How Facebook might comply with the EU Cookie Law

Recently Facebook has explained why they track users and store long-term cookies on users’ browsers even after they log out from the social network site. The reasoning is that the cookie helps them record a behavioral profile of the device, which allows them to identify well-behaving devices / users.

An example would be a user who always logs into Facebook using the same two devices from IP addresses located within a small area. If someone tries to log in using that user’s account details from a previously unknown device (one without Facebook’s long-term cookie ‘datr’) from an unusual place, e.g. from Lagos, Nigeria instead of Wichita, Kansas, then this raises some alarms in Facebook’s systems. In such a case the user will still be able to log in, but only if they are able to solve some ‘social captchas’.

Having their ‘datr’ cookie justified this way could also allow Facebook to fulfill section 66 of the EU directive 2009/136/EC, the so-called ‘EU Cookie Law’ which states:

(66) Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

(Emphasis mine)

As users explicitly request Facebook’s service, and Facebook claims that setting the long-term identifying cookie is required to keep the service secure, Facebook could be legally allowed to set the cookie without asking the user for permission. Two birds with one stone. Clever, isn’t it?

