Security → Facebook claims "a bug" made it track nonusers

Facebook researchers have found “a bug” that caused it to track people, even if they had never visited its website, the social media giant acknowledged this week.

The bug caused the company to place cookies — a common way to track people’s browsing habits on the Web — on “some” people’s browsers, even if they had never visited Facebook.com to sign up for an account, the social media website's European Public Policy Vice President Richard Allan wrote in a blog post on Wednesday.

»thehill.com/policy/techn ··· facebook

The "blog"

»newsroom.fb.com/news/h/s ··· -report/

"Richard Allan, Vice President of Policy, Europe, suggests that many of the report's claims are erroneous..

"In response to claims that Facebook is using cookies to track users across the entire internet, he fails to rebut the claim itself, focusing instead on the fact that the company uses them to personalise a user's experience, help them when they wished to stay logged in and to deliver "interesting" adverts.

»nakedsecurity.sophos.com ··· -fixing/
-------------------------------
there may be a bug that generates cookies, but i believe that it is irrelevant and that facebook will continue to track people (if they can), regardless..

For non-users, here are the IP ddresses to block, in range form and in CIDR form. Here in Toronto, all the hits seem to be on 31.13.64.0/18. Other parts of the planet will be served by the other addresses in the list. After implementing the block, don't forget to remove all cookies from "facebook.com", "facebook.net", and "fb.com".

31.13.24.0 - 31.13.31.255
31.13.24.0/21
IE-FACEBOOK-20110418
Facebook Ireland Ltd
IE

31.13.64.0 - 31.13.127.255
31.13.64.0/18
IE-FACEBOOK-20110418
Facebook Ireland Ltd
IE

66.220.144.0 - 66.220.159.255
66.220.144.0/20
Facebook, Inc.
THEFA-3

69.63.176.0 - 69.63.191.255
69.63.176.0/20
Facebook, Inc.
THEFA-3

69.171.224.0 - 69.171.255.255
69.171.224.0/19
Facebook, Inc.
THEFA-3

74.119.76.0 - 74.119.79.255
74.119.76.0/22
Facebook, Inc.
THEFA-3

103.4.96.0 - 103.4.99.255
103.4.96.0/22
FACEBOOK-SG

173.252.64.0 - 173.252.127.255
173.252.64.0/18
AS32934
FACEBOOK-INC

204.15.20.0 - 204.15.23.255
204.15.20.0/22
Facebook, Inc.
THEFA-3

quote:

---

Facebook researchers have found “a bug” that caused it to track people, even if they had never visited its website, the social media giant acknowledged this week.

---

Dont believe a word they say.... THEY WANT TO DO THIS!!

How does this differ from every other web site with adverts, that places a tracking cookie on client computers?

FB data mining, which by extension leads to the good 'ol NSA & GCHQ, the merry-go-round continues.

If you have cookies set correctly in your browsers (although I recall Chrome never allowed a user to set cookies with proper permissions although Iron did...I don't know if Google ever decided to stop with their crap or not as both Chrome and Iron were too bare bones for me so I haven't used either in several years) this stuff from Facebutt could not happen. I suppose I should mention that Fx is just as despicable as Chrome in that default is to accept all third party cookies...sick, sick, sick...most browsers in their utter disdain for users safety and privacy as they know the ignorant of computers users will never even try to learn how to use cookies properly and retain privacy.

The first piece of software I ever bought was back in 1999, after I had my first computer a few months and read something that said to check cookies and I was utterly appalled by all the cookies (almost one thousand). I immediately tried to learn about cookies and that led me to my first purchased software...Cookie Crusher. If I, especially as an "older" user written off by Microsoft and others because older users were obviously too stupid to have computers much less learn about privacy and security, could learn these things and continue my learning all these years...well, all those ignorant of computers folks could learn ....they simply don't care (about anything that protects privacy)...and that is basically why I think Stansberry may be right and the death throes for our nation truly may happen in the next five years.

