Two Congressmen have written a letter to the Federal Trade Commission (FTC) asking the FTC to investigate certain websites’ use of “supercookies” to track the activities of website visitors after they have left the website and without their knowledge.
Which begs the question, who says you left the website? In today’s interconnected web/Facebook API you essentially never leave Facebook. If a website has Facebook’s API installed, you know, that innocuous little “like” and “share” buttons, you are on Facebook. Of course Facebook tracks you, you never left their site.
The web, in its most essential form, is just an interconnected series of HTTP calls via GET, HEAD, POST, PUT, DELETE. Any webpage can have resources linked to any other site. We have crammed a bunch of functionality into our venerable HTTP specification, but it’s essentially just that simple.
When you visit a website, you are not visiting a destination, you are visiting a virtual representation of resources fetched from all over the world, some of which are Facebook. Since you are using Facebook, they know what pages are using their resources, because the site operators opted in to their API. If you wish to avoid this, you will need to delete your cookies from Facebook and deny them the ability to place them. If you are a site owner and you are worried about your visitors’ privacy, you should remove the Facebook API calls from your site.