By Dave Winer on Saturday, September 24, 2011 at 10:52 AM.Yesterday I wrote that Twitter should be scared of Facebook. Today it's worse. I, as a mere user of Facebook, am seriously scared of them. Every time they make a change, people get angry. I've never myself been angry because I have always assumed everything I post to Facebook is public. That the act of putting something there, a link, picture, mini-essay, is itself a public act. This time, however, they're doing something that I think is really scary, and virus-like. The kind of behavior deserves a bad name, like phishing, or spam, or cyber-stalking. What clued me in was an article on ReadWriteWeb that says that just reading an article on their site may create an announcement on Facebook. Something like: "Bull Mancuso just read a tutorial explaining how to kill a member of another crime family." Bull didn't comment. He didn't press a Like button. He just visited a web page. And an announcement was made on his behalf to everyone who follows him on Facebook. Not just his friends, because now they have subscribers, who can be total strangers. Now, I'm not technically naive. I understood before that the Like buttons were extensions of Facebook. They were surely keeping track of all the places I went. And if I went to places that were illegal, they would be reported to government agencies. Bull Mancuso in the example above has more serious things to worry about than his mother finding out that he's a hitman for the mob. (Both are fictitious characters, and in my little story his mom already knows he's a hitman.) There could easily be lawsuits, divorces, maybe even arrests based on what's made public by Facebook. People joke that privacy is over, but I don't think they imagined that the disclosures would be so proactive. They are seeking out information to report about you. That's different from showing people a picture that you posted yourself. If this were the government we'd be talking about the Fourth Amendment. Also, I noted that I had somehow given access to my Facebook account to ReadWriteWeb. That's puzzling because I have no memory of having done that. And when I went to see what other organizations I had given access to my graph, there were lots of surprises. I think there's a good chance that by visiting a site you are now giving them access to lots more info about you. I could be mistaken about this. And, until Facebook owns the browser we use, there is a simple way to opt-out, and I've done it myself. Log out of Facebook. And if Facebook had a shred of honor they would make their cookie expire, right now, for everyone, and require a re-log-in, and a preference choice to stay permanently logged-in. With a warning about the new snooping they're doing. Probably a warning not written by them, but by Berkman, the EFF or the FTC. (Yes, dear Republicans, I trust a bureaucrat more than I trust a tech exec in Silicon Valley.) One more thing. Facebook doesn't have a web browser, yet, but Google does. It may not be possible to opt-out of Google's identity system and all the information gathering it does, if you're a Chrome user. PS: There's a Hacker News thread on this piece. It's safe to click on that link (as far as I know). Update: Nik Cubrilovic says that logging out of Facebook is not enough. [URL="http://scripting.com/stories/2011/09/24/facebookIsScaringMe.html#p9619"]
25th September 2011#Dave Winer wrote a timely piece this morning about how Facebook is scaring him since the new API allows applications to post status items to your Facebook timeline without a users intervention. It is an extension of Facebook Instant and they call it frictionless sharing. The privacy concern here is that because you no longer have to explicitly opt-in to share an item, you may accidentally share a page or an event that you did not intend others to see. The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests tofacebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions. Here is what is happening, as viewed by the HTTP headers on requests to facebook.com. First, a normal request to the web interface as a logged in user sends the following cookies: Note: I have both fudged the values of each cookie and added line wraps for legibility
Cookie:datr=tdnZTOt21HOTpRkRzS-6tjKP; lu=ggIZeheqTLbjoZ5Wgg; openid_p=101045999; c_user=500011111; sct=1316000000; xs=2%3A99105e8977f92ec58696cf73dd4a32f7; act=1311234574586%2F0The request to the logout function will then see this response from the server, which is attempting to unset the following cookies:
