Facebook Can Track Your Browsing Even After You've Logged Out, Judge Says (theguardian.com) 124
A U.S. judge has dismissed nationwide litigation accusing Facebook of tracking users' internet activity even after they logged out of the social media website. From a report: The plaintiffs alleged that Facebook used the "like" buttons found on other websites to track which sites they visited, meaning that the Menlo Park, California-headquartered company could build up detailed records of their browsing history. The plaintiffs argued that this violated federal and state privacy and wiretapping laws. US district judge Edward Davila in San Jose, California, dismissed the case because he said that the plaintiffs failed to show that they had a reasonable expectation of privacy or suffered any realistic economic harm or loss. Davila said that plaintiffs could have taken steps to keep their browsing histories private, for example by using the Digital Advertising Alliance's opt-out tool or using "incognito mode", and failed to show that Facebook illegally "intercepted" or eavesdropped on their communications.
Obviously. (Score:1)
Re: (Score:1)
Evidently you can sue people for making a working link.
Re:Obviously. (Score:5, Insightful)
It shouldn't be unreasonable to expect that logging out of Facebook caused them to stop treating that browser window as being "you" for their purposes as well as yours.
Re: (Score:1)
The only safe bet is to not click on any of their buttons. The metadata will get you every time. If you let the NSA do it, then everything is fair game.
Re: (Score:2, Informative)
You don't need to actually click on them to be counted, though if you do they can also update your psych profile based on what you are Like'n.
Re: (Score:1)
You need to use a tracking-blocker, that prevents the 'like' button from appearing (as in, prevent facebook's javascript from being loaded).
Facebook Blocker (Score:2)
Comment removed (Score:5, Interesting)
Re:Obviously. (Score:5, Insightful)
The only winning move is not to play. Seriously, I've never had a Facebook account and I pity those millions who do.
You're probably playing to some extent, whether you realize it or not [theverge.com]. I run No Script and an ad blocker, and I also don't have a Facebook account, so I'm probably better off than Joe Average when it comes to being tracked. I also do my best to make sure that friends and acquaintances don't post my name or picture. Even at that, I wouldn't be surprised to learn that FB knows a lot about me. If you think your abstinence from social media means you're not being tracked and commoditized, you're being naive.
Re: (Score:1)
Re: (Score:2)
It shouldn't be unreasonable to expect that logging out of Facebook caused them to stop treating that browser window as being "you" for their purposes as well as yours.
I agree; however, EVERY SINGLE browser enables this behavior by default. Firefox claims it has your privacy and security in mind and then writes cookie handling code that allows you to be tracked regardless of your wishes.
For myself, I do not blame Facebook for acting like an amoral and fiendish criminal, I blame the browser creators for enabling that behavior. Almost every business that is successful is only successful because they grabbed every resource they could regardless of legality. No moral business
Re:Obviously. (Score:4, Interesting)
Re: (Score:1)
Sleazy yes, but it's just something to be aware of and block. We don't need the frivolous lawsuits.
Re: (Score:3)
We do need lawsuits, because this is illegal. It is no doubt sensitive data, it is not just personalisable data, Facebook is actually working hard on making it personalised data. And there is no consent given. So Facebook does not have any right to do this.
Re: (Score:2)
Problem with solution (Score:1)
If you use "incognito mode" (Private Window) many websites stop working.
Re:Problem with solution (Score:4, Interesting)
Re: (Score:2)
...I can't recall seeing a Web site that refused to work when accessed via Incognito mode.
I can't either, and moreover, I don't understand why they wouldn't work; how could the website even know you're in incognito mode?
I was under the impression incognition* happens after the fact. I.e. the incognito window behaves as normal, but then once the window is closed / program exited, it then deletes a bunch of stuff (that it normally would not, and unbeknownst to all the websites you visited in that incog session). That's why you can even use, e.g., gmail, with all its myriad cookies flying all
Re: (Score:2)
how could the website even know you're in incognito mode?
Some browser behavior, such as visited-link highlighting and FileSystem API access, changes in incognito mode. JavaScript can be used to query whether these features work. If they're expected to work (browser version is high enough and HTML5 is supported, etc.) but they don't work, the website assumes you're using incognito mode.
Re: (Score:2)
netflix.
I often use the incognito mode to login to my stuff on other peoples computers. So that I know some cookie won't be left behind and it won't log them out if they use the same site and have a persistent session they likely want to retain. I realize this still isnt very safe for me or them but these are people like my father and my fiance, I would mostly trust with my accounts anyway.
Recently I wanted to show dad something on netflix I could not remember the title too, so I thought i'd just look at
Re: (Score:1)
Incognito mode is worthless for this. Facebook will still be able to see your IP on any site that uses their resources unless you explicitly block them or use a proxy. This Edward Davila character needs to stop pretending that he knows what he's talking about.
