Ten consumer and privacy advocacy groups sent a letter to the U.S. Federal Trade Commission (FTC), asking it to investigate Facebook’s use of supercookies—secret trackers that could follow people as they browse the Internet even after they have logged off the social media site.
The groups, which include the American Civil Liberties Union and the Bill of Rights Defense Committee, have joined the chorus started by Congress members Ed Markey (D-Mass.) and Joe Barton (R-Texas), calling on the FTC to launch an investigation into the matter.
Facebook is breaching agreements it made with its 800 million customers, the groups argue, while violating the company’s statements on its privacy. Nearly 200 million Facebook users are in the U.S. and are under the jurisdiction of the FTC.
“Although Facebook has partially fixed the problem caused by its tracking cookies, the company still places persistent identifiers on users’ browsers that collect post-log-out data and could be used to identify users,” reads the letter, which was hosted by Electronic Privacy Information Center.
The FTC should determine if Facebook’s changes violate its privacy policy, groups said. If that is the case, it could be violating U.S. law.
Earlier this week self-proclaimed hacker Nik Cubrilovic wrote that he checked into Facebook’s code and found that the cookies tracked users’ Internet consumption.
“Facebook has made changes to the logout process,” said Cubrilovic on Monday. The company contacted him and said that their most problematic cookie is now destroyed after users log out, but explained that there are still five others that remain for performance and security reasons.
But advocacy groups still question the remaining supercookies. “There is no technical reason why they could not be used to track a user’s identity in a manner similar” to the cookie that was fixed, reads the letter.
The coalition also asked the trade commission to look into new features, “Timeline” and “Open Graph,” recently rolled out by the social media site, which are designed to broadcast users’ Internet activity and online interests.
“These changes in business practices give the company far greater ability to disclose the personal information of its users to its business partners than in the past,” the letter reads, and added that it is “confusing” for users to change the privacy settings on the two new features.
In a comment posted on Cubrilovic’s blog, Gregg Stefancik, an engineer with Facebook, wrote the company’s “cookies aren’t used for tracking. They just aren’t.”
“Instead, we use our cookies to either provide custom content (e.g. your friend’s likes within a social plugin), help improve or maintain our service (e.g. measuring click-through rates to help optimize performance), or protect our users and our service (e.g. defending denial of service attacks or requiring a second authentication factor for a login from a suspicious location),” he wrote.
