Facebook tracks your external web browsing history through the use of their embedded buttons, and links that history with your profile. So even if you don't post private information to Facebook, they're tracking your private activity unless you take measures to block such buttons across the web.
> or specifically log out of Facebook when you're not using it
will probably not, because they set tracking cookies that remain even when you log out.
Complete speculation here, but if they're willing to do that, who's to say they don't link traffic from known IP addresses as well? It might be linked less strongly but in many cases could still be associated in some way. They track web browsing for non-users already anyway, so if they can connect that to existing users by IP I'd be fairly surprised if they didn't.
In order to prevent this, you have to block trackers in all your browsers and devices with Ghostery or similar tools.
With the immaturity of the app permissions model and Facebook's abysmal record, I feel like you're far better off using a mobile browser (in incognito, of course) than the mobile app.
Nope, not if you're outside the US. Seriously getting sick of repeating this, but whatever. Facebook Ireland (mmm, double Irish) is the data controller for all Facebook users outside the US, and they released a report which prevents facebook from doing this. AFAIK, they said that this data can only be retained for 30 days and cannot be linked to user profiles and/or used for targeted advertising.
For some strange reason, the same requirements do not apply to Google, and Twitter are currently being investigated.
Facebook tracks your external web browsing history through the use of their embedded buttons, and links that history with your profile
Not if you log out of FB. Conveniently, the "Like" button tells you when you're logged in and the "(Not You?)" link allows you to log out of FB whenever you notice you're still logged in. Hmm, this gives me an idea for an indicator browser extension.
They say they don't keep shadow profiles of your external Web traffic [though I can't imagine that's true].
In line with other responses, I use a browser plugin that blocks all traffic to Facebook when I'm not on a facebook.com domain, and I exclusively sign in via incognito mode so the session is destroyed when I'm finished.
Easy enough: I have a separate browser for connecting to Facebook. I also have the usual set of tracker-blocking plugins installed on Firefox, which I use for normal browsing.
How is it silly? When someone loads jQuery from Google, and their site depends on jQuery, do you expect the site to still work when you block Google's CDN?