Facebook Security – part 2 – Cookies

Part two in a series exploring security around the world’s most popular social network, Facebook.

In the first post of the series I outlined the main security settings for protecting your Facebook account. This time I take a look at a more widespread problem that’s been brought into the spotlight amidst the recent Facebook changes… Cookies! In particular, tracking and persistent cookies, not the tasty crumbly chocolatey good ones.

Take a look at the Glossary page for some background on the meaning and purpose of cookies.

So what’s the problem?

One of the features that the new Timeline will introduce is easier sharing of what you’re doing around the web, news articles you’re reading, music you’re listening to, movies you’re watching. Once you’ve given a website permission to post updates to your Facebook page, under normal conditions they’ll be able to post an update about anything you do on that website at any time in the future, whether you’re logged into Facebook or not.

[Screenshot: Facebook cookies]

To clarify, updates will be posted to your Facebook page about what you’re doing around the web even if you’re not logged into Facebook. If you log into Facebook now, then log out, don’t use that PC again for a month or a year, then browse the web from that PC again without having logged into Facebook, you’ll get updates posted.

The screenshot shows two of nine cookies that Facebook places on your computer as soon as you log on. The first cookie expires “At End Of Session”, so once you log out or shut down, the cookie becomes useless. The second cookie expires in two years. You can log out of Facebook, close the browser and power down the PC, but when you next browse the web that cookie is still valid.
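To see the same split between session and persistent cookies for any site, the added example below (not part of the original post) classifies cookies by lifetime from their `Set-Cookie` headers. The cookie names and values, the fixed "now" date and the 30-day threshold are constructed assumptions, not Facebook's real cookies.

```javascript
// Constructed sample Set-Cookie headers (made-up names and values).
const SAMPLE_HEADERS = [
  "sess_example=abc123; Path=/; Domain=.example.com; Secure; HttpOnly",
  "track_example=u-42; Expires=Sat, 28 Sep 2013 10:00:00 GMT; Path=/; Domain=.example.com",
  "pref_example=en; Max-Age=2592000; Path=/",
];
const DAY_MS = 24 * 60 * 60 * 1000;
const NOW = new Date("2011-09-28T10:00:00Z"); // fixed, constructed audit time

// Split one Set-Cookie value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Remaining lifetime in days at `now`; null means no expiry was set,
// i.e. an "At End Of Session" cookie. Max-Age takes precedence over Expires.
function lifetimeDays(cookie, now) {
  const { attrs } = cookie;
  if (typeof attrs["max-age"] === "string" && /^-?\d+$/.test(attrs["max-age"])) {
    return (Number(attrs["max-age"]) * 1000) / DAY_MS;
  }
  if (typeof attrs.expires === "string") {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) return (t - now.getTime()) / DAY_MS;
  }
  return null;
}

// Label each cookie: session, expired, persistent, or long-lived (> maxDays).
function auditCookies(headers, now, maxDays = 30) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    const days = lifetimeDays(c, now);
    let kind = "session";
    if (days !== null) kind = days <= 0 ? "expired" : days > maxDays ? "long-lived" : "persistent";
    return { name: c.name, kind, days: days === null ? null : Math.round(days) };
  });
}

console.table(auditCookies(SAMPLE_HEADERS, NOW));
```

Real headers for a site can be copied from the browser's developer tools (Network tab, response headers) and passed to `auditCookies` in place of the sample list.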

One caveat is that you will have to give permission to a website before it can post updates to your Facebook Timeline but we’re all guilty of clicking away a popup box without paying attention, or forgetting what we’ve clicked on over time. Another concern with this caveat is that a website may be part of a larger consortium so authorising the Daily Telegraph might feasibly also authorise the Sun and BSkyB.

I mentioned earlier this problem is not specific to Facebook. Google uses cookies that expire in ten years!

Did you know Google records your search history? Here’s something to try if you have a Google account and access to more than one PC: sign into Google on one PC, search for something and click a few of the links. Then sign in on the other PC and run the same search. The links you clicked earlier are already highlighted as purple visited links. Google knows it’s you, they know what you’ve searched and where you’ve been. Spooked?

So what can you do?

Some of you won’t mind, sometimes this joined up web is convenient; being able to search and browse at work and having that history available seamlessly at home can be useful. Others of you might not be so comfortable. It’s not really paranoia if someone is actually watching everything you do. It’s also not shyness or indicative of misbehaving to not want everything you do to be publicly broadcast.

Clearing out your cookies on a regular basis can help reduce the problem, but it means you’ll also lose any logins or customisations each time. There are browser extensions such as Disconnect (add-on for Firefox, extension for Chrome, usual disclaimer applies) that purportedly block such tracking cookies.

Alternatively, separate your web activities between two browsers. Cookies only apply to the browser that they are generated by, so if you log into Facebook using Firefox and then do all of your other web browsing with Chrome, there’ll be no overlap. As an added protection, use add-ons like LeechBlock or BlockSite to put a barrier in the way, so that you can only browse Facebook and related websites from one browser and can’t absent-mindedly forget.

Is this a lot of effort? Not really but it is a little bit of effort. Is it worth the effort? Maybe, only you can decide what you’d be happy to share with your family and friends and the web using world at large.

As always, I hope this helps and if you have any questions please leave a comment down below…


Image Attribution: Thanks to Grant Cochrane @ FreeDigitalPhotos.net for the image

2 thoughts on “Facebook Security – part 2 – Cookies”

  1. Cat

    Nice blog post, thanks for the clarification. So, what confuses me about this, is I thought earlier this year (or possibly last year.. I’m getting old) the EU published some new law that said something along the lines of a website having to tell you before it stores cookies.. right?

    So say you add the Spotify app to your Facebook, it doesn’t tell you in the permissions you accept when you add it, and I only noticed afterwards in the settings. Are they just getting away with it on the fact that when I signed up to Facebook originally I presumably said it was OK or is this all just kinda dubious? Or did it not pass in the end?

    1. thegaryhawkins Post author

      Hi Cat,
      Good question and you’re not alone, there’s a lot of confusion over the new cookies laws. First of all here’s a website for more information on the “EU Cookie Legislation” http://www.cookielaw.org
      As it’s the EU cookie legislation, Facebook is hosted in the US so it’s exempt. Also, while the law came into effect in May 2011 companies have been given 12 months to comply. Doubly also, you’re probably correct in that the use of cookies will be buried deep in the T&Cs of the website but part of the legislation is that the use of cookies will need to be clearly announced on the front of the website.

      …and yes this website uses cookies (for comment logins) so I have some work to do in order to get cookie legal in the next six months 🙂
