Hacker News new | comments | show | ask | jobs | submit login
Facebook Disconnect (chrome.google.com)
306 points by jmonegro on Sept 25, 2011 | hide | past | web | favorite | 92 comments

The author of Facebook Disconnect (Brian Kennish) has written another Chrome Extension called "Disconnect" (https://chrome.google.com/webstore/detail/jeoacafpbcihiomhla...). Disconnect not only deals with Facebook, but also Google, Yahoo, Twitter, and Digg tracking.

Also, he gave a great talk at DEFCON about his current project, attempting to document what websites do with your browsing data.


Kinda weird that this extension requires more access to your data (e.g. history) than the previous one. Surely they do the same thing? Note that I'm not questioning the authors motives/integrity...it just strikes me as somewhat random & ironic.

Just as an FYI, disconnect causes a number of login problems on a few of said sites rendering them unusable.

Yeah I just installed the firefox version, saw it blocked even google charts, and uninstalled it. If it had adblock like control to whitelist domains it might be ok but as it is, cool idea, but no thanks.

Have you reported the issues to the extension author?

What? I've been running Disconnect for probably over a year now and experienced zero side-effects and I use all of those services (minus Yahoo).


Another thing you can do is opening an incognito window for all your facebook/google sessions. Obviously, one must be sure to have deleted all cookies/etc after the last time one logged in to Google/facebook (that includes youtube).

"This extension can access: Your data on all websites"

This part made me chuckle a bit. We are so afraid of Google and Facebook tracking our searches/web pages, yet we freely install plugins from 3rd party developers that can easily gather everything that Google and Facebook can get, and more. In theory, I could make a Facebook Disconnect 2, which secretly sends data back home about what pages have been visited, and nobody except the most vigilant (enough to read the source of the plugin) would know.

Why do we not trust large corporations who have billions of dollars at stake, but trust independent developers who have little skin in the game? Is it because we are those developers, so there's some form of camaraderie?

My first thought when I saw this was: "I should check out the source first and see what it does". Here is the source:

  const DOMAINS = ['facebook.com', 'facebook.net', 'fbcdn.net'];

    Determines whether any of a bucket of domains is part of a URL, regex free.
  function isMatching(url, domains) {
    const DOMAIN_COUNT = domains.length;
    for (var i = 0; i < DOMAIN_COUNT; i++)
        if (url.toLowerCase().indexOf(domains[i], 7) >= 7) return true;
  	  // A valid URL has seven-plus characters ("http://"), then the domain.

  /* Traps and selectively cancels a request. */
  if (!isMatching(location.href, DOMAINS)) {
    document.addEventListener("beforeload", function(event) {
      if (isMatching(event.url, DOMAINS)) event.preventDefault();
    }, true);
I am not concerned with this plugin. It may break websites, but it does nothing malicious. It is no more dangerous than any other chrome plugin.

Yup, until the author uploads a new, more 'clever' version and chrome auto-updates your browser, without you knowing it (since permissions didn't change).

You can copy the source code and make your own plugin from it ;)

If you want to shut down facebook on your computer without a plugin just put those domains in your /etc/hosts:  facebook.com  facebook.net  fbcdn.net

I thought the goal of this plugin is to neutralize Facebook Connect (i.e. facebook on 3rd party websites), not to disable Facebook altogether?

Indeed, but my view is that if you don't trust Facebook, you don't trust Facebook.

Not quite. That won't block www.facebook.com or static.ak.fbcdn.com

Yeah, [unfortunately?] wildcards don't work here, so you can't do something like *.facebook.com.

You could either list out all the domains or use something like dnsmasq or another DNS proxy that lets you define more sophisticated rules.

Edit: the advantages of the /etc/hosts approach are it's simple, and it works without additional software.

If you want to avoid facebook completely, why not just deactivate your account, or completely log out and clear all cookies, then never log back in on your machine? I thought that point of this plugin was to let you use facebook normally without worrying that another site would post on your wall.

It looks like we need another plugin which will track the source changes of other plugings and report them.

