Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Jams Facebook's Web-Tracking Tools (bbc.com)

Posted by BeauHD on from the right-to-privacy dept.

The next version of iOS and macOS "will frustrate tools used by Facebook to automatically track web users," reports BBC. At the company's developer conference, Apple's software chief Craig Federighi said, "We're shutting that down," adding that Safari would ask owners' permission before allowing the social network to monitor their activity. BBC reports: At the WWDC conference - held in San Jose, California - Mr Federighi said that Facebook keeps watch over people in ways they might not be aware of. "We've all seen these - these like buttons, and share buttons and these comment fields. "Well it turns out these can be used to track you, whether you click on them or not." He then pointed to an onscreen alert that asked: "Do you want to allow Facebook.com to use cookies and available data while browsing?" "You can decide to keep your information private."

Apple also said that MacOS Mojave would combat a technique called "fingerprinting", in which advertisers try to track users who delete their cookies. The method involves identifying computers by the fonts and plug-ins installed among other configuration details. To counter this, Apple will present web pages with less details about the computer. "As a result your Mac will look more like everyone else's Mac, and it will be dramatically more difficult for data companies to uniquely identify your device," Mr Federighi explained.

42 of 117 comments (clear)

  1. Source by Aadarshkothari · · Score: 1

    Can we also track the source of the traffic?

  2. Browsers and OS should do this by AHuxley · · Score: 2

    Not a member of a social media brand?
    Ban it from the browser, OS until a user wants to register a social media account and be spied on.

    --
    Domestic spying is now "Benign Information Gathering"
  3. Re:Do this by AmiMoJo · · Score: 4, Interesting

    Firefox can do this already, but it's not that effective unfortunately.

    The real problem these days is fingerprinting. Particularly installed fonts and user agent strings. Those two alone are often pretty unique, and combined with canvas fingerprinting and IP address are very powerful tracking mechanisms.

    Unfortunately no browser can block them, and I have not found any plug-in except for NoScript that can block getting a list of installed fonts. There is a tool called "fluxfonts" that randomly installs and removes fake fonts in the background, but it would be nice if a mainstream browser did something about this.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Re:Do this by Mordaximus · · Score: 5, Informative

    The real problem these days is fingerprinting. Particularly installed fonts and user agent strings. Those two alone are often pretty unique, and combined with canvas fingerprinting and IP address are very powerful tracking mechanisms.

    They are addressing this as well in Mojave. Slimmed down system information, it only reports system fonts. Essentially one MacBook will look like the next, etc. In theory, anyway

  5. Native in Browsers by johnsie · · Score: 3

    Various plugins do a good job of this, but some sort of blocking should be a native optional feature in major browsers. I've already refused to accept the new privacy policy from Facebook as I refuse to let that company turn my data into a product. People let them go to far. There must be an option to choose which companies are not allowed to collect your data, and that's why GDPR is a good thing. Facebook tried to avoid data privacy by moving millions of accounts out of Europe/

  6. Don't think this is the right way to fight it by Solandri · · Score: 4, Interesting
    There are two ways to fight this:
    • Try to stop these tracking methods. Which just results in the people doing the tracking coming up with new tracking methods. That kicks off an endless arms race where each side keeps countering the move the other side makes.
    • Pollute the data. Let them collect the data, but the browser should surreptitiously add fake data. Either generated by randomly crawling linked pages in the background, or by sharing anonymized sites other users have browsed. The moment the "user's" browsing data is no longer an accurate representation of the sites the user is actually browsing, that data loses its advertising value. And advertisers will be forced to place ads based on the type of people who like to visit a certain site (e.g. GPU ads on a gaming site), rather than trying to display ads targeted at the person browsing regardless of what site they visit.

    The first method is a never-ending game of leapfrog. The second method favors users because there are a lot more of them than companies tracking this data. They can generate fake browsing data faster (up to the limit of their Internet bandwidth) than these companies can filter it out.

