Slashdot Mirror

← Back to Stories (view on slashdot.org)

Facebook Can Track Your Browsing Even After You've Logged Out, Judge Says (theguardian.com)

Posted by msmash on from the at-their-will dept.

A U.S. judge has dismissed nationwide litigation accusing Facebook of tracking users' internet activity even after they logged out of the social media website. From a report: The plaintiffs alleged that Facebook used the "like" buttons found on other websites to track which sites they visited, meaning that the Menlo Park, California-headquartered company could build up detailed records of their browsing history. The plaintiffs argued that this violated federal and state privacy and wiretapping laws. US district judge Edward Davila in San Jose, California, dismissed the case because he said that the plaintiffs failed to show that they had a reasonable expectation of privacy or suffered any realistic economic harm or loss. Davila said that plaintiffs could have taken steps to keep their browsing histories private, for example by using the Digital Advertising Alliance's opt-out tool or using "incognito mode", and failed to show that Facebook illegally "intercepted" or eavesdropped on their communications.

63 of 124 comments (clear)

  1. Obviously. by BeauHD+is+a+retard! · · Score: 1

    This is news how?

    1. Re:Obviously. by fustakrakich · · Score: 1

      Evidently you can sue people for making a working link.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Obviously. by rjstanford · · Score: 5, Insightful

      It shouldn't be unreasonable to expect that logging out of Facebook caused them to stop treating that browser window as being "you" for their purposes as well as yours.

      --
      You're special forces then? That's great! I just love your olympics!
    3. Re:Obviously. by fustakrakich · · Score: 1

      The only safe bet is to not click on any of their buttons. The metadata will get you every time. If you let the NSA do it, then everything is fair game.

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:Obviously. by Anonymous Coward · · Score: 2, Informative

      You don't need to actually click on them to be counted, though if you do they can also update your psych profile based on what you are Like'n.

    5. Re:Obviously. by Luthair · · Score: 3, Interesting

      Its not the link, its the fact that sites embed Facebook scripts that your browser requests and Facebook uses to track people browsing the web. When the user isn't logged in they still track them and attempt to associate it with an account later. Its pretty sleazy and why you should have Adblock block Facebook (and Twitter, and Google) domains on third party sites.

    6. Re:Obviously. by reboot246 · · Score: 5, Interesting

      The only winning move is not to play. Seriously, I've never had a Facebook account and I pity those millions who do.

      If one insists on being a Facebook minion, just use a different browser and dedicate it only to Facebook. Call it a "throwaway" browser. Then never use it for anything else but Facebook.

    7. Re:Obviously. by fustakrakich · · Score: 1

      Sleazy yes, but it's just something to be aware of and block. We don't need the frivolous lawsuits.

      --
      “He’s not deformed, he’s just drunk!”
    8. Re:Obviously. by jenningsthecat · · Score: 4, Insightful

      The only winning move is not to play. Seriously, I've never had a Facebook account and I pity those millions who do.

      You're probably playing to some extent, whether you realize it or not. I run No Script and an ad blocker, and I also don't have a Facebook account, so I'm probably better off than Joe Average when it comes to being tracked. I also do my best to make sure that friends and acquaintances don't post my name or picture. Even at that, I wouldn't be surprised to learn that FB knows a lot about me. If you think your abstinence from social media means you're not being tracked and commoditized, you're being naive.

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    9. Re:Obviously. by davester666 · · Score: 1

      You need to use a tracking-blocker, that prevents the 'like' button from appearing (as in, prevent facebook's javascript from being loaded).

      --
      Sleep your way to a whiter smile...date a dentist!
    10. Re:Obviously. by thsths · · Score: 2

      We do need lawsuits, because this is illegal. It is no doubt sensitive data, it is not just personalisable data, Facebook is actually working hard on making it personalised data. And there is no consent given. So Facebook does not have any right to do this.

    11. Re:Obviously. by Luthair · · Score: 1

      Think about the near future - retail stores will be using facial recognition to build profiles on people who enter their stores and will attempt to associate those profiles with names & addresses.

    12. Re:Obviously. by strikethree · · Score: 1

      It shouldn't be unreasonable to expect that logging out of Facebook caused them to stop treating that browser window as being "you" for their purposes as well as yours.

      I agree; however, EVERY SINGLE browser enables this behavior by default. Firefox claims it has your privacy and security in mind and then writes cookie handling code that allows you to be tracked regardless of your wishes.

      For myself, I do not blame Facebook for acting like an amoral and fiendish criminal, I blame the browser creators for enabling that behavior. Almost every business that is successful is only successful because they grabbed every resource they could regardless of legality. No moral business can normally survive for long in that environment so they ALL break the rules and only the lucky ones survive.

      The browser creators appear to me to be like the rich uncle who gives his 3 year old niece a handgun to play with. Sure, the niece shot herself, but did you expect anything different to come of that situation? Do you blame the niece or the uncle?

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    13. Re:Obviously. by peawormsworth · · Score: 1

      The only person without facebook is the easiest person in the world to track.

  2. Problem with solution by Anonymous Coward · · Score: 1

    If you use "incognito mode" (Private Window) many websites stop working.

    1. Re:Problem with solution by ewhac · · Score: 3, Interesting

      Not that I disbelieve you, but could you furnish a couple of examples? I can't recall seeing a Web site that refused to work when accessed via Incognito mode.

      --
      Editor, A1-AAA AmeriCaptions
    2. Re:Problem with solution by Anonymous Coward · · Score: 1

      Incognito mode is worthless for this. Facebook will still be able to see your IP on any site that uses their resources unless you explicitly block them or use a proxy. This Edward Davila character needs to stop pretending that he knows what he's talking about.

    3. Re:Problem with solution by phryxus · · Score: 2

      ...I can't recall seeing a Web site that refused to work when accessed via Incognito mode.

      I can't either, and moreover, I don't understand why they wouldn't work; how could the website even know you're in incognito mode?

      I was under the impression incognition* happens after the fact. I.e. the incognito window behaves as normal, but then once the window is closed / program exited, it then deletes a bunch of stuff (that it normally would not, and unbeknownst to all the websites you visited in that incog session). That's why you can even use, e.g., gmail, with all its myriad cookies flying all over the place, while incognito. I wouldn't know about fb (I don't even OWN a tv...)

      And yeah, maybe browsers normally send some flags over as well, but would those be distinguishable from normal do-not-track flags (that are sent in non-incognito sessions)? Maybe some websites are set up to break when they receive a do-not-track request (in which case see comments around here to the effect of **kbai**), but if so, probably the browsers could be tweaked (w/ extensions or whatever) to send no flags while incognito?

      *I demand this be a word

    4. Re:Problem with solution by hawguy · · Score: 1

      Incognito mode is worthless for this. Facebook will still be able to see your IP on any site that uses their resources unless you explicitly block them or use a proxy. This Edward Davila character needs to stop pretending that he knows what he's talking about.

      I doubt they use IP address to track users -- too many people share the same IP (for example, everyone in a family or office), and they don't want to reduce the accuracy of their user profiles by tracking the wrong user. They can track 99.9% of their users with tracking cookies, no need to resort to much less effective IP tracking.
       

    5. Re:Problem with solution by SirSlud · · Score: 1

      They use IP addresses (and other fingerprint stuff like browser agent, etc) - even if it's not always accurate, it's better than nothing. The worst thing they do is serve you an incorrectly targeted ad. You don't notice it, and those kinds of things just somewhat lower the effectiveness of targeted ad buys. There's an accepted, if difficult to accurately measure, margin of error in targeting that advertisers and ad publishers accept in media buys.

      --
      "Old man yells at systemd"
    6. Re:Problem with solution by DarkOx · · Score: 1

      netflix.

      I often use the incognito mode to login to my stuff on other peoples computers. So that I know some cookie won't be left behind and it won't log them out if they use the same site and have a persistent session they likely want to retain. I realize this still isnt very safe for me or them but these are people like my father and my fiance, I would mostly trust with my accounts anyway.

      Recently I wanted to show dad something on netflix I could not remember the title too, so I thought i'd just look at my recently watched list. Tried to do it in incognito mode, (so as not to log him out) and fail!

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    7. Re:Problem with solution by null+etc. · · Score: 1

      how could the website even know you're in incognito mode?

      Some browser behavior, such as visited-link highlighting and FileSystem API access, changes in incognito mode. JavaScript can be used to query whether these features work. If they're expected to work (browser version is high enough and HTML5 is supported, etc.) but they don't work, the website assumes you're using incognito mode.

  3. Block early, block always by nitehawk214 · · Score: 5, Insightful

    Block all ads, all 3rd party scripts. All the time, with no exceptions.

    If the site won't load without ads and 3rd party scripts enabled, then you don't need to see that content.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
    1. Re:Block early, block always by adturner · · Score: 4, Informative

      It's amazing how many anti-ad-blocking tools that websites use don't work and let you read the content unmolested if you disable JavaScript.

    2. Re:Block early, block always by Anonymous Coward · · Score: 1

      It's also easy to isolate your other browsing from your Facebook activity. Use a separate browser.
      It's even easier on KDE (use the Facebook widget) or Android (use Tinfoil).

    3. Re:Block early, block always by Luthair · · Score: 2

      CDNs do have some performance advantages since they'll often be edge cached. The issue really is third party content.

    4. Re:Block early, block always by AmiMoJo · · Score: 2, Interesting

      We have Google to thank for that. The Googlebot doesn't like having to run Javascript just to see content and down-ranks sites heavily because of it. In order to be found sites have to offer content to Javascript-free clients, including you.

      It's kinda scary how much power Google wields, even when it does work in our favour.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Block early, block always by nitehawk214 · · Score: 1

      CDNs tend not to serve ads, so they are usually safe to let through. Any that start serving ads start getting blocked.

      Actually I had been expecting ads to start getting served from the primary site's domain since that would make them hard to block. For 10 years now, and it still hasn't become a popular thing.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
  4. Your best choice by Kohath · · Score: 4, Insightful

    As a safeguard, you should just never login to Facebook.

    1. Re: Your best choice by dougdonovan · · Score: 2

      whats facebook. oh yeah, thats where everyones business is everyones business. probably why i dont have an account. its for kids and grandparents that dont know any better.

    2. Re:Your best choice by sit1963nz · · Score: 5, Interesting

      Irrelevant, Facebook still builds a profile, still tracks you and still updates its information about you.
      Hell I bet they even know what you look like, all it requires is someone you know who is on Facebook to upload photos with you in it.
      From there they can start doing a process of elimination.

      Because they look at the sites you visit they can tell your gender (50% reduction in the unknown just with that item)
      Age, race, religion, political ideology, income, and where you live are also discernible with enough data. And its not just the data they get from Facebook , they will have scraped data from phone directories and other public facing databases, they would also have paid for other information from other sources such as store loyalty cards, frequent flyer lists, etc etc etc etc etc.

      They also "sell" that information,based on their data are you currently looking at going on a holiday, those web sites can then bump up the prices slightly because they too know your income, etc.

      And not once have you ever had a Facebook account.

      If you think simply not having a Facebook account is all it takes then flying is just the art of aiming at the ground and missing.

    3. Re:Your best choice by Anonymous Coward · · Score: 1

      You don't even need to be a member of Facebook for them to track you. Any site that has Facebook stuff on it is tracking you even if you disable Javascript.

    4. Re:Your best choice by Lennie · · Score: 1

      Facebook share links/buttons are on many, many websites. Most people haven't figured this out yet. But they can still use it to build a profile about you.

      --
      New things are always on the horizon
  5. sooo... by TRRosen · · Score: 3, Interesting

    once again lawyers file silly suits without knowing how technology works.

    1. Re:sooo... by rjstanford · · Score: 3, Insightful

      If you sign up for Facebook, you have no expectation of privacy.

      When using their site - with that caveat I'd agree with you. Affirmatively and explicitly choosing to log out of Facebook should restore that expectation of privacy, even if at some random point in the past you had indeed signed up.

      --
      You're special forces then? That's great! I just love your olympics!
    2. Re:sooo... by Anonymous Coward · · Score: 1

      When using their site - with that caveat I'd agree with you.

      That's not how the web works. Domain X can refer to content from domain Y. By loading their "like" buttons, you ARE using their site.

      Whether the browser loads Y's content is up to the browser and the user, but if it is loaded, then Y can see and track the request. If you do not want that, then do not load the content from Y. Otherwise, you have no reasonable expectation that Y will not see and log your request. Of course they will! It's fundamentally how the web works.

      Your approach is one of "magical thinking". Magical thinking never, ever works. Avoid making requests to Y's domain if you do not want Y's domain to know you made a request.

    3. Re:sooo... by MobyDisk · · Score: 1

      By loading their "like" buttons, you ARE using their site.

      Why did the "like" button work if the person logged-out of the site?

      It sounds like the log out button just pretends to log you out by making the login prompt appear next time, but it still leaves a cookie saying who you are. If someone else used my browser, and clicked the "like" button, then that person just did something that affected my account, even though I am logged out.

  6. block facebook with by FudRucker · · Score: 1

    the /etc/hosts file

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:block facebook with by Ross+Finlayson · · Score: 1

      In particular, redefine the following host names (e.g., to 0.0.0.0) in your /etc/hosts file:

      connect.facebook.com

      connect.facebook.net

      graph.facebook.com

    2. Re:block facebook with by Ross+Finlayson · · Score: 1

      The trouble is that blocking all of these additional addresses will stop you from logging into and using Facebook normally. If you still want to use Facebook, but also want to stop other web pages from contacting it, then just blocking the various "connect" domain names might be sufficient.
       

  7. Complain to site owners by WaffleMonster · · Score: 1

    Tell them you won't visit their sites anymore if they continue to facilitate Facebook's or Google's or anyone else's cross-site cyber stalking.

    If your going to sue anyone consider directing your legal efforts at site owners for facilitating cyber stalking. Don't waste your time with Facebook.

    Contribute to public awareness campaigns that equate Facebook logos on websites with eye of Sauron in the minds of users. The thing cyber stalking firms fear most is sunlight... an informed public knowing they are being stalked everywhere you go by nameless creepers enmasse.

    If there is a price to be paid even a small one site may think twice before cut and pasting bug code especially where the same or very similar goals can be achieved without enabling Facebook stalking.

    1. Re:Complain to site owners by Anonymous Coward · · Score: 1

      I would actually like to read that arxiv but you've given insufficient information to find it.

  8. Expectation of privacy? by Dadoo · · Score: 2

    Ummm... I logged out of Facebook. How is that not an expectation of privacy?

    --
    Sit, Ubuntu, sit. Good dog.
    1. Re:Expectation of privacy? by Cajun+Hell · · Score: 1

      Ummm... I logged out of Facebook. How is that not an expectation of privacy?

      Because you (well, your agent: your computer) kept going to the extra trouble to send additional data to Facebook, even after you logged out. If you had expected privacy there is no way you would have kept sending them data. Ergo, you didn't expect privacy.

      --
      "Believe me!" -- Donald Trump
    2. Re:Expectation of privacy? by MobyDisk · · Score: 1

      Did the users type in their user name and password when they clicked the like button?

    3. Re:Expectation of privacy? by strikethree · · Score: 1

      The counter-argument to that is: You use Microsoft operating systems. You have explicitly given permission for every action you take to be logged somewhere and examined later at the pleasure of Microsoft. Using Facebook is merely a subset of using a computer (which has a Microsoft Operating system on it) therefore, you have already given up any expectations of privacy. Logging out of Facebook is not sufficient to prove that you would have an expectation of privacy since you abandoned all expectation of privacy merely by using the computer.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    4. Re:Expectation of privacy? by MobyDisk · · Score: 1

      As the script that shows the button is loaded from Facebook website, your browser SENDS to Facebook your IP and other information (e.g. Facecbook-domain related cookies containing your user id) while merely displaying the button.

      If you logged-out of facebook, how is it sending facebook domain-related cookies containing your user id? Logging out should eliminated those cookies. That's the entire point of logging out!

    5. Re:Expectation of privacy? by Cajun+Hell · · Score: 1

      Did the users type in their user name and password when they clicked the like button?

      Don't be absurd; they didn't do anything so relatively anonymous as merely typing their name and password and DoB and SSN and uploading their scanned retina image. The user sent a unique key that Facebook had offered them earlier, and that the user stored on their computer until the time came to send it back to Facebook along with their favorite URLs.

      And what's this nonsense about clicking the like button? The user sent this information to Facebook in order to request that the like button be displayed!

      --
      "Believe me!" -- Donald Trump
  9. Credit cards track you, too by DogDude · · Score: 1

    Credit cards track you everywhere you go, too. Online or off, merchant service providers are now starting to give full purchase history data to their customers. As a retailer, it's great to be able to track everybody.

    --
    I don't respond to AC's.
    1. Re:Credit cards track you, too by SnarkSide · · Score: 1

      Has that been publicly acknowledged by the card issuers? I try and limit what they know by opting for cash on some transactions. If you are saying they are putting it in the marketing database when you make a purchase each item you buy, not just what store you shopped at, even if you don't give a rewards card or number, then that is level of personal violation I haven't seen documented.

  10. Paranoia FTW! by thegreatbob · · Score: 1

    This is where domain blacklisting, referring removal/mangling and by-default JavaScript blocking start to sound real good. Very difficult to track us "paranoid" folk around unless you have access to all the random WWW logs out there.

    --
    There is no XUL, only WebExtensions...
    1. Re:Paranoia FTW! by thegreatbob · · Score: 1

      referrer, even.

      --
      There is no XUL, only WebExtensions...
  11. The usual misleading headline by SlaveToTheGrind · · Score: 1

    The judge didn't say Facebook "can do" anything. The judge said the plaintiffs can't pursue certain specific legal theories against Facebook, but can pursue others:

    The plaintiffs cannot bring privacy and wiretapping claims again, Davila said, but can pursue a breach of contract claim again.

  12. There's a book for that... by __aaclcg7560 · · Score: 1

    Facebook is already doing that with advertising, taking your interactions with Facebook and combining it with third-party personal data to track you on the Internet. Read that in "Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley" by Antonio Garcia Martinez. The author sold his engineers and company to Twitter and got hired by Facebook in a three-way deal.

  13. Email Scanning by Anonymous Coward · · Score: 1

    I don't use Facebook at all. I was researching hotels in a particular city in another state and emailed some info to another person. Before they read the email, their Facebook started showing ads for that particular hotel, and other attractions in that particular city.

  14. This is the flip side of "information wants to be by SuperKendall · · Score: 1

    Information does indeed want to be free, in that like water it is very hard to contain for long, and it will flow wherever it can as fast as it can through the smallest open channels.

    I was thinking you could claim harm by starting up a company that explicitly sold your data so someone else having it would diminish the value, but that seems contrived and would probably not help since others collecting your data would not mean the paid source could not still collect it...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  15. Safe web browser by myid · · Score: 1

    Use a web browser that's designed for privacy, like Brave (company founded by Brendan Eich).

  16. Here's how to stay private by JohnScott1514 · · Score: 1

    Stay off social sites, don't join any social sites, don't ever believe the internet owes you privacy. Or any browser, operating system or software and apps. You want privacy it's you job to be selective on how you access the internet. Facebook is not there to protect your privacy since it provides you a service for free. Which you can freely decline to use if you do not agree with their agreements. Don't waste court time for frivolous whining about privacy.

    1. Re:Here's how to stay private by Tony+Isaac · · Score: 2

      It doesn't matter if you never, ever log in to facebook, they can still track you. Any time you visit any web site that has a "Like us on facebook" icon (or other completely hidden scripts), it sends information to facebook that you (some anonymous person with a unique identifier) visited their site. Now, you visit another such site, and that icon sends facebook your unique ID, along with information that you logged in to that site. Eventually, they can piece together enough information to connect your unique ID to your real identity.

      The only way to stay private is to never connect to the Internet.

  17. Unanticipated consequences? by davidjohnburrowes · · Score: 1
    Seems to me that while this

    that plaintiffs could have taken steps to keep their browsing histories private

    speaks of incognito etc mode, it seems really an encouragement (if not a directive) to use ad blockers. If the official legal opinion (in a silicon valley court, no less) is a variation of caveat emptor (browser beware), that can't be particularly good for legitimate folks.

    Yeah, I know many folks here are already big advocates of ad blockers, and I'm aware every sizable nation state on the planet is already watching what I do. But, to have the court pretty much say: "you are on your own here" starts the conversation about personal privacy at a pretty low bar.

  18. Facebook Blocker by Futurepower(R) · · Score: 1

    Facebook Blocker for Firefox and Pale Moon browsers.

  19. Don't you live in a place where by Maritz · · Score: 1

    ISPs can literally sell your browsing info to whoever the fuck they like? And this is somehow a problem but that isn't? Weird.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  20. two click fix by weberjn · · Score: 1

    c't fixed it in 2011

    https://www.heise.de/ct/artike...