Facebook is tracking us all, even non facebook users
March 31, 2015 1:05 PM

Facebook tracks the web browsing of everyone who visits a page on its site even if the user does not have an account or has explicitly opted out of tracking in the EU, extensive research commissioned by the Belgian data protection agency has revealed.
posted by marienbad (63 comments total) 26 users marked this as a favorite
 
I've generally been assuming that Phase Omega of the Facebook Directive will be that you now pay Facebook $5/month to keep them from making your Facebook browsing history public. Guess you'll be paying it whether or not you even have an account, now.
posted by a manly man person who is male and masculine at 1:15 PM on March 31, 2015 [4 favorites]


Here's an AdBlock Plus rule I installed years ago I think might block the tracking:
||facebook.*$domain=~facebook.com|~127.0.0.1

A similar rule was suggested in this comment. Maybe someone more savvy than me can speak to this more, but the idea is to block connections to facebook.com unless on that domain. See also here with more rules to include fbcdn.com and the .net variants of both.
posted by exogenous at 1:15 PM on March 31, 2015 [9 favorites]
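How the rule quoted in the comment above decides what to block, as an added example that is not part of the original comment or of Adblock Plus itself. The evaluator is a simplified approximation covering only this filter shape (`||` anchor, `*` wildcard, exclusion-only `domain=`); the function names and the sample URLs are constructed for illustration.

```javascript
// Minimal evaluator for the one filter shape quoted above:
//   ||<host pattern>$domain=~a|~b
// Simplified approximation, not the full Adblock Plus filter syntax.
function parseFilter(rule) {
  const [pattern, options = ""] = rule.split("$");
  if (!pattern.startsWith("||")) throw new Error("only ||-anchored filters are handled");
  // Escape regex metacharacters, then turn the filter's "*" into ".*".
  const body = pattern.slice(2)
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  // "||" anchors at the start of the hostname or at a label boundary inside it.
  const url = new RegExp("^[\\w-]+:/+(?:[^/]+\\.)?" + body, "i");
  const excluded = [];
  for (const opt of options.split(",")) {
    if (!opt.startsWith("domain=")) continue;
    for (const d of opt.slice("domain=".length).split("|")) {
      if (!d.startsWith("~")) throw new Error("only ~exclusions are handled");
      excluded.push(d.slice(1).toLowerCase());
    }
  }
  return { url, excluded };
}

// A request is blocked when its URL matches and the page that issued it
// is not on an excluded domain (or a subdomain of one).
function isBlocked(filter, requestUrl, pageUrl) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const exempt = filter.excluded.some(
    (d) => pageHost === d || pageHost.endsWith("." + d));
  return !exempt && filter.url.test(requestUrl);
}

const FILTER = parseFilter("||facebook.*$domain=~facebook.com|~127.0.0.1");

// Constructed sample requests: [page that made the request, requested URL].
const SAMPLES = [
  ["https://news.example/article", "https://www.facebook.com/plugins/like.php"],
  ["https://news.example/article", "https://connect.facebook.net/en_US/all.js"],
  ["https://www.facebook.com/", "https://www.facebook.com/ajax/feed"],
  ["https://news.example/article", "https://static.ak.fbcdn.net/rsrc.php"],
  ["https://news.example/article", "https://news.example/img/facebook.png"],
  ["https://news.example/article", "https://facebook.example.org/widget.js"],
];

function evaluateSamples() {
  return SAMPLES.map(([page, req]) => isBlocked(FILTER, req, page));
}

SAMPLES.forEach(([page, req], i) =>
  console.log(evaluateSamples()[i] ? "BLOCK" : "allow", req, "from", page));
```

The fbcdn request passes, which is why the comment points to extra rules for those domains, and the `facebook.*` wildcard also catches any unrelated host whose name has a label starting with `facebook.`.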


Facebook is one of only thousands of sites that attempt to track you, many of which are 3rd parties who do so without you ever visiting "their site." Is there a buried story here, or is this not newsworthy?
posted by Ickster at 1:18 PM on March 31, 2015 [10 favorites]


LOLOPTOUT:
If you manage to navigate from the Facebook page about the privacy policy update, to the page about the DAA, to the Online Ad Choices Page, to the correct country, to the Your Ad Choices page and work out how to opt out of all of the individual companies then… then you will have had a cookie placed on your computer opting you out of advertising based on profiling.
The only way you can opt out across several devices is to repeat the exercise on each of your devices. And if you delete your cookies regularly, like many privacy-conscious users do, you need to go through the whole opt-out process again.
posted by Bangaioh at 1:19 PM on March 31, 2015 [3 favorites]


Kind of weird that they would qualify it as, "on its site." Facebook tracks you everywhere on the web that has those little "like" buttons, no matter if you don't have an account with them. I guess I should be thankful that they don't host any major JavaScript libraries for "free" like Google, or they could pretty much track all my browsing everywhere (*cough*metafilter*cough*).
posted by indubitable at 1:20 PM on March 31, 2015 [1 favorite]


I. Hate. Facebook.

It's as if we've all been cursed with an obnoxious vain stalker.
posted by bearwife at 1:23 PM on March 31, 2015 [13 favorites]


Facebook is one of only thousands of sites that attempt to track you, many of which are 3rd parties who do so without you ever visiting "their site."

Yeah for real. Sorry but data is being collected on you pretty much everywhere you go on the internet. If you clicked on that Guardian link you were hit with data collection pixels from Aggregate Knowledge, Bluekai, Audience Science, Datalogix, Liveramp, Nielsen and Comscore digital - all companies that sell data to advertisers.
posted by windbox at 1:25 PM on March 31, 2015 [14 favorites]


I love Facebook, I just wish it didn't love me quite so much that it wanted to follow me everywhere.

I use Ghostery and Adblock Edge to prevent this kind of thing on the desktop, but there are no good anti-tracking options for iOS. (There are various sucky anti-tracking options, no good ones).
posted by edheil at 1:27 PM on March 31, 2015 [2 favorites]


This is exactly why I deleted my Faceb.... aw, hell.
posted by resurrexit at 1:30 PM on March 31, 2015 [5 favorites]


The problem with the browser makers being tied to ad revenue is that they have no reason to build privacy into the browser.


There is no reason cookies need to be shared between websites for the typical web surfer.

There is no reason "super cookies" should be allowed or respected.

There is no reason they can't randomize the returned environment variables (font lists, etc...)

There is no reason that cookie management isn't made more privacy oriented (it's either all or nothing for keeping or deleting)


Why doesn't each browser tab have its own disposable context / environment that goes away at the end of the session.

I'm sure the back end folks can figure ways around this (based on IP and whatnot)


This is going to take privacy legislation AND technical solutions.
posted by bottlebrushtree at 1:38 PM on March 31, 2015 [3 favorites]


I use facebook block, a FF add-on that blocks all things FB. I have no idea if it actually works, but it claims that it does.
posted by If only I had a penguin... at 1:39 PM on March 31, 2015


Why doesn't each browser tab have its own disposable context / environment that goes away at the end of the session.

The incognito mode in Chrome, the private windows in Safari & Firefox do this; the problem is that they're inconvenient because they require users to enter passwords over and over again.

Maybe what's needed is for something that creates a new sandboxed session with some kind of state (some default cookies, some passwords stored or whatever) that doesn't allow for the option to persist any changes to state of the sandbox you're playing in?
posted by elsp at 1:45 PM on March 31, 2015 [1 favorite]


Third-party marketing scripts are a hell of a drug. Everybody thinks just one more can't hurt, next thing you know, your page weight has ballooned out of control because somebody thought it would be cool to ADD ALL THE TRACKERS. (It is no surprise the average page gets bigger every year.)

It's to the point now where Ghostery's business is tracking marketing scripts at the enterprise level, because nobody knows how many they have.
posted by fifteen schnitzengruben is my limit at 1:48 PM on March 31, 2015 [4 favorites]


I let the 10,000 monkeys out of the cage, randomly, once or twice a 24 hour cycle, to use my browser.

If I can't fight 'em, I may as well confuse 'em.
posted by infini at 1:48 PM on March 31, 2015 [2 favorites]


The problem with the browser makers being tied to ad revenue is that they have no reason to build privacy into the browser.

The Tor Browser is an attempt to do just that.
posted by Bangaioh at 1:50 PM on March 31, 2015 [1 favorite]


I assume uBlock + Ghostery pretty much cover 95% of the analytics that Google/Facebook/Amazon/et al. can try to glean from you?
posted by vuron at 1:55 PM on March 31, 2015


Sort of related, I notice that when I switch out of FB to email or another app on my phone that the phone regularly tells me that FB is doing something with my location. The message I get from the little blue bar is clearly the old "you have no privacy from FB; get over it".
posted by immlass at 1:56 PM on March 31, 2015


I assume uBlock + Ghostery pretty much cover 95% of the analytics that Google/Facebook/Amazon/et al. can try to glean from you?

I kind of doubt it.
posted by brennen at 2:03 PM on March 31, 2015 [4 favorites]


I guess this genie is fully and completely out of the bottle. Time to move on to the next losing battle!
posted by The Card Cheat at 2:04 PM on March 31, 2015 [1 favorite]


Aaaand this is why I have never, ever, ever used or visited Facebook on my phone and only turn on GPS when I need to use the maps. So yeah, they probably know more about my web browsing than I do and have a complete record of my every move, accurate to the millimeter, for as long as I've owned this device. Probably longer.
posted by sexyrobot at 2:13 PM on March 31, 2015 [1 favorite]


I noticed after the most recent software update on my android phone that I could not uninstall the Facebook app. I don't use it, but I also do not seem to be allowed to get rid of it. I found this disturbing enough to decide to delete my FB account and never look back.
posted by Golem XIV at 2:16 PM on March 31, 2015


brennen: “I assume uBlock + Ghostery pretty much cover 95% of the analytics that Google/Facebook/Amazon/et al. can try to glean from you?

I kind of doubt it.”
Yeah, even with JavaScript disabled Panopticlick tells me my browser setup is 1 in more than 700,000. Still, disallowing JS and running Ghostery can't hurt.
posted by ob1quixote at 2:17 PM on March 31, 2015


I assume uBlock + Ghostery pretty much cover 95% of the analytics that Google/Facebook/Amazon/et al. can try to glean from you?

Yep - Panopticlick, linked to by brennen above, shows why device fingerprinting is even more effective for advertisers in identifying you:

Today, the most popular extension to Mozilla’s Firefox browser is AdBlock Plus, which rejects both ads and third-party cookies used for tracking. And recently developed tools like Ghostery and Mozilla’s Lightbeam reveal the number of trackers on each website and show how these trackers collaborate between seemingly unrelated sites. Finally, recent studies have shown that a large percentage of people delete their browser cookies on a regular basis, a fact that points to their having at least some understanding of how cookies can compromise privacy online.

But when people started deleting their cookies, the companies involved in tracking didn’t just roll over.

posted by ryanshepard at 2:20 PM on March 31, 2015 [3 favorites]


So it looks like system fonts and browser plug-ins are the unique bits from a browser fingerprinting perspective. Just create a plugin to spoof, pad or re-arrange those values with random bits on each request and, bam, foiled.
posted by grumpybear69 at 2:25 PM on March 31, 2015 [2 favorites]


all companies that sell data to advertisers

OKAY BUT how does this actually affect me if I use adblock and basically never see any ads much less personally targeted ones? I would be more concerned if facebook was selling info about my $15 chzbrgr habit to my health insurance company, which tbh I am certain they are doing anyway by this point but I try not to think about it too much.
posted by poffin boffin at 2:35 PM on March 31, 2015 [1 favorite]


Within our dataset of several million visitors, only one in 5,528 browsers have the same fingerprint as yours.

Oh dear. Time for some jiggery pokery.

AJAX has a lot to answer for.

Accidental replacement of HTTP bit here
posted by infini at 2:40 PM on March 31, 2015


remember, if it is free, you are the product.
posted by Ironmouth at 2:43 PM on March 31, 2015 [6 favorites]


HTTP_ACCEPT Headers are how your browser tells a server what kind of content you are OK with receiving. They are (at least in theory) super useful for keeping things accessible to blind or deaf users, and supporting browsers with different degrees of fanciness.
posted by idiopath at 2:45 PM on March 31, 2015 [1 favorite]


if it is free, you are the product

This'd be slightly more comforting if we had the option to pay.
posted by CrystalDave at 2:45 PM on March 31, 2015 [7 favorites]


So it looks like system fonts and browser plug-ins are the unique bits from a browser fingerprinting perspective.

There are others, e.g. the user agent string, screen resolution, time zone, and cookies settings - see the EFF's 2010 "How Unique is Your Web Browser?" [PDF]. Mobile device sensors / GPS and minute, typically unique sensor imperfections are also an important vector for fingerprinting, something advertisers are already working to exploit.
posted by ryanshepard at 2:46 PM on March 31, 2015 [1 favorite]
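What the "one in N browsers" figures quoted in this thread measure, as an added example that is not part of any comment and is not Panopticlick's code. It counts how many browsers in a small constructed population share a fingerprint, converts that to bits of identifying information, and shows the effect of changing only the user agent and plugin list while the other attributes listed above stay visible; all names and data are illustrative assumptions.

```javascript
// Constructed sample population (not real measurements): one row per browser.
const ATTRS = ["userAgent", "screen", "timezone", "plugins"];
const POPULATION = [
  ["Firefox 36 / Windows 7", "1920x1080", "UTC-5", ""],
  ["Firefox 36 / Windows 7", "1920x1080", "UTC-5", ""],
  ["Firefox 36 / Windows 7", "1366x768", "UTC-5", "Flash"],
  ["Firefox 36 / Windows 7", "1920x1080", "UTC+1", "Flash"],
  ["Chrome 41 / Windows 7", "1920x1080", "UTC-5", "Flash,PDF"],
  ["Chrome 41 / Windows 7", "1366x768", "UTC+1", "Flash,PDF"],
  ["Chrome 41 / OS X", "1440x900", "UTC-8", "Flash,PDF"],
  ["Firefox 31 / Linux", "1600x900", "UTC+2", "Flash,Java,VLC"],
].map((row) => Object.fromEntries(ATTRS.map((a, i) => [a, row[i]])));

// Anonymity set: how many browsers report the same values as `target`
// for every attribute in `attrs`.
function anonymitySet(pop, target, attrs = ATTRS) {
  return pop.filter((b) => attrs.every((a) => b[a] === target[a])).length;
}

// "One in N/k browsers" corresponds to log2(N/k) bits of identifying information.
function bits(pop, target, attrs = ATTRS) {
  return Math.log2(pop.length / anonymitySet(pop, target, attrs));
}

// Per-attribute and combined figures for one browser.
function report(pop, target) {
  const perAttr = Object.fromEntries(
    ATTRS.map((a) => [a, bits(pop, target, [a])]));
  return {
    perAttr,
    combinedBits: bits(pop, target),
    oneIn: pop.length / anonymitySet(pop, target),
  };
}

// The same population after browser `index` switches to the most common
// user agent and reports an empty plugin list; screen and time zone are
// left as they were.
function withCommonUaAndNoPlugins(pop, index) {
  const copy = pop.map((b) => ({ ...b }));
  copy[index].userAgent = "Firefox 36 / Windows 7";
  copy[index].plugins = "";
  return copy;
}

console.log("common setup:", report(POPULATION, POPULATION[0]));
console.log("unusual setup:", report(POPULATION, POPULATION[7]));

const hardened = withCommonUaAndNoPlugins(POPULATION, 7);
console.log("after override, UA+plugins only:",
  anonymitySet(hardened, hardened[7], ["userAgent", "plugins"]), "browsers match");
console.log("after override, all attributes:",
  anonymitySet(hardened, hardened[7]), "browser matches");
```

Per-attribute bits do not simply add up because attributes are correlated, and an override that blends in on two attributes leaves the browser just as unique once screen size and time zone are included.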


Your browser fingerprint appears to be unique among the 5,163,008 tested so far.

Yeah, I kind of expected this was the case. So what does one do about that?
posted by If only I had a penguin... at 2:46 PM on March 31, 2015


Thanks idiopath, I accidentally ranted on top of my own question because I started reading the linked PDF and it gave me a partial answer but not as clear and succinct as yours. Thanks be to number one for the metafilter.
posted by infini at 2:47 PM on March 31, 2015


I'm using similar AdBlock+ rules but they appear outdated now. Anyone know good current rules for blocking facebook on non-facebook sites?
posted by jeffburdges at 2:57 PM on March 31, 2015


Isn't this how our little not-so-Infinite Fun Space funds, in an aggregate mold-like sense, its own continued existence?

Some sort of publicly funded internet would have been great but we're stuck with the thing the capitalists foisted on us. Damage control for those at risk of harm from someone/thing seems like the only response? Maybe?
posted by Slackermagee at 3:12 PM on March 31, 2015


People are so precious.
posted by dry white toast at 3:14 PM on March 31, 2015


Bless the EU Privacy people for continuing their work. It really is the height of arrogance for Facebook to be tracking people who explicitly opt out of Facebook tracking. Not to mention illegal.

Ghostery really is worth running if this stuff interests you. The tracker-blocking mode causes bugs with enough frequency to be a real problem. But in passive mode it just counts up the little trackers all over the world. This very page on Metafilter has 3: ChartBeat, Quantcast, Google Analytics. A sleazy site like Huffington Post has 20.

The article mentions Privacy Badger; that's a new one on me. It's by EFF. It does some interesting things differently from Ghostery and friends, it looks to be a bit smarter.
posted by Nelson at 3:49 PM on March 31, 2015 [4 favorites]


You can choose to accept cookies, but not third party cookies. I took a look at Al Jazeera for the first time a couple of days ago. My android device went crazy trying to get me to do all kinds of stuff, setting off beeping alarms, trying to hold open a window until I did what "they" thought I should do to protect my phone. I just cleared my private data in spite of it all and went back to browsing. Facebook is full of all kinds of people who fall for all kinds of data mining. I avoid quizzes, unfollow anyone but my besties, or slow posters. I change my passwords frequently, and post poetic nonsense, pictures of water. My tax dollars at work sponsoring corporate voyeurism.
posted by Oyéah at 4:21 PM on March 31, 2015


What about using multiple user profiles in a browser? For example, in the desktop version of Chrome one can create a profile for logging into a webmail account and nothing else. Another profile could be for FB, etc.

I know this only partially addresses the issues raised in the article, but would this be an effective way to isolate sites from knowing about your other browsing habits? And do we know if Chrome really does treat different profiles as if they're separate users?
posted by theory at 4:27 PM on March 31, 2015


And Verizon is inserting tracking IDs to all your mobile traffic to uniquely identify you as well

https://www.eff.org/deeplinks/2014/11/verizon-x-uidh
posted by bottlebrushtree at 4:42 PM on March 31, 2015 [1 favorite]


theory: I'd be more likely to trust Chromium, which is a "degoogled" Chrome (though part of the Chrome project, it lacks the tracking stuff that the Chromium browser has built in).
posted by idiopath at 4:45 PM on March 31, 2015 [2 favorites]


> Within our dataset of several million visitors, only one in 5,528 browsers have the same fingerprint as yours.

Oh dear. Time for some jiggery pokery.


That's actually a good result all things considered, it means lots of other people have identical browser fingerprints by EFF's metrics (a truly bad result would be a unique one, like If only I had a penguin...'s). Of course, the EFF test probably doesn't account for all possible fingerprintable info, and adding those and/or your IP address might still be enough to uniquely identify you online.


> So what does one do about that?

If you're willing to put up with higher latency, less bandwidth and a lot of captchas, using the Tor Browser would reduce your fingerprintability and provide IP anonymity.
posted by Bangaioh at 4:48 PM on March 31, 2015


Yeah, but ob1quixote has 1 in more than 700,000

Otoh, EU privacy laws apply to me, what else can I do other than slavishly follow mikko on twitter
posted by infini at 4:54 PM on March 31, 2015


The downside of Tor is that it's become a honeypot.
posted by infini at 4:55 PM on March 31, 2015


Don't use all kinds of blockers, all kinds of cookie erasing, etc... The more you hide, the more unique you get. Instead, spend five minutes every day open to ESPN, twenty minutes clicking through schlock at Perez Hilton, half an hour at Fox News, start purchasing 2 bunches of bananas every week from Amazon. If we all commit to that, our uniqueness vanishes in obscurity. Unique is unique. What you don't look at tells me just as much if not more about you once you do something I can track.

Be the product. Own what you are. And give them as little to differentiate you from everyone else as possible. It is the only way to hide from them.
posted by Nanukthedog at 4:58 PM on March 31, 2015 [2 favorites]


infini: “Yeah, but ob1quixote has 1 in more than 700,000

Otoh, EU privacy laws apply to me, what else can I do other than slavishly follow mikko on twitter”
Yes, but if I allow JavaScript I get the dreaded, "Your browser fingerprint appears to be unique among the 5,163,774 tested so far." At least part of that is because of the extensions I have installed I guess. I haven't installed any fonts on this computer.

It's a giant pain in the ass to disallow JS by default, because every website wants to use JS for everything. Plus, they insist on hosting every script on its own domain. Video sites are the worst, because you wind up having to take multiple trips through the No Script window to figure out the magic combination of sites to allow scripts from. However the alternative is to be uniquely trackable.

If there were a tool I could use that gave me script-by-script control, that's what I'd use. For now, domain-by-domain is what I have to live with.

In conclusion, please open your MeFi hymnals to page 404 and join me in the first verse and a rousing chorus of, “Oh, How I Loathe The 21st Century.”
posted by ob1quixote at 5:50 PM on March 31, 2015 [2 favorites]


If there were a tool I could use that gave me script-by-script control, that's what I'd use. For now, domain-by-domain is what I have to live with.

You want uMatrix. Seriously, this is *the best thing* for fine-grained privacy controls. Bonus: It's much more lightweight than Adblock Plus, while being more powerful. (Especially when combined with uBlock)
posted by CrystalDave at 5:55 PM on March 31, 2015 [3 favorites]


But I already use NoScript.

Anyone know how NoScript's userbase breaks down across the same matrix of ID that EFF is using?
posted by infini at 6:21 PM on March 31, 2015


I found one quick and dirty way to double the pool but it broke my Metafilter experience. So well then that's that.
posted by infini at 6:35 PM on March 31, 2015


> Facebook is one of only thousands of sites that attempt to track you, many of which are 3rd parties who do so without you ever visiting "their site." Is there a buried story here, or is this not newsworthy?

If they are doing this they are disobeying the law. To me, it IS news that Facebook is a deliberate scofflaw in the EU, and the technical details are also interesting. If you had some secret conduit that told you this earlier, well...
posted by lupus_yonderboy at 6:37 PM on March 31, 2015


there are no good anti-tracking options for iOS. (There are various sucky anti-tracking options, no good ones).

For anyone interested, 1. Jailbreak. 2. Install Untrusted Hosts Blocker or alternately replace the hosts file right in the file system with various ad-blocking versions found on the net. 3. Consider the Firewall for catching mobile-specific tracking stuff not covered in hosts. 4. Consider the Adblocker, but if you have the previous two it is largely redundant and only has an effect in Web views.

If you can't jailbreak, use apps like Ghostery or "Disconnect".
posted by sylvanshine at 7:19 PM on March 31, 2015


I thought FakeBlock was supposed to take care of this, George Michael
posted by TheClonusHorror at 8:08 PM on March 31, 2015


Here's what I do in Firefox to try and balance privacy with convenience:
  • Install AdBlock Plus and Privacy Badger.
  • Set general.useragent.override in about:config to something common, like "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0" (Firefox 36 on Windows 7 x64)
  • Set plugins.enumerable_names to an empty string (this blocks Panopticlick's "Browser Plugin Details").
  • Disable Java. If you don't program in it yourself, and don't run something like Minecraft that needs the JRE, then uninstall it.
  • Set all plugins, especially Flash, as "Ask to Activate". This prevents plugin exploits, like enumerating system fonts. You can also add the line "DisableDeviceFontEnumeration = 1" to the mms.cfg Flash config file to specifically prevent this (mine is at C:\Windows\SysWOW64\Macromed\Flash\mms.cfg).
  • If you don't mind sites asking permission to run Javascript the way they do for plugins, install NoScript.
I found some other tips here, for things like hiding referrer information, disabling cookies, and so on. How far to take this depends on how badly you need privacy, of course: are you just trying to stop Google/Facebook/Amazon from building an ad profile of you, or do you want to be completely unidentifiable? For the far end of privacy needs, there's Tails, a whole operating system that runs all internet traffic through Tor and boots off a USB drive so as not to leave recoverable data on a hard disk.
posted by Rangi at 8:11 PM on March 31, 2015 [6 favorites]


I spend a lot of my time in the toilet so they are welcome to as much data about that as they like.
posted by turbid dahlia at 8:19 PM on March 31, 2015


Anyone know good current rules for blocking facebook on non-facebook sites?

Add "Fanboy's Annoyance List" to your adblocker plugin. It's blocked 9000 buttons from the big three tracking sites social media companies just since I reset the stats a few months ago.
posted by sylvanshine at 8:35 PM on March 31, 2015 [1 favorite]


CrystalDave: “You want uMatrix. Seriously, this is *the best thing* for fine-grained privacy controls. Bonus: It's much more lightweight than Adblock Plus, while being more powerful. (Especially when combined with uBlock)”
You think? Because that seems like it's still based on domains. I'd like to be able to choose which individual scripts to allow.
posted by ob1quixote at 8:39 PM on March 31, 2015


I use the Random Agent Spoofer plugin with Firefox. It supposedly spoofs your operating system, browser, and many other system giveaways like fonts, time zone, and others that Panopticlick measures.

My problem is that I have too many blockers installed and wonder if they interfere with each other, or what pared down list would still be as effective as possible.

...And then there is the leak, from Ed Snowden I think, that NSA, GCHQ, and likely all the other evil alphabets track every time any user installs privacy/security apps or visits websites about privacy and security, and then monitors them even more closely.
posted by blue shadows at 9:13 PM on March 31, 2015 [1 favorite]


> I'd like to be able to choose which individual scripts to allow.

For Firefox you may try LibreJS. Good luck!


> NSA, GCHQ, and likely all the other evil alphabets track every time any user installs privacy/security apps or visits websites about privacy and security, and then monitors them even more closely.

Not that much of a problem as soon as a large enough number of people do it, then you'll be like anybody else.


> device fingerprinting is even more effective for advertisers in identifying you

Indeed, and if people are not careful it defeats every other measure they have taken.

You may install all kinds of ad-blockers to stop Facebook, etc from tracking your normal browsing, but then you go to Amazon to buy a book and have it posted to your real address with the same "privacy-enhanced" browser. All Amazon has to do now is to cross-check the unique IP and/or browser fingerprint that just purchased the book with their records from sites you visit that serve content through their cloud services and that you are forced to whitelist because otherwise the site won't work at all. And then they share that profile of you with Google, who has all your email and knows lots of other sites you also visit that use ajax.googleapis.com. Bye bye, privacy.
posted by Bangaioh at 5:49 AM on April 1, 2015




Even if we can't stop it or must learn to live with it, is there any way to tell if you've fallen under the spotlight?
posted by infini at 4:33 AM on April 2, 2015


Absolutely none. Actually that's the whole point of information asymmetry.

The short term solution is to take back our privacy with radical technological tools, like Tor, Pond, etc. And browser extensions that defeat trackers, cookie, fingerprinting, etc. for the high bandwidth items like movies, porn, music, etc. for which Tor is too slow.

The long term solution is to reverse the information asymmetry with radical transparency. We cannot allow powerful organizations like governments and multinational companies to keep their regular operations secret anymore.
posted by jeffburdges at 6:13 AM on April 2, 2015 [1 favorite]


Twitter recently asked me for government ID. It's been a few days now, and while I've had weird things happening to my actual Twitter experience, there's been no official response to either the ID submitted for verification (there was an illiterate imposter) nor issue reported.

Now I wonder if the whole was simply social engineering.
posted by infini at 6:28 AM on April 2, 2015


An update on Microsoft’s approach to Do Not Track: they will no longer set DNT: 1 by default. The hope is this will make a DNT header look like a stronger statement of user intent, thereby putting more weight to the request. I had thought DNT was entirely dead because of this issue, but it turns out a few big sites support it, including Twitter and its ads as well as Pinterest. EFF's policy about DNT is worth a read.
posted by Nelson at 1:29 PM on April 3, 2015


There is no reason they can't randomize the returned environment variables (font lists, etc...)
Just found this, not quite the same thing but pretty exciting "Chameleon is a Chrome privacy extension that detects fingerprinting-like activity, and protects against fingerprinting, currently by making Chrome look like Tor Browser."

Without it, my browser looks similar to 1 in 5.1 million others according to panopticon. With it, my browser looks similar to 1 in 3400. Magic!

It looks like INRIA is collecting statistics for making a similar, randomized version.
posted by fivebells at 6:48 PM on April 3, 2015 [1 favorite]




This thread has been archived and is closed to new comments