    1. Re:Don't think this is the right way to fight it by johnsie · · Score: 4, Informative

      It'll still be an arms race. They'll try and find ways around it. GDPR has shown that strong legislation is probably going to be the best way to prevent this sort of tracking.

    2. Re:Don't think this is the right way to fight it by Anonymous Coward · · Score: 1

      On the eve of the GDPR I received an email from an affiliate organisation extolling how they would be complying with the law and be able to track users using such methods as the opt out of tracking cookies and industry wide opt ins (eg; agree with one website you agree with them all).

    3. Re:Don't think this is the right way to fight it by alvinrod · · Score: 2

      The problem with your proposed solution is that you assume that these same tracking companies would be wholly incapable of cleaning the polluted data. All they would need is access to the browser that does the polluting and enough time to see how it works and they could probably get above 95% accuracy in terms of removing the fake, polluted data.

      It's always a game of cat and mouse. The only way to really stop it is to make a user's data so worthless as to remove the economic incentive to attempt to track them. Unfortunately, that doesn't seem all that likely either.

    4. Re:Don't think this is the right way to fight it by AmiMoJo · · Score: 3, Interesting

      Pollution is quite effective. For example, there are various add-ons for popular browsers that add random noise to canvas elements, changing the fingerprint every time. Even if they are tracking you by other means such as detecting installed fonts, the random canvas fingerprint and maybe a random user-agent pollutes their data.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Don't think this is the right way to fight it by 6Yankee · · Score: 1

      I'll let you send them my font list if I can send them yours...

    6. Re:Don't think this is the right way to fight it by jbmartin6 · · Score: 1

      You may be right about data pollution, although I have often wondered how easy it would be to tune out what you suggest. If my device randomly visits a needlepoint site, then a site about making home made sake, then FIVE sites about playing chess, it's pretty easy to figure out I like to play chess and the other ones were red herrings. My point is things that are true would rise above the noise of various random hits and would be easy to figure out based on timing, frequency, etc. Now, if I could create various fake personae and have an AI add their activity in the background to my own, probably better. If AI existed. On the other hand, what if there is something you just don't' want them to know? I may not want them to know I like chess, regardless of whether or not I fool them into thinking I also like needlepoint.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    7. Re:Don't think this is the right way to fight it by sinij · · Score: 1

      I think technical term is poisoning the data. It is brutally effective, and not because it hides your own data, it also makes entire data set less valuable by contaminating it with fake data.

    8. Re:Don't think this is the right way to fight it by sit1963nz · · Score: 1

      This is currently the same tactic being used by spambots and anarchists
      Look how many garbage posts are made in discussion forums, and they are growing in number.

      The idea is to pollute sites where people can have reasoned, intelligent discussions with so much junk that it destroys the forum and drives the thinkers away.

      This "normalises" abuse, hate, lies, anger, etc etc and that becomes part of normal society IRL.

      Without rational discussion, "fake news" will rule because there will be nowhere to discuss truth and facts, provide evidence, and highlight the benefits of logical thought. People will become even MORE partisan, where right and wrong are replaced with left and right where both sides are wrong.

      Back some 20-30 years ago news reporting was far less biased, they were far more interested in the facts and the truth. Now days when a news item does not conform to the bias that media outlet has the story is ignored, or simply buried and trivialised. This is dangerous , without knowing the truth no one can make and informed decision , and that truth is now being decided by a smaller and smaller cabal of wealthy people who have their own agenda. And when that happens democracy looses.

  7. For other platforms... by Gravis+Zero · · Score: 3, Informative

    If you aren't already, you should be using SafeScript which allows you to block lots of fingerprinting stuff. If you think you don't need it then you should check out BrowserLeaks to see how horribly wrong you are. :)

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:For other platforms... by Ol+Olsoc · · Score: 1

      If you aren't already, you should be using SafeScript which allows you to block lots of fingerprinting stuff. If you think you don't need it then you should check out BrowserLeaks to see how horribly wrong you are. :)

      And how! Early on in using NoScript I did an inventory of what was blocked. Facebook was the champ of tracking scripts, and a lot of those addresses the scripts reported to were obscured - ie not obviously facebook. And there were several FB trackers on most the sites that had them. Google had a number of scripts - at least they had the decency to make that clear. several ad providers, the font trackers, and a few I never figured out. My biggest haul for one page was over a hundred scripts.

      And this was some years ago, long before I had to have a Facebook account for some projects I was working.

      Which is why I have told people for years that Facebook is tracking everyone, not having an account does not stop them from tracking anyone.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  8. Re:Do this by theweatherelectric · · Score: 5, Informative

    Hey Firefox, looking for something else to copy?

    What, you mean like how Firefox provides built-in tracking protection? Or how Firefox provides a Facebook Container which isolates Facebook from the rest of your browsing activity? Or how Firefox is developing an anti-fingerprinting mode? Or how Firefox is integrating Tor as a built-in feature?

    I don't think you know what you're talking about. The web browser is the most commonly used piece of application software. If there's one type of software you should educate yourself about, it's web browsers.

  9. Re:Do this by Plumpaquatsch · · Score: 1

    I bet you will be really pissed when you find out what Apple has announced for Safari. https://www.wired.com/story/ap...

    --
    Of course news about a fake are Fake News.
  10. Re:Do this by AmiMoJo · · Score: 1

    It's really good news that Apple is doing something about this.

    Hopefully others will follow. Their improvements seem to be based on research done by Mozilla, so perhaps at least Firefox will get something similar soon.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  11. Re:And by stealth_finger · · Score: 1

    That is some initial work until you have the 153 worst tracking companies.

    153? seems oddly specific.

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u
  12. Here's why I'm looking sideways at this - by sabbede · · Score: 3, Interesting

    I'm using pfBlocker to filter DNS on my home network. You know what doesn't work without being able to talk to tracking and ad-serving servers (including google's for some reason)? The iTunes App Store.

  13. Re: Safari? What about Facebook app? by vakuona · · Score: 1

    From TFS:

    The next version of iOS and macOS "will frustrate tools used by Facebook to automatically track web users,"

  14. Re:And by Plumpaquatsch · · Score: 1

    That is some initial work until you have the 153 worst tracking companies.

    153? seems oddly specific.

    Maybe he works for the 154th entry on the Forbes' 200 Worst Tracking Companies List?

    --
    Of course news about a fake are Fake News.
  15. Apple cart by spinitch · · Score: 1

    Don't upset the Apple cart? Wonder how far Apple evaluated their own SNS FB alternative? Seems time might be ripe to trip the FB giant.

  16. Re: Safari? What about Facebook app? by Megane · · Score: 1

    Exactly. This is about the web bugs and other things from Facebook that end up in other web pages, little things like "Share on Facebook" buttons. You see that little "f" icon? If it's served from facebook.com, your browser had to talk to them to get it.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  17. Legislation by JBMcB · · Score: 2

    Legislation may help, but the GDPR is a nightmare. This Week In Law had an entire episode critiquing it.

    --
    My Other Computer Is A Data General Nova III.
    1. Re:Legislation by dAzED1 · · Score: 1

      No, it's not. It also had years of warning, so I have zero pity for companies of any size that waited until the last few weeks to even think about it.

  18. Re:Are you French ? by Merk42 · · Score: 1

    "fighting is hopeless, do not do anything !!!"

    No, I guess you are a FB propaganda operative. Or one from Google, they do exactly the same $hit.

    Did you press the wrong button? GP never said that, nor even implied that.

  19. Re:Do this by cascadingstylesheet · · Score: 2

    The real problem these days is fingerprinting. Particularly installed fonts and user agent strings. Those two alone are often pretty unique, and combined with canvas fingerprinting and IP address are very powerful tracking mechanisms.