Who will watch the watchmen?

You already trust Google to not do bad things inside Chrome; why not trust this guy, as well?

Because if google doesn't something that people find out about, there will be a firestorm. If this guy does... will it rise in the headlines anywhere? I doubt it.

Thumbs up. That's exactly what I did. It seems innocuous enough, I thought, but it's still interesting that we trust fellow developers so much. I just wanted to point that out, in case people missed it.

Yeah, Google doesn't really get it how to set permissions properly. They do this on Android, too, and freak people out when they see permissions that at least seem so general - like giving a SMS app "full Internet access" or "full SD card access" and so on.

The problem with naming them like that is that showing the permissions becomes pointless, because people will install them anyway seeing how 95% of the apps have that permission, so they might miss the malicious one that has that, too.

In order to block Facebook, this extension is injecting javascript into every page you load. It absolutely should come with a large warning.

People don't trust Facebook because they don't know what we (fellow Facebook Engineer[0]) know about what it's like on the inside. They don't believe that people are just legitimately interested in making stuff that people will like and use, that we obsess over the stats to make sure that we're making stuff that people and use (they think it's tracking them), and that ultimately, we just want to give people ads that they don't hate (for some reason this is called "selling data to advertisers").

Ultimately though, the opinions of Hacker Newsers (a group with which I've proudly associated for ~3 years now) are only a hint at how much we're helping (or hurting) the world, and while we should always keep it in mind, we need to recognize that this is a group which is accustomed to the IRC style of social networking.

I don't blame anyone at Hacker News for thinking "we" are evil, because we do a shitty job at communicating what we're actually doing and why[1] (and we can't really communicate everything anyway). Instead, we've just gotta try to address the problems that are legitimate and be as transparent as possible.

Shortly, if you call tin foil hat theories tin foil hat theories (even with sound logic as to why they are tin foil hat theories), all you're going to do is convince the tin foil hat theorists that it's yet another elaborate step in manipulating them into believing The Corporate Directive.

And, everyone else, for what it's worth, I'd much prefer it if we could just go back to hacker news on here. I'm a C Hacker first (before being assimilated, I contributed to open source projects like Chromium and Mongrel2, because I loved the problems (coincidentally the same reason I allowed myself to become assimilated into facebook -- I work on code that's hit my millions of users billions of times a day[2])

[0] Cache Infra in 1050 B2

[1] We've enabled applications to write to our network as they wish without introducing much friction or overhead (a single approval), but we've managed to communicate that in such a way that instead of leading people to believe that we've put the onus on developers (and users, as they must ultimately know which apps to trust), we've instead "put our tentacles" into yet another area and are again sharing without reason.

[2] memcache protocol stack stuff, we issue lots (and lots and lots) of requests per page load :)

A few weeks ago a close friend sent me a message on Facebook asking what I've been up to, and I told him about the startup I am working on.

As soon as I hit send I was hit with the impulse that I shouldn't have sent those kind of details over FB messaging -- thinking back to warnings such as (http://www.youtube.com/watch?v=2cdrCYrZIvI).

And sure enough a day and half later I received an email from a Facebook recruiter wanting to talk to me about a job.

Normally that would be fine, but the timing is so suspect. I asked around if anyone had heard of FB mining/reading users messages, and no was certain but reminded me that the FB privacy policy states that they own your data and an ex-FB employee said that many engineers have access to the DB.

Does FB mine or read user messages, and why doesn't it do more to prevent so many engineers from having access to the DB?

There's no chance that the recruiter contacting you had anything to do with the message you sent.

I have some insight into the safeguards in place to prevent any abuse of any access that an individual might have due to the nature of their work, and the character of the people who maintain them, and if I had any issues with either of them, I would not still be working at Facebook.

What type of safeguards? And are you saying Facebook messages are off limits from data mining?

Unfortunately, I don't feel I'm qualified to represent Facebook on this beyond what I've said (don't want a tech news article/blog post misconstruing something I said into something bad about the company).

