Facebook’s business is built on trust, but that trust has been shaken over the past few weeks by criticism and speculation regarding how it uses browser cookies to get data about users.

A lack of thorough documentation explaining what each of its cookies does has led some observers to assume that the company is tracking offsite browsing behavior in order to target ads. Facebook needs to provide explanations for both the average user and privacy researchers about how exactly its cookies work in order to prevent these press flare-ups from giving users a negative impression and bringing on regulatory scrutiny from governments.

Some bloggers claim cookies left by Facebook and third-party sites that integrate its social plugins indicate that the company is tracking users’ web browsing behavior, then using that data to target ads in a way that violates user privacy. Facebook has refuted the claims, saying that users agree to receive the cookies and that the cookies are used to enhance site security and power the social plugins, not create a profile of a user’s offsite behavior to better target ads against.

Unfortunately for Facebook, the claims are still giving off a negative impression of the service and sparking complaint letters to government agencies from privacy advocate groups. A patent application for the company’s social plugins that included language about tracking and targeting ads has also helped fuel the controversy.

While Facebook does currently include some explanation of how it uses cookies in its privacy policy and Help Center, this information clearly isn’t complete, comprehensible, or prominent enough to deflect criticism. Facebook engineer Gregg Stefancik, who has responded to critics on blog comments, even noted “we haven’t done as good a job as we could have to explain our cookie practices.”

Facebook could have avoided much of the crises by being more transparent about it how it uses cookies. We believe Facebook should consider drawing up two dedicated documents explaining how it uses cookies and tracks offsite activity. Much like its “re-imagined privacy policy”, there could be one simple version designed for the average user and a second detailed version for privacy advocates. The company also needs to demonstrate that is doing what it says it in a way that observable by outside parties.

Cookie Criticism: The Issues to Date

Since the launch of social plugins and before, Facebook has left cookies on the browsers of people who sign up for accounts as well as anyone else who visits Facebook.com. These cookies are used to protect the site against hacking attempts and to show logged in users what their friends have Liked on third-party sites, the company has repeatedly said.

Facebook’s privacy policy says the following: “We receive data whenever you visit a game, application, or website that uses Facebook Platform or visit a site with a Facebook feature (such as a social plugin). This may include the date and time you visit the site; the web address, or URL, you’re on; technical information about the IP address, browser and the operating system you use; and, if you are logged in to Facebook, your User ID.”

The Help Center follows with more detail: “We use cookies to make Facebook better and easier to use, to provide you with a more personalized experience, to improve the ads that you see, and to protect you, others, and Facebook from malicious activity. We do not use cookies to create a profile of your browsing behavior on third-party sites or to show you ads, although we may use anonymous or aggregate data to improve ads generally.”

In May 2011, The Wall Street Journal reported that Dutch security researcher Arnold Roosendaal discovered that sites integrating Facebook’s social plugins were leaving cookies on the browsers of users who had never visited Facebook.com and were transmitting browsing data back to Facebook. Facebook said this was a bug and that it discontinued the practice of social plugins leaving the “datr” cookie.

On September 25th, 2011, Nik Cubrilovic wrote that Facebook was maintaining several cookies on the browsers of users even after they log out, and that these cookies include a User ID and could be used to target ads.

Facebook engineer Gregg Stafancik responded that the cookies were used for security purposes, not ad targeting, stating that “generally, unlike other major Internet companies, we have no interest in tracking people. We don’t have an ad network and we don’t sell people’s information.” He then outlined how Facebook uses its cookies:

The logged out cookies, specifically, are used primarily for safety and security protections, including:

– Identifying and disabling spammers and phishers

– Disabling registration if an underage user tries to re-register with a different birth date

– Helping people recover hacked accounts

– Powering account security features, such as login approvals and notifications

– Identifying shared computers to discourage the use of “Keep me logged in.”

He repeated that the cookie that identifies a user was the result of a bug. He noted “thanks, again for raising these important issues. We haven’t done as good a job as we could have to explain our cookie practices. Your post presents a great opportunity for us to fix that.” The information Stefancik detailed in the comments of the post about how cookies are used for logged out users currently appears in the Help Center, although it’s unclear if it was added here since Cubrilovic’s post was published.

On September 27th, Cubrilovic wrote that Facebook had fixed the bug causing the cookie containing UIDs to be retained after log out, and that this cookie was now destroyed after log out.

On October 1st, Uncrunched published an article titled “Brutal Dishonesty” outlining how Facebook had said it does not track users, but that on September 22nd filed a patent application that includes the line “A method is described for tracking information about the activities of users of a social networking system while on another domain.” The language in the patent indicated that the information at least had the potential to be used to target Facebook ads.

A Facebook representative commented on the post in an official capacity to say that the patent merely describes how Facebook’s social plugins work to show logged in Facebook users the Likes of their friends without them having to log into Facebook again on a third-party site. The comment downplayed the idea that Facebook is currently using the data to target ads — although we don’t have a way to independently verify if it is or isn’t, or that it won’t in the future.

On October 3rd, Cubrilovic wrote that he had discovered the datr cookie was still being left by some Facebook-integrated third-party websites. In response to Facebook’s claim that it doesn’t track users, he wrote “I believe them when they say this and that they are not hiding anything, but I also believe that our definitions of tracking differ. If you set a cookie on a users machine from one website, and then read that cookie from that person’s machine from another website, that is tracking.”

Stefancik then commented on the post on the morning of October 4th to say that “as we discussed last week, we are examining our cookie setting behavior to make sure we do not inadvertently receive data that could be associated with a specific person not logged into Facebook. We have been made aware of 2 instances in the past 2 weeks related to cookies which needed to be addressed. What you describe in this post is not a re-enabling of anything, but a separate issue involving a limited number of sites, including CBSSports. We have moved quickly to investigate and resolve this latest issue which will be fully addressed today.”

Facebook Needs Documentation to Refer to

The fact that Facebook had to comment directly on three blog posts in an attempt to debunk speculation shows there is a lack of clear documentation explaining its use of cookies. By publishing its responses as governing documents and making them easy to find, Facebook could address users’ questions before they draw their own, sometimes-negative conclusions about the company’s intentions.

We should note that a wide variety of other web companies, specifically online advertising service providers, have aggressively tracked and in many cases inappropriately used information about users, often aggregating and reselling user data without the user having any idea of what they are doing. Facebook wants to be seen as above the controversies surrounding the industry — and because so many users opt in to share their data to Facebook by joining and using the service, that claim appears to by and large be true. Yet the combination of unclear explanations, past issues, and the patent are getting in the way of its effort to explain its case.

The onus is now on Facebook to fully explain how it does and does not track users across the web and use that information back on Facebook — and prove what it says through the technology that it deploys across the web.