Re: (Score:2)
Incognito mode is worthless for this. Facebook will still be able to see your IP on any site that uses their resources unless you explicitly block them or use a proxy. This Edward Davila character needs to stop pretending that he knows what he's talking about.
I doubt they use IP address to track users -- too many people share the same IP (for example, everyone in a family or office), and they don't want to reduce the accuracy of their user profiles by tracking the wrong user. They can track 99.9% of their users with tracking cookies, no need to resort to much less effective IP tracking.
Re: (Score:2)
They use IP addresses (and other fingerprint stuff like browser agent, etc) - even if it's not always accurate, it's better than nothing. The worst thing they do is serve you an incorrectly targeted ad. You don't notice it, and those kinds of things just somewhat lower the effectiveness of targeted ad buys. There's an accepted, if difficult to accurately measure, margin of error in targeting that advertisers and ad publishers accept in media buys.
Block early, block always (Score:5, Insightful)
Block all ads, all 3rd party scripts. All the time, with no exceptions.
If the site won't load without ads and 3rd party scripts enabled, then you don't need to see that content.
Re:Block early, block always (Score:5, Informative)
It's amazing how many anti-ad-blocking tools that websites use don't work and let you read the content unmolested if you disable JavaScript.
Re: (Score:3, Interesting)
We have Google to thank for that. The Googlebot doesn't like having to run Javascript just to see content and down-ranks sites heavily because of it. In order to be found sites have to offer content to Javascript-free clients, including you.
It's kinda scary how much power Google wields, even when it does work in our favour.
Re: (Score:3)
Re: (Score:2)
CDNs tend not to serve ads, so they are usually safe to let through. Any that start serving ads start getting blocked.
Actually I had been expecting ads to start getting served from the primary site's domain since that would make them hard to block. For 10 years now, and it still hasn't become a popular thing.
Re: (Score:1)
It's also easy to isolate your other browsing from your Facebook activity. Use a separate browser.
It's even easier on KDE (use the Facebook widget) or Android (use Tinfoil).
Your best choice (Score:5, Insightful)
As a safeguard, you should just never login to Facebook.
Re: Your best choice (Score:2)
Re:Your best choice (Score:5, Interesting)
Hell I bet they even know what you look like, all it requires is someone you know who is on Facebook to upload photos with you in it.
From there they can start doing a process of elimination.
Because they look at the sites you visit they can tell your gender (50% reduction in the unknown just with that item)
Age, race, religion, political ideology, income, and where you live are also discernible with enough data. And its not just the data they get from Facebook , they will have scraped data from phone directories and other public facing databases, they would also have paid for other information from other sources such as store loyalty cards, frequent flyer lists, etc etc etc etc etc.
They also "sell" that information,based on their data are you currently looking at going on a holiday, those web sites can then bump up the prices slightly because they too know your income, etc.
And not once have you ever had a Facebook account.
If you think simply not having a Facebook account is all it takes then flying is just the art of aiming at the ground and missing.
Re: (Score:2)
Facebook share links/buttons are on many, many websites. Most people haven't figured this out yet. But they can still use it to build a profile about you.
Re: (Score:1)
You don't even need to be a member of Facebook for them to track you. Any site that has Facebook stuff on it is tracking you even if you disable Javascript.
Email Scanning (Score:1)
I don't use Facebook at all. I was researching hotels in a particular city in another state and emailed some info to another person. Before they read the email, their Facebook started showing ads for that particular hotel, and other attractions in that particular city.
sooo... (Score:4, Interesting)
once again lawyers file silly suits without knowing how technology works.
Re:sooo... (Score:4, Insightful)
If you sign up for Facebook, you have no expectation of privacy.
When using their site - with that caveat I'd agree with you. Affirmatively and explicitly choosing to log out of Facebook should restore that expectation of privacy, even if at some random point in the past you had indeed signed up.
Re: (Score:1)
When using their site - with that caveat I'd agree with you.
That's not how the web works. Domain X can refer to content from domain Y. By loading their "like" buttons, you ARE using their site.
Whether the browser loads Y's content is up to the browser and the user, but if it is loaded, then Y can see and track the request. If you do not want that, then do not load the content from Y. Otherwise, you have no reasonable expectation that Y will not see and log your request. Of course they will! It's fundamentally how the web works.
Your approach is one of "magical
Re: (Score:2)
By loading their "like" buttons, you ARE using their site.
Why did the "like" button work if the person logged-out of the site?
