European Internet Users Urged To Protect Themselves Against Facebook Tracking

An anonymous reader writes: Belgium's Privacy Protection Commission says that Facebook tramples on European privacy laws by tracking people online without their consent and dodges questions from national regulators. They have issued a set of recommendations for both Facebook, website owners and end users. Net-Security reports: "The recommendations are based on the results of an extensive analysis of Facebook's revised policies and terms (rolled out on January 30, 2015) conducted by the inter-university research center EMSOC/SPION, which concluded that the company is acting in violation of European law. According to them Facebook places too much burden on its users to protect their privacy, and then doesn't offer simple tools and settings to do so, and sets up some problematic default settings. They also don't provide adequate information for users to make informed choices."

Re:Facebook isn't free

[AmiMoJo]

Even if you don't sign up or consent they collect data on you. Those like "like" buttons on every page are spying on you, tracking you.

Install uBlock and Privacy Badger to opt out.

Re:Facebook isn't free

If you'd read TFA you'd notice that Facebook tracks the activity of non-users. Pages with Facebook widgets on them create a cookie with a UUID that allows them to follow your activity to all other pages that have those widges.

Facebook is a honeypot

The only way to win is not to play.

K-line their links and widgets in your browsers. Don't feed the beast.

Re:Facebook is a honeypot

[Wootery]

These are both good approaches. They're the first 2 on Schneier's list of the 4 ways to "protect yourself from digital surveillance".

Re:Facebook isn't free

[Polyneikos]

(1) Facebook is tracking people who didn't "sign a contract" (as others have said), and (2) FB can't contract with people to do something illegal. The EU has privacy laws, and any contractual clause(s) which violates them is void.

Lost link to report found, and "site owners"

[colfer]

The link to the actual report in TFA is broken, as it was on the Belgian commission's own site until a few moments ago. So here it is:
http://www.privacycommission.b...

The recommendations for site owners is to enhance the cookie opt-in banner that you already see on European sites. A cookie for cookies! It's buried deep in the heavily enumerated document, so I'll quote it in full:

To Website Owners
Relating to website owners or webmasters who wish to use the social plug-ins offered by Facebook, the Privacy Commission refers to its own-initiative recommendation on the use of cookies, in which it stipulates that owners must properly inform visitors of their website and obtain the latter's specific consent for cookies and other meta files of which they may not control re-use. In this context, the Privacy Commission refers to social networks, among others, and recommends that social network buttons are not activated until users have given their specific consent. The current integration possibilities of social plug-ins offered by Facebook, however, do not meet these criteria yet. For the time being, the Privacy Commission therefore recommends to use tools such as "Social Share Privacy" ( http://panzi.github.io/SocialS... ) as a way to obtain user consent. By using a tool such as "Social Share Privacy", third-party plug-ins do not connect to third-party servers (and consequently data are not sent to third parties) until users have clicked on the social plug-in.

/etc/hosts file paranoia

[NoNonAlphaCharsHere]

The one (microscopically tiny) thing APK isn't batshit crazy about:

127.0.0.1 www.facebook.com facebook.com
127.0.0.1 www.static.ak.fbcdn.net static.ak.fbcdn.net
127.0.0.1 www.login.facebook.com login.facebook.com
127.0.0.1 www.fbcdn.net fbcdn.net
127.0.0.1 www.fbcdn.com fbcdn.com
127.0.0.1 www.static.ak.connect.facebook.com static.ak.connect.facebook.com
127.0.0.1 www.static.ak.facebook.com static.ak.facebook.com

I'm European and I don't care. EU is hypocritical

[cloud.pt]

I believe most companies nowadays are using opt-out, "bad user default settings" schemes and most of them simply won't move away from it, well, because it just works so well with their ad-based and big data business model. And you know what? I'm fine with that, it's so much better than a subscription. With that said, there There are only 2 reasons why people deserve the privacy violations they are put through:

1. 1. It is fundamented payback for something morally wrong they have done, like a fair court order on suspicious activities
2. 2. THEY ARE IGNORANT TO THE POINT THEY WILL DISREGARD ALL WARNING AND CIRCUMVENTION MEASURES AVAILABLE AGAINST SUCH VIOLATIONS

So, to be totally honest, I know the harm I'm put through while using Facebook, I know ways to circumvent most of it, and the harm I can't avoid is my own damn fault for posting socially awkward information/comment/photo of myself.

The bottom line is that Facebook-user relations aren't much different from a state-citizen one: when I go about my life in my country of "choice" (i.e. where I happened to be born or end up), I am also supposed to have some kind of omniscience of all types of law, such as fiscal (taxes), penal (crimes), environmental, etc, and even all my own damn rights. Either that or to have the income to hire "omniscient entities" in each of those fields. Only then I become a "perfect citizen" in the eyes of the state, as I abide to every form of policy my country, the EU, and the F'ing UN imposed on me. So the EU doesn't like Facebook for pretty much acting the way they do. That is a load of bull.

Re:Facebook isn't free

[Xest]

Because even if they were just tracking data of users who sign up, contrary to popular myth, peddled mostly by people who think they know the law but apparently don't, contracts are not magical legal instruments that overrule everything ever.

In just about every jurisdiction in the world contracts have limits. They cannot overrule statutory rights, you cannot sign away your life in a contract, you cannot sign away your legal responsibility for a crime onto someone else poor and desperate enough to be willing to take it for money.

Hence, it doesn't matter what is in a contract, if that contract doesn't adhere to the laws of the country in which the agreement is made then either the whole or that portion of the contract are meaningless and irrelevant.

Facebook doesn't get to rewrite the law, so rather than blaming users for agreeing to a section of a contract that has no legal merit in the first place, you should be asking, "Why can't Facebook adhere to the laws of the countries in which it chooses to operate if it wishes to operate there?". That's the real question- you see, your question is meaningless; Europeans ARE abiding by the contract they wilfully sign because it's a meaningless contract with large portions that hold no legal merit in the first place. It's not their fault Facebook wrote a contract that tries to claim rights that it has no legal standing to claim - that's Facebook's fault, they should've drafted a contract that's wholly enforceable within the confines of the law.

Most companies manage, but it seems a number of tech companies really struggle with it, because profit.

Re:I'm European and I don't care. EU is hypocritic

The problem is that FB also tracks non-fb-users. You can't opt-out from this.

Re:Facebook isn't free

[Blaskowicz]

Perhaps Privacy Badger is great but there are a few issues : knowing the extension du jour, possible browser slowdown (well, I think Mozilla Lightbeam did it), danger of launching an unprotected secondary browser or profile.

You can do something like this at the hosts file : perhaps this one has unnecessary duplicate entries but it works (in particular "connect", "login" and cdn" are blocked out)

127.0.0.1 www.facebook.com
127.0.0.1 facebook.com
127.0.0.1 static.ak.fbcdn.net
127.0.0.1 www.static.ak.fbcdn.net
127.0.0.1 login.facebook.com
127.0.0.1 www.login.facebook.com
127.0.0.1 fbcdn.net
127.0.0.1 www.fbcdn.net
127.0.0.1 fbcdn.com
127.0.0.1 www.fbcdn.com
127.0.0.1 static.ak.connect.facebook.com
127.0.0.1 www.static.ak.connect.facebook.com
127.0.0.1 threatexchange.fb.com
127.0.0.1 fb.com
127.0.0.1 www.fb.com
127.0.0.1 newsroom.fb.com
127.0.0.1 internet.org
127.0.0.1 facebook.net
127.0.0.1 www.facebook.net

Re:Facebook isn't free

[Sique]

To use a real world analogon: Burglary is still a crime, even if someone didn't lock his front door. Yes, you should lock the door. But it's still a crime to steal, even if you don't lock it. The Belgian Privacy Protection Commission now has listed some ways to lock your door - basicly they did already what you repeat now. Thus your remark could be rated "redundant".

Use their tracking agasint them

[GeekWithAKnife]

Just fill out false information, post pictures that are not you, tag things incorrectly, feed the bots dust til they choke.

If you think about it's possible to loop their own ads back to them...just help spread the advertisement.

They agreed to these conditions when they accept me as a user.

Here's the facebook part of my /etc/hosts

[ciaran2014]

Unhelpful people will point out that such a list isn't and can't be perfectly complete. That's true, but so what, this list blocks a ton of tracking. If I'm missing important domains, please tell me which ones. I've merged in the domains from Blaskowicz's list which weren't already in mine. (I've also heard conflicting opinions on using 127.0.0.1 vs 0.0.0.0. I don't know which is better but I do know the difference is insignificant.)

0.0.0.0 apps.facebook.com
0.0.0.0 connect.facebook.net
0.0.0.0 de-de.facebook.com
0.0.0.0 developers.facebook.com
0.0.0.0 error.facebook.com
0.0.0.0 es-es.facebook.com
0.0.0.0 facebook.com
0.0.0.0 facebook.net
0.0.0.0 fb.com
0.0.0.0 fbcdn-creative-a.akamaihd.net
0.0.0.0 fbcdn-profile-a.akamaihd.net
0.0.0.0 fbcdn.com
0.0.0.0 fbcdn.net
0.0.0.0 fbexternal-a.akamaihd.net
0.0.0.0 fbm.mysocialpixel.com
0.0.0.0 fbstatic-a.akamaihd.net
0.0.0.0 fr-fr.facebook.com
0.0.0.0 internet.org
0.0.0.0 l.facebook.com
0.0.0.0 login.facebook.com
0.0.0.0 newsroom.fb.com
0.0.0.0 nl-nl.facebook.com
0.0.0.0 pixel.facebook.com
0.0.0.0 s-static.ak.facebook.com
0.0.0.0 scontent-ams.xx.fbcdn.net
0.0.0.0 static.ak.connect.facebook.com
0.0.0.0 static.ak.facebook.com
0.0.0.0 static.ak.fbcdn.net
0.0.0.0 static.api.ak.facebook.com
0.0.0.0 threatexchange.fb.com
0.0.0.0 upload.facebook.com
0.0.0.0 www.connect.facebook.net
0.0.0.0 www.facebook.com
0.0.0.0 www.facebook.net
0.0.0.0 www.fb.com
0.0.0.0 www.fbcdn.com
0.0.0.0 www.fbcdn.net
0.0.0.0 www.login.facebook.com
0.0.0.0 www.static.ak.connect.facebook.com
0.0.0.0 www.static.ak.facebook.com
0.0.0.0 www.static.ak.fbcdn.net
0.0.0.0 1-edge-chat.facebook.com
0.0.0.0 2-edge-chat.facebook.com
0.0.0.0 3-edge-chat.facebook.com
0.0.0.0 4-edge-chat.facebook.com
0.0.0.0 5-edge-chat.facebook.com
0.0.0.0 6-edge-chat.facebook.com
0.0.0.0 7-edge-chat.facebook.com
0.0.0.0 8-edge-chat.facebook.com
0.0.0.0 9-edge-chat.facebook.com

Re:Here's the facebook part of my /etc/hosts

[AmiMoJo]

The advantage of using Privacy Badger is that it doesn't rely on a constantly maintained list. It looks at how domains are being used, if they are tracking you by pulling the same cookies on different sites, and if they offer anything useful. It then automatically blocks useless/invasive ones, all without any effort on your part.

If you are too lazy to maintain a list or want your non technical friends and relatives to be safe, it's a good solution. Use both, they complement each other.

