Facebook can track your browsing even after you've logged out, judge says

Firefox has a pretty neat feature I discovered recently:<p><a href="https:&#x2F;&#x2F;wiki.mozilla.org&#x2F;Security&#x2F;Contextual_Identity_Project&#x2F;Containers" rel="nofollow">https:&#x2F;&#x2F;wiki.mozilla.org&#x2F;Security&#x2F;Contextual_Identity_Projec...</a><p>It lets you run multiple sessions in one window, where each tab belongs to a specific session with separated cookies and such.<p>I&#x27;ve got a bunch of tabs where I&#x27;m logged in to Facebook, another set where I&#x27;m logged in to Google and the rest of them where I&#x27;m not logged in to either. Of course they can still use IP matching to track me, but at least it&#x27;s something...

I have a few questions.<p>1) “Facebook’s intrusion could have easily been blocked, but plaintiffs chose not to do so,”<p>This seems like a dangerous precedent. So if we can block surveillance attempts and we don&#x27;t try, then it&#x27;s our fault?<p>&gt; “The fact that a user’s web browser automatically sends the same information to both parties does not establish that one party intercepted the user’s communication with the other,”<p>This makes no sense. Nothing happens &quot;automatically&quot;, someone wrote the code for that to happen, in this case, Facebook.<p>But, at the end of the day it&#x27;s just an embedded thing in a bunch of websites. I don&#x27;t see anyone suing Google about AdSense. I mean I despise Facebook, but unless they&#x27;re doing something more nefarious than getting a GET request on page load, then I&#x27;m not sure that I care enough. Get a blocker.

The article or the judge (not sure which) suggests using incognito mode. While this will keep browsing history private for a particular session, it&#x27;s only effective locally. Tracking from the server is still possible either through being logged in or through browser fingerprinting, which is surprisingly accurate.<p>Here&#x27;s a good demo which uses fingerprinting to show how ineffective incognito mode is: <a href="http:&#x2F;&#x2F;www.nothingprivate.ml&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.nothingprivate.ml&#x2F;</a>

If you delete the Facebook cookie (i.e. are completely logged out including username), then click on a link in an email notification from Facebook, it will silently log you in again, restoring the cookie and web-wide tracking. This can be tested by pasting an email notification link to a new private browsing window.

That&#x27;s not all. In NY state, they ruled that can artist can take pictures of you in your home through your windows:<p><a href="https:&#x2F;&#x2F;fstoppers.com&#x2F;photojournalistic&#x2F;supreme-court-rules-photographing-neighbors-through-windows-legal-67925" rel="nofollow">https:&#x2F;&#x2F;fstoppers.com&#x2F;photojournalistic&#x2F;supreme-court-rules-...</a>

Quitting facebook is not enough. I recommend blocking all via hosts file. <a href="https:&#x2F;&#x2F;github.com&#x2F;jmdugan&#x2F;blocklists&#x2F;blob&#x2F;master&#x2F;corporations&#x2F;facebook&#x2F;all" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;jmdugan&#x2F;blocklists&#x2F;blob&#x2F;master&#x2F;corporatio...</a>

Sometimes I think people need a little more &quot;Black Mirror&quot; to see how bad this is. One of the episodes has random people basically constantly looking at and filming a woman everywhere; certainly no <i>less</i> than what Facebook does every day, yet somehow it doesn&#x27;t seem weird to anyone?

Nice, if i don&#x27;t lock my door, its my fault they steal my things.

Make today the day you delete you facebook account. Do it! Opt-out of this panopticon as best you can.<p>Block as many ads as you can, in order the starve the best.

I think EFF&#x27;s privacy badger [0] can block this kind of tracking, depending on how sophsticated their tracking methods are.<p>[0] <a href="https:&#x2F;&#x2F;www.eff.org&#x2F;privacybadger" rel="nofollow">https:&#x2F;&#x2F;www.eff.org&#x2F;privacybadger</a>

Seems very similar to the original Facebook Beacon, which they were forced take down.<p><a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Facebook_Beacon" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Facebook_Beacon</a>

&gt;Australian internet security blogger Nik Cubrilovic first discovered that Facebook was apparently tracking users’ web browsing after they logged off in 2011<p>After reading that (in 2011) I decided to block all third-party cookies.

While on the topic of tracking, is there a plugin that lets you delete cookies using rules on a per domain basis? for example, cookies are useful for some sites, and others they are useful for certain periods of time, and thereafter it would be nice to get rid of them (and yet more sites shouldn&#x27;t be able to leave cookies at all). I know there are some plugins that let you block all cookies, or manage them after the fact, but I want something rule based and automated

How is Facebook different from other advertising networks. All of them track you across the web, on any site that use them. Why is FB a special case?

