Banging On About Facebook Round #247

So there’s a post written by a smart lad here. But he leads with a lot of technical proofs that will, I imagine, confuse the crap out of a number of people. So I’m going to bullet point the most pertinent parts of it. I’m not telling anyone what do to here, you understand. I am simply providing the facts as I understand them. You may make your own decisions.

  • If you visit a website that has a facebook “like” button on it, Facebook knows about it, regardless of whether or not you click said “like” button.
  • If you are logged in to Facebook when you visit that website, Facebook knows that you specifically have done it.
  • If you are not logged in when you visit a website with a like button on it, and subsequently log in to Facebook without first clearing out all Facebook cookies, then Facebook will know that you specifically have visited all the sites you visited while logged out.
  • As a result of the latest changes to the Facebook API, it is now possible for Facebook applications to post to Facebook on your behalf, without your specific consent – if you consent to an application posting to Facebook for you once, it can they do it at other times, without asking you.

That last item isn’t directly related to the first ones, except in this: how long do you think it will be for someone to think it’s funny to come up a honey trap application with a “post this test result to facebook” and then use that consent to later post someone’s complete browsing history, including all their porn? Yeah. And even if they don’t, do you really want Facebook knowing about all the sites you visit, in order to sell that information on to their advertisers?

If you wish to continue using Facebook, and avoid that risk, my best recommendation is that you download a new web browser – if you usually use Firefox, download Chrome. If you’re an IE user, get Opera (and add your own joke here). If you’re a Safari user, get Firefox. Or really any combination of the above, the point is simply to get a completely new web browser that you have never used before installed on your computer. Clear out all your cookies on your old browser, and then keep using it as normal for most sites. But never, ever log in to Facebook on it, and don’t allow anyone else to do so, either.

And, if you want to use Facebook, use this fresh new browser to do it in. Don’t ever visit any websites other than Facebook in this browser. Treat it like a quarantine zone.

Oh, and don’t ever log into Facebook on any public access computer. Otherwise Facebook will think that all the sites that the other users of that computer visited are sites that you’ve visited.

I hope this proves helpful to some of you.

5 Comments

  1. As an alternative to a separate browser, there are add-ons like ShareMeNot (http://sharemenot.cs.washington.edu/FAQ.html), which disable Facebook and other similar tracking bugs until you explicitly enable them, on a per page basis.

    I’ve never used Facebook: never had an account, never wanted one. But Facebook still knows who I am, knows my email address, and probably tracks me, since someone once tagged me in a photo, and the only way to get the annoying “Hey, so and so tagged you in a photo” emails to stop was to tell them not to send me emails. Note that there wasn’t an option to tell them to stop recording who I am, what I’m doing, or the like.

  2. Not sure where you get the idea that a malicious app could post your entire browsing history to your page – there’s nothing to suggest that third-party apps have access to browsing history; only Facebook itself has that.

  3. Alasdair

    @Tim: There’s a vulnerability in a number of older browsers that makes getting history possible outside of the data supplied by facebook. Looking at the stats for a some of the websites we deal with at work, it looks like somewhere north of 25% of web users are still vulnerable.

  4. Em

    I assume if Facebook is only accessed from a third party client such as Tweetdeck, that this helps prevent this? Or would I be wrong in thinking that?

  5. Alasdair

    @Em I think you’d be right, but I don’t know enough about the specific architecture of Tweetdeck of various OSes to be certain.

Leave a Reply

Your email address will not be published. Required fields are marked *