> people are just legitimately interested in making stuff that people will like and use

Even the best intentions won't help when FB is hacked, sold out to idiots or forced to hand out data to your gov't.

You simplify a complex situation into "good" and "evil" and characterise those suspicious of you as tin foil hat wearers.

Way to win our trust.

And I believe that you believe that argument. I believe even that Zuckerberg believes it. Very rarely is there a Gargamoyle sitting in a tower plotting the downfall of the smurfs. Most times it's just someone with the best of intentions.

In this case your argument is that you just want the information so as to provide people what they want.

Okay - fair enough. But there is a very obvious counter-argument - which has already been mentioned many times. It's that you don't make it easy for people to choose not to allow you to track this information if they don't want you to. And you KNOW that most people wouldn't opt-in to let you track them this way. So at best you make it opt-out - if you let people opt out at all. So - assuming that people know what they are doing and are making a rational decision about their choices, then you aren't ACTUALLY serving their desires at all.

And next comes the only real reply that's available to you. Either people are irrational for wanting to block information gathering that would help you satisfy their first order desires, or that facts like people keep using the service without trying to figure out how to opt-out, shows that they really don't have a problem with privacy issues - even if they state they do. And therein lies the paternalist rub of Facebook's decisions.

Now - you don't state anything directly paternalistic in your reply. To be honest - it's not that consistently thought through. But the germ of it is there when you state to the effect that - people can't understand what we do or why we do it. And thus you relegate them as other - as less informed, or less capable of choosing than the mighty facebook crew.

Sorry you need to try harder to see this from the other point of view. That's not going to be easy for you - because working at facebook must be an incredible experience. Who wouldn't want it to be a ethical easy zone. But you exhibit the clearest signs of someone who has too much of a vested interest to be able to critical engage with this ethical conundrum.

The first of these signs is the fact that you don't address the very obvious counter argument I just laid out. No one at Facebook ever seems to. It's such an obvious reply, and is mentioned so often - it appears disingenuous to continue to ignore it. I don't believe that Facebook consciously avoid replying to it. But the fact that they don't - while keeping the assumption that they mean well - suggests to me that their vested interest has clouded their judgement.

The second such sign of critical impairment is the fact that you are marginalising your opponents as "tin foil hat" people - or as ignorants who couldn't possibly understand. When you do this to a group of people who represent a particular point of view opposed to your own - you've ceased to engage with them - you've ceased to listen.

And that's exactly why people have their backs up. And if you can't see the intuitive force behind that - then people are going to start treating you in kind and start marginalising you in return. And of those who do subscribe to the tin foil hat view - that's exactly why they do.

It's a shame because Facebook probably has a lot to contribute. But if your PR folks (including yourself since you've just spoken for the company on HN) can't recognise the degree to which the discourse is becoming poisoned in this way - then things aren't going to go to well for you in the longer term.

People don't trust facebook because they (you) try to tell everyone what we are doing without our permission. It's really that simple. Stop it, please.

> and that ultimately, we just want to give people ads that they don't hate (for some reason this is called "selling data to advertisers").

As an aside: I'm happy with ad supported stuff. I never run any ad-blocking extensions or hide my data. But still many ads are lousy.

Any chance of a HN karma style thing to vote up / down ads? ("I hate this ad, it makes me want to leave the page -1", vs "I don't hate this ad, whether I click it or not +/- 0" vs "I like this ad whether or not I click it +1")

And I always like websites that allow paying members to turn off ads.

I'm guessing a -1 button would be only as attractive to FB as a dislike button.

With a -1 and dislike button comes a visible downside to being present on FB, especially for organizations, the potential to be unpopular in a tangible, measurable, way. Organizations would then think twice about being on FB when before it's might have been a no-brainer. Even if the number of dislikes is not publicly visible, it may be to the owner of whatever it is being unliked, or owners may request for it, and when an owner sees that number, may decide that it's bad to have a FB presence.

Considering the downsides of a -1/dislike button, why would FB want it from a revenue and growth point of view?

> People don't trust Facebook because they don't know what we (fellow Facebook Engineer[0]) know about what it's like on the inside.

