Hacker News new | past | comments | ask | show | jobs | submit login
Stack Overflow lets Facebook track users across their sites (stackoverflow.com)
384 points by Thorondor 9 days ago | hide | past | web | favorite | 48 comments

I have a Facebook account, this creates limitations when it comes to blocking (e.g. I cannot use a DNS block/piHole).

What I found works for me is to use Multi-Account Containers with Facebook being forced-open in a specific container (that's only for Facebook) and then using Firefox's built in Content Blocking to block trackers in other containers (Content Blocking -> Custom -> In All Windows).

This allows you to use Facebook but makes it significantly harder for them to track you across other sites (via shadow accounts or your actual profile).

For example this works for Stackoverflow where I see:

> The resource at “https://graph.facebook.com/[xxxx]/picture?type=large” was blocked because content blocking is enabled.

On mobile I simply don't install Facebook's apps and use the mobile web browser and still receive notifications via that.

I love how browsing the web now is like gearing up for war. Need our anti tank and our anti air of course.

It's kind of terrifying how one sided it is. The only browser that matters for standard setting, the one used by the vast majority of users, is built for and by one of the largest advertising and data collection firm.

Although, the situation will start to unravel very fast for all these companies if people start aggregating the house address, telephone number, social network handles, names of relatives and estimated net worth of everyone who works at these places based on publicly available information, and posts them all in one place. For a change, it will be nice to watch the executives of these companies scramble once they realize exactly how it feels to be on the receiving end of such violations.

And if setting up Multi-Account Containers just for the one scenario of sandboxing Facebook sounds too complicated, Mozilla have put together a Firefox extension that does all the setup for you: https://addons.mozilla.org/en-US/firefox/addon/facebook-cont...

(Which, don't get me wrong, I think MAC is a great feature and use it myself for all sorts of sites. But it can be complicated to get your head wrapped around, particularly if you're not a professional nerd. Which is why this kind of set-it-and-forget-it alternative has some value.)

I'm a huge fan of Firefox's first party isolation (FPI) and using Containers to control Google. FPI kills trackers and Containers allow me to stay logged into certain Google services without having things like my search history tracked.

I was a huge fan too. I had a lot of containers set up on three different machines and they all got wiped out last week. I haven't put in all the work to rebuild them yet and I'm losing the wherewithal to keep putting up with Firefox.

Yeah I lost my main container last week as well.

Containers are okay, but, I wish they had their own database for things like saved passwords and addresses. I still end up using a separate profile for work, because I don't want _anything_ from work on my personal profile. Although, if entire container profiles can disappear with an update, that could be even more of a hassle.

I still don't understand why disabling the MAC extension nukes your settings where seemingly every other extension keeps its settings when toggled.

To be clear though, FPI is the real weapon here against things like Facebook tracking.

This alone won't be sufficient. I have a fake FB account which I haven't used in ages, which has only been accessed from my laptop. Somehow they managed to tie the fake account to my mobile device. I suspect they are using the apps that are constantly pinging graph.facebook.com to build a comprehensive profile of devices and accounts.

When I was visiting a foreign country I began receiving emails from facebook to try and get me to login, with FB marketplace results customized for the region I was in... this was very concerning and shows they are not only collecting vast amounts of data, but they have a good mechanism in place for persistent tracking of devices & users all over the planet

> On mobile I simply don't install Facebook's apps and use the mobile web browser and still receive notifications via that.

And you're also tracked across (basically) all websites, because they all have this "helpful" Like button embedded.

On Android, on Firefox you can add NoScript, PrivacyBadger, AdblockPlus (plenty of lists here [1]), and if you go all the way and root it, you can replace the hosts file [2]. I personally use zero FB products, and use NoRoot Firewall with global rule to block 31.13.x.x and a couple of other FB IP ranges. That also means that I exclude myself from WhatsApp and Instagram.

[1]: https://filterlists.com/

[2]: https://someonewhocares.org/hosts/

Why use AdBlock Plus (an advertising industry product) instead of uBlock Origin? It's compatible but massively more efficient.

Add Decentraleyes, self-destructing cookies, and randomized user agent.

If SO wanted to make a goodwill gesture they'd get rid of ajax.googleapis.com for their jQuery source. It's 2019, just replace it with vanilla.

one browser for botnet shit like fb/socials

firefox focus for somewhat botnet-free browsing

Alternatively there's https://facebookcorewwwi.onion

> I have a Facebook account, this creates limitations when it comes to blocking (e.g. I cannot use a DNS block/piHole).

Why not? I have an actively used Facebook account, and also run all my traffic through PiHole.