It sounds like the log out button just pretends to log you out by making the login prompt appear next time, but it still leaves a cookie saying who you are. If someone else used my browser, and clicked the "like" button, then that person just did something that affected my account, even though I am logged out.
block facebook with (Score:2)
Re: (Score:2)
In particular, redefine the following host names (e.g., to 0.0.0.0) in your /etc/hosts file:
connect.facebook.com
connect.facebook.net
graph.facebook.com
Re: (Score:2)
The trouble is that blocking all of these additional addresses will stop you from logging into and using Facebook normally. If you still want to use Facebook, but also want to stop other web pages from contacting it, then just blocking the various "connect" domain names might be sufficient.
Complain to site owners (Score:2)
Tell them you won't visit their sites anymore if they continue to facilitate Facebook's or Google's or anyone else's cross-site cyber stalking.
If your going to sue anyone consider directing your legal efforts at site owners for facilitating cyber stalking. Don't waste your time with Facebook.
Contribute to public awareness campaigns that equate Facebook logos on websites with eye of Sauron in the minds of users. The thing cyber stalking firms fear most is sunlight... an informed public knowing they are bei
Re: (Score:1)
I would actually like to read that arxiv but you've given insufficient information to find it.
Expectation of privacy? (Score:3)
Ummm... I logged out of Facebook. How is that not an expectation of privacy?
Re: (Score:2)
Because you (well, your agent: your computer) kept going to the extra trouble to send additional data to Facebook, even after you logged out. If you had expected privacy there is no way you would have kept sending them data. Ergo, you didn't expect privacy.
Re: (Score:2)
Did the users type in their user name and password when they clicked the like button?
Re: (Score:2)
As the script that shows the button is loaded from Facebook website, your browser SENDS to Facebook your IP and other information (e.g. Facecbook-domain related cookies containing your user id) while merely displaying the button.
If you logged-out of facebook, how is it sending facebook domain-related cookies containing your user id? Logging out should eliminated those cookies. That's the entire point of logging out!
Re: (Score:2)
Don't be absurd; they didn't do anything so relatively anonymous as merely typing their name and password and DoB and SSN and uploading their scanned retina image. The user sent a unique key that Facebook had offered them earlier, and that the user stored on their computer until the time came to send it back to Facebook along with their favorite URLs.
And what's this nonsense about clicking the like button? The user sent th
Re: (Score:2)
The counter-argument to that is: You use Microsoft operating systems. You have explicitly given permission for every action you take to be logged somewhere and examined later at the pleasure of Microsoft. Using Facebook is merely a subset of using a computer (which has a Microsoft Operating system on it) therefore, you have already given up any expectations of privacy. Logging out of Facebook is not sufficient to prove that you would have an expectation of privacy since you abandoned all expectation of priv
Credit cards track you, too (Score:2)
Re: (Score:1)
Paranoia FTW! (Score:2)
Re: (Score:2)
The usual misleading headline (Score:2)
The judge didn't say Facebook "can do" anything. The judge said the plaintiffs can't pursue certain specific legal theories against Facebook, but can pursue others:
The plaintiffs cannot bring privacy and wiretapping claims again, Davila said, but can pursue a breach of contract claim again.
There's a book for that... (Score:2)
Facebook is already doing that with advertising, taking your interactions with Facebook and combining it with third-party personal data to track you on the Internet. Read that in "Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley" [amzn.to] by Antonio Garcia Martinez. The author sold his engineers and company to Twitter and got hired by Facebook in a three-way deal.
This is the flip side of "information wants to be (Score:2)
Information does indeed want to be free, in that like water it is very hard to contain for long, and it will flow wherever it can as fast as it can through the smallest open channels.
I was thinking you could claim harm by starting up a company that explicitly sold your data so someone else having it would diminish the value, but that seems contrived and would probably not help since others collecting your data would not mean the paid source could not still collect it...
Safe web browser (Score:2)
Use a web browser that's designed for privacy, like Brave (company founded by Brendan Eich [brave.com]).
Here's how to stay private (Score:1)
Re: (Score:3)
It doesn't matter if you never, ever log in to facebook, they can still track you. Any time you visit any web site that has a "Like us on facebook" icon (or other completely hidden scripts), it sends information to facebook that you (some anonymous person with a unique identifier) visited their site. Now, you visit another such site, and that icon sends facebook your unique ID, along with information that you logged in to that site. Eventually, they can piece together enough information to connect your uniq
Unanticipated consequences? (Score:1)
speaks of incognito etc mode, it seems really an encouragement (if not a directive) to use ad blockers. If the official legal opinion (in a silicon valley court, no less) is a variation of caveat emptor (browser beware), that can't be particularly good for legitimate folks.
Yeah, I know many folks here are already big advocates of ad blockers, and I'm aware every sizable nation state on the planet i
Don't you live in a place where (Score:2)
two click fix (Score:1)
c't fixed it in 2011
https://www.heise.de/ct/artike... [heise.de]