Facebook circumvents browsers that block tracking cookies

Discussion in 'privacy problems' started by nicolaasjan, Oct 9, 2018.

  1. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    881
    Location:
    The Netherlands
    Hi,
    I read this on Security.nl (Dutch site).

    Translated:

    Facebook offers advertisers and publishers an option for browsers that block tracking cookies, so information about advertising on Facebook and analytics data can still be collected. For privacy reasons, Apple has decided to block third-party cookies in Safari. Mozilla also will implement this measure in Firefox. Only cookies from the primary domain are still accepted.


    This has consequences for parties that use third-party cookies. Facebook lets advertisers know, however, that it has found a solution. Once a user opens an ad provided by Facebook, a unique string is added to the landing page URL. When tracking pixels are hidden on this landing page and are set to share first-party cookie data with Facebook, the URL parameter is saved in the browser as a first-party cookie. The pixel includes the first-party cookie with all the information and sends it to Facebook.

    In this way, according to Facebook, targeted advertisements, the measurement of advertisements and website analytics remain possible. Advertisers on Facebook can now indicate whether they want to set first or third-party cookies for the Facebook pixel. Companies have until October 24 to indicate that they do not want to use the first-party pixel at all. After this date, the first-party pixel will in fact be the standard for new pixels, so reports Marketing Land. However, this default setting can be adjusted.

    It sure looks like they are getting desperate.
    Hope that there will be a way to mitigate this shady tactic...
     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    The privacy invasion attempts by Facebook, Google & Co. are getting worse and worse.

    https://marketingland.com/facebook-...eb-analytics-from-browsers-like-safari-249478

    And another article explains how Google Analytics 1st-party cookies work:
    I'm not quite sure that I fully understand how these techniques work. However, from the first article it seems that a combination of a Facebook ad and a pixel - probably a webbug pointing to Facebook - is used.

    The question is: How to deal with this new situation? Some thoughts:

    1. It seems to be important to not only block ads but any network request to Facebook etc. (in order to also cover those pixels). For uMatrix and uBlock Origin users that's easy enough: In uMatrix block facebook.com, facebook.net, fbcdn.net, fbsbx.com in the global scope, in uBO in the global column of Dynamic Filtering. The various Google services are already in the included filterlists/hosts files and, hence, blocked anyhow.
    2. Only blocking 3rd-party scripts with Noscript is probably not sufficient.
    3. People still using AdBlock Plus (for whatever reason) and Facebook should add rules like
    Code:
    ||facebook.com^$third-party
    ||fbcdn.net^$third-party
    
    etc.
    
    If you're not using Facebook, just add rules like
    Code:
    ||facebook.com^
    4. Blocking 1st-party cookies in your browser by default should also be an efficient counter-measure but requires a lot of micromanagement as many websites require, at least, session cookies in order to work properly. Even if they are regularly deleted by an add-on like Cookie Autodelete it's not guaranteed that above mechanisms are rendered void. Besides, it's possible that other fingerprinting techniques (not only cookies) are also used.
    5. An interesting question is if First-Party Isolation in Firefox is a sufficient defense against those techniques.
     
    Last edited: Oct 9, 2018
  3. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
  5. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    5 - No

    Read this guide:

    https://restoreprivacy.com/firefox-privacy/

    Contrary to the author, I think it is necessary, at least in my New Moon browser, what is written in the 3D below:

    https://www.wilderssecurity.com/threads/cookie-autodelete.409023/

    So currently in addition to specific internal settings my browser has the following extensions:

    HTTPS Always

    UBlock Origin
    Decentraleyes

    Self-Destructing Cookies

    Noscript

    No Resource URI Leak

    In current versions of Firefox, all my extensions may be redundant.
    It's what I'd like to discover in the 3D that I opened.;):)
     
    Last edited: Oct 9, 2018
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    This is unnecessary, because if you use an adblocker, ads aren't loaded, hence no unique string being attached and passed on.
    Mrk
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, I'm not sure if this is the whole truth if it comes to, e.g., Google Analytics which is not necessarily related to ads. If a website uses GA, it has a GA-ID. It can write this ID to a first-party cookie using a first-party script.

    I read somewhere that the add-on Neat URL might protect against this as it removes known tracking parameters from the URL which prevents setting of related first-party tracking cookies.
     
  9. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    What is staggering is that FB keeps right on coming back at you to find more devious ways in, even though they've had numerous breaches of trust. What unbelievable arrogance. Google is no different.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    If they had a freaking brain, which they can't because their conscience is seared with a hot iron, they would open dedicated websites just for advertisements. Then people could confidently (yet not anymore secure) browse their interest in products which they actually want or need.

    When social platforms gum up those users' view with interruptions of constant crappy advertisements, they're just ticking a bunch of them off to look for alternative other social platforms where they don't have to put up with it. I say that coz we all know the now fully brainwashed social climate will never abandon the likes of instant communication on them. Just alternatives to save them from disruptions.

    One man's opinion :)
     
  11. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    @EASTER, well if they have a seared conscience with a hot iron, they have much more to worry about than their heinous scumbaggery money grubbing (as bad as that is). I've always said there's more to this than the mighty dollar though. Zuckerberg has made his billions as have others in the same category. As for pestilent ads they DO NOT work on me because I'm allergic to them - that is, unsolicited advertising. And the more crummy scumbag tactics they use to push this down my neck the more I'm turned off. So, serving me ads is TOTALLY pointless. Fortunately I see them extremely rarely.

    The level of addiction to a medium that is actually intrinsically hollow will not end well.
     
  12. 142395

    142395 Guest

    Maybe redirect option in uBO can be used to sanitize these URL parameter? Or it may be already implemented - quickly looked at resources.txt and found some GA related codes.
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Yes, but IMHO those rules are about 3rd-party scripts. So I don't think they would help here.

    However, uBO's URL Filtering comes to my mind. It allows blocking, e.g., specific scripts or images (->pixels, webbugs). The problem is probably how to identify the relevant 1st-party scripts - and not only for single websites but across websites. This could also be done using the normal filter syntax (possibly using uBO's extensions), I guess. However, this assumes that common patterns can be detected in order to add corresponding rules to the filter lists.
     
  14. 142395

    142395 Guest

    Yup, adding all the sites to resources.txt is impossible unless there's an obvious pattern in its path - but maybe adding some major sites if they use this will be a good idea, as this is probably the only way to sanitize URLs in uBO so far. I wanna know what the param actually looks like. I once went the way of sanitizing but gave up as it caused quite many FPs. Maybe one way is using ML for sanitizing which Ghostery does.
    But it seems so far blocking bugs & ads are enough. Maybe it will change.
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    And indeed, a new blocked parameter has been added to Neat URL to cover Facebook tracking. Additional parameters in order to block more trackers have also been added since. A new version of Neat URL is not yet out but you can manually add those parameters in the add-on settings.
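
Added example, not part of the original posts and not Neat URL's own code: the URL sanitizing discussed in posts 8 and 15, which drops tracking parameters from a landing-page URL so a first-party script has nothing to copy into a cookie. The parameter list (`fbclid`, `gclid`, `utm_*`), the wildcard syntax and the function names are assumptions chosen for illustration.

```javascript
// Illustrative block list (an assumption, not Neat URL's shipped list).
// A trailing or embedded "*" matches any run of characters.
const BLOCKED_PARAMS = ["fbclid", "gclid", "utm_*"];

// Turn a pattern such as "utm_*" into an anchored, case-insensitive RegExp,
// so "fbclid" does not also match an unrelated parameter like "myfbclid".
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i");
}

// Return the cleaned URL plus the names of the parameters that were dropped.
function stripTrackingParams(rawUrl, patterns = BLOCKED_PARAMS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { url: rawUrl, removed: [] }; // not an absolute URL: leave untouched
  }
  const matchers = patterns.map(patternToRegExp);
  const kept = [];
  const removed = [];
  for (const [name, value] of url.searchParams) {
    if (matchers.some((re) => re.test(name))) removed.push(name);
    else kept.push([name, value]);
  }
  // Nothing matched: hand back the original string byte for byte, which
  // avoids re-encoding the query and breaking sites (false positives).
  if (removed.length === 0) return { url: rawUrl, removed };
  // Rebuild the query from the surviving pairs; path and #fragment are kept.
  url.search = new URLSearchParams(kept).toString();
  return { url: url.toString(), removed };
}

// Constructed sample: a landing-page URL as it might look after an ad click.
const sample =
  "https://shop.example/landing?id=42&fbclid=AbC123&utm_source=fb#reviews";
console.log(stripTrackingParams(sample));
```

In an extension this would run on the navigation request itself, before any page script executes; cleaning the address bar afterwards is too late, because the script has already read the parameter.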
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    For the less intelligent among us, if one would use Neat URL, would one still want to use Link Cleaner? Or Pure URL or Clean Links, or similar ...
     
  17. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    There's no consequences for multi-billion dollar corps. There used to be.
     
  18. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Is it just my imagination or do USA tech companies have different rules than others?

    I mean, if your car maker, for example, was found out cheating in tests or slurping user data or some other
    crooked thing, there would be bigger consequences right?
     
  19. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    Maybe they're blackmailing those that govern.
     
  20. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    As far as I can see you cannot edit the blocked parameters as in Neat URL. I haven't checked Clean Links and Pure URL yet.
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks @summerheat. I see the advantage now, switched.
     