Bull. We don't trust Facebook because of its actions. Beacon, account deletion, random modification of privacy settings and policies. Facebook has done virtually nothing to earn trust, and taken several clear, conscious actions that violate trust.

Your perception of Facebook's intent does nothing to change what Facebook has actually done to its users.

I bet - as someone that respects what Facebook has crafted but really has no vested interest in their long term success - that Facebook internally feels that it has done a ton at demonstrating it's awareness and empathy towards users and their privacy and has concluded that actually, users as a meaningful percentage, do not give a crap about what Facebook does or doesn't do wit their data.

Also, it's not just what Facebook is currently doing or has done, but also what it _can_ do with my data.

Many of my friends trust Facebook.

I'm starting to think that those smug bloggers are in it for the traffic.

It all depends on your perspective I suppose.

I believe this is a problem with the extension API, where the extension needs to request "your data on all websites" in order to be able to run JS code in the context of the page/tab.

Technically if it's able to do this, then it is able to access the data on that page as well, whether or not the extension is doing so.

We freely install these plugins, yet we can't force ourselves to simply log out of Facebook[0], can we.

How ambivalent is that.

[0] http://news.ycombinator.com/item?id=3033385

Upd: They say now logging out is not enough (http://news.ycombinator.com/item?id=3035418), which partly invalidates my point.

He actually is doing this. Take a look at the source code. He has tracking javascript right at the bottom. Its sort of ironic...

Where? The source is exceedingly simple and there is no tracking JS:


I'm looking at the source code, and I'm not seeing what you're talking about. The code is only in content.js, and nothing is being talked to as far as I see. How is he sending out tracking data?

Edit: I'm sorry guys, I guess the file that the install button links to is not the addon itself like the Firefox addon site does, so saving it does not give you the addon. I'm retarded. He does not have tracking cookies, I apologize.

Also see http://www.ghostery.com/ if you don't want to be tracked by web beacons in a more general way, i.e. not only by Facebook.

There is also another interesting site:


This German site uses a double opt in button for button like "Like ". Press twice on the grey like button and then it only turns into a normal like.

How does Disconnect compare with Chromeblock?

I find it kind of amusing that facebook doesn't display integrated comments at all if you block their cookies. Not to worry, TechCrunch w/out comments ≈ TechCrunch with comments.

when i want to log in to fb i open an incognito window. i haven't looked into this myself but the assumption is that cookies from incognito will not leak into my normal session.

it would be great if chrome allowed users to create a separate "sandboxed" browser session in each window. i'd like to maintain just one session for each service i log into, including google/gmail.

hmm, maybe that's why they haven't implemented this.

Available for Firefox & Safari as well from the authors site: http://disconnect.me/

In Europe there is a similar movment but it comes from the EU. There has been a big change in the handling of cookies and other privacy issues, so that now you are only allowed to save data if when someone visits your site and selects some pop to allow the site to save it. big problems with analytics



The author of this extension is also the author of Disconnect.

This recent Facebook smear campaign is interesting to watch on HN. Is it the work of an organized group, or just the hivemind's gobbling up of anything anti-Facebook? Either way, it's poor form and not news, this plugin and its more broader 'disconnect' sibling have been linked before several times.

Nb: I have no skin in this game, I personally don't have a Facebook account, but it's not because I'm some anti-FB zealot.

The frontpage of HN has been very disappointing in the last week with non-substance links littering it, and even less worthwhile comments accompanying them. Let's try not to upvote such frivolous and low-signal links.

There's a fairly wide appreciation among technically aware people of just how deep Facebook is getting its tentacles into things. Sentiment has been turning anti-FB for quite some time; it's been aggravated by FB's blunders in the past, by defaulting to over-invasiveness, then dialing back in response to outcry. So whenever FB gets press for something that can be viewed in the same light, there's a lot of judging them by their past actions.

So while there may be an element of opportunism in covert anti-FB PR, it's working with dry kindling. There's real fire here, not just smoke.

