That ominous feeling of being stalked, have you ever feel it? I have, oddly by an ad for gaming mouse sold by Lazada when I was reading news on a indonesian news site. The same ad popped somewhere else, and follow me around that day.
How did that happen? Well it was actually Facebook, among others, that stalked me.
If you follow the news, you will notice that Facebook has recently been featured in multiple headlines about the leak of their user’s data. Here are several important cases that should require your further attention:
- Cambridge Analytica leak. The most prominent case where as much as 87 Million Facebook users have their data harvested and used, among others, for President Trump Presidential election campaign. It is said that as much as 1 Million are from Indonesia
- Facebook Phone-scraping scandal. When you install Facebook on Android, It asks for permission to access your contact. It so happen that on older version of Android, the permission also grants Facebook access to your call and text message logs. Which they don’t actually need, since the app’s iOS counterpart doesn’t have access to those dataset and still works perfectly. But they took it anyway.
- Login with Facebook data leak. It was recently discovered that a security hole allows a 3rd party advertisement platform to identify and harvest your Facebook profile without your permission through user account that you’ve created using “Login with Facebook” function that is commonly available on various websites. As much as 434 of the top 1 Million website have the malicious script embedded.
- Collection of non-user data. Yes, even when you are not a Facebook users, they still collect your data through visits to websites that use Facebook platform and build a profile about you.
We are aware that since Facebook isn’t charging us for using their stuff, so they must have made some money off of us and our data in some other way, right? And it seems most of us don’t really care how. That’s my main problem with Facebook. They are building their business based on their user’s ignorance. They are banking on the chance that in general, their target market will never read that long ass End User License Agreement (EULA) and disclaimer, that they will accept any default data privacy setting pushed by Facebook, not realizing what kind data and how much of their privacy they are giving up to Facebook. And what should bother you is not about what Facebook can do with those data, but whether they can keep it safe and ensure what’s private remain private, and whether they can prevent their partners from misusing them. And what even worse is that when something happen, there’s little to nothing that can be done to undo the damage.
To quote a comment made on Slashdot’s topic about Facebook security issue:
“Facebook has magnified the consequences of poorly placed trust far beyond most anyone’s worst nightmares”
Know Your Options
There are things that you can do to prevent, or at least minimize the data you share on Facebook. Let’s take a look at some of them:
Lock down your profile
Facebook provides an easy way to archive and download everything that they have on you. Follow the guide here. It’s a great way to review what you have been sharing on Facebook. When you finish reviewing them, let’s log into Facebook and start locking down your profile, click on each of the list to go directly corresponding setting page:
- Run Security Checkup. This step will check whether there’s an unused app or browser on some PC that has you logged in, setting up login alert, and create strong password
- Run Privacy Checkup. The Privacy Checkup process will run through three things: Who you are allowing to see your next posts, which apps and websites you use Facebook credential to login with, and what kind of personal info you are sharing through Facebook. For further information and settings, go to the next step
- Go to your profile page by clicking your name on the top bar of your feed, and press “About”. Over there you’ll find a list of private information that you have put on Facebook. You can decide whether you still want to put it on Facebook, and if you still do, who can see them.
- Privacy Shortcut. Facebook provides a shortened workflow version of your privacy settings. You can set to whom you’re going to share your future post. A more detailed list can be found on the next step
- Privacy Setting. The page contains a couple of important setting:
- Who can look you up using the email address you provided? Determine whether someone can find you in Facebook if they have your email address,
- Who can look you up using the phone number you provided? Same as the above, but with phone numbers
- Do you want search engines outside of Facebook to link to your profile? Basically whether Facebook can provide a link to your profile when someone search for your name on search engine like Google.
- Timeline and Tagging. This section controls how your timeline is shared. Who can read your post, who can read when someone post something on your timeline, whether you want to be notified and review when someone tag you in posts before they appear on your timeline.
- Apps and Websites. When you use login with Facebook on applications or websites, they are listed on “Active” tab. Remove anything that you think you no longer need. You can further remove the function to login with Facebook permanently by turning it off on the “Apps, Websites and Games” box.
