Logging out of Facebook is not enough (nikcub.appspot.com)
475 points by nikcub on Sept 25, 2011 | 120 comments



These are the AdBlock Facebook rules you want:

  ||facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
  ||facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
  ||fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
  ||fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
The key is to allow FB's CDN when on FB, but to disallow it and everything else when not on FB.
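An added example (not from the thread or from AdBlock itself) that models how the four `||host^$domain=~…` filters above are evaluated, so the allow-on-FB / block-elsewhere behaviour can be checked against concrete request and page URLs. It only handles the `||host^` pattern form and the `domain=` option; paths and other option types are out of scope.

```python
import re
from urllib.parse import urlsplit

# The four filters posted above, copied verbatim.
FB_RULES = [
    "||facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
    "||facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
    "||fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
    "||fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
]


def host_under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


class HostRule:
    """A filter of the form ||host^$domain=a|~b, evaluated on the request
    host only (this model ignores paths and other option types)."""

    def __init__(self, text):
        pattern, _, options = text.partition("$")
        if not pattern.startswith("||"):
            raise ValueError("only ||host^ filters are modelled: " + text)
        body = pattern[2:].rstrip("^")
        # '||' anchors at a domain boundary: foo.com and www.foo.com match,
        # notfoo.com and foo.com.evil do not. An AdBlock '*' matches anything.
        escaped = re.escape(body).replace(r"\*", ".*")
        self._host_re = re.compile(r"^(?:.*\.)?" + escaped + r"$")
        self.include, self.exclude = [], []
        for opt in (options.split(",") if options else []):
            if opt.startswith("domain="):
                for d in opt[len("domain="):].split("|"):
                    target = self.exclude if d.startswith("~") else self.include
                    target.append(d.lstrip("~"))

    def applies_on(self, page_host):
        """Does the $domain= option let this rule fire on a page at page_host?"""
        if any(host_under(page_host, d) for d in self.exclude):
            return False
        return not self.include or any(host_under(page_host, d) for d in self.include)

    def matches_request(self, request_host):
        return self._host_re.match(request_host) is not None


def is_blocked(request_url, page_url, rules=FB_RULES):
    """Would a request for request_url, issued by a page at page_url, be blocked?"""
    req_host = urlsplit(request_url).hostname or ""
    page_host = urlsplit(page_url).hostname or ""
    compiled = [HostRule(r) for r in rules]
    return any(r.applies_on(page_host) and r.matches_request(req_host) for r in compiled)


if __name__ == "__main__":
    # Constructed sample URLs: the CDN is allowed on facebook.com, a Like
    # button on an unrelated blog is not.
    print(is_blocked("https://static.ak.fbcdn.net/rsrc.php/x.js", "https://www.facebook.com/"))
    print(is_blocked("https://www.facebook.com/plugins/like.php", "https://somerandomblog.com/post"))
```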


What are the ramifications of doing this? Is all explicit sharing also disabled?


It means Facebook lives on Facebook.com only.

If you need it to appear anywhere else temporarily then you use the AdBlock switch to temporarily whitelist a site or domain.


You can always use what I call "old school" sharing - just copy & paste the relevant URL in a status update.


In Chrome 15 there's a flag (in about:flags) to disable third-party cookies from being read:

  Block all third-party cookies.

  When the option to block third-party cookies from being set 
  is enabled, also block third-party cookies from being read.
(Don't forget to activate blocking in Preferences > Under The Hood > Content Settings... > Cookies.)


But then some sites stop working, like Twitter and even some parts of Google :(


Could you elaborate?

I routinely run with only direct cookies permitted (no third party ones) and with all cookies except those I have explicitly whitelisted being deleted each time my browser is closed.

I am not aware of any problem this has caused me for a long time, including on the sites you mentioned. Maybe there is some useful feature I'm not seeing at all because of the cookie restrictions I impose, but maybe they've just got better over time at not relying on cookies for things they shouldn't?


> maybe they've just got better over time at not relying on cookies for things they shouldn't?

It may be that. I just tried and Twitter is working perfectly without third-party cookies. Some months ago it didn't allow me to log in.

With Google I had a similar problem, I couldn't log in to my Google Account on sites that weren't the search engine (Docs, YouTube, etc). I just tried them, and again, it seems that it works now.

I use Chrome stable. Maybe something changed in the management of third-party cookies in recent releases?


I would suspect it has something to do with Safari (Mobile at least) having third party cookies disabled by default.


Safari help says "Select to reject cookies from advertisers and from “third parties”—websites other than those you open. This might help prevent certain advertisers from storing cookies on your computer."

This might mean that they reject third-party cookies from being set, but not from being read. That is, once you get a cookie (e.g. signed in to Facebook), every other request to Facebook (even if it's through the "Like" button) will also send your cookie.

The flag that appeared in the latest Chrome beta specifically disables sending of cookies to third parties, even if you have them.
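An added model (not code from the thread, nor from any browser) of the distinction made in this post and the Firefox discussion further down: a cookie jar under three policies, "allow", "block third-party cookies from being set", and "also block them from being read". The simulation logs in on facebook.com, logs out the way the thread describes it (auth cookies cleared, `datr` left behind), then loads a Like widget from another site. Cookie names `datr`, `xs` and `c_user` are the ones named in the thread; their values and the `fr` cookie name are constructed, and `site_of` uses a two-label approximation instead of the Public Suffix List.

```python
from urllib.parse import urlsplit


def site_of(host):
    """Registrable site of a hostname. Assumption for this model: the last two
    labels (real browsers consult the Public Suffix List)."""
    return ".".join(host.split(".")[-2:])


class CookieJar:
    """Minimal cookie jar modelling three third-party policies:
    'allow', 'block_set' (third parties may not set cookies, but cookies
    already present are still sent) and 'block_set_and_read'."""

    def __init__(self, policy="allow"):
        assert policy in ("allow", "block_set", "block_set_and_read")
        self.policy = policy
        self.cookies = {}  # (domain, name) -> value

    @staticmethod
    def _third_party(request_url, top_url):
        return site_of(urlsplit(request_url).hostname) != site_of(urlsplit(top_url).hostname)

    def store(self, request_url, top_url, name, value, domain=None):
        """Handle a Set-Cookie from request_url while top_url is in the address bar.
        value=None stands for an expiring Set-Cookie (Max-Age=0). Returns whether
        the jar accepted it."""
        if self.policy != "allow" and self._third_party(request_url, top_url):
            return False
        domain = (domain or urlsplit(request_url).hostname).lstrip(".")
        if value is None:
            self.cookies.pop((domain, name), None)
        else:
            self.cookies[(domain, name)] = value
        return True

    def cookie_header(self, request_url, top_url):
        """Cookies the browser would attach to request_url from a page at top_url."""
        if self.policy == "block_set_and_read" and self._third_party(request_url, top_url):
            return {}
        host = urlsplit(request_url).hostname
        return {name: v for (dom, name), v in self.cookies.items()
                if host == dom or host.endswith("." + dom)}


def simulate(policy):
    """Login, logout, then a third-party widget load; returns what Facebook
    would still receive and whether the widget could set a new cookie."""
    jar = CookieJar(policy)
    fb = "https://www.facebook.com/"
    # First-party login: machine id, session and user-id cookies (constructed values).
    jar.store(fb, fb, "datr", "MACHINE-ID-constructed", domain=".facebook.com")
    jar.store(fb, fb, "xs", "SESSION-constructed", domain=".facebook.com")
    jar.store(fb, fb, "c_user", "USER-ID-constructed", domain=".facebook.com")
    # Logout as described in the thread: auth cookies cleared, datr left in place.
    jar.store(fb, fb, "xs", None, domain=".facebook.com")
    jar.store(fb, fb, "c_user", None, domain=".facebook.com")
    # Third-party load of a Like button embedded on an unrelated blog.
    widget = "https://www.facebook.com/plugins/like.php"
    page = "https://somerandomblog.com/post"
    sent = jar.cookie_header(widget, page)
    set_ok = jar.store(widget, page, "fr", "NEW-constructed", domain=".facebook.com")
    return {"sent": sorted(sent), "third_party_set_allowed": set_ok}


if __name__ == "__main__":
    for policy in ("allow", "block_set", "block_set_and_read"):
        print(policy, simulate(policy))
```

Only the read-blocking policy stops the left-over machine identifier from riding along on the widget request; set-blocking alone changes nothing for a cookie that was planted while the user was on facebook.com.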


The +1 Chrome extension (https://chrome.google.com/webstore/detail/jgoepmocgafhnchmok...) doesn't work with third-party cookies disabled.


I use Safari and that is the default setting, and I have not had any issues at all ... could you provide more information?


Isn't Safari's option the same as Chrome's main "Block third-party cookies from being set"?

Chrome's about:flags option also blocks third-party cookies from being read.


Thanks for the tip! Anything equivalent for Firefox (and maybe IE and Opera too)?


In the Firefox preferences go to the Privacy tab and select Use Custom Settings for History in the History section. From there you will see the check box to accept 3rd party cookies. Keep in mind this will prevent webmasters from using things like Google Analytics, which you may want anyway, but I thought it was worth mentioning.


Are you sure that setting "Accept cookies" to "off" will prevent third-party sites from reading cookies as well?


Based on the small amount of testing I did on a couple of versions of Firefox, disallowing third party cookies means only websites you are directly visiting can read or write any cookies.

So if you go to facebook.com and it sets some cookies and later you go to somerandomblog.com that has some images from facebook.com, Firefox will not send cookies to facebook.com, since you are not visiting it directly.

Now obviously if somerandomblog.com has javascript from facebook.com on it, then that javascript can read cookies from somerandomblog.com and do pretty much anything it wants with that page.


Good question and I'm not sure. I would guess that if it doesn't accept them then it wouldn't read them either. The first step in the cookie transaction would be to check whether that cookie already exists (an attempt to read the cookie). It would seem easiest to stop that process at that point based on user preferences rather than just programming it to check at the actual write time.

This is all speculation though.


But once you sign in to Facebook, you have the cookie, so the browser will send it if there's no read blocking.


Cookies can still be read if this is set to "off."


I use Cookie Monster (https://addons.mozilla.org/en-US/firefox/addon/cookie-monste...) as it allows more dynamic blocking of cookies.


Facebook Blocker for all common browsers: http://webgraph.com/resources/facebookblocker/


not compatible with Firefox 6.0.2


Opera: Preferences (Ctrl+F12) -> Advanced -> Cookies -> Accept cookies only from the site I visit.


I blackhole facebook.com at the domain level using pdnsd:

  neg { name=facebook.com; types=domain; }

I have no idea why people are so eager to give away their privacy to Facebook and others to sell and whore-out to the highest bidder. It's akin to getting a handful of bright, pretty beads for your property.


What sort of sales and whoring-out has Facebook done? Is there really any value in one's social graph, or do we just hope there is so we can hate Facebook for being evil instead of for making us realize how dumb our friends are?


As someone who's bought a ton of advertising on Google, and some on Facebook, there is a hell of a lot of value in the social graph.

With Google you bid contextually, that is, you are guessing that because the page is about (for example) "The Beatles" that the people there are interested in The Beatles. This is generally right. But, you have no idea about the demographics of the viewers. Just knowing if someone is under 18 or over 21 pretty much means whether or not they have any ability to purchase your product after clicking your ad. And these demographic/behavioral trends go much deeper.

On Facebook you buy an ad based on the users' demographics (age, gender, etc.) and what they explicitly said they were interested in. Most people don't list every single interest. Facebook, by pulling in all this external data, now has a shitload more stuff advertisers can target ads on. Instead of targeting the tiny fraction of people who put "The Beatles" as their interest, now advertisers will be able to target users that are likely interested in The Beatles because they do things like listen to The Beatles every week, or all their friends listened to The Beatles this month.

It's very likely that Facebook will be able to beat Google's CPMs with this deep targeting ability. Whether or not it's planned, I expect that Facebook will attempt to syndicate their advertising and compete directly with Google.

Users should be very concerned. Advertisers can figure out a lot about you based on you clicking an ad that they targeted to a narrow set of specifications. You might think the ad is about free iPods but it's really only being displayed to users that met a certain set of criteria. This can and will be abused. To a limited extent it already is.

Back when Facebook first rolled out their ad network, there was an advertiser or two who figured out you could target females that were engaged, and by insulting their weight get them to buy their weight loss pills.

As you can imagine, Google needs a large Google+ user base so they can build their own data set to sell ads based off of.

Ironically the next Facebook killer social network will likely have the main selling point of privacy. I'd sign up. Google + is not it.


> Is there really any value in one's social graph

If there is value in the graph, then the protection works. If there isn't value, then this is a fail-safe.


You don't want Facebook to post an announcement saying "I am watching a video on makeMEpleasure.xxx, and I like it because I visit this website ten times per day." or have Facebook recommend you potential same-flavor friends or pages, which include something making more guys happy.


The more data we have about a user's behavior the more useful it is potentially for predicting future behavior; whether it's how likely they are to buy brand x from store y or who they will vote for in the next election, and how they influence their friends and family (or vice versa).

Right now machine learning is still a niche area for the majority of programmers. Looking at open source software landscape for ml, this is slowly changing. It's only a matter of time before people make breakthrough applications (that is if they haven't already).


I don't get why it's a big deal if Facebook knows who you're going to vote for or what brands you might buy.

I suppose that because people buy or vote for what they're told to buy or vote for, this will let those wanting to influence people more effectively spend their money. But the solution to that is not AdBlock, it's education. Smarter people mean less susceptibility to manipulation, which is what we are really trying to achieve, right?


> I don't get why it's a big deal if Facebook knows who you're going to vote for or what brands you might buy.

It depends on who buys the data and / or the interpretation of that data from them. Just imagine a country like China buying it to predict who will become a subversive and arresting them before anything happens, something akin to pre-cog crime. When I think about it, we can probably already do this somewhat accurately with all the data we can collect right now. We have all the tools: open (and affordable proprietary) ML software, open big data frameworks (hadoop, storm, actor model, cassandra), as well as the cloud (AWS, Rackspace). People just need a comprehensive set of data.

> Smarter people mean less susceptibility to manipulation, which is what we are really trying to achieve, right?

Not necessarily, you can't constantly consciously fight thousands of years of evolution; but that's another topic.


So the reason why Americans shouldn't use Facebook is because it's possible that some rogue government somewhere might oppress its people? Those governments seem to be doing a pretty good job already without Facebook's help.

Then there's the argument that in 30 years the US will be one of these countries, too. I wonder why people are so afraid of this, but not of the small chance that they'll be hit by a meteor when they go outside tomorrow to go to work. They've been hit by a meteor exactly as many times as their government has used a "social graph" to oppress them, after all.


For most of human history most people in the world lived under tyranny. In that light the freedoms we enjoy in the USA are a pretty small blip in the data. Why do we think it will always be so, especially with so many people apparently unconcerned about the unprecedented ability of both commercial and government organizations to accurately profile the public/citizens?


To be fair, the San Francisco BART protests come to mind when you talk about recent examples of government oppression. On the other hand, I don't know of anyone who has been hit by a meteor.


That's just one obvious example. As for your analogy, that's like saying people were already doing a great job communicating via phone and email, what's the point of IM, twitter, or social networks in general?

You're vastly underestimating the potential value of access and storage of more and more precise behavioral data combined with the innovation of a startup vs the stodgy, uncreative, stubborn ways of both old world telecom and finance corporations. Back then, even with access to people's purchasing data and past addresses, I would have had to do a lot more work and ask for larger increases to our budget to figure out people's relationships as well as non-purchasing behavioral data aside from traffic. Now I can potentially have access to people's preferences to stuff as opposed to just guessing. Today it's much easier and cheaper.


This protection is NOT about the value of the social graph. And neither is Facebook, BTW - that turned out to be a gambit to get where they are.

And where they are is that they know everything about you (biographical info, hobbies, affiliations, marital status, number of kids, sexual preferences, web sites you visit and when), independently of who you know.

Right now, fb are only (?) using it to target ads at you, but you can be sure that all three letter agencies are cc:ed on every database update.

It's about not letting Facebook track your every move on the web and beyond (or, more accurately, not let every site snitch on you to facebook).


I have an idea: Use their cookies against them. Build a plugin that anonymously and randomly swaps cookie values amongst the people using it.

Could possibly make use of telehash.org or the like.


Would you really run the risk of accidentally letting a random person into your Facebook account?


I also think that this is a bad idea. This form of cookie sharing was done many years ago and I don't remember the details of the story tonight. In the end it really freaked people out when they suddenly had the user privileges of other users on popular websites.


In fact, deactivating/"quitting" your FB account is not enough, either.

I deactivated my FB account several weeks ago, not so much for privacy issues directly but out of concern of the overall psychological effect of so much sharing and the emphasis on superficial identity (something I don't see discussed much).

Anyway, I checked my cookies after reading this piece and, not surprisingly, FB didn't remove my old auth cookie (the one keyed 'datr') when I quit their site. I should have known better, but I still think it's shameful to some degree to track people after they've very clearly disengaged from the site and their FB "identity".


datr is not an auth cookie. xs is an auth cookie, and c_user is the cookie which stores your user ID. datr is a machine identifier, not a user identifier (multiple people using the same computer share a datr, but don't share accounts, while a single user using multiple computers or browsers will have a single account, but one datr per machine).



It makes me nervous that it hasn't been updated since July. I switched to adblock plus with the fb rules above, and "disable all third-party cookies" in about:flags.


I use 2 very simple adblock plus rules that deactivate all of facebook outside of the facebook website. Simple and straightforward and works fine for me.

It might not be enough, though :D

Something like, for Firefox, IIRC:

  ||facebook.*$domain=~facebook.com|~127.0.0.1
  ||fbcdn.net/*$domain=~facebook.com
And for Chrome, I think it would become:

  *.facebook.*$domain=~facebook.com|~127.0.0.1
Edit: adding the rules


If you're a Firefox user and you'd rather whitelist known good actors than blacklist known bad actors, as per this example, install the RequestPolicy addon.


I got pointed to this addon in a past discussion about FB here on HN and I can fully support this recommendation.


Would you mind sharing that rule?


done


I guess EasyPrivacy, one of the built-in filter lists in Adblock Plus, already does that. Correct me if I am wrong.


I thought that, but with EasyPrivacy, I still have the facebook comments on TC, but not with that rule.

Maybe I did something wrong...


EasyPrivacy rules can be seen here: https://easylist-downloads.adblockplus.org/easyprivacy.txt

Search that for 'face' and you'll find only 4 rules that would apply, and those are about removing pixel trackers whilst leaving content intact.

The rules above remove content, which is just as well, as anything a pixel tracker can do, content could do. Which is where the current paranoia level seems to be.


There's also the Antisocial filter, which removes social widgets.

https://adversity.googlecode.com/hg/Antisocial.txt

It has many filters for Facebook, and I can clearly see, for example, the one for Facebook Connect.


I think there's a startup opportunity - "A dead simple way to take control of your privacy". Perhaps a native tool for Windows, Mac and Linux. Just install it, set the settings and forget it.


Expand on this more. How does this differ from privacy mode (at this point most browsers have an "InPrivate" browsing or "Incognito" or "Private" mode)?


But you can't really use incognito mode all the time. It will log you out of all other 'legitimate' sites you want to be logged in forever, like Gmail.


Also, currently, all incognito windows (in Chrome) share the same cookie jar. So if you are using Facebook in an incognito window while surfing other sites in other incognito windows, you have the same problem.


"A dead simple way"


I've deleted all Facebook cookies from Chrome and Safari, and now I use Facebook exclusively with a Fluid.app SSB with private cookie storage.

I can recommend this setup for any Mac users willing to spend $5 for Fluid. Alternatively you could probably rig up a 'Facebook' script to launch Chrome with a separate profile to achieve the same results.


Thanks for the update, that Fluid now has private Cookie storage.


Imperfect hosts list, there may be more:

  127.0.0.1 www.facebook.com
  127.0.0.1 facebook.com
  127.0.0.1 connect.facebook.net
  127.0.0.1 facebook.net
  127.0.0.1 fbcdn.net
  127.0.0.1 www.fbcdn.net

It sure seems to speed up using the web.


Thanks. I tried to get a list of domains from their nameservers but they seem to have blocked the usual ways to do this:

  $ dig @ns1.facebook.com facebook.com axfr

  ; <<>> DiG 9.3.6-APPLE-P2 <<>> @ns1.facebook.com facebook.com axfr
  ; (1 server found)
  ;; global options:  printcmd
  ; Transfer failed.
and...

  $ host -l -t any facebook.com
  ; Transfer failed.
  Host facebook.com not found: 5(REFUSED)
  ; Transfer failed.


This would just do a zone transfer of facebook.com (plus delegations of sub-domains) not all zones on their nameserver. It is also normally deemed a security vulnerability to allow zone transfers to unauthorized clients, which is basically any client that isn't a secondary nameserver.


Here is some more:

  0.0.0.0 badge.facebook.com
  0.0.0.0 blog.facebook.com
  0.0.0.0 en-gb.facebook.com
  0.0.0.0 developers.facebook.com
  0.0.0.0 touch.facebook.com
  0.0.0.0 de-de.facebook.com
  0.0.0.0 stories.facebook.com
  0.0.0.0 it-it.facebook.com
  0.0.0.0 hu-hu.facebook.com
  0.0.0.0 peace.facebook.com
  0.0.0.0 et-ee.facebook.com
  0.0.0.0 az-az.facebook.com
  0.0.0.0 0.facebook.com
  0.0.0.0 apps.facebook.com

I always use 0.0.0.0 (which is really wrong) instead of 127.0.0.1 (which really exists, there is my local apache), this works on Linux and Windows systems.


Let me get this straight, this guy posts about how logging out of Facebook isn't enough, and how Facebook is learning things about you that you don't want it to. The majority reaction is to adblock them and disallow them from doing that to you.

But this isn't right. Go on Facebook and tell me how many of your friends wouldn't even know the first thing to do with one of these extensions. So now the computer literate people know how to protect their privacy, but what about everyone else?


Adblocking is a practical solution to something we see as a problem. Many people don't even think this is a problem and actively ignore people trying to educate them, so what do you propose the right thing to do here is?

> So now the computer literate people know how to do X, but what about everyone else?

This is only a problem that will get worse with time. Computer literacy is important to contemporary society.


Because the majority reaction to any HN post is a technical pissing contest you have to learn to ignore if you want to glean anything interesting from the thread. If you're not interested in that, or in showing-off your own geeky credentials, then you're mostly wasting your time participating in an HN "discussion".


To be completely honest, I don't really see why something like this is so novel and outrageous. It is as if everyone has forgotten why and how companies like Facebook, Google, Microsoft, Twitter, etc. are able to provide what they do for free. The implicit contract is "you get all this for free, and in return we get to serve you ads that we target to you." Moreover, they all have much more information on you than your browsing habits.

Why the outrage?


It's because the actual terms of the exchange are so infuriatingly unclear. Also, because efforts to fix this are met with an endless stream of deflections and evasions, all of which signal an intrinsically untrustworthy character in the organizations making them.

To understand this a bit better, imagine going to the grocery store, buying milk, eggs, etc., swiping your card, and not getting a total.

"Don't worry about that" says the store "as long as we (and our unnamed affiliates) have access to your bank account, everything will be fine."

Going home to look at your statement, you see a bunch of debits, most of which seem reasonable enough on their own, but none of which have a clear relation to specific purchases. All you come away with is a general sense that "I should save more" or "I can spend more".

So here's the question: if people started pointing out that this arrangement was highly damaging to people's economic autonomy, and wide open to abuse, what would you think of someone who says "yeah, well, stuff isn't free"?

Would you think that this was an honest, intelligent reply? Or would you note that the person making it has just evaded the original question, shifting the topic away from concern about the deliberately unmanageable terms of the exchange and onto the (uncontested) subject of underlying economics? Also, would you notice that the jerk responding in this fashion added an extra layer of insult by suggesting that the person who asked the question must be a bit of an idiot because they don't understand basic economics?

Toxic politicians do this all the time. They 'reframe' questions before answering, allowing them to 'respond' by answering questions that nobody asked, while dodging the ones they did. If they're especially nasty, they land a rhetorical punch in the process, providing a disincentive to any further questioning.

It's bullshit. And people know it's bullshit. Ergo, the growing outrage.


I said this yesterday on the original discussion.

http://news.ycombinator.com/item?id=3033475

Good that you ran with it, though, and illustrated the point.

Perhaps a better headline would have been "Facebook is still tracking you across the web even after you log out", though. Generally it's only hackers that know what "enough" means in this context, and Facebook's market is, as we all know, much much bigger than us.


not that I want to turn this into a pissing contest, but I emailed this to them on the 14th of November 2010. I emailed them again on the 12th of January this year. I have been sitting on it for that long.

I updated my post to make that clear, that this is an issue that is almost a year old.


You are not going to hear back from Facebook because they will not believe this is an "issue".


Precisely - this is a design feature, working as intended.


Normally the security@ team is very responsive, and not that hard to find:

https://www.facebook.com/security

As for your specific claim about cookies, there is a little checkbox labeled "Keep me logged in" or "Remember me" on the login page. If you don't trust the terminal, don't check that box. Leaving it unchecked will set the personally identifiable cookies to expire at the end of your browser session.

This is the same advice given for any website about unsafe terminals, and anyone who has 15 years of security industry experience would be aware of cookie expiration. What exactly are you claiming here?


He's talking about after having clicked "log out". I don't think the "keep me logged in" button factors in here (though I could be wrong).


This has nothing to do with 'keep me logged in' and as I mentioned in the post I contacted a number of Facebook contacts a number of times (including the standard security report track) and never heard back.


Fair enough. I will follow up. FWIW, the act cookie is always set to session only.


A question: I periodically delete all cookies in Chrome, and only use Safari for visiting Facebook; this should be safe enough, right? I use one browser (Chrome) for work related things like GMail, Twitter, web search, HN, and customer sites. I use Safari for casual browsing (Facebook, Reddit, etc.) This way I sandbox web tracking to one browser.

I suppose that one big hole in this is tracking my IP address.


Firefox can delete all cookies every time you close it, which helps stop any site from tracking you for more than a day/session.


Even after deleting FB cookies, what prevents them from tracking you (with reasonably good accuracy) using your IP address? In that case, you might as well just blacklist all of facebook.com.

In my opinion, internet users must be aware that there is no easy way to be totally anonymous, whether it be Facebook, Google, etc. If you require complete anonymity, you might as well unplug your internet cable.


> what prevents them from tracking you (with reasonably good accuracy) using your IP address

Dynamic IP addresses and use of the same IP address by multiple people.

All it takes is a couple of friends, acquaintances or others accessing using your home network and it'll confuse the hell out of the stats. And that's without going into IP ranges for universities, schools, offices large and small, and your local coffee shop.

Then add in IP address pooling by ISPs, where every time a user connects (or every week, month or year) they're issued a new IP, and you end up with an unclear situation.

I won't start on how cell/mobile phone networks further confuse the situation ;)


Or, indeed, using your combination of locale, useragent, etc. These are often unique. You can test yours here: http://panopticlick.eff.org/


You're partly right - the only resolution here would be to disable javascript, which makes a great part of panopticlick work (identifying installed fonts, etc.). However I think this kind of user recognition would be overkill for a site with so many impressions like facebook - the computational effort to assign an account to each set of features must be huge (though maybe sometime later ... when privacy laws get more restrictive).


It is indeed sort of disturbing that panopticlick gives me the message "Your browser fingerprint appears to be unique among the 1,769,884 tested so far."


If you add any new plugins your print would be unique again compared to your previous settings, which would make you difficult to track. Stay unique, my friends.


Still possible, still possible. Of course, it all depends on how much they want to track you.


This is like the old meme "If you had invented Facebook, you would have invented Facebook."

There's no solution to "I like using Facebook but I don't like Facebook using me."

If you don't want Facebook to talk to your computer, don't let your computer talk to Facebook.


But it's not that simple now, is it? Facebook infests your life whether you want it or not and does not have a 'no thanks' or 'yes please' option that will kill all their cruft on a thousand and one websites. On a typical day of surfing you probably load their widgets 100's if not 1000's of times through all the sites that place the cruft on their pages. Whether or not you hit a page with a facebook widget on it is unknowable before you hit the page and facebook does not have a list of domains/hosts to blacklist either. And blacklisting is already beyond the capabilities of most internet users (which is really a sad thing, but you can bet that only a very tiny portion of the netizens knows where to find their 'hosts' file and how to make it do stuff for them).


And even if you know where you can find the hosts file and know what it's good for, it is tedious to collect all the domains and subdomains and add them to the file. There is no wildcard mechanism like *.facebook.com to block all subdomains.

Another solution is to set up a local proxy and apply filter rules, but this is also complicated.

I would love to agree with everybody who says: You don't like Facebook, then simply don't use it. I don't have an account there, but their clutter is everywhere on the web, "like" buttons and stuff like that. I wish that people who maintain their own website or blog would think more about these things and their consequences, before they add fancy buttons to their page layout from a third party site.


The solutions based solely around cookies only will help with that particular mechanism. Over the last year, I've seen a couple of articles similar to the following:

http://news.ycombinator.com/item?id=1714446

and

http://news.ycombinator.com/item?id=2891369

Where "cookies" can be stored in more than just the traditional cookie.db. I haven't looked to see if FB is making use of these alternative mechanisms, but other sites have.


Between Google Analytics (which everyone seems to have nowadays), Adsense and now the +1 button, Google has been master of user tracking. Facebook only has things I chose to share, but Google can tie everything to my private emails through Gmail and all the creepy search terms I might have ever used. How do we stop them?


You can opt-out: https://www.google.com/privacy/ads/

Or from Analytics: http://tools.google.com/dlpage/gaoptout

And permanently delete your web history: https://www.google.com/history

And you can take your data with you when you go: https://www.google.com/takeout/

Privacy center: http://www.google.com/intl/en/privacy/


The point of this article is precisely that they know/have MORE than what you explicitly give them.


I've been using Ghostery [1] to block Facebook tracking. While it's still a bit iffy in Chrome, it works quite satisfactorily in Firefox. I like it because it can be toggled on and off easily if you want to use your Facebook login on specific sites.

1. http://www.ghostery.com/


I haven't looked, but I would bet any money that Google does the exact same thing, too.


This seems like a gross privacy violation to not honor the logout button, and continue to track the account ID of the user. I would be very surprised if Google were doing this too. And I would be surprised if Facebook were not hauled into court over this (at least in the EU if not in the US).


Logout has never meant "stop using unique id cookie tracking". Ad networks have been using them forever even without login/logout functionality.


Why should any cookie last more than 30 minutes anyway in this day and age? Make all cookies session cookies.

Also disable third-party-cookies entirely.


Many users would be annoyed to lose their persistent login. Disabling 3rd party cookies globally will break many sites that use 3rd party services and may be against the site's TOS as it would negatively impact their ad revenue.


The cookie 'act' that Nik identifies as his account number is actually an extended UNIX timestamp.


> The entire process was so flaky and frustrating that I haven't bothered sending them two XSS holes that I have also found in the past year.

You realise you're hurting innocent users much more than Facebook itself by not reporting them, right?


It's not his duty to report such things.

No one is "honor-bound" to report vulnerabilities; in fact, it seems unethical to expect any random person to try to fix any random problem they stumble upon, don't you think?

My philosophy: it's backwards to look down on those who don't report vulnerabilities; it's better to be pleasantly surprised when someone does.

But he's certainly not "hurting" anyone at all. He didn't disclose any details of the attacks.


I guess I'm too nice myself. It'd be nice if we all did that extra 10% to make the world better.

Normally these things are incredibly easy to report—sending a quick summary of the problem to a specific email address is all it takes.

(Facebook has a web form for it[1].)

[1] http://www.facebook.com/whitehat/report/


He didn't put the bugs there, he only discovered information that already existed. He can't be blamed for hurting anyone.

It's easier to work for free like this if it is an open source group or a non-profit. It's a bit harder when it's a $100 billion company. If they don't compensate security researchers, let them find their own bugs.


I use the Android Facebook app, not the browser, so yesterday I looked at it but can't see any way to log off. I'll probably have to delete it. On my Facebook page all I have is stupid stuff, but still I would like to log off.


I'm not surprised by this. I noticed for a few months that I would sign out, appear to be so, but navigating to the site again would magically get me back in. Sign out was broken!

Disappointing that Facebook won't do the honorable thing.


That's user error.




I am really curious if deleting all cookies on exit fixes this problem.


Thanks for the tip. Facebook is now intruding into everyone's privacy; they want mobile phone numbers to register a profile. Such measures by Facebook seem ridiculous.


Facebook doesn't require mobile phone numbers to register as a user and maintain a profile. What makes you believe that such a thing is necessary?

We also require some additional information from application developers.

We do offer a two-factor login authentication that sends a text message to your mobile phone, so that your username/password credentials aren't enough to log into Facebook by themselves if a login attempt is done from an unknown device.


It doesn't matter anymore, but there's a typo in the title.


So if someone introduced a way to be on a small local area network with just you and your friends/family, without involving any third-party servers (no XMPP or whatever else), would you guys be interested? Encrypted of course, but based on "real world" trust (you already know each other in real life, you share a passphrase in person, the old-fashioned way, no online PKI conundrums).

Is there a demand for this?

Are people annoyed enough with Facebook that they're ready for this?


If you're a Firefox user and you'd rather whitelist known good actors than blacklist known bad actors, as per this example, install the RequestPolicy addon.




Have you read the thread about Chrome privacy? There are plenty of complaints in the comments there.


Nice try, Mark.


For Christ's sake, do we really need 4 or 5 anti-Facebook threads, especially when they haven't done anything malicious? This place is nearly as bad as Reddit. I am kind of upset about this.


Hi all. First things first; I'm a girl, totally dumb in hacking, technologies etc. A few days ago my FB page was fully COVERED with adverts for things I had checked on the net a few hours ago (like: French Connection, Michael Kors). The shocking thing was, it wasn't just the webpage of MK on my FB but the items I had just checked as well. Blimey. It's scary, I hate it and it's getting worse day by day. I have the Internet Explorer browser (ok, I also have Chrome, but I've never used it). My question is: how can I stop these adverts? Can anyone explain to me step by step (yes, I'm dumb lol) what to do? Thank you so much :-)


I don't really understand what point you're trying to make.


Hacker News is now known as Facebook News.