Meh <a href="https:&#x2F;&#x2F;www.eff.org&#x2F;privacybadger" rel="nofollow">https:&#x2F;&#x2F;www.eff.org&#x2F;privacybadger</a>

Does FB track by IP or cookie or both? I use different browsers for the more invasive tracking sites. For FB (which I use very sparingly these days to stay in touch with people I won&#x27;t hear about in other circles) I currently use Safari. I log in and out and limit my use of that browser to FB and a handful of other sites.<p>since Chrome is such a memory hog on macs my principal browsers are opera and brave, both of which work very well on my elderly macbook air.<p>I have no idea if my somewhat paranoid tracking avoidance is effective against FB though. I see that when I go to the log in page in safari that FB knows how many &#x27;posts&#x27; I have stacked up to consume (the little Pavlov&#x27;s dog red circle with a number in it). I&#x27;m assuming I&#x27;m being tracked despite being logged out...

add facebook to your hosts file per: <a href="https:&#x2F;&#x2F;github.com&#x2F;erwinbierens&#x2F;Facebook-Hosts&#x2F;blob&#x2F;master&#x2F;facebook-hosts.txt" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;erwinbierens&#x2F;Facebook-Hosts&#x2F;blob&#x2F;master&#x2F;f...</a>

My general fix for web tracking cookies:<p>HTTP requests sent from my browser page when viewing Foo.com to Bar.com have no cookies. Javascript is available to create an explicit pop-up requesting permission to share your cookies with Bar.com.<p>When I go to Foo.com, my relationship is with Foo.com. I&#x27;m okay with being tracked by Foo.com when I&#x27;m on Foo.com, but if bar.com is going to track me then I want to be asked.<p>That said, Foo and Bar could still share information about me directly without going through my browser, but without the cookie feature it would be very hard for Foo and Bar&#x27;s profiles on the person Pxtl are the same person.

Clearly Facebook &quot;can&quot;. The judge ruled that they &quot;may&quot;.

That is why media struggles making money--it gives its audience for free to Facebook and Google with all that &quot;free&quot; share buttons and analytics. Why would an advertiser pay to a brand name media outlet money for displaying an ad if it could buy exactly this audience on Facebook or via Google much cheaper?<p>Media did it to itself--it just gave away it&#x27;s audience for free. No wonder it can&#x27;t make enough money via advertising.

I wish someone would build hardware that protected against this. A router for example that filtered all outbound traffic and blocked specific routes and packets destined for tracking.<p>Yes, you could do that all on the computer itself, no need to run it on the router. I guess the benefit of having it all on a router is that it would be a plug and play solution for the privacy conscious but technically limited individual.

I usually stick with Safari as my browser, but Privacy Badger isn&#x27;t available for it, so I use &quot;Facebook Disconnect.&quot; Does anyone know how well it really works? (I don&#x27;t have an account, and I don&#x27;t want them tracking my activity for my old profile.) I&#x27;m surprised I haven&#x27;t grep&#x27;ed anything about this extension in the discussion thus far, which makes me nervous.

Wouldn&#x27;t something like Pi-Hole be a good network-wide way to manage this tracking? I know plugins are convenient but they all have to intercept and modify css&#x2F;etc coming in on the fly which can lead to slower page loads. Plus I&#x27;d imagine some of those plugins will allow certain domains through regardless?<p>Or are the sneakier ways sites track users something that can get by the OOTB settings?

I don&#x27;t even know what their logout button does. It puts me on the login page with my profile pic, and it displays the number of notifications I&#x27;ve received while logged out. There is a &#x27;remove account&#x27; X overlay placed on the top left corner. I usually click it and hope it does something.

If the judge had ruled the other way, would that have been equivalent to ruling that all tracking is illegal?

It is interesting that the court was arguing that there are protection measures the plaintiff can take. Makes one wonder that the legal situation is for the folks that are circumventing the default browser protection mechanisms.

that awkward moment when the article itself has Facebook sharing buttons

Proper English should have been: &quot;Facebook <i>may</i> track your browsing even after...&quot;.<p>The judge can rule about lawfulness, otherwise it looks like they are a investigative reporter that just found out about the technical capability to track users in such a way.

Not a surprise.

Facebook is a company, a superfluous one even, no need is forcing you to use it and there is no need for it. Don&#x27;t like the don&#x27;t use it. Don&#x27;t like tracking configure your browser accordingly and get a blocker. It&#x27;s easy and free.