Sometimes I get a feeling that the hivemind of HN is critical of anything that is not associated google. I could be wrong as I am a fairly new user. But that's just what I have observed in last few weeks.

I don't see what Google has to do with this. Google gets roasted just as well as any other company around here. I've seen several articles get upvoted about google+ being a ghost town, and other critical articles.

Just try googling site:news.ycombinator.com google

From the first page I see:

6 discussions that are basically neutral

1 positive (Google puts Japan quake tsunami warning on their search page)

1 mix of positive and negative (people arguing both positions) (Goodbye, Google App Engine)

2 negative (Google: Bing Is Cheating, Copying Our Search Results, Google to announce "new programming language for structured web programming" )

I've never noticed a leaning towards favoring Google here. If you were arguing that YC funded companies get preferential treatment then you might have a case but I don't think your "I get a feeling that the hivemind of HN is critical of anything that is not associated google" is correct at all.

It's getting to the point with Google that I'm half-considering firewalling my day-to-day browser from my "real" Google account, and adblocking Google out of existence except when referred to by Google sites itself. I already block their analytics etc. whenever I can.

If the Google+ Like button appeared on anywhere near as many sites as Facebook, I'd be concerned about Google too.

I'm kind of surprised NoScript doesn't have an option of disabling scripts on a site-by-site basis. Ergo, if I have two tabs open, Google+ and some other page containing a Google+ Like button, I should be able to enable Google scripts on only the Google+ page. As it stands, when a script from a domain is enabled, it is enabled for any and all tabs you have open. I think that behavior can be improved.

I'd guess that Google Analytics and Google Adsense exist on more websites than Facebook like buttons, and they pose the exact same threat.


I agree this would be a nice feature to have.

In the meantime, you can use the RequestPolicy add-on in order to block cross-domain requests to G+ in your other tabs. In this case, NoScript won't even be needed because the script won't be loaded at all.

you,re forgetting about google adsense. google has been tracking you across the internets before fb even existed.

I voted your comment down.

I suppose it's good form to explain why - so here goes.

I guess I find your comment low signal as well. It doesn't help me understand why you think there is a smear campaign - or why you think it might be a conspiracy.

I personally don't want Facebook building a profile about me - and I don't trust them enough not to so act with their like buttons n whatnot. So this is a handy tool for me that I didn't know about before today.

I'm not sure why I have to be considered an anti-facebook zealot, part of the hive-mind, conspirator jerk just because I find such a tool useful.

I personally don't want Facebook building a profile about me

So don't have an account with them.

I deleted my Facebook account a few months back, but I'm also interested in how their new products work, seeing as how they affect millions of internet users.

I'm biased because I do think Facebook is lame, and that the amount of online profile wish-fulfillment is just creepy. Is this 'anti-FB zealotry'?

If you're going to meta-moderate HN, try to engage in less hyperbole than the 'smear campaign' you disagree with.

Your phrasing – “smear campaign”, “hivemind”, etc. – is unhelpful to reasonable discussion, whether or not you have “skin in the game”.

It's somewhat reminiscent of the anti-Groupon sentiment that began about the time some of the other major players started to get into the daily-deal game (however Groupon wasn't helping itself much either).

It has very little to do with Facebook. It's people who wish other people were more like them (concerned about privacy in this case) using some other event as an opportunity to push their agenda. It's a harmless circle jerk I suppose.

Same as you, no skin in this game. It Feels like I awoke up today & HN is having a Facebook special.

I thought it was fairly well established that FB is a privacy quagmire (logged in or otherwise), so this all seems a bit redundant.

Maybe I missed a memo…

I use WidgetBlock. I'm not sure if it does exactly the same thing, but I use it against sites that are heavy with widgets and scripts and make the site load 5x slower (like Techcrunch, although I barely even visit it nowadays).


I'm going to give Facebook Disconnect a try, too.

Ok so why would one use a browser made by Big Evil Privacy-hating Spy Firm #1 and then install an extension to prevent logging by Big Evil Privacy-hating Spy Firm #2?

