Security of people’s personal information on Facebook is again under the spotlight since the announcement of Facebook’s new ‘Timeline’ feature, which tracks the digital history of its users, charting their online activity.

And in a shock revelation today, Australian technologist Nik Cubrilovic has revealed that this tracking actually continues even after the user has logged out. Cubrilovic says tests he has conducted show that:

“when users log out of Facebook, rather than deleting its tracking cookies, the site merely modifies them, maintaining account information and other unique tokens that can be used to identify users,” his blog says.

An article in The Australian last week titled “Every click you make, Facebook tracker will be watching you” featured Australian Privacy Commissioner Timothy Pilgrim. He issued a warning to consumers about the introduction of this new feature and its privacy implications.

“I would strongly encourage people using social networking sites to make sure they know what information may be made publicly available on that site and to think carefully about the information they are sharing and who might have access to it,” Mr Pilgrim said.

With the new information that has come to light today, it would seem even more important for Facebook users to exercise caution around this new system.

The discovery is featured in The Sydney Morning Herald’s story “Facebook tracks you even after logging out”. The article quotes David Vaile, executive director of UNSW’s Cyberspace Law and Policy Centre. He says Facebook’s changes were a “breathtaking and audacious grab for whole life data”. In an email interview he accused the social networking site of attempting to “normalise gross and unsafe overexposure”.

“While initially opt-in, the default then seems to be expose everything, and Facebook have form in the past for lowering protection after people get used to a certain level of initial protection – bait and switch,” he said.

Cubrilovic says he has been sitting on this information for over a year, despite notifying Facebook of his discovery at the time. He says the recent introduction and media coverage of the Timeline feature has prompted him to reveal his findings.

Although there has been no ‘official’ response to the media on the issue to date, a couple of engineers who work for Facebook have denied allegations that the cookies are used to track users.

“I am a Facebook engineer that works on these systems and I wanted to say that the logged out cookies are used for safety and protection including: identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of “keep me logged in.”

Also please know that also when you’re logged in (or out) we don’t use our cookies to track you on social plugins to target ads or sell your information to third parties. I’ve heard from so many that what we do is to share or sell your data, and that is just not true. We use your logged in cookies to personalize (show you what your friends liked), to help maintain and improve what we do, or for safety and protection,” the engineer writes to Emil Protalinski for ZDNet.

Identity theft can be devastating for the victim, who many times faces an uphill battle with their credit rating following it. If the crime is sophisticated, the virtual stealing of someone’s good name can go undetected for a significant time. Often it is not until the victim applies for credit somewhere and is refused that they realise their personal information has been stolen and identity fraud has been committed against them. People may have credit applications as a minimum, and possibly defaults, mortgages and mobile phones, attributed to them incorrectly.

Once any account remains unpaid past 60 days, the debt may be listed by the creditor as a default on a person’s credit file. Under current Australian legislation, defaults remain listed on the victim’s credit file for a 5-year period.

What is not widely known is how difficult recovery from identity theft can be. Unfortunately there is no guarantee defaults can be removed from a person’s credit file. The onus is on the identity theft victim to prove to creditors they didn’t initiate the debts in order to succeed with the credit repair. But for the victim who is virtually robbed of their financial freedom, it is a point worth fighting for.

Signs which may alert people to possible identity theft:

– Money missing from bank account/s.
– Suspicious entries on credit card statements or bank statements.
– Statements for strange accounts.
– Missing mail such as bank statements or Centrelink statements.
– Credit refused somewhere.
– Mail about new credit applications.

For more information on identity theft, or for help with credit repair following identity theft, visit the MyCRA Credit Repairs website.
