Thursday, February 24, 2011

Facebook is following you - here's how to stop them

I've written before about how to set up firefox to increase your privacy and security, and to keep corporate big brother from tracking your actions around the web. Now I want to step that up just a little bit.

With the previous setups I've mentioned, even if you see a facebook ad on some other website, facebook will have a difficult time knowing it's you, and knowing where the request came from. For example, let's say I visit lifehacker.com and I see a facebook ad. If I don't implement any security/privacy tools, I will send a cookie to facebook, and so facebook will know that I visit lifehacker (and which specific article I'm reading, and how often I visit, and at what times, etc - kinda scary, eh?). If, however, I implement the security precautions I lay out in my previous posts, I won't send facebook any cookies when I see their ad on lifehacker, and I won't send them a referrer string, so this makes it difficult for facebook to know just who it is that is viewing their ad.

Facebook still has at least one piece of information with which they could identify me - my IP address. (There are yet other ways they can still ID us: see EFF's Panopticlick and their paper for some awesome work on the subject). That is, as long as I'm viewing a facebook ad (and not using a VPN or some proxy service such as Tor), facebook knows the IP address of the computer viewing their ad. If I'm behind a corporate firewall, with lots of other people viewing facebook and facebook ads, it will still be difficult for facebook to know who I am. If, however, I'm browsing from home or some other place where there aren't many folks viewing facebook with the same IP address, facebook has a much better chance of knowing that I'm viewing their ad, and perhaps from which site, even if I have all the other previously-mentioned privacy tools installed.

You might be asking yourself, "ok, so is there ANY way to be sure that facebook doesn't follow me around the web and build a more complete profile of me than perhaps even my best friends or spouse have?" The answer is yes, of course. If we completely block all requests to facebook when we're not on a facebook page, we'll never see the facebook ad in the first place, and facebook will never get a request from our browser when we're outside of facebook. Hence, they'll never know anything about us, except for what we explicitly tell them and do while on facebook.com itself. Here's how you do it:

First, install Ad-Block Plus in firefox or chrome if you haven't already. Go ahead and add the Easylist+Tracking filter while you're at it.

Second, click on the ad-block plus icon, then click preferences. Then click "Add Filter...", and add the following four lines, one by one (props to Saudrapsmann and lifehacker):


||facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net

||facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net

||fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net

||fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net


And that's it. For the technically inclined, you can read about ad-block plus filter syntax here. In essence, the domain right after the "||" says which domain to block. The "domain=" option specifies which domains this rule should apply to (i.e. only apply this rule when viewing a webpage from these domains). The tilde (~) negates a domain, and hence this rule gets applied on all pages *except* facebook.com/net/fbcdn.com/net.
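To make the rule semantics concrete, here is an added example (not part of the original post and not Adblock Plus's own code) that evaluates the four filters above against a request URL and the hostname of the page being viewed. It is a simplified evaluator covering only the `||host^$domain=` form used here; the function names and sample URLs are constructed for illustration.

```javascript
// Simplified evaluator for filters of the form ||host^$domain=a|~b (added example).
// Covers only the syntax used in this post, not the full Adblock Plus grammar.

// True if `host` is `domain` itself or one of its subdomains.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Split a filter line into the blocked domain and its $domain= include/exclude lists.
function parseFilter(line) {
  const m = /^\|\|([^\^$]+)\^(?:\$domain=(.+))?$/.exec(line.trim());
  if (!m) throw new Error("unsupported filter: " + line);
  const include = [], exclude = [];
  for (const d of (m[2] || "").split("|").filter(Boolean)) {
    if (d.startsWith("~")) exclude.push(d.slice(1)); // ~ means "not on these pages"
    else include.push(d);
  }
  return { target: m[1], include, exclude };
}

// requestUrl: resource being fetched; pageHost: hostname of the page being viewed.
function shouldBlock(filter, requestUrl, pageHost) {
  const reqHost = new URL(requestUrl).hostname;
  if (!hostMatches(reqHost, filter.target)) return false;      // not a blocked domain
  if (filter.exclude.some((d) => hostMatches(pageHost, d))) return false; // exempt page
  if (filter.include.length > 0) {
    return filter.include.some((d) => hostMatches(pageHost, d));
  }
  return true; // only negated domains listed: applies on every other page
}

// The four filters from the post.
const EXEMPT = "~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net";
const FILTERS = ["facebook.com", "facebook.net", "fbcdn.com", "fbcdn.net"]
  .map((d) => parseFilter("||" + d + "^$domain=" + EXEMPT));

function isBlocked(requestUrl, pageHost) {
  return FILTERS.some((f) => shouldBlock(f, requestUrl, pageHost));
}

// Constructed sample requests: a widget embedded on a third-party page vs. the site itself.
console.log(isBlocked("https://www.facebook.com/plugins/like.php", "lifehacker.com"));
console.log(isBlocked("https://static.ak.fbcdn.net/x.js", "www.facebook.com"));
```

Note that the match is on whole domain labels, so a lookalike host such as notfacebook.com is not caught by the facebook.com rule.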

It wouldn't be a horrible idea to do this for other big-brother companies such as google as well, as long as not seeing their content on other pages won't kill you.

In the future, what I'd really like to see are tools to allow such content to be delivered to the browser, but through a Tor-like proxy architecture. That way, the increasingly-interconnected web won't completely break, but our privacy will remain more-or-less intact.