I like self hosted avatars. From the title I thought SO purposefully lets Facebook track us, perhaps through a like button, but instead the complaint is that they don't have a domain blacklist on user avatars, which sounds silly to me.

I care about privacy but there are bigger fish to fry. This is not structural and hosting your own stuff (like your avatar) is a part of the old Internet I miss.

Is there a significant bandwidth advantage by allowing users to host their avatar image on 3rd party site rather than self-hosting it? I too am a believer in self-hosted content, but I don't have any site that gets any kind of traffic to worry about costs so I have no insight on if avatars add up to make this a thing.

Seems like it would be a good idea to add crossorigin="anonymous" referrerpolicy="origin" attributes to user-provided images. This would prevent any 3rd party tracking or referrer leaking.

One might reasonably argue that this should be the default.

The most popular browser is made by an ad targeting company.

It would be foolish of them to enable this by default.

Install Privacy Badger.

"Privacy Badger automatically learns to block invisible trackers." https://www.eff.org/privacybadger

Stack Overflow does not honor Do Not Track [0] and in response to a question [1] indicated that they don't intend to do that either.

Tracking (including third-party tracking) seems like a feature.

[0] https://en.wikipedia.org/wiki/Do_Not_Track

[1] https://meta.stackexchange.com/questions/237062/does-stack-e...

Safari has even removed Do Not Track because it can be used for fingerprinting.


Almost no one does.

> including third-party tracking

I don't see how this follows. What does SO have to gain by allowing FB to track SO users? Just seems like laziness to me.

Maybe an EU law will require sites to honor do not track or face stiff fines.

Won't the privacy filterlists in uBlock Origin fix this?

They should. I use the Fanboy Anti-Facebook list (https://www.fanboy.co.nz/) and the avatars from FB on SO don't load for me.

You might like umatrix (same guy afaik). Change settings to load only first-party sites then unblock other sites as necessary.

Yeah I love umatrix. Sometimes it's awful and it takes an extra few minutes to figure out the magic combination of things to allow. Sometimes it breaks a page altogether and I use an un-Matrix'd Chrome as a last resort (which I wipe after use). But I think it's worth the hassle.

I believe that one day boycott will help them reconsider these practices.

"One day boycott" reads as if the boycott lasts one day and that's it, you are back to normal, using the site, getting tracked. So I don't think I would be too scared if I were a business.

Pretty sure they meant "one day a boycott."

Yes, it does not work if it is not coordinated but if significant number of users stops the service at the same time then it will leave sizable tent in the revenue.

are you talking about boycotting Stackoverflow or Facebook? I could reasonably boycott Facebook, sure. But the day Stackoverflow gets boycotted is the day no code gets written. /s

I know this is sarcasm but I’d like to add something anyway: I don’t know if it’s just experience or if the quality of non-Stackoverflow resources has increased but I find myself needing it less and less in the past couple years.

I see this as 2 options-

>If you don't like Facebook, get rid of it. I have. And I still have friends.

>Let Facebook advertise really specific to you. Weirdly specific, it might be useful. *

*might get blackmailed later if you were doing socially unacceptable things.

But you could not participate in Facebook, the same company you are trying to avoid.

> But you could not participate in Facebook

That doesn't stop Facebook from tracking you, though. It only makes the tracking a bit coarser.

Of course, most all Web sites add in third-party tracking through HTTP requests, in one way or another. Offhand, HN is the only site that comes to mind as not doing that. (I've been working on anti-tracking for a long time, and my current hand-edited ruleset has over 10k rules, which I usually have to look at multiple times each day.)

Firefox’s containers really should be a standard browser feature at this point.

That may be the "Microsoft buys GitHub" moment of StackOveflow: people realizing the power we gave to this private company and migrating to non-profit-managed website instead (like https://framagit.org)

But I do not see a good alternative to StackOverflow available now.

I noticed this last week in my umatrix blocked domains. Its pretty terrible. Hopefully this gets reverted and doesn't signify the downfall of stack exchange because its a super important resource on the internet.

What options does a Safari user have to prepare for war on the web?

While Safari lacks in certain features, it’s a reasonably mainstream browser which is a very good thing against browser fingerprinting. I use Safari combined with AdGuard to block cancer. It’s not perfect but I think it’s better than let’s say Firefox (you’d get more “blocking” power thanks to better extensions like uBlock Origin, but you get fingerprinted very easily by trackers that slip through the blocking).

Collection of tools to protect privacy online.


Just start saying really inappropriate things into the microphones that are not there... LOL

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact