
Facebook can track your browsing even after you've logged out, judge says - mattcoles
https://www.theguardian.com/technology/2017/jul/03/facebook-track-browsing-history-california-lawsuit
======
m_eiman
Firefox has a pretty neat feature I discovered recently:

[https://wiki.mozilla.org/Security/Contextual_Identity_Projec...](https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers)

It lets you run multiple sessions in one window, where each tab belongs to a
specific session with separated cookies and such.

I've got a bunch of tabs where I'm logged in to Facebook, another set where
I'm logged in to Google and the rest of them where I'm not logged in to
either. Of course they can still use IP matching to track me, but at least
it's something...

~~~
benevol
Wouldn't opening several "Private Windows" achieve the same situation? What
are the differences?

~~~
xz0r
Several private windows share the cookies. Try logging into a website in a
private window and open that website in another private window and you will be
logged in.

~~~
4ad
In Chrome. Not in Safari.

~~~
xz0r
Whoa. Never knew this. I would happily switch to Safari, if only it had those
amazing extensions that I have in my Chrome.

------
libeclipse
I have a few questions.

1) “Facebook’s intrusion could have easily been blocked, but plaintiffs chose
not to do so,”

This seems like a dangerous precedent. So if we can block surveillance
attempts and we don't try, then it's our fault?

> “The fact that a user’s web browser automatically sends the same information
> to both parties does not establish that one party intercepted the user’s
> communication with the other,”

This makes no sense. Nothing happens "automatically", someone wrote the code
for that to happen, in this case, Facebook.

But, at the end of the day it's just an embedded thing in a bunch of websites.
I don't see anyone suing Google about AdSense. I mean I despise Facebook, but
unless they're doing something more nefarious than getting a GET request on
page load, then I'm not sure that I care enough. Get a blocker.

~~~
drdaeman
> Nothing happens "automatically"

Actually, the problem is [add: after the website is created, and tracking code
is put there by someone] that it all happens automatically.

See, there is another perspective into this. Not exactly correct (I admit,
there _is_ some stretching and it's not all solid), but just the general
idea...

The semi-forgotten term for the browser is _user agent_. Point is, it really
should act on behalf of the user. It's an _automation_ that should be
programmed to do what _the user_ wants it to do (browsing the web, displaying
the pages, etc), sparing the user mundane choices and gory technical details.

If the agent is configured to willingly accept and execute arbitrary third-
party instructions, and provide detailed information - and it can be
configured differently - isn't the problem with the agent configuration? If
you didn't want that GET request, why did the agent do it? And it's not that the
agent was tricked (hacked) into doing so - all the APIs (cookies, XHR, etc)
are well-documented. Sure, there is some shady stuff sometimes going on - like
browser fingerprinting, but it's not the core issue.

Maybe we should actually start blaming browser vendors for shipping badly pre-
configured software with the defaults that consciously and willingly trade
privacy for "not breaking" the web?

Remove the automation and just imagine users themselves would somehow connect
to the web, and the site would tell "hey, now go talk to Facebook server and
do whatever they say" - and they do. (And this is what actually happens!)
Surely, the tracking would be a non-issue.

~~~
_jal
> Maybe we should actually start blaming browser vendors for shipping badly
> pre-configured software with the defaults that consciously and willingly
> trade privacy for "not breaking" the web?

This.

The writing was on the wall when the conversation became about "balancing" the
interests of users and huge content factories. And now web-DRM is a standard.

Fuck that; my computer, my rules.

I had a funny conversation recently with someone who was arguing that I was
breaking etiquette, or perhaps an implied contract (it wasn't clear) by
messing with cookies. He realized the absurdity about the time I asked if I
was ethically obligated to back up and restore the cookies in case of drive
failure, but people have some really odd notions about their right to control
state on my machine.

In some ways I prefer the black-hat types; at least they're aware that they're
working against my interests and don't become indignant when I point it out.

------
tagawa
The article or the judge (not sure which) suggests using incognito mode. While
this will keep browsing history private for a particular session, it's only
effective locally. Tracking from the server is still possible either through
being logged in or through browser fingerprinting, which is surprisingly
accurate.

Here's a good demo which uses fingerprinting to show how ineffective incognito
mode is: [http://www.nothingprivate.ml/](http://www.nothingprivate.ml/)

~~~
threecheese
How does a user defend against this, without resorting to a nuclear option
like Tor?

~~~
propogandist
html5 canvas blockers / browser fingerprinting blocker for the site linked

your browser is leaking a lot of data, from the plugins you have installed to
the fonts & you need to take initiative to patch the holes

here's a website you may find useful:
[https://browserleaks.com/](https://browserleaks.com/)

------
walterbell
If you delete the Facebook cookie (i.e. are completely logged out including
username), then click on a link in an email notification from Facebook, it
will silently log you in again, restoring the cookie and web-wide tracking.
This can be tested by pasting an email notification link to a new private
browsing window.

~~~
akerro
If you use PrivacyBadger you don't have the Facebook cookie on 3rd party
websites anymore, so they don't track you.

[https://addons.mozilla.org/en-us/firefox/addon/privacy-badge...](https://addons.mozilla.org/en-us/firefox/addon/privacy-badger17/)

[https://chrome.google.com/webstore/detail/privacy-badger/pke...](https://chrome.google.com/webstore/detail/privacy-badger/pkehgijcmpdhfbdbbnkijodmdjhbjlgp)

~~~
walterbell
How do you log in to Facebook when needed, if there is no cookie?

~~~
akerro
Edited comment to explain it affects 3rd party websites. Facebook works as
usual and all content is the same.

~~~
walterbell
Thanks for the pointer. Wish this worked on iOS, where the only option is to
use a dedicated browser for accessing Facebook. Not sure how Brave deals with
Facebook cookies on iOS.

~~~
akerro
Why can't you use Firefox on iOS? All addons should work normally.

[https://www.mozilla.org/en-GB/firefox/ios/](https://www.mozilla.org/en-GB/firefox/ios/)

~~~
walterbell
Apple does not allow browser extensions. Firefox (any non-Apple browser) on
iOS is a wrapper around Mobile Safari.

------
titzer
That's not all. In NY state, they ruled that an artist can take pictures of
you in your home through your windows:

[https://fstoppers.com/photojournalistic/supreme-court-rules-...](https://fstoppers.com/photojournalistic/supreme-court-rules-photographing-neighbors-through-windows-legal-67925)

~~~
donatj
And why not? It would forbid a lot of outdoor photography if I couldn't
accidentally catch a photo of someone in their house. Google Street view would
be gone.

~~~
jgalt212
Not necessarily, they would be forced to anonymize faces.

~~~
AlphaWeaver
Like Google Street View already does.

~~~
cooper12
I don't think they were forced. Google is based in the U.S. where it is legal
to photograph people in public, yet Google still blurs the faces of those on
sidewalks. That and things like license plates seems to me to be them
preemptively trying to appease privacy concerns so that support to censor them
legally doesn't form.

~~~
jgalt212
I believe the principle of the expectation of privacy forced them to blur the
faces.

~~~
stult
Not in the US at least. Expectation of privacy is an element of the test for
determining whether a government search subject to the Fourth Amendment has
occurred. As such, it only applies to government actors, not private parties
like Google. And in any case, there is no reasonable expectation of privacy in
a public place such as a road.

~~~
jgalt212
I beg to differ. For example in 12 US States you cannot record a telephone
conversation without all party consent.

[http://www.detectiveservices.com/2012/02/state-by-state-reco...](http://www.detectiveservices.com/2012/02/state-by-state-recording-laws/)

------
owly
Quitting facebook is not enough. I recommend blocking all via hosts file.
[https://github.com/jmdugan/blocklists/blob/master/corporatio...](https://github.com/jmdugan/blocklists/blob/master/corporations/facebook/all)

------
makecheck
Sometimes I think people need a little more "Black Mirror" to see how bad this
is. One of the episodes has random people basically constantly looking at and
filming a woman everywhere; certainly no _less_ than what Facebook does every
day, yet somehow it doesn't seem weird to anyone?

~~~
Piccollo
I can already tell Season 4 is gonna be awesome

------
GrumpyNl
Nice, if I don't lock my door, it's my fault they steal my things.

~~~
akerro
> Nice, if I don't lock my door, it's my fault they steal my things.

In many, if not most European countries you can get a ticket for not
protecting your vehicle. If you leave your car unlocked and someone steals it,
it's your fault. Police have to investigate it etc., but they also give you
a ticket, because if not for the thoughtlessness, they wouldn't have to do it.

~~~
thinkfurther
> If you leave your car unlocked and someone steals it, it's your fault.

Getting a ticket for that does not mean the theft gets blamed solely on the
owner so that the thief is not even considered committing a crime. It's just
the owner may have violated a law, _too_. How about you a.) quote those laws,
and even assuming you are correct in how you put it, show how b.) one instance
of victim blaming would justify another. To me that's like drinking a second
bottle of bleach because you already downed one. That runs so much counter to my
own intuition I'm kind of intrigued.

------
3uh5weutwehow
Make today the day you delete your Facebook account. Do it! Opt-out of this
panopticon as best you can.

Block as many ads as you can, in order to starve the beast.

------
ryan-allen
I think EFF's privacy badger [0] can block this kind of tracking, depending on
how sophisticated their tracking methods are.

[0] [https://www.eff.org/privacybadger](https://www.eff.org/privacybadger)

~~~
4684499
EFF's approach often makes me feel they acquiesce that users should be the ones
hiding from those corporations. Why are we making shields instead of them
putting guns down?

~~~
etiam
Is it instead? Since Facebook and their ilk are surveilling us largely out of
greed, surely making the work less profitable for them has some merit as a
tool for counter? As is often the case, a true solution probably does need to
be political, but a technical one is valuable as a band-aid until/unless that
can be achieved.

------
jgalt212
Seems very similar to the original Facebook Beacon, which they were forced
to take down.

[https://en.wikipedia.org/wiki/Facebook_Beacon](https://en.wikipedia.org/wiki/Facebook_Beacon)

------
r721
> Australian internet security blogger Nik Cubrilovic first discovered that
> Facebook was apparently tracking users’ web browsing after they logged off in
> 2011

After reading that (in 2011) I decided to block all third-party cookies.

~~~
dvfjsdhgfv
The other side is not stupid, there are far better ways to track users than
cookies, and blocking them takes a lot of effort.

~~~
roblabla
What better ways than cookies are there to track users? AFAIK, it's the most
unique fingerprint you can get of a user. Everything else is probably going to
be a lot less precise.

~~~
test1235
I think browser fingerprints are quite a reliable way of tracking.

[https://amiunique.org/fp](https://amiunique.org/fp)

~~~
tinus_hn
Sure, 'quite reliable' beats 'unique' every time!

~~~
braythwayt
Unique becomes unreliable the moment users delete their cookies.

~~~
tinus_hn
Which they of course do much more often than change one of the finicky
parameters that constitute these unique fingerprints (which in reality tend to
not be unique to begin with)

------
borne0
While on the topic of tracking, is there a plugin that lets you delete cookies
using rules on a per domain basis? For example, cookies are useful for some
sites, and others they are useful for certain periods of time, and thereafter
it would be nice to get rid of them (and yet more sites shouldn't be able to
leave cookies at all). I know there are some plugins that let you block all
cookies, or manage them after the fact, but I want something rule based and
automated.

~~~
propogandist
vanilla cookies in Chrome allows quick cookie clearing (one click) and you can
customize rules to save specific cookies. Self Destructing Cookies on FF is
fantastic also.

~~~
tedd4u
I use this [1] -- it's great. I have it set to delete any cookies not on the
whitelist 30 minutes after last set. That way I can log into a site that's not
on the whitelist and do something and after I've stopped using for 30 mins I'm
logged out and cookies deleted. However - it's not perfect. It doesn't delete
local storage, local databases, or Flash™ storage. There is a nest of Chromium
issues [2] needed to be resolved to make this work. It looks like the most
recent related work was done Sep 2016 [3] so maybe there's some hope, even
though the issues have been open for 5+ years. Of course I have the option of
working on it myself but having looked at the 5-10 related issues I think it
would take quite some time to develop an understanding of all the APIs.

[1] [https://chrome.google.com/webstore/detail/vanilla-cookie-man...](https://chrome.google.com/webstore/detail/vanilla-cookie-manager/gieohaicffldbmiilohhggbidhephnjj)

[2]
[https://bugs.chromium.org/p/chromium/issues/detail?id=78093](https://bugs.chromium.org/p/chromium/issues/detail?id=78093)

[3]
[https://bugs.chromium.org/p/chromium/issues/detail?id=589586...](https://bugs.chromium.org/p/chromium/issues/detail?id=589586#c38)

------
blackoil
How is Facebook different from other advertising networks? All of them track
you across the web, on any site that uses them. Why is FB a special case?

------
curiousgal
Meh [https://www.eff.org/privacybadger](https://www.eff.org/privacybadger)

------
olivermarks
Does FB track by IP or cookie or both? I use different browsers for the more
invasive tracking sites. For FB (which I use very sparingly these days to stay
in touch with people I won't hear about in other circles) I currently use
Safari. I log in and out and limit my use of that browser to FB and a handful
of other sites.

Since Chrome is such a memory hog on Macs my principal browsers are Opera and
Brave, both of which work very well on my elderly MacBook Air.

I have no idea if my somewhat paranoid tracking avoidance is effective against
FB though. I see that when I go to the log in page in Safari that FB knows how
many 'posts' I have stacked up to consume (the little Pavlov's dog red circle
with a number in it). I'm assuming I'm being tracked despite being logged
out...

------
supernumerary
Add Facebook to your hosts file per:
[https://github.com/erwinbierens/Facebook-Hosts/blob/master/f...](https://github.com/erwinbierens/Facebook-Hosts/blob/master/facebook-hosts.txt)

------
Pxtl
My general fix for web tracking cookies:

HTTP requests sent from my browser page when viewing Foo.com to Bar.com have
no cookies. Javascript is available to create an explicit pop-up requesting
permission to share your cookies with Bar.com.

When I go to Foo.com, my relationship is with Foo.com. I'm okay with being
tracked by Foo.com when I'm on Foo.com, but if bar.com is going to track me
then I want to be asked.

That said, Foo and Bar could still share information about me directly without
going through my browser, but without the cookie feature it would be very hard
for Foo and Bar to tell that their profiles on the person Pxtl are the same person.
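
The rule proposed in the comment above, modelled as an added JavaScript example (not part of the original comment, and not real browser code): a cookie is attached only when the request goes to the site the user is viewing, unless the user granted that page/target pair. `CookieJar`, `siteOf`, `scenario`, the policy names and the cookie value are constructed for illustration, and `siteOf` assumes a site is the last two hostname labels instead of consulting the Public Suffix List.

```javascript
// Constructed model of a browser cookie jar; not real browser code.
// Assumption: a "site" is the last two hostname labels. Real browsers
// use the Public Suffix List, which this shortcut ignores (e.g. co.uk).
function siteOf(url) {
  return new URL(url).hostname.toLowerCase().split('.').slice(-2).join('.');
}

class CookieJar {
  // policy: 'send-everywhere' (cookies follow every request) or
  // 'first-party-only' (the rule proposed in the comment above).
  constructor(policy) {
    this.policy = policy;
    this.cookies = new Map(); // site -> cookie string
    this.grants = new Set();  // "pageSite>targetSite" pairs the user approved
  }

  setCookie(url, cookie) {
    this.cookies.set(siteOf(url), cookie);
  }

  // Stands in for the explicit permission pop-up.
  grant(pageUrl, targetUrl) {
    this.grants.add(`${siteOf(pageUrl)}>${siteOf(targetUrl)}`);
  }

  // Cookie header value sent to targetUrl while the user views pageUrl,
  // or null when no cookie is attached.
  cookieFor(pageUrl, targetUrl) {
    const pageSite = siteOf(pageUrl);
    const targetSite = siteOf(targetUrl);
    const stored = this.cookies.get(targetSite) ?? null;
    if (stored === null) return null;
    if (pageSite === targetSite) return stored;            // first-party request
    if (this.policy === 'send-everywhere') return stored;  // third-party, no rule
    return this.grants.has(`${pageSite}>${targetSite}`) ? stored : null;
  }
}

// Constructed scenario: the user logged in to bar.com earlier, then
// reads a foo.com page that embeds a bar.com script.
function scenario(policy, withGrant) {
  const jar = new CookieJar(policy);
  jar.setCookie('https://www.bar.com/login', 'uid=constructed-123');
  if (withGrant) jar.grant('https://foo.com/article', 'https://bar.com/widget.js');
  return {
    embedded: jar.cookieFor('https://foo.com/article', 'https://bar.com/widget.js'),
    direct: jar.cookieFor('https://www.bar.com/home', 'https://www.bar.com/feed'),
  };
}

console.log(scenario('send-everywhere', false));
console.log(scenario('first-party-only', false));
console.log(scenario('first-party-only', true));
```

The `direct` result stays populated under both policies, so logging in on bar.com itself keeps working; only the embedded request from foo.com loses the identifier.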

------
nemoniac
Clearly Facebook "can". The judge ruled that they "may".

------
Mikho
That is why media struggles making money--it gives its audience for free to
Facebook and Google with all that "free" share buttons and analytics. Why
would an advertiser pay to a brand name media outlet money for displaying an
ad if it could buy exactly this audience on Facebook or via Google much
cheaper?

Media did it to itself--it just gave away its audience for free. No wonder it
can't make enough money via advertising.

------
rubicon33
I wish someone would build hardware that protected against this. A router for
example that filtered all outbound traffic and blocked specific routes and
packets destined for tracking.

Yes, you could do that all on the computer itself, no need to run it on the
router. I guess the benefit of having it all on a router is that it would be a
plug and play solution for the privacy conscious but technically limited
individual.

~~~
bguillet
Pi-hole ([https://pi-hole.net/](https://pi-hole.net/)) does something like
this. It's not plug'n'play though.

------
TheRealDunkirk
I usually stick with Safari as my browser, but Privacy Badger isn't available
for it, so I use "Facebook Disconnect." Does anyone know how well it really
works? (I don't have an account, and I don't want them tracking my activity
for my old profile.) I'm surprised I haven't grep'ed anything about this
extension in the discussion thus far, which makes me nervous.

------
mungoid
Wouldn't something like Pi-Hole be a good network-wide way to manage this
tracking? I know plugins are convenient but they all have to intercept and
modify css/etc coming in on the fly which can lead to slower page loads. Plus
I'd imagine some of those plugins will allow certain domains through
regardless?

Or are the sneakier ways sites track users something that can get by the OOTB
settings?

------
a_imho
I don't even know what their logout button does. It puts me on the login page
with my profile pic, and it displays the number of notifications I've received
while logged out. There is a 'remove account' X overlay placed on the top left
corner. I usually click it and hope it does something.

------
leereeves
If the judge had ruled the other way, would that have been equivalent to
ruling that all tracking is illegal?

------
heisenbit
It is interesting that the court was arguing that there are protection
measures the plaintiff can take. Makes one wonder what the legal situation is
for the folks that are circumventing the default browser protection
mechanisms.

------
leeoniya
that awkward moment when the article itself has Facebook sharing buttons

------
slitaz
Proper English should have been: "Facebook _may_ track your browsing even
after...".

The judge can rule about lawfulness, otherwise it looks like they are an
investigative reporter that just found out about the technical capability to
track users in such a way.

~~~
lucb1e
Oh, thanks, now I finally understand the title. Should be "may" or "It's legal
to..." indeed.

------
federicoponzi
Not a surprise.

------
necessity
Facebook is a company, a superfluous one even, no need is forcing you to use
it and there is no need for it. Don't like it, don't use it. Don't like
tracking, configure your browser accordingly and get a blocker. It's easy and
free.

~~~
icebraining
You can't block if you don't know it happens (or that it even _can_ happen),
which is the case for most people. Very few people understand the concept of
third-party tracking - nor should they have to.