Anyhow, I have my browsers set to accept no third party cookes and to accept first party only after asking me the first time the cookie is encountered (and then in the future using the Exceptions list created by my actions when asked the first time). So, I am not asked constantly and it is no "burden". It is easy and simple and it does keep Facebutt from putting cookies surreptitiously on my computer. Granted, some method of blocking ads makes the amount of cookies that I need to say yay or nay to much less than if I had no ad blocking.

Of course, I also block facebook.com in my Hosts file so no way I could get any of this crap.

 
Do you just block facebook.com, or do you also block all the Facebook worker domains, e.g., facebook.net?

This comment from the Sophos article begs for major elaboration:

quote:

---

He (Dulles) did, however, confirm that Facebook continues to receive "web impressions" when people visit other sites featuring the company's social plugins and other "integrations". This, apparently, is not the same thing that the authors of the Belgian report call "tracking".

---

Hmmmm ....."Facebook on tracking accusations: report gets it “wrong multiple times” [ »www.slashgear.com/facebo ··· 0378504/ ]

It seems that any site that accepts a login from social sites like FB, G+ and now Pinterest, wants to know. I have Ghostery set to show everything and the names will show up in NoScript, too.

Since my kid uses FB, I can't ban it, I can't ban G+ as I use Android. I can, however, ban everything to do with Pinterest.

The big problem is that a lot of sites now do customer service on Twitter and FB. TMobile uses both (does have other options) and the price comparison site The Find has moved to Facebook.

I do allow cookies, but only until I close Pale Moon. If the site is aggressive, I just close and reopen the browser. If I use Yahoo or FB, I just close the browser when I'm done. Erases most everything. Better Privacy removes LSO cookies, too.
I don't keep history. That's what bookmarks are for. Yes, I have to log in every time and reset preferences, but that's a small price to pay for being a PITA.

You can do the same with Iron. Use incognito mode and check off all the boxes to delete everything when closing Iron.

I can't even set a permanent cookie in Pale Moon for the bank on Linux using exceptions with these settings.

 

Facebook and Twitter each has become a platform. They no longer are web sites.

Web sites are easy to block, platforms not so easy. As you have discovered.

 

I found that if I do something along the lines of the following:

- set "allow cookies until their expiration dates"
- access a site
- set site exception for the site's cookie(s)
- close Palemoon
- open Palemoon
- set "delete cookies when Palemoon closes"
- close Palemoon

The cookies for that specific site persist from one invocation of Palemoon to the next.

Note that you'll also have to set an exemption for the cookie(s) in any cleaning software (such as ccleaner) that you may use.

Wouldn't web impressions basically correlate to generic data? Not specific to any particular user but capturing browser user-agent, http referrer, screen res, etc.?

It all depends on what Dulles meant by "web impressions," and whether or not such a count is filtered down to a specific user. In ordinary terminology, an 'impression' is essentially a 'view' of a page or particular ad based on an essentially anonymous counter on the server providing the page or ad. But what that would have to do with Facebook and its unique tracking tools seems very unclear, hence the need for major elaboration as to just what they mean.

Add this to your host file and Zuckerberg will puke...

There are REALLY that many?

most the ones I checked go to Facebook....either way I think I got the bases covered.
»urlquery.net/report.php? ··· 91390155
»urlquery.net/report.php? ··· 91392178

I just added like 50+ more

*edit

Added more country codes

and akamai


PS
There are a few duplicates but since the file is read in order, the first matching result is read, and the rest are ignored. Having exact duplicates has no effect.
It's way too much work to weed though it all with notepad.

The FB site won't even work unless you also allow Akamai with NoScript. How many other sites work that way? What other services behave like Akamai? Who else uses it?

I've only seen it turn up on FB.

Assuming those were all legit Facebook entries, if you added those to your current file, there's a good chance you'd slow down the machine just to block Facebook via that method. There's TPL's and ad-blocking other than adding so many custom lines.

