Martin Varsavsky´s Ruminations

Gregg Stefancik 4 hours ago

I’m an engineer who works on login systems at Facebook.  Thanks, again for raising these important issues.  We haven’t done as good a job as we could have to explain our cookie practices.  Your post presents a great opportunity for us to fix that.  At the same time, your post reaches some incorrect conclusions that I hope to clarify.  

Generally, unlike other major Internet companies, we have no interest in tracking people.  We don’t have an ad network and we don’t sell people’s information.  As we state in our help center (http://www.facebook.com/help/?…, “We do not share or sell the information we see when you visit a website with a Facebook social plugin to third parties and we do not use it to deliver ads to you.”

Said more plainly, our cookies aren’t used for tracking.  They just aren’t.  Instead, we use our cookies to either provide custom content (e.g. your friend’s likes within a social plugin), help improve or maintain our service (e.g. measuring click-through rates to help optimize performance), or protect our users and our service (e.g. defending denial of service attacks or requiring a second authentication factor for a login from a suspicious location).  

The logged out cookies, specifically, are used primarily for safety and security protections, including:
- Identifying and disabling spammers and phishers
- Disabling registration if an underage user tries to re-register with a different birth date
- Helping people recover hacked accounts
- Powering account security features, such as login approvals and notifications
- Identifying shared computers to discourage the use of “Keep me logged in.”

Most of the cookies that you highlight have benign names and values.  For example, the “locale” cookie is simply user’s language and country. I do understand some of the confusion around the ‘act’ and ‘lu’ cookies.  The poorly named ‘act’ cookie is a UNIX timestamp with milliseconds and a sequence number that we use to measure and optimize the speed of the site (‘act’ is an abbreviation for “action”).  We use the ‘lu’ cookie to identify public computers and discourage the checking of the keep me logged in box.  On single user computers, we use the ‘lu’ cookie to prefill your facebook e-mail address on the login screen if you have *not* explicitly logged out. 

We also maintain a cookie association between accounts and browsers.  This is a key element of our phishing protections.  However, contrary to your article, we do delete account-specific cookies when a user logs out of Facebook.  As a result, we do not receive personally identifiable cookie information via HTTP Headers when these users browse the web.  

Finally, we’ve confirmed that we don’t, and never have, used cookies to suggest friends.  If you send us the user IDs of the test accounts you created, I’m happy to investigate further.

Again, my apologies that your previous concerns were not addressed.  Since your reports, we’ve introduced a bug bounty program to streamline and reward whitehat security reports (http://www.facebook.com/note.p….  I hope this more secure and reliable channel will be useful for you.  We really hope you’ll continue to let us know about issues you see.  

I hope these clarifications were helpful.  Please let me know if you’d like to discuss further.