Apr 30, 2024
Security Assessment of Facebook's datr Cookie
In the context of a legal case on the data-protection-compliant accessibility of Facebook websites, an expert assessment of the security mechanism of the so-called datr cookie was authored at the Chair for Privacy and Security. The datr cookie is a practically unavoidable and unique identifier, which is set in particular for visits to the Facebook website, regardless of whether an account exists. It is therefore of particular significance from a data protection perspective: the use of the datr cookie and the associated possibility of tracking visitors is justified if a legitimate interest exists. Facebook cites security interests for both Facebook itself and its users.
In our written expert assessment, we conclude that the protective effect of the datr cookie is very limited. Since cookies are generally managed locally in the browser and thus under the control of the user or attacker, they are easily modifiable. Although predicting valid cookies is not possible, new valid cookies can be requested from the server. Arguably, cookies can at best contribute to slowing down attacks. If the datr cookie is able to contribute more to security than we have concluded, an analysis of this is not possible without further disclosure of internal processes and protection mechanisms.
The expert opinion is available online (in German).