Facebook can track your browsing even after you've logged out, judge says
theguardian.com
Firefox has a pretty neat feature I discovered recently:
https://wiki.mozilla.org/Security/Contextual_Identity_Projec...
It lets you run multiple sessions in one window, where each tab belongs to a specific session with separated cookies and such.
I've got a bunch of tabs where I'm logged in to Facebook, another set where I'm logged in to Google and the rest of them where I'm not logged in to either. Of course they can still use IP matching to track me, but at least it's something...
Privacy Badger is also good for things like this: you can be logged into Facebook, but Privacy Badger will block requests to Facebook from third-party sites.
Privacy Badger is great and goes way beyond other anti-tracking and ad blockers. They also keep an eye on a lot of the CDNs to make sure they're not running sneaky stuff like canvas finger-printing or using local storage to bypass various protections.
I just wish Privacy Badger didn't force DNT to be enabled. Not only does the entire concept mean trusting the advertising companies implicitly, the header serves to differentiate your traffic.
You're worried about browser fingerprinting? Does any Firefox extension effectively counter that?
From my understanding blocking 3rd party JS is largely insufficient for accomplishing this, regardless of DNT settings.
You may be right regardless that it's better to appear as much like a stock browser as possible, in terms of privacy settings, so DNT should stay disabled. But in practical terms it might not make much of a difference.
I don't know of any tools to block fingerprinting, but here's a cool tool by the EFF for testing how unique your browser is: https://panopticlick.eff.org
Panopticlick is a best guess, only. If you use exactly the same system twice, it should detect that. However, browsers and systems autoupdate frequently, and various other things that are fingerprinted are also not really fixed.
For a single browser session, this should work. Over months, it's harder. A tracker would need to at least be quite aggressive and collect a lot of information to track you, and then be fairly clever in fuzzily matching that in the future if they want to track you over time.
Which isn't to say that short-to-medium term tracking is just fine, but it's not black and white either.
Yes, canvasblocker blocks one kind of fingerprinting. Combined with ublock (or privacybadger) + self destructing cookies and maybe decentraleyes, and a vpn, you are almost there...
Simple blockers actually do a lot of good here - because many of the things that will fingerprint you are not first party sites but 3rd party ad scripts.
None of these measures protect you against tracking, though. And if they don't, why use them? It's better to be honest with yourself and admit how effective tracking is nowadays.
Your user agent plus unique plugin installations plus fonts installed equals a unique fingerprint across IP addresses. The above isn't an exhaustive list, either. There are dozens of tricks to track you.
Facebook can't track you by those metrics if a filter like Privacy Badger blocks requests to their servers.
Is it really that effective? I admit I assumed it was hard to dodge the global advertisement apparatus, but maybe it's possible.
Example: jQuery is sometimes hosted on Google CDNs. You can't block that request without breaking the site, right? But that request sends all your info.
Yes, it's really that effective - blocking the facebook like button doesn't break most websites.
And typically a request for something like jquery from a CDN will contain little more than your IP address and cookies. You can even prevent the cookies from being sent if you want. The only way they could get away with more than this would be to modify the resulting script to grab more info from your machine.
Isn't your IP address plus cookies enough to track you?
Yes, but they can be trivially blocked or discarded. My main point is that no advanced fingerprinting tactics can be used so the simple means work in the case of most site-breaking things. Privacy Badger eats CDN cookies - that's actually one of its main features, so it will prevent this kind of thing quite nicely without breaking websites.
The vast majority of people correlate 1:1 with IP address alone, so I'm not sure how effective this is. Nonetheless, that's pretty cool.
Privacy badger also blocks referrers to those sites - having only a connecting IP and asking for a copy of jquery isn't exactly privacy breaching in my eyes. Could be any one of many sites that wants it. Not much they can do with that information.
Only works on desktop browsers. Fingerprinting doesn't work on Safari iOS. Pretty sure stock Android is unreliable too.
You can also do that with uMatrix as well as with uBlock Origin.
Or Ghostery. I run it side by side with ublock Origin. It makes the web livable.
I use the Tor browser for just Facebook. Stymies IP tracking, and I expect it to do more of the right things to deal with fingerprinting too.
Plus it's super slow, encouraging me to not spend too much time on Facebook...
...in case you want to block all Facebook ip's to prevent any tracking (the method described is for macOS' firewall): https://www.perpetual-beta.org/weblog/blocking-facebook-on-o...
Do you use facebookcorewwwi.onion? Before I deleted my Facebook account last year that was the only way I connected to it.
Yes, although I'm not sure if there's any reason to.
Why not just quit Facebook?
For me, the reason is "Because there are people on Facebook that I want to communicate with".
I stayed for so long for that very reason. My usage went down so much, that the only time I logged on was to briefly look at the news feed (of which I hardly recognized anybody anymore. Just posts by peoples' friends of friends).
I decided to just cut it out and hope that I see those people again in real life. If not, then the road goes elsewhere. Feels a little more human.
>> Just posts by peoples' friends of friends
Yeah, I occasionally go through a lot of posts and click "don't see any more stuff from MYCATS" or whatever. But it's gotten to the point where you just can't stop it that way either. I think "like" now means "see more crap from here" otherwise how would so many people be viewing so much junk.
I don't know any people around me that have facebook that don't have another way to be reached. So there is something else that makes you stay.
I'm not sure why you're being downvoted.
I'm in a similar boat. That's just how a lot of people I know communicate. Sure they have other ways to communicate, but they don't want to.
There's a large number of people on Facebook that I interact with that I don't have email / sms / whatever for. There's also a non-negligible number that I'm happy interacting with on Facebook but not on anything more personal.
> There's a large number of people on Facebook that I interact with that I don't have email / sms / whatever for.
You can ask said email/sms/whatever. If the communication matters, you should have them anyway. If not, then those persons are not that important.
> There's a large number of people on Facebook that I interact with that I don't have email / sms / whatever for.
There you go! Here is one of the other reasons that I stated before. Not the "those people I can only reach through facebook" bullshit.
> If the communication matters, you should have them anyway. If not, then those persons are not that important.
Oh, I'd agree they're "not that important" but that doesn't mean "...and therefore I should cut them out of my life."
> Not the "those people I can only reach through facebook" bullshit.
It's not "bullshit" just because you disagree.
That's true for me, too. But I can communicate with those people via other means and have found no downside to doing so. I've been Facebook-free for years now.
Preaching to the choir, it's our friends who need convincing!
But they don't need convincing for us to leave Facebook. My friends who have Facebook also have text, email, phone, and sometimes WhatsApp, Signal, and/or Telegram. AFAIK I haven't ever convinced anyone to leave Facebook, but that hasn't been a barrier to me leaving Facebook at all.
It's necessary for event planning, at least in my social circles.
For everything else, there's email, sms, and a half dozen other social networks.
Messenger is the default mode of social organizing among almost all my friends, because everyone has it. I barely ever touch Facebook proper these days.
Gosh quitting Facebook has become the new going vegan. Can everyone just mind their own business?
If you truly wanted people to mind their own business, getting them off facebook would be a great start.
Facebook is the new smoking, where many users complain about how it clearly negatively affects their lives and then when someone suggests quitting as a solution, random other users who weren't involved jump in to tell them to mind their own business.
That's a slippery slope and you know it.
Are you going to follow everyone who's harming themselves in any way (alcohol, drugs, food, [insert any other vice]...) to chide about their behaviors?
I'm not chiding anyone about their behaviors. brainfire was saying how they solve their problems with Facebook, and I suggested an easier solution.
Lots of people have problems with Facebook, and I was suggesting a solution to their problems which many people think is untenable, but works well for me. If you don't have problems with Facebook, my comments weren't directed at you.
There's some irony in jumping into someone else's conversation to tell them to mind their own business and stop chiding people for their behavior.
Because it provides a useful service- for the first five or so minutes of a visit anyway.
The container tabs feature can also be enabled through the Firefox Test Pilot website (which has lots of other cool experimental features too).
Really love this feature. Incredibly useful for sticky accounts such as google, facebook, twitter, etc. Buttons and scripts follow you everywhere these days.
But it's not just that. It lets you easily open several accounts in parallel. I have 3 github accounts, and can open 3 tabs in 3 clicks with the 3 accounts in parallel. Before that I had to use profiles and it was a pain.
I feel like my Linux user agent is nearly trackable across IP addresses, so few people I know run Linux with Firefox version whatever... but yeah same here: cookies are a non-issue for me. I use a different solution though: self-destructing cookies. Once you closed a tab for more than X seconds (I configured 90 seconds I think), it deletes all cookies (and localstorage etc.) from that domain.
> and localstorage
Just a warning: not if you have enabled multiprocessing.
SDC (and other similar addons) can't monitor LocalStorage when e10s is on, only cookies. (Source: "Frequently Asked Questions and Common Problems" at https://addons.mozilla.org/en-US/firefox/addon/self-destruct...)
As a Firefox on Linux user I checked one of those sites that tries to estimate how many bits each public aspect of your setup reveals about you. It turned out available fonts was by far the most unique aspect of my setup.
The only surefire way is to disable javascript, extensions, cookies, etc. https://browserleaks.com has a pretty good breakdown of the different techniques you can use. There's another JS technique that probes the hardware to fingerprint a browser too.
http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS1...
Use Tor Browser even if you're not using Tor if you're looking for better privacy. It's modified to mitigate as much as possible. Facebook is just bad. Avoid it at all costs if you value privacy. And it's not just facebook. Sites like facebook, google, etc also use several 3rd party "advertising" (i.e. data gathering) companies to gather data and build profiles on users and share that data with each other. Even on your regular use browser I would highly recommend uBlock Origin and Privacy Badger.
But with such a unique browsing situation you're basically identifiable on that basis alone. Your best bet would be to have your browser present itself as a common browser on a common platform, and block tracking and ads.
UserAgent is still top culprit (16 bits of identifying information) followed by browser plugins (12bits) then WebGl (12b), canvas (9b), language (if not english nor chinese) and then fonts at 5bits.
Total is around 20bits (due to overlaps).
YMMV.
Could you share a link to this site?
I suppose it was https://panopticlick.eff.org
One thing I don't really like about that site is that it gives browsers worse scores for not unblocking third parties which promise to honor do not track. Surely you're more safe when you don't trust anyone instead of trusting that third parties which honor DNT actually honor it. It kind of reeks of pushing an agenda, which would have been okay (it's the EFF after all) if the tool didn't claim to score your browser on how well it protects you from tracking.
There are add ons to change the user agent to something more generic. You can even randomize it but it breaks many more sites than I was expecting.
I think randomizing the UA might actually be worse, since it would allow services to fingerprint you across calls more precisely.
The point is to not ever be different from others. Act like the rest of the crowd. By changing your UA every now and then, you stand out, and become easier to identify.
If by randomizing you mean random strings (and not from a list), then I think this is relevant:
Randomly selected from a pool of known UA.
I've been tempted to write something that goes a bit further. I'd like traffic to each site to be routed through proxies with different IP addresses. (Perhaps even to the point where my devices are automatically managing a set of nodes or Lambdas on AWS.)
Along with that, it will still be necessary to fix some browser information leaks that could be used for fingerprinting
If someone is tempted to beat me to it, go for it!
That's going to break so many websites for you ... Pretty much any service that uses server side sessions across domains. Downloads are often whitelisted to a session, which get invalidated on ip changes.
For exactly those sorts of reasons, I don't expect to apply such a system universally any time soon. In practice I suspect it will only make sense to employ it with a modest number of problematic domains. Currently I use uBlock with javascript defaulting to disabled, manage cookies and local storage, disable referrer headers, etc., but there are still some huge privacy leaks.
On the other hand, it might be possible to devise a solution that works generally but employs white lists or other exceptions for sites that need certain IP-address behavior. That would take a fair amount of effort, but the approach has worked well in similar contexts, such as ad blockers.
Did you just describe tor?
The new versions of Safari in iOS 11 and High Sierra have a similar feature by default to prevent tracking. First party cookies work, but third-party cookies are put in a virtual container, so tracking networks that are on NYT and Washington Post can't correlate the cookie. It's a bit more complicated than that in practice, but that's the idea.
Helpful. But I'm pretty sure their ability to track is more sophisticated than that. Per Chaos Monkeys, and I'm sure it's gotten better since.
I do something similar with chrome users. I like it better because each 'user' is a separate window and I can color scheme which one i'm in with browser themes. The setup takes a while initially although.
Having multiple container tabs on the same window can be hard to manage & track, at least with the way brave presented it with their numbered session tabs.
Chrome has profiles for this as well. You can also use the PrivateInternetAccess addon which proxies all traffic for that profile alone, and a canvas blocker, in a dedicated Chrome profile. Font fingerprinting is still possible, but beyond that there is no way to associate that profile with anything else.
I wouldn't be so sure. Screen resolution, Machine time, flash version, fonts. Plus several others I forget
Old Opera used to have each tab being a separate environment. For some reason we are mostly back to "private windows" now, which aren't separate at all between each other.
We changed that for a reason. No user wants to be logged out that often. Actually most facebook users probably enter their password one time a month. Less if they use the mobile.
Wish it were still an option; I use quite a bit of RAM on multiple instances of browsers for this very reason.
Firefox is integrating a cookie feature from Tor called first-party isolation or double-key cookies. It will separate third-party cookies for each first-party site. If a.com and b.com both load images from evilcorp.com, Firefox will send evilcorp.com different cookies for requests from a.com and b.com. Blocking third-party cookies can break some sites that rely on third-party resources, but first-party isolation should allow each site to work without cookie "crosstalk".
You can test first-party isolation now by flipping the about:config pref "privacy.firstparty.isolate" to true. Beware that there are still bugs that break some sites, which is why the feature is not enabled by default yet. If you find bugs, please report them in Bugzilla! Here is the Firefox bug tracking the integration and known bugs:
Thanks for the tip, I didn't know about that. I'll play with that this weekend. (Definitely not afraid of breaking sites; that's how I learn what they're up to.)
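The double-keyed cookie behaviour described in the first-party isolation comment above, as an added illustration that is not part of the thread and not Firefox's code. The hostnames a.com, b.com and evilcorp.com come from that comment; the `CookieJar`, `Tracker` and `simulate` names are hypothetical and the jar is a toy model of the keying rule only.

```javascript
// Toy model of cookie storage with and without first-party isolation.
// Not Firefox's implementation; class and function names are hypothetical.

class CookieJar {
  constructor({ firstPartyIsolate }) {
    this.firstPartyIsolate = firstPartyIsolate;
    this.store = new Map(); // jar key -> Map(cookie name -> value)
  }

  // With isolation, cookies are keyed by (top-level site, cookie host).
  // Without it, they are keyed by the cookie host alone, so one jar
  // is shared across every site that embeds that host.
  jarKey(firstParty, host) {
    return this.firstPartyIsolate ? `${firstParty}^${host}` : host;
  }

  setCookie(firstParty, host, name, value) {
    const key = this.jarKey(firstParty, host);
    if (!this.store.has(key)) this.store.set(key, new Map());
    this.store.get(key).set(name, value);
  }

  cookiesFor(firstParty, host) {
    return this.store.get(this.jarKey(firstParty, host)) || new Map();
  }
}

// Minimal third-party tracker: hands out an ID cookie on first contact and
// records which embedding site each ID was seen on.
class Tracker {
  constructor(host) {
    this.host = host;
    this.nextId = 1;
    this.log = [];
  }

  handleRequest(jar, firstParty) {
    let id = jar.cookiesFor(firstParty, this.host).get("uid");
    if (id === undefined) {
      id = `u${this.nextId++}`;
      jar.setCookie(firstParty, this.host, "uid", id);
    }
    this.log.push({ id, site: firstParty });
    return id;
  }

  // The tracker's view: for each ID, the list of sites it can link together.
  profiles() {
    const out = {};
    for (const { id, site } of this.log) {
      if (!out[id]) out[id] = [];
      if (!out[id].includes(site)) out[id].push(site);
    }
    return out;
  }
}

// Constructed browsing sequence: a.com, b.com, then a.com again, each page
// embedding a resource from evilcorp.com.
function simulate(firstPartyIsolate) {
  const jar = new CookieJar({ firstPartyIsolate });
  const tracker = new Tracker("evilcorp.com");
  for (const site of ["a.com", "b.com", "a.com"]) {
    tracker.handleRequest(jar, site);
  }
  return tracker.profiles();
}

console.log("shared jar:  ", JSON.stringify(simulate(false)));
console.log("isolated jar:", JSON.stringify(simulate(true)));
```

The model covers cookie state only; the IP address and fingerprinting signals discussed elsewhere in the thread are outside what this keying changes.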
Safari in private mode operates that way if you're on Mac.
They can also use screen resolution, fonts you have loaded, plugin versions, canvas serial number, your gpu, and a whole lot of other cross browser things.
Wouldn't opening several "Private Windows" achieve the same situation? What are the differences?
Several private windows share the cookies. Try logging into a website in a private window and open that website in another private window and you will be logged in.
Which is a significant flaw in the way incognito windows work with Chrome. If you have a minimized or hidden incognito window, opening a new one beats the purpose of incognito windows…
At the least, you could imagine having a shared session for all the tabs in a same window. But a new incognito window should be clear of any history.
In Chrome. Not in Safari.
Waoh. Never knew this. I would happily switch to safari, if only it has those amazing extensions that I have in my chrome.
What about separate Chrome profiles?
Not quite the same in that saved history, password, etc are in separate profiles. Also, you can have tabs from different containers in a same window.
I don't think so: I'm currently logged in on HN. When I open a new private window, I'm logged in as well.
This is really annoying when you always use your web browser in private mode, but don't close it regularly. It means that e.g. youtube already builds a profile about me from my previous searches even though I'm not logged in. If I were that concerned I would close Firefox, but the usability issue is just too big for me. Having the best of both worlds would be awesome.
> When I open a new private window, I'm logged in as well.
Not in firefox, or, at least not for me.
It depends on whether all private windows have been closed. If you open a new private window when another is already open, you remain logged into sites. If you close all your private windows and then open another, it's a clean slate. (At least for me.)
I can see why they do this but it is actually not what I expected. I'd expect all windows to have their own set of cookies and credentials and for all tabs associated with a window to share them.
Are you logged in in a private window? I use the setting "Always use private browsing mode" in FF52, so all of my windows are in private mode, but whenever I open a new (private) window, I'm still logged in. I suspect you'd get the same behaviour with the default settings, and opening two new private windows.
FF53 on Ubuntu, stock settings.
And yes, you're right if I log in on either one of two private windows then the other one is also logged in. That's actually a bug in FF afaic.
FWIW, Chrome has the ability to do multi-user. So I have different users for different accounts. I know that's not perfect but it does more or less force me to close and reopen. PITA but worth having nearly defined browser silos.
And in a VPN and I think you get at least some chance at some privacy. Hopefully.
I use QupZilla, a random Chrome-based browser because it starts a new session for every new window (not tab).
Even Internet Explorer has File > New Session.
Not exactly. I've a "work" container that retains my work-related sessions (on gmail, issue tracker, etc). So if I come back yesterday, I open a work container and I'm back to work.
Meanwhile, my personal container won't log me with my gmail/work account when I watch cat videos on youtube.
If I used facebook, I'd have a facebook-specific container. Just open a tab in it, and I'm logged in, but no cross-container tracking.
Also, history is retained, and all in one big pool (unlike having actual separate profiles).
Your browser (FF and Chrome, at least) only has a single private session, regardless of whether you have multiple windows in private mode or not.
I have a few questions.
1) “Facebook’s intrusion could have easily been blocked, but plaintiffs chose not to do so,”
This seems like a dangerous precedent. So if we can block surveillance attempts and we don't try, then it's our fault?
> “The fact that a user’s web browser automatically sends the same information to both parties does not establish that one party intercepted the user’s communication with the other,”
This makes no sense. Nothing happens "automatically", someone wrote the code for that to happen, in this case, Facebook.
But, at the end of the day it's just an embedded thing in a bunch of websites. I don't see anyone suing Google about AdSense. I mean I despise Facebook, but unless they're doing something more nefarious than getting a GET request on page load, then I'm not sure that I care enough. Get a blocker.
The most interesting thing to me about "Facebook's intrusion could have easily been blocked, but plaintiffs chose not to do so," is that it implies that users have a right to block tracking code.
If that isn't already enshrined in case law, hopefully it signals that we will not get laws passed requiring users to allow tracking, and the courts will hopefully invalidate terms and conditions requiring tracking.
Having lived through the rise of DMCA, I live in fear of an emboldened industry getting laws passed that make the use and distribution of blocking software illegal.
> Having lived through the rise of DMCA, I live in fear of an emboldened industry getting laws passed that make the use and distribution of blocking software illegal.
The day that happens I'm joining the dark side.
> The day that happens I'm joining the dark side.
Only if you make it past HR
Or past the firewall.
> Nothing happens "automatically"
Actually, the problem is [add: after the website is created, and tracking code is put there by someone] that it all happens automatically.
See, there is another perspective into this. Not exactly correct (I admit, there is some stretching and it's not all solid), but just the general idea...
The semi-forgotten term for the browser is user agent. Point is, it really should act on behalf of the user. It's an automation that should be programmed to do what the user wants it to do (browsing the web, displaying the pages, etc), sparing user of mundane choices and gory technical details.
If the agent is configured to willingly accept and execute arbitrary third-party instructions, and provide detailed information - and it can be configured differently - isn't the problem with the agent configuration? If you didn't want that GET request, why agent did it? And it's not that the agent was tricked (hacked) into doing so - all the APIs (cookies, XHR, etc) are well-documented. Sure, there is some shady stuff sometimes going on - like browser fingerprinting, but it's not the core issue.
Maybe we should actually start blaming browser vendors for shipping badly pre-configured software with the defaults that consciously and willingly trade privacy for "not breaking" the web?
Remove the automation and just imagine users themselves would somehow connect to the web, and the site would tell "hey, now go talk to Facebook server and do whatever they say" - and they do. (And this is what actually happens!) Surely, the tracking would be a non-issue.
> Maybe we should actually start blaming browser vendors for shipping badly pre-configured software with the defaults that consciously and willingly trade privacy for "not breaking" the web?
This.
The writing was on the wall when the conversation became about "balancing" the interests of users and huge content factories. And now web-DRM is a standard.
Fuck that; my computer, my rules.
I had a funny conversation recently with someone who was arguing that I was breaking etiquette, or perhaps an implied contract (it wasn't clear) by messing with cookies. He realized the absurdity about the time I asked if I was ethically obligated to back up and restore the cookies in case of drive failure, but people have some really odd notions about their right to control state on my machine.
In some ways I prefer the black-hat types; at least they're aware that they're working against my interests and don't become indignant when I point it out.
>The semi-forgotten term for the browser is user agent. Point is, it really should act on behalf of the user.
The user agent concept is long dead and buried. Modern web browser is more like a virtual OS, a platform for running arbitrary code loaded from the internet, a hosting environment for temporary lending computing power of user's device and its network access to whomever was able to lure the user to their website.
> This makes no sense. Nothing happens "automatically", someone wrote the code for that to happen, in this case, Facebook.
The website you are visiting has to deploy Facebook's code though. So the website owner has to allow it (assuming they know the implications of what they are doing).
> So the website owner has to allow it (assuming they know the implications of what they are doing).
You could assume it but it's not necessarily the same people who designed the web page that add those facebook "features". From my impression, more often than not you have some "social media marketing expert" that does this. And they do not give a rat's ass about any nefarious tracking and will continue to be blissfully ignorant about the users' privacy unless it becomes a corporate policy to care about those things.
The website owner still has the ultimate responsibility for what is served on their site.
If they employ some "social media marketing expert" who deploys tracking code, then that's still on them.
On the other hand, Facebook could design their social media widgets in a way that doesn't require the user to send a GET request to Facebook unless the user actively clicks to share.
Also known as a link. That's not Web 3.0 enough.
Most of these sites don't want you to navigate away from their page. They would rather you can share without leaving their site (i.e. a dialog pops up that allows you to create your Facebook "share" post, and submit it).
How do the courts rationalise privacy concerns of the less tech-savvy?
Do we assume everyone reasonably knows how to block surveillance attempts by Facebook/Google?
Shouldn't privacy be a default right, and that users can opt-in (to be tracked) with their expressed consent instead?
The opposite thinking is what led to the EU cookie warnings.
Users can easily block cookies themselves, but that is no excuse for the cookie intrusion, so every single website must display a pop-up warning that it uses cookies.
Imagine that: every single website you visit shows a pop-over or an extra top bar that you have to close. Every website.
That's the online life of the European netizen.
Yes, actually! You have no expectation of privacy with a postcard or a conversation in a public place, therefore they can be legally intercepted. This precedent predates the internet by decades.
Whether you take reasonable steps to make something private does influence the degree of legal protection it gets.
>This seems like a dangerous precedent. So if we can block surveillance attempts and we don't try, then it's our fault?
If I can save your life, but choose not to, it's your fault.
You're confusing "letting somebody being harmed because he/she doesn't protect his/herself" and "taking advantage of the fact that somebody is being harmed because he/she doesn't protect his/herself".
The article or the judge (not sure which) suggests using incognito mode. While this will keep browsing history private for a particular session, it's only effective locally. Tracking from the server is still possible either through being logged in or through browser fingerprinting, which is surprisingly accurate.
Here's a good demo which uses fingerprinting to show how ineffective incognito mode is: http://www.nothingprivate.ml/
How does a user defend against this, without resorting to a nuclear option like Tor?
html5 canvas blockers / browser fingerprinting blocker for the site linked
your browser is leaking a lot of data, from the plugins you have installed to the fonts & you need to take initiative to patch the holes
here's a website you may find useful: https://browserleaks.com/
The Brave browser has an anti-fingerprinting feature in Preferences -> Shields. It's not enabled by default because of the likelihood of breaking some sites.
It's past time for Firefox to include tor as its private browsing mode.
Maybe put it at a tier above private, "ghost" mode.
This BS has gone on too long
If you delete the Facebook cookie (i.e. are completely logged out including username), then click on a link in an email notification from Facebook, it will silently log you in again, restoring the cookie and web-wide tracking. This can be tested by pasting an email notification link to a new private browsing window.
If you use PrivacyBadger you don't have more facebook cookies on 3rd party websites, so they don't track you.
https://addons.mozilla.org/en-us/firefox/addon/privacy-badge...
https://chrome.google.com/webstore/detail/privacy-badger/pke...
also firefox "containers" now allow you to use a separate cookie set for different domains.
I used it a few weeks ago in test-pilot program, it was hard to use, difficult to open new tabs in container I wanted.
Yeah, it wasn't that helpful. In the last few weeks they made it so you can right click on a page once opened in a container and "always open in this container"
How do you login to Facebook when needed, if there is no cookie?
It only blocks third-party cookies, so you can login to Facebook. What it would block is Facebook tracking outside the Facebook domain. Another option is to use something like Self-destructing cookies, which would delete the Facebook cookie when you close the tab.
Edited comment to explain it affects 3rd party websites. Facebook works as usual and all content is the same.
Thanks for the pointer. Wish this worked on iOS, where the only option is to use a dedicated browser for accessing Facebook. Not sure how Brave deals with Facebook cookies on iOS.
Why can't you use firefox on iOS? All addons should work normally.
Apple does not allow browser extensions. Firefox (any non-Apple browser) on iOS is a wrapper around Mobile Safari.
So, they're spewing login credentials all throughout users' emails? How is their security team okay with this?
Do they require that it be from a previously used IP/user-agent or something?
Works with a VPN, so not linked to IP. URL includes email used for FB auth.
Edit: received FB email about "login from unknown device".
But that can easily be explained as a feature, not a bug.
Most other sites do not automatically transfer your username and password/token from (insecure) email to web. Most other sites require authentication for a fully-logged-out user.
That's not all. In NY state, they ruled that an artist can take pictures of you in your home through your windows:
https://fstoppers.com/photojournalistic/supreme-court-rules-...
And why not? It would forbid a lot of outdoor photography if I couldn't accidentally catch a photo of someone in their house. Google Street view would be gone.
There is actually a distinction between incidental photography and intentional.
Not necessarily, they would be forced to anonymize faces.
Like Google Street View already does.
I don't think they were forced. Google is based in the U.S. where it is legal to photograph people in public, yet Google still blurs the faces of those on sidewalks. That and things like license plates seems to me to be them preemptively trying to appease privacy concerns so that support to censor them legally doesn't form.
I believe the principle of the expectation of privacy forced them to blur the faces.
Not in the US at least. Expectation of privacy is an element of the test for determining whether a government search subject to the Fourth Amendment has occurred. As such, it only applies to government actors, not private parties like Google. And in any case, there is no reasonable expectation of privacy in a public place such as a road.
I beg to differ. For example in 12 US States you cannot record a telephone conversation without all party consent.
http://www.detectiveservices.com/2012/02/state-by-state-reco...
I don't see any problem with that.
It's not like people should have exclusivity over who has access to the photons that hit them...
This argument is not even wrong.
It's disingenuous because it reduced a social issue to that of particle physics. It's like me assaulting someone and saying "wow, they sure couldn't handle a collection of atoms exerting momentum on their face", or calling a tornado "some gusts of wind", or other ridiculous things.
Well if you don't want photos taken of you through your windows, then why do you even have windows in the first place?
Quitting facebook is not enough. I recommend blocking all via hosts file. https://github.com/jmdugan/blocklists/blob/master/corporatio...
Sometimes I think people need a little more "Black Mirror" to see how bad this is. One of the episodes has random people basically constantly looking at and filming a woman everywhere; certainly no less than what Facebook does every day, yet somehow it doesn't seem weird to anyone?
I can already tell Season 4 is gonna be awesome
Nice, if I don't lock my door, it's my fault they steal my things.
That is the insurance industry's standard. Which makes bump keys a bit more dangerous, since they don't leave the usual marks indicating your lock was picked. And if your door wasn't locked, the insurance industry won't pay out for losses.
> Nice, if I don't lock my door, it's my fault they steal my things.
In many, if not most European countries you can get a ticket for not protecting your vehicle. If you leave your car unlocked and someone steals it, it's your fault. The police have to investigate it etc., but they also give you a ticket, because if not for the thoughtlessness, they wouldn't have to do it.
> If you leave your car unlocked and someone steals it, it's your fault.
Getting a ticket for that does not mean the theft gets blamed solely on the owner so that the thief is not even considered committing a crime. It's just the owner may have violated a law, too. How about you a.) quote those laws, and even assuming you are correct in how you put it, show how b.) one instance of victim blaming would justify another. To me that's like drinking a second bottle of bleach because you already downed one. That runs so much counter to my own intuition I'm kind of intrigued.
Make today the day you delete your Facebook account. Do it! Opt-out of this panopticon as best you can.
Block as many ads as you can, in order to starve the beast.
I think EFF's privacy badger [0] can block this kind of tracking, depending on how sophisticated their tracking methods are.
EFF's approach often makes me feel they acquiesce that users should be the ones hiding from those corporations. Why are we making shields instead of them putting guns down?
Is it instead? Since Facebook and their ilk are surveilling us largely out of greed, surely making the work less profitable for them has some merit as a tool for counter? As is often the case, a true solution probably does need to be political, but a technical one is valuable as a band-aid until/unless that can be achieved.
Seems very similar to the original Facebook Beacon, which they were forced to take down.
>Australian internet security blogger Nik Cubrilovic first discovered that Facebook was apparently tracking users’ web browsing after they logged off in 2011
After reading that (in 2011) I decided to block all third-party cookies.
The other side is not stupid, there are far better ways to track users than cookies, and blocking them takes a lot of effort.
What better ways than cookies are there to track users? AFAIK, it's the most unique fingerprint you can get of a user. Everything else is probably going to be a lot less precise.
I think browser fingerprints are quite a reliable way of tracking.
Sure, 'quite reliable' beats 'unique' every time!
Unique becomes unreliable the moment users delete their cookies.
Which they of course do much more often than change one of the finicky parameters that constitute these unique fingerprints (which in reality tend to not be unique to begin with)
You can get unique through things other than cookies. Like abusing ETAGS/If-Modified-Since.
Your ISP adding a header containing your subscriber ID to every request.
Can you provide links? I only saw
http://www.balough.com/internet-service-provider-must-disclo... in the case of an RIAA suit
https://news.ycombinator.com/item?id=8500131
Not uncommon in mobile carriers.
Thanks, is this done for advertisement purposes (selling data)?
While on the topic of tracking, is there a plugin that lets you delete cookies using rules on a per domain basis? for example, cookies are useful for some sites, and others they are useful for certain periods of time, and thereafter it would be nice to get rid of them (and yet more sites shouldn't be able to leave cookies at all). I know there are some plugins that let you block all cookies, or manage them after the fact, but I want something rule based and automated
Self Destructing Cookies is basically this. You can whitelist domains to keep cookies.
vanilla cookies in Chrome allows quick cookie clearing (one click) and you can customize rules to save specific cookies. Self Destructing Cookies on FF is fantastic also.
I use this [1] -- it's great. I have it set to delete any cookies not on the whitelist 30 minutes after last set. That way I can log into a site that's not on the whitelist and do something and after I've stopped using for 30 mins I'm logged out and cookies deleted. However - it's not perfect. It doesn't delete local storage, local databases, or Flash™ storage. There is a nest of Chromium issues [2] needed to be resolved to make this work. It looks like the most recent related work was done Sep 2016 [3] so maybe there's some hope, even though the issues have been open for 5+ years. Of course I have the option of working on it myself but having looked at the 5-10 related issues I think it would take quite some time to develop an understanding of all the APIs.
[1] https://chrome.google.com/webstore/detail/vanilla-cookie-man...
[2] https://bugs.chromium.org/p/chromium/issues/detail?id=78093
[3] https://bugs.chromium.org/p/chromium/issues/detail?id=589586...
How is Facebook different from other advertising networks? All of them track you across the web, on any site that uses them. Why is FB a special case?
Does FB track by IP or cookie or both? I use different browsers for the more invasive tracking sites. For FB (which I use very sparingly these days to stay in touch with people I won't hear about in other circles) I currently use Safari. I log in and out and limit my use of that browser to FB and a handful of other sites.
Since Chrome is such a memory hog on Macs, my principal browsers are Opera and Brave, both of which work very well on my elderly MacBook Air.
I have no idea if my somewhat paranoid tracking avoidance is effective against FB though. I see that when I go to the log in page in safari that FB knows how many 'posts' I have stacked up to consume (the little Pavlov's dog red circle with a number in it). I'm assuming I'm being tracked despite being logged out...
Add Facebook to your hosts file per: https://github.com/erwinbierens/Facebook-Hosts/blob/master/f...
My general fix for web tracking cookies:
HTTP requests sent from my browser page when viewing Foo.com to Bar.com have no cookies. Javascript is available to create an explicit pop-up requesting permission to share your cookies with Bar.com.
When I go to Foo.com, my relationship is with Foo.com. I'm okay with being tracked by Foo.com when I'm on Foo.com, but if bar.com is going to track me then I want to be asked.
That said, Foo and Bar could still share information about me directly without going through my browser, but without the cookie feature it would be very hard for Foo and Bar to tell that their profiles on the person Pxtl are the same person.
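The policy proposed in the comment above (cross-site requests carry no cookies unless the user has approved that pair of sites), sketched as an added example that is not part of the original thread. The `siteOf` helper, the two-entry suffix set standing in for the Public Suffix List, and the sample jar and grants are assumptions constructed for illustration.

```javascript
// Added illustration, not code from the thread.
// Assumption: a tiny constructed stand-in for the real Public Suffix List.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Registrable domain ("site") of a hostname: www.foo.co.uk -> foo.co.uk.
function siteOf(hostname) {
  // IP literals have no registrable domain; treat the address as the site.
  if (/^[\d.]+$/.test(hostname) || hostname.startsWith("[")) return hostname;
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = TWO_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Decide which cookies accompany a request made while pageUrl is the
// top-level page. jar maps site -> cookie string; grants is a Set of
// "pageSite>targetSite" pairs the user has explicitly approved.
function cookiesForRequest(pageUrl, requestUrl, jar, grants) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const targetSite = siteOf(new URL(requestUrl).hostname);
  const stored = jar.get(targetSite) || "";
  if (pageSite === targetSite) {
    return { send: stored, reason: "first-party" };
  }
  if (grants.has(`${pageSite}>${targetSite}`)) {
    return { send: stored, reason: "user-granted" };
  }
  // Default for every other cross-site request: no cookies at all.
  return { send: "", reason: "cross-site-blocked" };
}

// Constructed sample data: two cookie jars and one approved site pair.
const jar = new Map([["foo.com", "session=foo123"], ["bar.com", "uid=bar456"]]);
const grants = new Set(["news.co.uk>bar.com"]);

function demo() {
  return [
    cookiesForRequest("https://www.foo.com/a", "https://static.foo.com/x.js", jar, grants),
    cookiesForRequest("https://www.foo.com/a", "https://bar.com/like.js", jar, grants),
    cookiesForRequest("https://www.news.co.uk/", "https://widgets.bar.com/like.js", jar, grants),
    cookiesForRequest("https://bar.com/home", "https://bar.com/api", jar, grants),
  ];
}
console.log(demo());
```

The grant is keyed on the pair of sites, so approving Bar.com on one page does not let it read its cookie from every other page that embeds it.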
Clearly Facebook "can". The judge ruled that they "may".
That is why media struggles making money--it gives its audience for free to Facebook and Google with all that "free" share buttons and analytics. Why would an advertiser pay to a brand name media outlet money for displaying an ad if it could buy exactly this audience on Facebook or via Google much cheaper?
Media did it to itself--it just gave away its audience for free. No wonder it can't make enough money via advertising.
I wish someone would build hardware that protected against this. A router for example that filtered all outbound traffic and blocked specific routes and packets destined for tracking.
Yes, you could do that all on the computer itself, no need to run it on the router. I guess the benefit of having it all on a router is that it would be a plug and play solution for the privacy conscious but technically limited individual.
Pi-hole (https://pi-hole.net/) does something like this. It's not plug'n'play though.
I usually stick with Safari as my browser, but Privacy Badger isn't available for it, so I use "Facebook Disconnect." Does anyone know how well it really works? (I don't have an account, and I don't want them tracking my activity for my old profile.) I'm surprised I haven't grep'ed anything about this extension in the discussion thus far, which makes me nervous.
Wouldn't something like Pi-Hole be a good network-wide way to manage this tracking? I know plugins are convenient but they all have to intercept and modify css/etc coming in on the fly which can lead to slower page loads. Plus I'd imagine some of those plugins will allow certain domains through regardless?
Or are the sneakier ways sites track users something that can get by the OOTB settings?
I don't even know what their logout button does. It puts me on the login page with my profile pic, and it displays the number of notifications I've received while logged out. There is a 'remove account' X overlay placed on the top left corner. I usually click it and hope it does something.
If the judge had ruled the other way, would that have been equivalent to ruling that all tracking is illegal?
It is interesting that the court was arguing that there are protection measures the plaintiff can take. Makes one wonder what the legal situation is for the folks that are circumventing the default browser protection mechanisms.
that awkward moment when the article itself has Facebook sharing buttons
Proper English should have been: "Facebook may track your browsing even after...".
The judge can rule about lawfulness, otherwise it looks like they are an investigative reporter that just found out about the technical capability to track users in such a way.
Oh, thanks, now I finally understand the title. Should be "may" or "It's legal to..." indeed.
Was confused about the headline as well, made it seem like this was uncovered by the judge during the course of some trial.
Interesting. For me, it's normal and understandable to use "can" to mean "is allowed to". I certainly know and understand the word "may", and I've heard it's technically more correct, but it feels a little antiquated or overly-formal, so I tend to not use it in conversation but might use it in writing.
One source that "can" is ok here: https://en.oxforddictionaries.com/usage/can-or-may
I didn't realize that this use of "can" is something that would cause confusion. Maybe there's a regional difference? I'm from the western United States.
I tried s/can/may/ above but it sounds archaic to my ear. It may be proper English but if it's fallen out of common usage, putting it up would be distracting too.
Not a surprise.
Facebook is a company, a superfluous one even, no need is forcing you to use it and there is no need for it. Don't like it, don't use it. Don't like tracking, configure your browser accordingly and get a blocker. It's easy and free.
You can't block if you don't know it happens (or that it even can happen), which is the case for most people. Very few people understand the concept of third-party tracking - nor should they have to.