New plug in

[goombah99]

I use the "strangers on a train" plug in. It exchanges all your facebook cookies every 5 minutes with another random person. It doesn't hurt your facebook login itself since you still need your password for that. It just scrambles your identity when you press like. If everyone used this then the "likes" would still add up to being meaningful but the user profiles would be completely homogenized and have no tracking value.

Re:I'm European and I don't care. EU is hypocritic

[Anonymous+Brave+Guy]

Tracking is not just web 3.0, it's society/globalization 101. One learns to live with it.

Or, like civilised people, we decide that some behaviour is potentially damaging and/or socially unacceptable, we make it illegal, and we punish those who continue to do it.

Also, your continued analogy between what governments do and what private businesses do is silly. Technology is not inherently evil. Storing data about someone is not inherently evil. How you use that technology and what you use that data for may be evil, or may not.

Re:Facebook isn't free

[Ol+Olsoc]

Those like "like" buttons on every page are spying on you

That's nonsense; they're not spying at all. In fact, they do nothing.

Amazing how people who are completely wrong can speak with such authority.

Re:Facebook isn't free

They are accused of tracking people who never signed up to Facebook and who never agreed to be tracked through the use of the like buttons. They don't need nor use cookies to track you. With a script they can reveal a lot of information of your browser, add ons, ip, operating system, last visited page, etc... That information is almost like DNA and can identify you while you browse the internet. This is how Facebook tracks you without ever needing to place a cookie on your computer. They create a shadow profile with this information which is saved on their server and not your computer. You can't request information of your shadow profile, nor delete that shadowprofile.
 
Facebook thinks they have every right to track everyone, even those who don't want to be tracked. The Belgian privacy commission says they go too far and that they invade the privacy of people who are not logged into Facebook. It is now up to the judge to decide whether Facebook is allowed to track everyone without consent or whether they breach privacy. The result of this case will have consequences for Facebook in the EU.

The only way to fool Facebook is to use multiple computers with different operating systems and browsers and different ISP's and not by deleting cookies.

Re:I'm European and I don't care. EU is hypocritic

[Halo1]

I do not disagree with you in your last 3 sentences. Other than that, I accept the fact that my social condition (that of a working, middle-class citizen, i.e. one vote) simply does not allow me to have that influence in communitary law-making.

As a 25 year old PhD student, together with a bunch of like-minded people that had no political clout or connections (many of which were students or PhD students), I managed to help block the EU software patents directive back in 2009. This directive had the full support of the European Commission, and initially also of the majority of the largest groups in the European Parliament (the Christian Democrats and the Socialists). Big IT companies (IBM, Microsoft, Nokia, ...) spent over 4 million euro on lobbying. And yet in the end (after 7 years of procedure) they all decided to go for cancelling the directive rather than risking it might get amended do something we may like and they might not.

For me, it started in a very silly way: I sent a mail to all Belgian MEPs, explaining them my view on the directive and on software patents. A week later, I got a call from an assistant of a number of MEPs telling me it was the first mail on the topic that made any sense to her, and asking me (a random student that just mailed them) how they should vote on the report that was being tabled the next week. I kind of panicked, told her I'd get back to her, looked on the Internet who could help me with that, ended up at the FFII and the rest is history.

Seriously, politicians and their aides are also also just people, and if you say something that makes sense, many of them will pay attention. There are of course always those who have made up their mind and won't care, but in my experience of 5 years of talking with them, I did not come to the conclusion that it's the majority of them. Not even close. Especially at the European level, where they are often happy that finally someone from the home country actually cares about what they're doing (as long as you're not sending template mails).

And yes, in the end it did cost lot of effort. But it is patently (hah!) false that there is nothing you can do influence or achieve at the EU level.

Democracy allows me this vote every now and then

That is just one part of democracy. It's an important one, but still just a part. A functional democracy requires way more effort than just voting every couple of years. And you can do it just as well as anyone else.