation into Facebook’s privacy and data collection practices. Europe has been a bit ahead of the game and yesterday, we showed you some of the contents of a user data file, obtained by the group Europe v. Facebook under European privacy law. The files contained GPS coordinates, IP address logins, and even messages users had deleted. Despite Facebook’s denial that the data is used to target consumers with advertisements, the user data they’re collecting and the patent awarded them September 22 tell a very different story.

Facebook’s Patent: “Communicating Information in a Social Network System about Activities from Another Domain”

Bill Slawski first raised questions about the purpose of the patent September 27. Specifically, the way some sections are worded makes it seem as though Facebook could collect data from logged out users, an allegation Facebook vehemently denies.

ZDNet’s Emil Protalinski contacted Facebook and received the following statement:

“Some people have suggested that this application is intended to patent tracking of logged out users. Nothing could be further from the truth. Instead, a careful reading of the portion of the application that purportedly describes tracking of logged out users (Paragraph [0099]) shows that this excerpt is actually describing a fundamental part of Facebook Platform—social plugins that create social experiences across the web without logging into Facebook repeatedly or third party sites at all.”


This does just sound like the framework for the new Open Graph and “frictionless sharing” apps. We knew after the f8 developer conference that Facebook intended to track our activity across partner sites if we opted in to the new breed of social apps. So what’s the problem?

Well, considering we’ve just learned Facebook keeps a file several hundred pages long, with sensitive information users don’t even realize is being collected, certain sections of the patent start to make a lot more sense as tracking for targeted advertising, which Facebook denies. The patent no longer makes much sense as a method of preventing account hacking. It refers numerous times to “action log 160,” a collection of user data gathered not only through users’ actions and posts on Facebook, but from “action terminals” and third-party websites.

The real meat in the patent is in the descriptions, and in the context of the patent as a whole. The entire document pertains to the process of collecting information and activity for the purpose of targeted advertising. But wait, Facebook has no interest in your activity in that way. This is all for your own good, all of this sneaky tracking and compilation of data you thought had been deleted. Right?

Now, I’m no lawyer, but I find that it gets really interesting in section [0054], where Facebook describes how a social network “may learn of the user’s actions on the third party website 140 via any of a number of methods.” These methods, for the record, may include JavaScript in the HTML that generates a tracking pixel that transmits information back to the social network “whether the user is logged into the social network system or not.” This information could include the user’s ID, product ID, and a timestamp.
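To make the mechanism in [0054] concrete from the auditing side, here is an added example (not from the patent, Facebook, or the original article) that scans a capture of a browser’s outgoing requests for beacons of that shape. The hosts, cookie names, parameter names and the capture itself are constructed placeholders.

```javascript
// Added example. Hosts, cookie names and query parameters are constructed placeholders.
const TRACKER_HOST = 'social.example';              // assumed social network domain
const SESSION_COOKIE = 'session';                   // assumed login-session cookie name
const ID_PARAMS = ['user_id', 'product_id', 'ts'];  // fields the quoted section lists

// Constructed capture: one object per outgoing request (URL plus request headers).
const capture = [
  { url: 'https://social.example/px.gif?user_id=1001&product_id=SKU-42&ts=1317600000',
    headers: { referer: 'https://shop.example/item/42', cookie: 'uid=1001; session=s1' } },
  { url: 'https://social.example/px.gif?product_id=SKU-7&ts=1317600300',
    headers: { referer: 'https://news.example/story', cookie: 'browser_id=abc123' } },
  { url: 'https://social.example/home',
    headers: { referer: 'https://social.example/', cookie: 'uid=1001; session=s1' } },
  { url: 'https://cdn.example/logo.png',
    headers: { referer: 'https://shop.example/item/42' } },
];

// Simplified host match: the base domain itself or any subdomain of it.
const onSite = (host, base) => host === base || host.endsWith('.' + base);

function cookieNames(header) {
  return (header || '').split(';').map(c => c.split('=')[0].trim()).filter(Boolean);
}

// Return one finding per request that reaches the tracker from a page on another site
// and carries an identifier, either in the query string or in a cookie.
function findTrackingBeacons(entries) {
  const findings = [];
  for (const { url, headers } of entries) {
    const target = new URL(url);
    if (!onSite(target.hostname, TRACKER_HOST) || !headers.referer) continue;
    const page = new URL(headers.referer);
    if (onSite(page.hostname, TRACKER_HOST)) continue;   // first-party traffic
    const idsInQuery = ID_PARAMS.filter(p => target.searchParams.has(p));
    const cookies = cookieNames(headers.cookie);
    if (idsInQuery.length === 0 && cookies.length === 0) continue;
    findings.push({
      embeddingSite: page.hostname,
      idsInQuery,
      cookies,
      // An identifying cookie sent without a login session is the logged-out case.
      loggedOut: cookies.length > 0 && !cookies.includes(SESSION_COOKIE),
    });
  }
  return findings;
}

for (const f of findTrackingBeacons(capture)) console.log(JSON.stringify(f));
```

The second finding is the case the dispute is about: no login session, yet a persistent cookie and the embedding page’s address still reach the social network.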

How about section [0056]? “Another example illustrating real-world actions that may be tracked involves the user’s location. A user may configure a cellular phone having location technology (e.g., GPS) to communicate the user’s location to the social network system 100. This may be accomplished, for example, by downloading an application to the cellular phone, where the application polls the location unit in the phone and sends a message containing the user’s location to the social network system 100. This may be performed periodically or upon certain triggering events associated with locations.”

The patent document lists a number of scenarios in which a device may become an “action terminal 150,” used to transmit user and activity data back to the social network. An action terminal 150 could be, according to the patent:

  • Your cell phone
  • Your television
  • A credit card company’s computing system
  • “A limitless variety of other applications may be implemented to capture real-world actions associated with a particular user and send that information to the social network system.”

So, pretty much anything, really.

But Why, Facebook?

“Action log 160” is the place where all of this information ends up. This action log, it says, will contain information from third-party sites as well as data collected from ad clicks. “The action log 160 thus contains a very rich set of data about the actions of the users, and can be analyzed and filtered to identify trends and relationships in the actions of the users, as well as affinities between the users and various objects.”

How can Facebook still tell us it isn’t using tracking for advertising purposes? At this point, the cat is out of the bag… in fact, the cat tore the bag to shreds, fingerpainted it, and Mark Zuckerberg is wearing it this year for Halloween. What’s with the charade?

In the statement to ZDNet, the Facebook spokesperson said:

“There are other things mentioned in the patent application and, for many of those, it’s important to understand how companies use patents. That is, technology companies patent lots of ideas. Some of these ideas become products or features and some don’t. As a result, current functionality and future business plans shouldn’t be inferred from our patent applications.”

Current functionality, however, demonstrates that Facebook is already keeping far more information than users realize, as evidenced by the user files obtained by Europe v. Facebook.

So What’s Next?

Based on the language in the patent, I’ll make a few educated guesses:

  • Ads are going to be integrated into the newsfeed; this theme appears several times throughout the document, but [0090] describes it well. 
  • E-commerce websites with Facebook integration will send tracking pixels to Facebook to tell them about your purchases. [0054] 
  • Purchases will not be the only activities to trigger this tracking back to Facebook; it could apply to setting up an account on a website, subscribing to a feed, making a reservation, downloading content, or even something as simple as viewing an item online. [0097]
  • The definition of “Friends” will be broadened, possibly to include those who are now Friends of Friends. [0036] 
  • To get around users’ browser security, third-party websites will use nested iframes within Facebook’s domain, providing a back and forth exchange of information that will allow them to determine if the user even has a Facebook account. [0099]

Much of this does make sense for users who have opted in to apps in the Open Graph ecosystem. However, it is clear that this new patent doesn’t apply only to those people, when Facebook is planning on using nested iframes to circumvent user security settings and exchange data between Facebook and third-party sites just to determine if the person is even a user.

Also, there is a huge difference between opting in to having these activities published in the newsfeed and understanding that whether it is published or not, it’s being tracked, collected, and shared behind closed doors. Users don’t understand what is being collected, how long it is kept, or how Facebook disposes of the data, if at all.

In fact, the entire purpose of this data file, according to Facebook’s patent, is to gather and store all of this information and to use it for targeted advertising. Facebook continues to deny this, though the words “ad,” “advertisement,” or some variation thereof appear more than 500 times in the patent document.

Facebook’s patent is over 18,000 words of advertising legalese that may leave your head spinning. But don’t worry, they’re not interested in your information. They said so.