    They are addressing this as well in Mojave. Slimmed down system information, it only reports system fonts. Essentially one MacBook will look like the next, etc. In theory, anyway

    Wouldn't that mean you only get to see system fonts then? (Assuming the reported list of fonts actually does something?)

    (I'd be fine with that, but will the public at large be fine with it)?

    Actually, since CSS lets you specify a list of fallbacks, why does the browser have to report fonts anyway? I have neglected to look into this little corner of madness ...

  20. Re:Do this by jbmartin6 · · Score: 1

    Firefox can do this already, but it's not that effective unfortunately.

    Could you clarify why you say this?

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  21. VPN Required? by atrex · · Score: 1

    I don't see how any of these methods put a stop to user tracking unless you're using a VPN to obfuscate your source IP address. So is Safari going to include it's own free VPN service like Opera? Or is this all just a bunch of noise to try and capitalize on the anti-Facebook sentiment and gain market attention?

    1. Re:VPN Required? by WinstonWolfIT · · Score: 1

      Astute. I rotate between Argentina and Albania which results in me being completely untrackable.

  22. Re:Do this by AmiMoJo · · Score: 1

    Try the EFF's Panopticlick.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  23. Re:Do this by Shotgun · · Score: 1

    Wouldn't that mean you only get to see system fonts then?

    If only we could be so lucky.

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  24. or virtual machines by goombah99 · · Score: 1

    if it's plug ins it's pointless. You might as well say, just run every browser window in a different virtual machine. It's so simple!!! not. Plug ins mean maintaining plugins over time and trying to figure out which one broke which website, maintainging a different whitelist for every plug in, and removing them when they go out of date, that's a mugs game.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  25. Re:Do this by spire3661 · · Score: 2

    All webpages should have an html fallback. If they dont, its not really a webpage.

    --
    Good-bye
  26. Re:Do this by Gr8Apes · · Score: 1

    Disabling JS makes the web browsable again for 99% of its pages. 99% of the web does not need JS, and never should have had JS installed with it.

    --
    The cesspool just got a check and balance.
  27. Re:Do this by Gr8Apes · · Score: 1

    Actually, since CSS lets you specify a list of fallbacks, why does the browser have to report fonts anyway? I have neglected to look into this little corner of madness ...

    I looked into this years ago, and there is absolutely 0 reason for this function to exist in today's world. If all browsers returned 0 fonts, the same style sheets still get served in 99.999999....% of the cases. So other than fingerprinting the machine, what purpose does this function serve?

    --
    The cesspool just got a check and balance.
  28. Re:Do this by Cajun+Hell · · Score: 1

    Someone remind me: why should javascript ever be able to know what fonts you have? Why would anyone care?

    Maybe browsers don't let you twiddle some config setting to deny font requests, but it could nevertheless be disabled in the browser's code. Is there any reason to even suspect that this might break anything? I wouldn't expect it to break anything. Being able to query fonts sounds like a totally useless feature anyway.

    --
    "Believe me!" -- Donald Trump
  29. Re:Do this by TheFakeTimCook · · Score: 2

    Firefox can do this already, but it's not that effective unfortunately.

    The real problem these days is fingerprinting. Particularly installed fonts and user agent strings. Those two alone are often pretty unique, and combined with canvas fingerprinting and IP address are very powerful tracking mechanisms.

    Unfortunately no browser can block them, and I have not found any plug-in except for NoScript that can block getting a list of installed fonts. There is a tool called "fluxfonts" that randomly installs and removes fake fonts in the background, but it would be nice if a mainstream browser did something about this.

    Apple has a solution to "fingerprinting". They return random data.

  30. HALLELUJAH ! by TheStickBoy · · Score: 1

    ^ what the subject said

  31. Re:Apple only targeted ad by TheFakeTimCook · · Score: 1

    In other news, Apple wants to be the only one to be able to track its demographic to perform targeted advertising.

    Except they don't. And the truth is in the fact that I have NEVER seen an Apple-related ad show up anywhere that wasn't completely expected.