I'd be very amazed if Chrome would not, now or at some point in the (transparently and unstoppably auto-updated) future, keep track of what you're doing, too.

If Google really did that with Chrome you would either A) know about it already, or B) find out later when someone discovers the secret logging mechanism.

Scenario B is so potentially devastating to Google that I highly doubt they would implement something like that.

Why would somebody write comments dissing Microsoft in Internet Explorer? Why would someone write an anti-Microsoft message in Word? Why would someone ask such arcane questions.

We trust the tools from Google, since it would be a huge backlash if they were caught doing something so nefarious as using Chrome to track people, without them knowing. And it is quite possible to test this.

I'd be very amazed if Chrome would not, now or at some point in the (transparently and unstoppably auto-updated) future, keep track of what you're doing, too.

If you'd like to put some money down, I'd take the other end of that bet.


I've already developed the habit of only accessing Facebook in an incognito tab, but cool extension nonetheless.

This broke parts of the Disqus admin page last time I tried it.

Does anyone know of an Opera Extension like this?

In order to block Facebook, this extension is injecting javascript into every page you load. It absolutely should come with a large warning.

You can copy the source code and make your own plugin from it ;)


You'll forgive those of us that aren't interested in becoming the digital equivalent of stylite monks, but by all means feel free to conduct your business in the public eye if that's what suits your fancy.

Absence of malicious history/intent doesn't render them incapable of being (directly or indirectly) dangerous. One could easily pose a rational argument for users to take prophylactic measures (e.g., Facebook Disconnect, Ghostery, and the other browser plug-ins) based solely on the increasing number of data breaches.[1][2]

However, this is a relatively weak argument, as it requires making an underlying assumption that the leaked data is dangerous. We have no evidence to support the assertion that leaked information of the kind shared on Facebook would pose any danger to the affected users. This is fundamentally different from the dangers of data breaches concerning health and financial records; these records contain information necessary to steal identities and engage in other nefarious operations. Facebook doesn't collect social security numbers or other extremely sensitive personally identifiable information.

Facebook does, however, collect evidence of our predispositions and predilections. Arguably, this information is far more dangerous than mere personally identifiable information, because rather than identifying us outright, it gets to the heart of what makes each of us unique. We are incapable of imagining the complete set of scenarios where this information could be used nefariously, and as such, its dangers fall within the scope of ``unknown unknowns''

Compare this situation to the case of a breach of financial data: the uses of this data are well-enumerated, and one could argue that the cost of the next health information data breach is a known unknown. Based on historical evidence, we know that another breach will occur, and we know how criminals use the leaked information. With data on Facebook, however, we don't know whether this information could be used maliciously. Moreover, if it could be used maliciously, we don't know how it might be used. Therefore, it deserves as much privacy (if not more) as one's financial and health records.

[1] http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC... [2] http://www.privacyrights.org/data-breach

We are so afraid of Google and Facebook tracking our searches/web pages, yet we freely install plugins from 3rd party developers that can easily gather everything that Google and Facebook can get, and more. In theory, I could make a Facebook Disconnect 2, which secretly sends data back home about what pages have been visited, and nobody except the most vigilant (enough to read the source of the plugin) would know.

I don't really like that he puts tracking javascript in his addons. Take a look at the source of this Facebook Disconnect addon, its at the bottom. Why don't people just write a simple bash script that toggles blocks for the facebook domains in the hosts file?

Can you link to that? The source of the extension is about a dozen lines and doesn't contain anything of the sort.


I'm sorry I was wrong. The file that the install button does not link to the addon like the Firefox addon site does, so saving the link is not the addon. I apologize.

Non programmers don't use bash scripts.

Heck, most programmers don't use bash scripts.

Edit: I'm sorry guys, I guess the file that the install button links to is not the addon itself like the Firefox addon site does, so saving it does not give you the addon. I'm retarded. He does not have tracking cookies, I apologize.

To my knowledge, you can't do any wildcards in a hosts file, and facebook already has a fair number of subdomains and can create more at will.

Applications are open for YC Summer 2018

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact