A coalition of digital rights groups is asking the Federal Trade Commission to investigate Facebook for allegedly learning which outside sites users visited when they were logged out of the service.
"Facebook's tracking of post-log-out Internet activity violates both the reasonable expectations of consumers and the company's own privacy statements," the groups say in a letter sent to the FTC today. Groups signing the letter include the Electronic Privacy Information Center, ACLU, American Library Association, Center for Digital Democracy and Consumer Watchdog.
This week, Australian developer Nik Cubrilovic went public with research showing that Facebook could snoop on users whenever they visited sites with a Like button or other social widget -- even when the users had logged out. Cubrilovic said he had reported this to Facebook on two occasions in the last year, to no avail.
After he blogged about his findings, Facebook quickly said it would fix the "bug" that allowed it to receive data about logged-out users. (The company also denied "tracking" users, arguing that it never retained any data tying users' IDs to the sites they visited.)
But the advocacy groups are questioning whether Facebook completely resolved the problem. Cubrilovic said he found six separate cookies that could allow tracking by user ID. Facebook now appears to destroy at least one of those identifiers when users log out -- the one marked "a_user" -- but not all of the others.
The advocates are skeptical that destroying the a_user cookie alone will protect people's privacy. "Facebook states that the remaining identifiers are used only to improve performance and security. However, there is no technical reason why they could not be used to track a user's identity in a manner similar to the a_user cookie," they state. "Thus, just as before, consumers must rely on Facebook's assurances that the other identifiers are not being used for tracking purposes."
The groups additionally raise questions about other new Facebook features like "frictionless sharing," described in the letter as "a passive experience in which a social app prompts the user once, at the outset, to decide the level of privacy for the app (with 'public' being a common default) and then proceeds to share every bit of information obtained thereafter."
While people can opt out of sharing, doing so may prove to be complicated. The advocates say that people who use the Washington Post's Social Reader and don't want to engage in frictionless sharing must take at least seven steps to avoid it.
But at least people apparently can opt out of the new frictionless sharing regime. Until this week, users had no way to prevent Facebook from knowing what Web sites they visited, short of deleting their profiles. If Facebook took people's privacy more seriously, it would have fixed the bug that allowed it to tie people's IDs to their Web surfing behavior long before now.