Facebook admits it does track non-users, for their own good

Facebook's apology-and-explanation machine grinds on, with The Social Network™ posting detail on one of its most controversial activities – how it tracks people who don't use Facebook. The company explained that the post is a partial response to questions CEO Mark Zuckerberg was unable to answer during his senate and …

  1. Anonymous Coward

    Big Hoodie

    is watching you.

  2. big_D Silver badge

    Re: Big Hoodie

    That's why all Facebook domains are 0.0.0.0 in my hosts file...

  3. phuzz Silver badge

    Re: Big Hoodie

    Now all you have to do is make sure that any of your friends who do use facebook don't have your phone number or email address, and that they never share a photo of you. Oh, and that you don't use any other service that integrates with facebook, and just hope that you blacklisted all their domains and didn't miss any like tfbnw.net or m.me.

  4. The Man Who Fell To Earth Silver badge
    FAIL

    Surveillance Capitalism

    There's a reason Facebook & Google's business models are known in economic circles as "Surveillance Capitalism". Ironically, the best way to learn about Surveillance Capitalism is to Google it.

  5. Anonymous Coward

    Re: Big Hoodie

    0.0.0.0? Does that mean Facebook is listening on all interfaces?

  6. big_D Silver badge

    Re: Big Hoodie

    In the Internet Protocol Version 4, the address 0.0.0.0 is a non-routable meta-address used to designate an invalid, unknown or non-applicable target.

  7. terrythetech
    Big Brother

    Re: Surveillance Capitalism

    Or use a different search engine. But in case you can't be a**ed.

    https://en.wikipedia.org/wiki/Surveillance_capitalism

    Google isn't the best way to do anything IMO

  8. Ian Michael Gumby Silver badge
    Boffin

    Cue the lawyers ... Re: Big Hoodie

    Depending on the site's ToS, the fact that FB is monitoring and tracking non FB subscribers may be a violation of the ToS and agreement w Facebook.

    Again this shouldn't be a surprise and why many w NoScript block FB scripts.

    Of course not all browsers work w script blockers and addons.

    This could be a major Class Action lawsuit against FB since none of those who were tracked gave permission for FB to track them.

    Again, let's ask El Reg why they run Google's Analytics given that in today's world, it's very easy for a competent admin to write their own tracking javascript. Note: While not FB, it's an example of a major corporation spying on you without your knowledge or approval. It is also one way that FB, Google and others can spy on you and track you without the use of cookies.

  9. big_D Silver badge

    Re: Surveillance Capitalism

    Interestingly, my wife came to me this evening and asked how she could remove "Google" from her smartphone...

    She now uses DuckDuckGo and Firefox with tracking protection turned on. Unfortunately, you can only do so much to shun Google and Facebook from your life.

    With NoScript, for example, most Google subdomains, like analytics, are blocked.

  10. GIRZiM

    Re: With NoScript, for example, most Google subdomains, like analytics, are blocked.

    They're not actually. They get loaded, they're just not allowed to run. So the fact that they get loaded allows tracking to happen. If you want to prevent them from getting loaded, you need uMatrix - which blocks them at the domain.

    You also want to use something like uBlock Origin for ads or (my personal choice) AdNauseam.

    Add in Decentraleyes to deal with resources and CanvasBlocker to limit fingerprinting. LocationGuard can muddy the waters on occasion (just don't expect all sites to refrain from querying your IP).

  11. Dacarlo

    Re: Surveillance Capitalism

    Or duckduckgo it?

  12. big_D Silver badge

    Re: With NoScript, for example, most Google subdomains, like analytics, are blocked.

    Thanks for the pointer to Decentraleyes and CanvasBlocker.

    And yes, I realise that NoScript doesn't completely block analytics, but for me at least, it had more to do with not allowing scripts from third parties at the beginning. But as time goes by, I'm starting to rethink everything else.

  13. Anonymous Coward

    Re: Big Hoodie

    Or just don't associate with cretins that use Facebook?

  14. GIRZiM

    Re: With NoScript, for example, most Google subdomains, like analytics, are blocked.

    Thanks for the pointer to Decentraleyes and CanvasBlocker.

    If they ever make a return to FF Quantum, I'd also recommend Random Agent Spoofer, Google Disconnect/Twitter Disconnect and Calomel SSL Validation (possibly WorldIP as well).

    And yes, I realise that NoScript doesn't completely block analytics, but for me at least, it had more to do with not allowing scripts from third parties at the beginning. But as time goes by, I'm starting to rethink everything else.

    I only recently discovered the difference between the two thanks to NoScript not being available on FFQ and my having used uMatrix in Comodo's 'Dragon' browser for years in lieu of NoScript. So, I added UMatrix to FFQ rather than go without a blocker. Then I was reading something recently that explained how the two work and thought "Really? That's interesting.".

    I've re-added NoScript in the interim and use both now. Which is really annoying and often makes me want to hurl the computer out of the window if not hunt down the website designer(s) and do some very painful things to them for a very long time, get plastic surgery, a new identity, move to Peru, become a cocoa bean farmer and never use the Web again.

    It has been very informative, however.

    With just uMatrix enabled, if I go to Youtube and want to watch something, I need to authorise the *-aigd.googlevid XHR objects and nothing else.

    For one video, for instance, that was 23 objects out of a total of 146, including one cookie from www.youtube.com specifically (another ten from <somewhere>.youtube.com.), two stylesheets from www.youtube.com … (another two from fonts.gstatic.com.), thirteen objects from unspecified external sources that redirector.google.com will load, twenty unspecified ‘other’ things from www.google.com and all the other things I’m not going to bore us with by listing them here but 58 of which are cross-hosted.

    Meaning a minimum of 84% of the items coming with it serve you no purpose whatsoever if all you want to do is watch the video. 84% (123 objects) are there for someone else’s benefit, not yours. I wonder what benefit they get from them … because they don’t display the video or let me control it in any way - that’s what at least some of the other 23 do. Those 23 also appear to enable the autoplay feature … because it still works if you don’t load anything else. At most twenty-three of them are necessary to watch the video, so what are the other thirty-five doing exactly - and why?

    So then, when it became available again, I added NoScript, because 23 unidentified XHR objects that seemingly do an awful lot more than I anticipated is a bit concerning - NoScript might identify them for me once they make it to the browser and I can be even choosier about what I authorise.

    And what I discovered was that there's an awful lot of youtube.com functionality hidden behind those 23 objects. If I go to youtube.com with just uMatrix, I see an awful lot of stuff load into my browser to give me a basic outline of the site. With NoScript running as well, I see virtually nothing at all and until I authorise the youtube.com and ytimg.com scripts in NoScript and scripts from s.ytimg.com in uMatrix that's how it will remain.

    So those 23 XHR objects seem to include scripts as well as video and other (control) elements - which, of course, isn't declared explicitly in uMatrix because it just lists them as XHR objects.

    It's interesting to see how many sites make use of google analytics too. I saw a recommendation for three new privacy orientated social networking solutions that referred to google analytics objects - I'm sure you can imagine how I laughed!

  15. big_D Silver badge

    Re: With NoScript, for example, most Google subdomains, like analytics, are blocked.

    Yeah, I always used Calomel and really miss it.

  16. Anonymous Coward

    Re: Big Hoodie

    It's also used to indicate a connection listening on any IP, and in a joke about the pervasiveness of Facebook and their surveillance regime. Reach up a bit and you might catch it flying over your head.

  17. IGnatius T Foobar

    Re: Big Hoodie

    Yup. Blocking all of their domains at the network level is really the best way to make sure your computer isn't infected by the Facebook cancer. As long as you don't share a network with f*c*book users, it's best to block them at the router if you can.

    Another alternative is to install a f*c*book blocking extension in your browser.

  18. JWLong

    Re: Big Hoodie

    Re: Big Hoodie

    That's why all Facebook domains are 0.0.0.0 in my hosts file...

    You might want to add this to your hostfile, FarceBook is all over IPv6.............

    ::1 localhost #[IPv6]
    ::1 facebook.com
    ::1 www.facebook.com
    ::1 login.facebook.com
    ::1 www.login.facebook.com
    ::1 fbcdn.net
    ::1 www.fbcdn.net
    ::1 fbcdn.com
    ::1 www.fbcdn.com
    ::1 static.ak.fbcdn.net
    ::1 static.ak.connect.facebook.com
    ::1 connect.facebook.net
    ::1 www.connect.facebook.net
    ::1 apps.facebook.com
    ::1 edge-star6-shv-02-ams2.facebook.com
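
An added example, not part of JWLong's post or of the thread: a small Python audit of the hosts-file approach discussed in the comments above, reporting which names are sinkholed for IPv4 (0.0.0.0), for IPv6 (:: or ::1), for both, or not at all. The sample hosts text and the function names are constructed for illustration; the domain names are ones mentioned in the comments.

```python
import ipaddress

# Constructed sample hosts file (not anyone's real file): IPv4 sinkhole
# entries in the style described in the thread, plus two IPv6 entries.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
::1         localhost
0.0.0.0     facebook.com www.facebook.com
0.0.0.0     connect.facebook.net   # social plugin host
::1         facebook.com
::          www.facebook.com
"""

# Names taken from the comments; hosts files match exact names only,
# so every subdomain needs its own entry.
WANTED = ["facebook.com", "www.facebook.com", "connect.facebook.net",
          "tfbnw.net", "m.me"]


def parse_hosts(text):
    """Return {hostname: {"v4": bool, "v6": bool}} for sinkholed names."""
    blocked = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line, skip it
        # Only unspecified (0.0.0.0, ::) or loopback targets count as a block.
        if not (addr.is_unspecified or addr.is_loopback):
            continue
        family = "v4" if addr.version == 4 else "v6"
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name == "localhost":
                continue                      # the normal loopback mapping
            blocked.setdefault(name, {"v4": False, "v6": False})[family] = True
    return blocked


def audit(text, wanted):
    """Classify each wanted name as both / ipv4-only / ipv6-only / missing."""
    blocked = parse_hosts(text)
    report = {}
    for name in wanted:
        entry = blocked.get(name.lower())
        if entry is None:
            report[name] = "missing"
        elif entry["v4"] and entry["v6"]:
            report[name] = "both"
        elif entry["v4"]:
            report[name] = "ipv4-only"
        else:
            report[name] = "ipv6-only"
    return report


if __name__ == "__main__":
    for name, status in audit(SAMPLE_HOSTS, WANTED).items():
        print(f"{status:10} {name}")
```

Pass the text of a real hosts file to `audit()` to find names that are covered for only one address family or were missed entirely.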

  19. ROC

    Re: Cue the lawyers ... Big Hoodie

    For that matter why does this article (and probably all other El Reg articles) have a FB icon at the bottom (aside from the actual www.facebook.com link at the farthest bottom) with this property?

    https://www.theregister.co.uk/design_picker/c00f80f04b0eaf0123d821f6c9488fc1cb55fd0a/graphics/icon/facebook.svg

    Kinda looks like it tracks something of interest to FB...

  20. ROC

    Re: With NoScript, for example, most Google subdomains, like analytics, are blocked.

    Even more fun is seeing how waiting for any of those extraneous objects to download delays the entire page (slow connection, or simply lack of server response) - then multiply it by however many of them there are that delay the page in turn (if not in parallel)!

  21. Tree
    FAIL

    Re: Surveillance Capitalism

    To prevent tracking by FaceBUTT, Gurgle, etc., I use Remove This Permanently add-on to remove their "bugs" (the little f, p or g). If one of these appears on a site you visit, word will be sent to one of those companies saying that you landed on that page. This applies to you even if you never agree to anything. They are so sweet. They even know if you looked at a toilet, without clicking on anything. BTW, my browser is Pale Moon.

  22. Voland's right hand Silver badge

    When non-Facebook sites add a “Like” button (a social plugin, in Baser's terminology), visitors to those sites are tracked: Facebook gets their IP address, browser and OS fingerprint, and visited site.

    Not if Facebook is in the noscript kill list and that is one damn good reason for it to be.

  23. sabroni Silver badge

    It's a great solution, provided you don't mind the rigmarole of whitelisting a bunch of sites every time you visit somewhere new...

    Non-Facebook users shouldn't have to do anything at all to avoid being tracked.

    Who's going to cause a fuss about this if the people who understand the issues just use a plug in and leave everyone else to be spied on?

  24. Pascal Monett Silver badge

    Re: "the rigmarole of whitelisting a bunch of sites every time you visit somewhere new"

    I don't need to, because the sites that have not been whitelisted by now are not going to be if I go to a new page and they are required.

    My NoScript is set exactly how I like it, with the sites I know and trust whitelisted, and everything else consigned to oblivion.

    That is how I surf in peace. If a website cannot work with my settings, it is not a website I wish to linger on.

    That said, I agree with you that I shouldn't have to do anything to not be tracked, but hey, this is the Internet. Anyone can do what they want, and most do exactly that.

  25. big_D Silver badge

    Not just NoScript, I use that as well, but if you don't allow scripts, they can still bung cookies and images at you.

    I route all Facebook domains (about 1500 of them) to 0.0.0.0 in hosts.

  26. bombastic bob Silver badge
    Devil

    "if the people who understand the issues just use a plug in and leave everyone else to be spied on"

    well, activism and politics aside, it helps at least to spread the word about taking up a defensible position online...

  27. Peter2 Silver badge

    Who's going to cause a fuss about this if the people who understand the issues just use a plug in and leave everyone else to be spied on?

    The people who understand the issues generally don't particularly want the hassle and timedrain of creating a political movement to protest against a company doing something that can be blocked by configuring your own software.

  28. Mark 85 Silver badge

    I route all Facebook domains (about 1500 of them) to 0.0.0.0 in hosts.

    Which works well until one goes to Win10. Then... not so much since HOSTS is ignored.

  29. JohnFen Silver badge

    Well, in all fairness, if you're the sort who is concerned about privacy and avoiding being spied on, then you should absolutely not be using Win 10 on any machine that has internet access.

  30. This post has been deleted by its author

  31. GIRZiM

    Re: they can still bung cookies and images at you.

    They can do that whatever you do: remember how much the EU legislation made? That's right, there's now just an annoying popup telling you that they've set cookies whether you like it or not and, no, you don't get to opt out, you just get to click the 'x' to make the popup go away.

    The best one I used to use was Cookie Monster but that's gone the way of the dodo. Now the best solution I've found is uMatrix - although I couldn't say it were as effective as CM was.

    I could do with a copy of your hosts file!

  32. GIRZiM

    Well, in all fairness, if you're the sort who is concerned about privacy and avoiding being spied on, then you should absolutely not be using Win 10 on any machine that has internet access.

    There, FTFY ; D

  33. JWLong

    Re: they can still bung cookies and images at you.

    "I could do with a copy of your hosts file"

    http://winhelp2002.mvps.org/hosts.htm

  34. ashton

    umatrix

  35. Anonymous Coward
    Thumb Up

    For maximum effect, block everything by default because there's so much crap out there, and not just Facebook. I also block 1st-party JS & cookies because it's gotten even more annoying than it was in 1999.

    Instructions for (paranoid) umatrix noobs: Click umatrix icon, click blue box at top left, select "*". On the "all" line, css & images are green; click them off (should be pink). On "1st-party" line, click bottom half of cookies & scripts (should be red). Click lock icon to save settings.

    Caveat: every time you visit a crap website, you have to open umatrix and figure out what to allow to make the site work. If that's too time consuming, ask yourself: why am I wasting my time surfing this Web of Shit?

  36. JohnFen Silver badge

    "ask yourself: why am I wasting my time surfing this Web of Shit?"

    This. I use NoScript rather than uMatrix, but the same principle applies. If I visit a site that doesn't work with my settings, and there isn't an extreme need to access that particular site, I just move on.

    It's the safest and easiest way of handling it, and really, I lose nothing in doing so.

  37. GIRZiM

    I use NoScript rather than uMatrix

    Use both - see my reply above.

    Don't forget to use uBlock Origin or AdNauseam as well!

  38. JohnFen Silver badge

    For my purposes, uBlock does nothing that I need that NoScript doesn't do, so there's no point in running both.

  39. GIRZiM

    >For my purposes, uBlock does nothing that I need that NoScript doesn't do, so there's no point in running both.

    uMatrix stops them loading from the domain, NoScript simply prevents them from running.

    This means that the server can note which scripts are loaded into your browser using an "if this browser and version and this and that or the other" and then record that "I know this about you".

    So, if you're hoping that NoScript will prevent more than the excesses attendant upon running the script(s) think again. It won't, it'll only prevent the final 'payload'. In the background, however, the fact that those scripts were ever even requested is giving away an awful lot about you that you can't prevent with NoScript, only with uMatrix.

    Conversely, when you load the 23 objects hiding behind an 'XHR' or 'other' label, you have no idea what they are and are giving them carte blanche to do stuff without even knowing what class of object they are - NoScript will, however, prevent any loaded scripts from running.

    If your use case only requires that loaded scripts be prevented from running and any extra script-like functionality resulting from clever CSS manipulation is of no concern, then fine, NoScript is all you need.

    If, however, you wish not to be tracked or compromised in any other way, you need to be making use of a lot more than simply both but, at the very least you need to be using uMatrix to block stuff at source, including cookies, CSS, images, media, scripts, XHR and 'other' objects before they even reach your browser - otherwise, you might as well not even bother with NoScript either.

  40. JohnFen Silver badge

    "uMatrix stops them loading from the domain"

    I actually use firewalls to stop that -- all traffic, incoming and outgoing, is blocked by default. I have to whitelist sites I want to communicate with. I rely on NoScript to manage scripts (as well as prevent other common nastiness) coming from sites that I've whitelisted.

    NoScript (and firewalls, for that matter) is just one part of a much more comprehensive defense plan. I rely as little as possible on browser-based defenses because they only help when dealing with the web, but my use of the internet is more expansive than just browsing the web. Also, keeping most of your defenses in one place, such as your browser, is a security weakness itself. It's a single point of failure -- should the browser be subverted, all of those defenses are gone at once.

  41. GIRZiM

    Good points but they rely upon:

    1. your being the only one who makes use of your system(s) and being able to rule out Failbook activity.

    2. your never needing to access the 'net from anywhere else - which is when a liveDVD (at a pinch USBkey) with a linux install comes in handy (along with a second one running portable Windows apps, for when rebooting the system isn't an option).

    I take the point about single point of failure but that's why I don't use the 'net for anything but browser based activity (okay, OS updates too, but what you gonna do?) - the less I do and the more I limit access to a single vector, the smaller the attack surface and the more secure the system is.

    I too have a firewall and (on Windows at least) it's not only Transport Layer but also Application Layer enabled; on top of which (it being Windows and all) HIPS, sandboxing, etc. - there's no point blocking everything outside the perimeter only to get stabbed in the back by one of my own apps.

    But for your specific use case, yes, NoScript would seem sufficient; just bear the others in mind in case your circumstances should change (especially should it not be a matter of choice) - I recommend the belt and braces approach (it can't hurt).

  42. JohnFen Silver badge

    "your being the only one who makes use of your system(s) and being able to rule out Failbook activity."

    My firewall blocks all access to FB servers, so there's no risk there. I provide "red zone" internet access that is separated from my network for visitors who don't like my restrictions.

    "your never needing to access the 'net from anywhere else"

    When I access the net from somewhere else, I use a VPN that connects to my LAN, so all of my protections stay in place. I haven't needed to use someone else's machine for internet access (my smartphone does just fine, particularly when I connect a keyboard and mouse to it), but I also carry a bootable USB stick as backup should I ever need to.

    "that's why I don't use the 'net for anything but browser based activity"

    Fair enough, but for me, that would eliminate about 75% of the usefulness of the internet. If I had to be browser-only, I may as well just stop using the internet.

    "I recommend the belt and braces approach (it can't hurt)."

    I agree. I don't consider security a "once and done" sort of thing. Threats change over time, and so security postures must as well.

  43. seven of five

    to say it with that nice song from the South Park movie

    Shut your *beep*ing face, Uncle *beep*a

    You're a *beep* sucking, *beep* licking Uncle *beep*a

    You're an Uncle *beep*a, yes, it's true

    Nobody *beep*s uncles quite like you

    no script all the way, it really _is_ worth the inconvenience.

  44. malle-herbert Silver badge
    Joke

    Re: to say it with that nice song from the South Park movie

    You mean :

    Mark Zuckerberg is a b*tch...

    He's a big fat b*tch...

    He's the biggest b*tch in the whole wide world...

    B*tch b*tch b*tch b*tch b*tch b*tch....

    He's a stupid B*******tch....

    Lalalala....lalalala....

  45. Horridbloke

    Re: to say it with that nice song from the South Park movie

    Blame Zuckerberg!

    Blame Zuckerberg!

    He's not even a proper person anyway...

  46. Teiwaz Silver badge

    Re: to say it with that nice song from the South Park movie

    Blame Zuckerberg!

    Blame Zuckerberg!

    He's not even a proper person anyway...

    I think he's the reincarnation of the Emperor Caligula....

    well, the commonly used side portrait shot reminds me of John Hurt from I Claudius.

    Not the recent ones of him looking both uncomfortable in a suit and in the company of old people.

  47. phuzz Silver badge
    IT Angle

    Re: to say it with that nice song from the South Park movie

    You can say 'fuck' and 'bitch' on elReg if you like.

    Just not B*lgium, you filthy fucks.

  48. eldakka Silver badge

    Re: to say it with that nice song from the South Park movie

    And for those of us who hate censorship, even self-censorship, let me help you out:

    Shut your fucking face, Uncle fucka

    You're a fucking sucking, ass licking Uncle fucka

    You're an Uncle fucka, yes, it's true

    Nobody fucks uncles quite like you

  49. Santa from Exeter

    Re: to say it with that nice song from the South Park movie

    Okay, so not South Park but I liked this one -

    http://www.geekculture.com/joyoftech/joyarchives/2505c.html

  50. Anonymous Coward

    Re: to say it with that nice song from the South Park movie

    Come on.. Caligula went down in history for like, stuff - Zucker Fucker's gonna be forgotten in 20 years


Biting the hand that feeds IT © 1998–2018