Set-Cookie:_e_fUJO_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponlyc_user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponlyfl=1; path=/; domain=.facebook.com; httponlyL=2; path=/; domain=.facebook.com; httponlylocale=en_US; expires=Sun, 02-Oct-2011 07:52:33 GMT; path=/; domain=.facebook.comlu=ggIZeheqTLbjoZ5Wgg; expires=Tue, 24-Sep-2013 07:52:33 GMT; path=/; domain=.facebook.com; httponlys=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponlysct=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponlyW=1316000000; path=/; domain=.facebook.comxs=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponlyTo make it easier to see the cookies being unset, the names are in italics. If you compare the cookies that have been set in a logged in request, and compare them to the cookies that are being unset in the logout request, you will quickly see that there are a number of cookies that are not being deleted, and there are two cookies (locale and lu) that are only being given new expiry dates, and three new cookies (W, fl, L) being set. Now I make a subsequent request to facebook.com as a 'logged out' user:
Cookie:datr=tdnZTOt21HOTpRkRzS-6tjKP; openid_p=101045999; act=1311234574586%2F0; L=2; locale=en_US; lu=ggIZeheqTLbjoZ5Wgg; lsd=IkRq1; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Findex.php%3Flh%3Dbf0ed2e54fbcad0baaaaa32f88152%26eu%3DJhvyCGewZ3n_VN7xw1BvUw; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Findex.php%3Flh%3Dbf0ed2e54fbcad0b1aaaaa152%26eu%3DJhvyCGewZ3n_VN7xw1BvUwThe primary cookies that identify me as a user are still there (act is my account number), even though I am looking at a logged out page. Logged out requests still send nine different cookies, including the most important cookies that identify you as a user This is not what 'logout' is supposed to mean - Facebook are only altering the state of the cookies instead of removing all of them when a user logs out. With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook. The only solution to Facebook not knowing who you are is to delete all Facebook cookies. You can test this for yourself using any browser with developer tools installed. It is all hidden in plain sight.
An Experiment
This brings me back to a story that I have yet to tell. A year ago I was screwing around with multiple Facebook accounts as part of some development work. I created a number of fake Facebook accounts after logging out of my browser. After using the fake accounts for some time, I found that they were suggesting my real account to me as a friend. Somehow Facebook knew that we were all coming from the same browser, even though I had logged out. There are serious implications if you are using Facebook from a public terminal. If you login on a public terminal and then hit 'logout', you are still leaving behind fingerprints of having been logged in. As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser. Associating an account ID with a real name is easy - as the same ID is used to identify your profile. Facebook knows every account that has accessed Facebook from every browser and is using that information to suggest friends to you. The strength of the 'same machine' value in the algorithm that works out friends to suggest may be low, but it still happens. This is also easy to test and verify. I reported this issue to Facebook in a detailed email and got the bounce around. I emailed somebody I knew at the company and forwarded the request to them. I never got a response. The entire process was so flaky and frustrating that I haven't bothered sending them two XSS holes that I have also found in the past year. They really need to get their shit together on reporting privacy issues, I am sure they take security issues a lot more seriously.
The Rise of Privacy Awareness
10-15 years ago when I first got into the security industry the awareness of security issues amongst users, developers and systems administrators was low. Microsoft Windows and IIS were swiss cheese in terms of security vulnerabilities. You could manually send malformed payloads to IIS 4.0 and have it crash with a stack or heap overflow, which would usually lead to a remote vulnerability. A decade ago the entire software industry went through a reformation on awareness of security principals in administration and development. Microsoft re-trained all of their developers on buffer overflows, string formatting bugs, off-by-one bugs etc. and audited their entire code base. A number of high-profile security incidents raised awareness, and today vendors have proper security procedures, from reporting new bugs to hotfixes and secure programming principals (this wasn't just a Microsoft issue - but I had the most experience with them). Privacy today feels like what security did 10-15 years ago - there is an awareness of the issues steadily building and blog posts from prominent technologists is helping to steamroll public consciousness. The risks around privacy today are just as serious as security leaks were then - except that there is an order of magnitude more users online and a lot more private data being shared on the web. Facebook are front-and-center in the new privacy debate just as Microsoft were with security issues a decade ago. The question is what it will take for Facebook to address privacy issues and to give their users the tools required to manage their privacy and to implement clear policies - not pages and pages of confusing legal documentation, and 'logout' not really meaning 'logout'.
