Corrente

Facebook tracks users even when they're logged out, and without telling them

[Welcome, Harvard and Montana FaceBook users. (Yes, I checked my SiteMeter log, and no, I don't track the records. But then, I'm not a humongous corporation trying to model you and your social network, and resell and repackage the results to, well, whoever, and store the information indefinitely, without giving you the opportunity to purge it. Of course, I'm sure you've never gone anywhere online that you wouldn't be totally OK discussing in a job interview, say. I know I haven't.*)]

I bet the social network analysts handling domestic surveillance are really enthusiastic about this! AP:

Facebook has confirmed findings of a CA security researcher that the social-networking site's Beacon ad service is more intrusive and stealthy than previously acknowledged, an admission that contradicts statements made previously by Facebook executives and representatives.

Stefan Berteau, senior research engineer at CA's Threat Research Group, wrote in a note about Beacon's until-then unknown ability to monitor logged-off users' activities and send the data back to Facebook.

Users aren't informed that data on their activities at these sites is flowing back to Facebook, nor given the option to block that information from being transmitted, according to Berteau.

If users have ever checked the option for Facebook to "remember me"-- which saves users from having to log on to the site upon every return to it-- Facebook can tie their activities on third-party Beacon sites directly to them, even if they're logged off and have opted out of the broadcast. If they have never chosen this option, the information still flows back to Facebook, although without it being tied to their Facebook ID, according to Berteau.

Facebook's admission over the weekend contradicts previous statements from the company regarding this issue. For example, in e-mail correspondence with Facebook's privacy department, Berteau was told, among other things, that "as long as you are logged out of Facebook, no actions you have taken on other websites can be sent to Facebook."

A similar statement was made by a high-ranking Facebook official in an interview with The New York Times published Thursday.

"If I buy tickets on Fandango, and decline to publish the purchase to my friends on Facebook, does Facebook still receive the information about my purchase?," a Times reporter asked Chamath Palihapitiya, Facebook's vice president of product marketing and operations at Facebook.

"Absolutely not. One of the things we are still trying to do is dispel a lot of misinformation that is being propagated unnecessarily," Palihapitiya replied.

Well, it's all very simple.

"Absolutely not" means "Yes, definitely!"

I always knew I hated that candy-assed Web 2.0 shit; their extreme hipness disguises their extreme willingness to sell anything about me to anyone and anybody without thinking twice or even letting me know. Heck, they'd sell their own grandmothers into a brothel, if they could resell her data.

NOTE * Without even giving you a cut for the sale of your own data, for pity's sake. I mean, the least they could do is tip decently, eh?

UPDATE Please note that this story broke after FaceBook placed limits on Beacon after users protested; this is new.
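
The distinction Berteau describes (the data flows back either way, and a "remember me" cookie decides whether it is tied to an account) can be checked from the browser side. The following is an added example, not code from the article or from CA's research: it audits a constructed request capture, and the hostnames (`social.example`, `beacon.social.example`), the cookie name `remember` and the URL format are assumptions standing in for values the page does not give.

```python
from urllib.parse import urlsplit

# Constructed sample capture: (page the user was on, request the browser made,
# Cookie header sent with that request). Hostnames and cookie names are placeholders.
CAPTURE = [
    ("https://tickets.example/checkout", "https://tickets.example/cart.js", "sid=abc"),
    ("https://tickets.example/checkout",
     "https://beacon.social.example/log?action=purchase&item=movie", "remember=u1001"),
    ("https://shop.example/order",
     "https://beacon.social.example/log?action=order", ""),
    ("https://social.example/home", "https://social.example/feed", "remember=u1001"),
]

def site(url):
    """Crude registrable domain: last two labels of the host (enough for .example)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def parse_cookies(header):
    """Turn a Cookie header value into a name -> value dict."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k: v for k, v in pairs}

def audit(capture, tracker_site, id_cookie):
    """List cross-site requests sent to tracker_site and whether each one
    carried the persistent cookie that ties it to an account."""
    findings = []
    for page, request, cookie_header in capture:
        if site(request) != tracker_site or site(page) == tracker_site:
            continue  # not sent to the tracker, or a visit to the tracker's own site
        parts = urlsplit(request)
        findings.append({
            "visited": site(page),
            "sent_to": parts.hostname,
            "query": parts.query,
            "linked_to_account": id_cookie in parse_cookies(cookie_header),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(CAPTURE, "social.example", "remember"):
        print(finding)
```

Both third-party requests are reported; only the one carrying the persistent cookie is marked as linked to an account, which matches the two cases in the AP report.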

Comments

Submitted by [Please enter a... (not verified) on

Interesting that the default name is "anonymous coward".

Would you like to know more about me?

Submitted by chicago dyke on

i couldn't keep up, even if i tried, with all the "program/device/service X is more intrusive and stealthy than they first admitted" i have heard in the past few years. let alone take measures that would actually secure my data.

i just assume that anyone dedicated enough can read everything i've ever saved on a computer whenever i'm on the intertubes. privacy is a great idea, but one i don't see coming back for at least a while. there isn't yet a critical mass large enough to enforce it according to the reality of today's technology.

Submitted by [Please enter a... (not verified) on

since they just got bought up by Evil Red Commie Russians.

Having been caught up in the AT&T Southwest Region DSL Outage all night I am about to do that bow down and admit-I-am-powerless-against-my-addiction routine in re: online access. Absolutely no alternative for DSL out here in the sticks where we only have copperline phone service because the FDR era rules mandate universal service. With circa 4 residents per square mile or so, and not all of them interested in the service, I don't expect WiFi to come charging in any time soon. :)

Submitted by [Please enter a... (not verified) on

Wonder who gets the info after Facebook and their advertisers? Actually the gov't probably gets the info first from Facebook. After all, corporations and gov't are merely quid-pro-quo whorehouses sold to the highest bidder. When the gov't needs illegal wire-taps, Verizon and Sprint allow them secret rooms to listen in on calls. When Halliburton (and KBR) need more revenue, the gov't hands out no-bid contracts. When the gov't dislikes literature, Amazon and Wikipedia ban the America Deceived (book). We The People had our gov't sold out from beneath us.

Submitted by [Please enter a... (not verified) on

This is a bit off topic, but about a week ago i left the house and realized that at least 3000 people saw me walk around the city without my authorization. Is facebook responsible for this too?

Submitted by lambert on

No.

Your point?

We. Are. Going. To. Die. We must restore hope in the world. We must bring forth a new way of living that can sustain the world. Or else it is not just us who will die but everyone. What have we got to lose? Go forth and Fight!—Xan

Submitted by [Please enter a... (not verified) on

my point is that it's off topic,

so there.

Submitted by [Please enter a... (not verified) on

You're right, i apologize.

Submitted by [Please enter a... (not verified) on

It's not just Facebook, don't you realise that it is MySpace, bebo, tagged, etc. as well as facebook. No matter how strong the security certificates you have on the internet, people can and will access your information.

It's just common sense.

Submitted by lambert on

... is what you allow to happen.

Submitted by [Please enter a... (not verified) on

A most elegant solution for you'uns is to have two computers:

You would have one computer that you use for all this crappy, trendy, allegedly "hip" garbage like myspace.com and facebook.com, et al, or any other sites/internet companies that have a reputation for installing/using spybots/ware against, or directly spying upon, their users. You would then NEVER use this first computer for general internet browsing, or anything else you don't want to get back to Facebook, etc.

Your OTHER computer would be used ONLY for your general web surfing (clear your cookies and cache A LOT!). You can anonymize your web surfing using the software available at the following sites:

http://www.mozilla.com/en-US/firefox/
http://www.torproject.org/
http://noscript.net/

Install Firefox FIRST (set it to clear all user tracks, cookies, etc, automatically every time the browser is closed), then Tor (The Onion Router, torproject.org), second. Tor uses a distributed network with onion routing to conceal your IP address when browsing the internet. Lastly, but most importantly, install NoScript. NoScript eliminates the activity of JavaScript, and many other scripts that can bypass Tor and reveal your real IP address! There are also ways you can use Tor to creatively foil spying scripts by having Tor establish a new network path, and thus new pseudo-identity, for you every few minutes, or between use of different Firefox windows.

You would then - and this is crucial - be very careful not to mix up the usage of your two computers!

You would do things like online banking, for example, ONLY on the second of these computers, but ONLY after thoroughly erasing your cookies AND browser cache! When you're done with your online banking, you would then clear your cookies and cache again before doing any general anonymous web surfing.

If you can afford only one internet connection, you have the added inconvenience of physically moving the connection back and forth between the two computers, but for the sake of PRIVACY (which when lost, these days, can often never be recovered), this added inconvenience is well worth it.

Use PGP (Pretty Good Privacy) also!

If you're really serious about protecting your privacy, understand that no plan to protect it is foolproof, but there are things you can do to GREATLY increase your privacy, if you just think, be creative, and use technology that is out there and available for your use.

So begin doing this, people.

Submitted by [Please enter a... (not verified) on

It's important that you think very carefully about, and watch, what you're doing online if privacy is important to you.

Be aware, that there are many other sites besides Facebook that can threaten your privacy. You should keep in mind that any web site, especially obviously commercial ones, may become less than completely trustworthy at any time.

Word to the wise...

Submitted by [Please enter a... (not verified) on

Please read the documentation on the Torproject web site. It's really good, interesting reading, and by doing that, you'll learn how to more intelligently configure and use the software.

If you have trouble getting the Torbutton Firefox add-on to work, remember the following:

In Firefox Tools, Options, Advanced, Network tab, Connection Settings, select Manual Proxy Configuration, then set them as follows:

HTTP Proxy: localhost Port: 8118
SSL Proxy: localhost Port: 8118
FTP Proxy: localhost Port: 8118
Gopher Proxy: localhost Port: 8118
SOCKS Proxy: localhost Port: 9050

No Proxy for: localhost, 127.0.0.1

You can also use your firewall.. you ARE using a firewall, aren't you?!

You can also use your firewall program (or hardware firewall, or NAT router) to block, or disable Microsoft Internet Explorer and Outlook Express.

If like me, you're so stupid as to be using MS Windows at all - rather than Linux, or Mac - you should also definitely TURN OFF Instant Messenger, and use your firewall program to BLOCK as many Microsoft network access programs as you can without completely disabling all network access as such. Just block Internet Explorer and Outlook Express only, unless you know more about what you're doing.

Also: Here's where you all can get PGP:

http://www.pgpi.org/products/pgp/version...

Submitted by lambert on

I've read about Tor, and even posted on it, but doesn't Tor have a security flaw, in that somebody can sit at the endpoint where Tor connects back to the regular Internet, and sniff packets there? (If I have the terms of art right.) Is there a solution for that?

Submitted by intranets on

Yes, the last computers in the TOR network that interface the real world can sniff all incoming and outgoing packets. The way you can break TOR security is by also having enough malicious TOR users who are scattered throughout, so you may not know where a packet is going, but since three of your neighbor connections are spies, they can figure out where those packets ended up.

By the way for any PGP advocates, you would soon be labeled a homegrown terrist. Just FYI, military grade encryption is immediate grounds for snooping into what you are up to.

Submitted by [Please enter a... (not verified) on

The "last computers in the TOR network", likely referring to exit nodes, can only sniff unencrypted traffic. If you are doing something that requires privacy and authenticity, browse to https sites (and turn off SSLv2 support in your browser; SSLv3 and TLS are ok).

Malicious Tor *users* (clients) cannot do anything to you. Perhaps you refer to Tor relay node operators. Even if all of your neighbours are spies, your own computer's Tor proxy ensures that your traffic is encrypted and onion-routed through 3 or more nodes on the way to its destination. Your neighbours cannot see where you are browsing.

Someone like the NSA which intercepts traffic at major ISP crossovers could do analysis of timing to track your traffic, assuming they cared to do so. The more people join up and use Tor, the harder this becomes.

Submitted by lambert on

I'm glad you guys are keeping up with this...

Any idea how much load a tor node puts on the server?

How do I go about estimating that?

[x] Any (D) in the general. [ ] Any mullah-sucking billionaire-teabagging torture-loving pus-encrusted spawn of Cthulhu, bless his (R) heart.