You are correct. An "Impression" is not filtered to a specific user. Rather than my explanation here is Google's: »support.google.com/adwor ··· ctx=tltp (Other definitions also available on that page)

I occasionally use Google AdWords for my business and as you can see from the above stats, there are 197,957 "Impressions", but only 840 "Clicks".

When I go into Google Analytics, following is the "information" I receive about the person who actually "clicked" on a link:

(I do not have age and gender enabled for tracking):
It tells me the country, state and city.
It tells me if this is a "new" or "returning" visitor.
It tells me "how long" the person viewed the page.
It tells me which browser is being used (98.83% use Chrome) and the version.
It tells me which ISP was used.
It tells me which device is being used.
It tells me the page the visitor landed on and subsequent pages they visited.
And it tells me how fast my page loaded for the visitor.
And last but not least, it tells me how many of the "Clicks" followed through with a "Conversion". When one ad "Click" results in 3 sales, that counts as 3 "Conversions".

However, even in "Conversions", Google AdWords gives me no additional information on the person.

So, unless a person actually makes a purchase, subscribes to a newsletter, uses the contact us page, etc..., I have no "personally identifiable information".

So, generic data, not specific to any particular user?

Correct. All generic. Personally, I disable age and gender, because I have no need to know.

In most cases the DNS Client Service is not needed, it is recommended to turn it off. These instructions are intended for a single (home-user) PC. If your machine is part of a "Domain", check with your IT Dept. before applying this work-around. This especially applies to Laptop users who travel or bring their work machines home. Make sure to reset the Service (if needed) prior to connecting (reboot required) to your work Domain ...

To resolve this issue (manually) open the "Services Editor"

Start | Run (type) "services.msc" (no quotes)
Win8 users - Control Panel > Administrative Tools > Services
Scroll down to "DNS Client", Right-click and select: Properties - click Stop
Click the drop-down arrow for "Startup type"
Select: Manual (recommended) or Disabled click Apply/Ok and restart.
»winhelp2002.mvps.org/hosts.htm

It's a cache, so no, it's not needed. On the other hand, it does allow you to do a name lookup often without (a) going off-node, (b) going to disk.

The Wikipedia writeup is a good explanation.

So, I wouldn't recommend turning it off.

I'm aware that the client service has been known to go CPU-bound when faced with a bloated hosts file. That ought to be a hint to trim your hosts file.

Mines been disabled since Vista beta, no problems.
I just tested browsing with no host file and then my 682KB file.
No difference at all.

Sure, the system will operate without it - it is designed to do precisely that. I just wouldn't issue a blanket "recommendation" to turn off a useful cache.

My computers have always had it turned on: no problems

I helped write half of what you quoted from the MVPS site. A modern PC doesn't need to have the DNS Service tweaked. Automatic | Started is just fine.

What I was saying is adding that many lines to block a website is kinda dumb - to be perfectly frank. But I mean that in the nicest way possible.

There's *no* need for that many added lines. Folks do add lines for specific URL's but Facebook should not be one of them.

Lets get really crazy then...
This is the super-ultimate host file.
For ultra high advanced users only.

Here's the changes in DNS Client Service for Windows 8 and 8.1. Not much of interest for Win 8.0 Pro that I see but some useful additions/changes seems to me for 8.1.

»technet.microsoft.com/en ··· ient2012

I had a problem when I disabled it on Windows 8 (never had a problem with it disabled on XP Pro). I had to re-enable it on Win 8. I just checked the cache and very few entries and I have NOT flushed the cache in ages. Only two entries that were not redirects to my Hostsfile. Interestingly, there were about 3 redirects to Facebook in my hosts file. Do entries in the cache drop out fairly quickly?

I decided to disable it again. I can't recall what the problem was that forced me to re-enable it so if the problem is still there, I guess I'll find out soon enough.