UPDATED 08:31 EDT / SEPTEMBER 28 2011

Facebook’s Security In Question for Offsite Activity Tracking

Facebook’s security and its users’ privacy have been in question since the very beginning. Those concerns were only aggravated with each major Facebook update, especially the automatic photo-tagging feature that came out earlier this year. Since then, some users have grown vigilant, scrutinizing every aspect of the social network.

A few days ago, Nik Cubrilovic, a blogger who describes himself as an entrepreneur, a hacker and a writer, made news when he exposed some of Facebook’s latest security flaws. Cubrilovic stated that Facebook is still able to track its users even after they log out, because of the Facebook cookies left in the browser. Cubrilovic examined the cookies while he was logged in and again after he logged out. He stated that the primary cookies that identified him as a Facebook user were still present, and that Facebook only alters the state of the cookies instead of removing all of them when a user logs out. He recommends that you delete all Facebook cookies from your browser to stop the site from tracking all your browsing history.

The evidence Cubrilovic presented was an experiment he did with multiple fake accounts using one browser. He was baffled as to how Facebook came to recommend that his fake accounts be added to his real account. This suggests that Facebook monitors all of its users’ activities. He added that he first informed Facebook of the security flaws back in November of 2010 and followed up in January 2011, but got no response.

Facebook engineer Gregg Stefancik answered Cubrilovic’s accusations, saying that Facebook doesn’t use the cookies to spy on its users but uses them “to either provide custom content (e.g. your friend’s likes within a social plugin), help improve or maintain our service (e.g. measuring click-through rates to help optimize performance), or protect our users and our service (e.g. defending denial of service attacks or requiring a second authentication factor for a login from a suspicious location).”

As expected, commenters on Cubrilovic’s page stated their disbelief in Stefancik’s answer. Some even went on to bash Facebook and quoted the famous line “Remember, remember, the fifth of November,” a reminder of hackers’ planned attack on Facebook.

Even though Facebook denied tracking its users when they are logged out, it still addressed the issue, and Cubrilovic showed the changes in his blog post “Facebook Fixes and Explains Logout Issue.” Simply put, Facebook destroys cookie identifiers when users log out.

Cubrilovic concluded, “Facebook has changed as much as they can change with the logout issue. They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc. I would still recommend that users clear cookies or use a separate browser, though. I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe.”

