Apparently, Facebook has a lot of work to do on its privacy controls. In some cases, the new "frictionless sharing" features of Facebook can make it so that even when you're logged out of Facebook, your browser is still tracking every page you visit, sending that data back to Facebook.

According to entrepreneur and self-described hacker Nik Cubrilovic, who shows the code involved with this alleged security issue on his website, "Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions."

Oddly enough, Cubrilovic says this data is not even hidden, adding that "You can test this for yourself using any browser with developer tools installed. It is all hidden in plain sight."

Cubrilovic's interest was piqued after he read a post by Dave Winer on Scripting News, pointing out the specter of Facebook announcing the websites you're visiting and articles you're reading without your explicit permission or knowledge. Such capabilities are written into Facebook's new API, according to Winer. He says that Facebook scares him, writing, "I think there's a good chance that by visiting a site you are now giving them access to lots more info about you. I could be mistaken about this."

Winer's post was a reaction to one written last week by ReadWriteWeb, pointing out that the new "social reader" apps Facebook plans to launch soon (and are now available if you enable your Facebook Timeline) will be able to display what you're reading to your Facebook friends. However, we logged into one of those Facebook apps, The Guardian Social Reader, and noticed that it's easy to opt out of these "features" when we first began using it.

Even though you can opt out of much of this sneaky kind of sharing, we're thinking Facebook still has some work to do before everyone can feel perfectly secure with its apps and sharing capabilities. Perhaps it's a matter of educating users about Facebook's new capabilities. Meanwhile, it might be time for us to modify that old saying, "Don't write anything that you wouldn't want to have read in court." For the time being, must we change that to "Don't click on any website that you wouldn't want to have revealed in court?"

Update: Facebook engineer Arturo Bejar responded to the following question I emailed to Facebook Sunday afternoon: "Will users be able to completely prevent their browsing data from being sent back to Facebook, or from displaying on their feeds?":

"I am a Facebook engineer that works on these systems and I wanted to say that the logged out cookies are used for safety and protection including: identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of ‘keep me logged in”. "Also please know that also when you’re logged in (or out) we don’t use our cookies to track you on social plugins to target ads or sell your information to third parties. I’ve heard from so many that what we do is to share or sell your data, and that is just not true. We use your logged in cookies to personalize (show you what your friends liked), to help maintain and improve what we do, or for safety and protection."

You're invited to respond to Arturo's statement in the comments section below.

Photos: Facebook Timeline

Facebook Timeline: In-Depth

More F8 Coverage: