This latest blow-up concerns Facebook's widgets, such as the "Like" button. It's been known for at least one year that Facebook can track logged-in users across any site with a Like button, even if they don't click on the button. That revelation not only sparked a lawsuit (which is still pending), but also motivated Google engineer Brian Kennish to create a "Facebook Disconnect" app that blocks publishers from sending information to Facebook.
This weekend, Australian programmer Nik Cubrilovic reported that Facebook receives data about all users -- including ones who have logged out -- when they visit sites with a Facebook widget. "The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interaction," Cubrilovic wrote.
Facebook subsequently admitted that it gets data about logged-out users, but said it sheds the information. "The onus is on us is to take all the data and scrub it," Facebook engineer Arturo Bejar told The Wall Street Journal.
A different Facebook engineer, Gregg Stefancik, defended the company in a post on Cubrilovic's blog. Stefancik wrote that the company uses data from logged-out users for "safety and security" -- which includes "identifying and disabling spammers and phishers," "helping people recover hacked accounts," and "disabling registration if an underage user tries to re-register with a different birth date."
He also says that Facebook doesn't track users in order to sell information about them to advertisers.
But none of those explanations change Cubrilovic's findings: Facebook was receiving information about logged-out users from outside publishers.
Today, Cubrilovic posted an update stating that Facebook had reached out to him and is fixing the "bug" that enabled tracking information to be tied to users' Facebook IDs.
"Facebook has changed as much as they can change with the logout issue," Cubrilovic wrote today. "I would still recommend that users clear cookies or use a separate browser, though."