Update: Contact with Facebook
To clarify, I first emailed this issue to Facebook on the 14th of November 2010. I also copied the email to their press address to get an official response on it. I never got any response. I sent another email to Facebook, press and copied it to somebody I know at Facebook on the 12th of January 2011. Again, I got no response. I have copies of all the emails, the subject lines were very clear in terms of the importance of this issue. I have been sitting on this for almost a year now. The renewed discussion about Facebook and privacy this weekend prompted me to write this post. http://nikcub-static.appspot.com/logging...not-enough
"The philosophers have only interpreted the world, in various ways. The point, however, is to change it." Karl Marx
"He would, wouldn't he?" Mandy Rice-Davies. When asked in court whether she knew that Lord Astor had denied having sex with her.
“I think it would be a good idea” Ghandi, when asked about Western Civilisation.
Such cookies [or similar code as a trojan or virus or just hidden in your computer somewhere in other software] could be used by other programs / websites / etc. to monitor all of one's browsing behavior - and report it to anywhere it chooses - even to the very center of information evil itself - TIA [or whatever they now call it]. Very scary times and only the advanced computer geek would know how to secure one's computer completely. For most of us, we live in various states of involuntary information sharing.
Flatly put - we are being increasingly spied upon. :darthvader:
"Let me issue and control a nation's money and I care not who writes the laws. - Mayer Rothschild
"Civil disobedience is not our problem. Our problem is civil obedience! People are obedient in the face of poverty, starvation, stupidity, war, and cruelty. Our problem is that grand thieves are running the country. That's our problem!" - Howard Zinn
"If there is no struggle there is no progress. Power concedes nothing without a demand. It never did and never will" - Frederick Douglass
26-09-2011, 09:16 AM (This post was last modified: 26-09-2011, 11:32 AM by Peter Lemkin.)
Ed Jewett Wrote:
Peter Lemkin Wrote:.. only the advanced computer geek would know how to secure one's computer completely....
a) Send one to my house.
b) Hold a seminar.
c) Point to locations, plans, tools, costs, and levels.
I am aware of some countermeasures, but they are not all easy [understatement!] to employ successfully or easily...or without disrupting, in part, the usual internet experience. Proxy servers that continually change their apparent location and your IP address are one technique...but they have their downsides too...and some are run by the bad guys. Very powerful Internet Security programs and anti-hacking software, are another. The better ones are a bit difficult to configure.
Special programs that watch cookies and other computer processes help...but take some advanced knowledge to interpret. For example, two such programs called 'Hack This' and 'Hijack Hunter' are very good....but most persons can NOT interpret the useful results...and they don't really provide a teach-yourself primer. Snort is another set of programs, very good, but very complex to set up. The cyber world now demands advanced skills for those of us posting or just looking at information at odds with the propaganda line.
Microsoft has long been suspect as having built in a trap-door in the programs...but this has not been proven.....but I believe it likely. I'd suggest switching to Ubuntu or other Linux system for starters....security is still needed, but more available and not needed at the same level, usually....unless you are a 'target'....as many of us on this Forum would logically be....along with a million others.
"Let me issue and control a nation's money and I care not who writes the laws. - Mayer Rothschild
"Civil disobedience is not our problem. Our problem is civil obedience! People are obedient in the face of poverty, starvation, stupidity, war, and cruelty. Our problem is that grand thieves are running the country. That's our problem!" - Howard Zinn
"If there is no struggle there is no progress. Power concedes nothing without a demand. It never did and never will" - Frederick Douglass
"It means this War was never political at all, the politics was all theatre, all just to keep the people distracted...."
"Proverbs for Paranoids 4: You hide, They seek."
"They are in Love. Fuck the War." Gravity's Rainbow, Thomas Pynchon
"Ccollanan Pachacamac ricuy auccacunac yahuarniy hichascancuta." The last words of the last Inka, Tupac Amaru, led to the gallows by men of god & dogs of war
I couldn't agree with you more! I will never have an account. Unfortunately, the feeble minded, dumb-downed, American youth--so full of themselves to be convinced that their every act on this planet is incredibly entertaining and very worthy of publication--have fallen head first into a trap that forever sacrifices their right to privacy. They are technologically savvy, but politically imbecilic.
