
Dear Facebook: Stop cross site tracking by default - eternalny1
https://foundation.mozilla.org/en/campaigns/facebook-update/
======
dessant
We can only laud Mozilla for calling out Facebook over tracking, though I'm
always left with the impression that the pervasive tracking Google engages in
is a blind spot for Mozilla, at least in public statements.

One of the most unavoidable tracking services is reCAPTCHA, and the latest
version works best when it is embedded in every page of a site. reCAPTCHA v3
collects sensitive personal data, such as mouse movements (which may reveal
health issues), it maps how you interact with content, and your browsing
history can be reconstructed from the pages you visit. Think of it as Google
Analytics, but one from which you cannot opt out, because that means you're
denied service on the respective site.

Given reCAPTCHA's popularity, this is effectively an inescapable data
harvesting operation, since it uses Google's company-wide privacy policy,
which gives them the right to use your data for ad personalization.

The turning point for Mozilla would be to call _this_ out, and stand up
against personal data collection for which consent cannot be freely given.

------
jelv
Dear Mozilla, don't route all our dns request to Cloudflare. We don't need
more centralisation like Facebook, but decentralisation like Mastodon.

~~~
boardwaalk
Isn't this an option you have to turn on manually?

~~~
MikusR
It's an option you have to turn off manually

~~~
fittslickare
Since when?

~~~
MikusR
September

~~~
c0nducktr
Just checked on a brand new profile for the release AND nightly channels, and
neither have dns-over-https on by default.

------
zamalek
Mozilla are absolutely correct to ask for this. Luckily the Facebook Container
keeps Facebook out of my browsing habits.

At the same time Facebook doesn't really give a fuck what Mozilla, you, or the
EU, have to say. Maybe Mozilla is attempting to raise awareness with this
petition, instead of getting Facebook to stop.

------
dareobasanjo
Really weird to see this posted on a site that uses Google Analytics. I
performed a quick search and couldn't find a similar post from Mozilla
complaining that people can't opt-out from Google Analytics. I guess the >
$500M/year Mozilla gets from Google buys a bunch of selective outrage.

------
worg
Dear Mozilla: stop sending to google a unique ID for my browser on first
launch

edit: grammar

~~~
w0land
Genuinely worried, can you explain more? How does it work? HTTP headers i
don't think as i check them for work often. I'm all ears, thanks.

~~~
worg
This[0] thread should be enlightening. Also discussed here[1]

[0]:
[https://mobile.twitter.com/jonathansampson/status/1165858896...](https://mobile.twitter.com/jonathansampson/status/1165858896176660480?lang=en)

[1]:
[https://news.ycombinator.com/item?id=20794937](https://news.ycombinator.com/item?id=20794937)

------
rsweeney21
I support this, but not enough to give my name and email to Mozilla to sign a
petition. Am I being paranoid?

~~~
fittslickare
Yea. Mozilla is one of the very few good girls around, and your name connected
to your email is probably in every public email dump already like everybody
else's.

Edit: I changed my mind. Why is this page infected with google analytics?

------
MikusR
Dear Mozilla stop including unblockable Google analytics in your browser.

~~~
fittslickare
Please explain what you mean.

~~~
MikusR
[https://news.ycombinator.com/item?id=14753546](https://news.ycombinator.com/item?id=14753546)

------
generalpass
> You might have seen a Facebook ‘like’ button on websites outside of
> Facebook.

Why not address this to webmasters?

~~~
mthoms
Because it exists to raise awareness about FB's practices among the general
public.

~~~
generalpass
Why not raise awareness about webmaster practices among the general public?

------
jerome-jh
Log on Google/Facebook/whatever in a private tab, surf in a normal window
(with an adblocker): problem solved.

Alternative: log on in Chrome, surf with Firefox or the other way around.

------
dwheeler
It is quite possible to responsibly implement Facebook "like" buttons on your
own pages without violating your users' privacy. I wish more people would do
it. I suspect that including Facebook like Pages the way Facebook wants you to
do it could be considered a gdpr violation, if it were interpreted that way
perhaps people would actually fix it.

On the CII best practices badge site, we implement responsible links. As
explained in our security assurance case, "We do have links to social media
sites (e.g., from the home page), but we do this in a privacy-respecting
manner. It would be easy to use techniques like embedding images from external
(third party) social media sites, but we intentionally do not do that, because
that would expose to an external unrelated site what our users are doing
without their knowledge. We instead use the approach described in "Responsible
Social Share Links" by Jonathan Suh (March 26, 2015), specifically using share
URLs. In this approach, if a user does not press the link, the social media
site never receives any information. Instead, a social media site only
receives information when the user takes a direct action to request it (e.g.,
a click), and that site only receives information from the specific user who
requested it."

Source: [https://github.com/coreinfrastructure/best-practices-
badge/b...](https://github.com/coreinfrastructure/best-practices-
badge/blob/master/doc/security.md)

Suh's page: [https://jonsuh.com/blog/social-share-links/#use-share-
urls](https://jonsuh.com/blog/social-share-links/#use-share-urls)

I don't mind people sharing information on Facebook, as long as they choose to
do so. If they chose to do it, that's fantastic. What bothers me is Facebook
being able to track people without their consent.

~~~
8ytecoder
It's been a while but I remember going out of the way to strip all the JS
surrounding both Like and Share buttons for Facebook. It was trivial to
implement at the time. I did it because I didn't like being tracked and didn't
want to inflict that on the users either. However, I had to fight for it. PM
wanted the share count & page like count to show up. That can't be done
without FB JS code.

There's also the advertising trackers that track every aspect of your
website's users. These are usually added as is and for a variety of reasons -
measure conversion, tag a user as converted to not show them ads anymore,
retargeting...etc. Good luck convincing your marketing team to not add any of
these trackers.

~~~
dwheeler
I did not have that problem, but I'm sure others do. I think the long-term
solution is to make it clear that that is a gdpr violation, there is no reason
that an unrelated third-party should get that information. Once people start
getting serious fines, the bad behavior is more likely to stop.