GO_SECURE
monk
"It is difficult to abolish prejudice in those bereft of ideas. The more hatred is superficial, the more it runs deep."
"Let me issue and control a nation's money and I care not who writes the laws. - Mayer Rothschild
"Civil disobedience is not our problem. Our problem is civil obedience! People are obedient in the face of poverty, starvation, stupidity, war, and cruelty. Our problem is that grand thieves are running the country. That's our problem!" - Howard Zinn
"If there is no struggle there is no progress. Power concedes nothing without a demand. It never did and never will" - Frederick Douglass
Delete all you want, but Facebook never forgets. At least when it comes to your defriendings, pokes, and RSVPS, it doesn't. And it also has a keen memory for what computers you've used, and who you were sharing those computers with. Your Facebook dossier can easily run to hundreds of pages, as some European citizens have learned.
Across the pond, where regulators have teeth and where corporations don't get to rewrite the legal definition of "privacy," citizens can force Facebook to send them a dossier of everything it knows about them. Two anonymous Europeans have shared their database dumps publicly,Forbes reports. One of them ran to 880 pages.
For a user who joined the site in 2007, dubbed "LB" by Forbes, Facebook's data included the following:
Records of all friend requests LB rejected.
Records of the 12+ friends LB has unfriended over the years.
A list of devices from which LB logged in to Facebook, plus a list of other users on those machines. Meaning Facebook knows who spent the night at your place last night.
Records of more than 50 incoming "pokes" since 2008, including most often by a friend named "T.V."
Some 75 event invites, along with 38 RSVPs.
A history of messages and chats.
Facebook really does have us all by the nuts. Which is why it's comforting that the company routinely acts in the best interest of its users and their privacy, even when it means sacrificing revenue. Yay Facebook!
Jan Klimkowski Wrote:Facebook is a fascist wet dream.
I will never have an account.
My husband Erick feels the same way. Up until recently I have enjoyed sharing news stories with other like minded individuals and keeping up with old not- seen -in decades friends and family.
It became addicitive. But now they are doing very weird stuff. Like sending out things I post to others, annoying the other whe did not want to receive a Ron Paul video. So I am
not using it much now. I think I will take a fb holiday. I don't have a clue how to do the tech stuff like deleting cookies and the constant changes are beyond annoying. I had liked fb as I met many other
aware people that I would not otherwise have met. It gave me a (false?) hope that more were waking up to what really goes on in our world. Alas. The trade off is too high.
![[Image: sharpPermaLink3.gif]](http://scripting.com/images/2001/09/20/sharpPermaLink3.gif)
Every time they make a change, people get angry. I've never myself been angry because I have always assumed everything I post to Facebook is public. That the act of putting something there, a link, picture, mini-essay, is itself a public act. ![[Image: lucyCharlieFootball.gif]](http://scripting.com/images/2011/09/24/lucyCharlieFootball.gif)
What clued me in was an article on ReadWriteWeb that says that just reading an article on their site may create an announcement on Facebook. Something like: "Bull Mancuso just read a tutorial explaining how to kill a member of another crime family." Bull didn't comment. He didn't press a Like button. He just visited a web page. And an announcement was made on his behalf to everyone who follows him on Facebook. Not just his friends, because now they have subscribers, who can be total strangers. ![[Image: lucyCharlieFootball.gif]](http://scripting.com/images/2011/09/13/lucyCharlieFootballBig.gif)
What clued me in was an article on ReadWriteWeb that says that just reading an article on their site may create an announcement on Facebook. Something like: "Bull Mancuso just read a tutorial explaining how to kill a member of another crime family." Bull didn't comment. He didn't press a Like button. He just visited a web page. And an announcement was made on his behalf to everyone who follows him on Facebook. Not just his friends, because now they have subscribers, who can be total strangers. 
:darthvader:
![[Image: xlarge_zuckgraph.jpg]](http://3.bp.blogspot.com/-Xfaelf5kedI/ToOeV9DrHzI/AAAAAAAACvg/corPDO625dE/s1600/xlarge_zuckgraph.jpg)