- Ads. Some companies upload a list of e-mail addresses that they gathered from they got from their customers, so you’ll notice some familiar names there. There are a couple of things you can do on the page:
- Advertisers you’ve interacted with: You can set whether their advertisements is shown or hidden from your feed
- Your information: You can decide relationship status, who you work for, or your education can be shared to Facebook ad partners. And potentially leaked.. maybe.. Anyway, the default setting is to share everything.
- Add settings: You can decide whether your activities on Facebook can be used to tailor-made ads shown on to you by Facebook ad platform, on and off Facebook
Avoid Login With Facebook
Another thing that you can do if you have a Facebook account is to limit the exposure is by opting to register user account using email address instead of function like “Login with Facebook” or Google and Twitter. E-mail is (most of the time) free, and you can create separate e-mail address for app and website registration purpose, or even make one for each website or app that you’re registering to. You can turn this off permanently on Apps and Websites of Facebook settings
Use up to date Android version
If you use Facebook mobile app, have the budget and would prefer to stay on Android, consider moving to a handset with newer version of Android. Starting with Android version 6 or Marshmallow, Google introduced granular permission control. With this update you get to choose which of your phone resource Facebook has access to. For example, you can decide whether Facebook has access to location or text message.Go to Settings, and then Apps, and then scroll until you find Facebook, tap on it, and tap on “Permissions”
Switch off everything that you don’t want to share. At some point the app will stop working when you turn off some mandatory permissions. It’s your call.
Or you can switch to iPhone. Go ahead, I won’t judge.
Secure your browser
If you really, really have to use Facebook, my suggestion would be to use your browser, be it on your mobile phone, or your desktop and laptop. But this opens up a different set of can of worms. Here’s why:
Facebook offers a couple of services that can be embedded to a website. Ad platform for displaying ads, comment system, or a mere like buttons. A set of codes embedded on participating websites allows Facebook to detect your Facebook login session, if you happen to log into Facebook on another tab. This way, Facebook can track what you’re looking at and reading on at those website. Facebook uses the data gathered in these activities to build a profile on you, which may consists of your interest, which country you are living, and many more. This profile then can be used for various things, such as pushing ads about gaming mouse from a local online retailer that you’ve recently read a review about, or pushing relevant promoted pages on to your feed.
Firefox Lightbeam is a great tool to discover how companies such as Facebook and Google track and identify you on the internet. Take a look at the data I have gathered on a typical browsing session:
While I only visited 8 sites, My presence on the internet at the time was actually tracked by a total 68 3rd party entities through codes embedded on those 8 websites. “connect.facebook.net” hosts, among others, the Facebook Pixel, one of key component of Facebook ad platform that performs activity tracking and how visitor interact with Facebook ads.
Mozilla recently announced the availability of their Firefox Facebook Container. The extension allows Firefox to store and process your Facebook session on a separate “container”, effectively circumcising Facebook ability to identify you through your browsing activities
As you can see, while Facebook API is still there, Facebook itself is no longer in the picture, because it’s walled on a specific container. Which means Facebook can no longer tell other site who you are.
You can extend this kind of functionality to other ad and tracking platforms such as Google by using their Multi-account container extension. You can, for example, create a container specific for Google services so that Youtube and Gmail can share the login session, but they can’t share it to The Verge for example.
On the side of mobile device, Mozilla’s other gem, the privacy focused Firefox Focus will give you the same feature.
So let say that I’ve somehow managed to convince you to delete Facebook. Yay! Right? The thing is, Facebook recently admit that regardless whether you are a user or not, they will still track you. Yes, turns out you can’t escape Facebook.
Well, you can step up your game. Privacy badger is a project by Electronic Frontier Foundation that provides granular control over 3rd party access. You can get it as an extension for Firefox or Chrome.
Privacy Badger detects trackers embedded in a website and block their ability to track you by preventing them to write cookies. This is how Lightbeam looks like after I blocked Facebook APIs
As you can see, since I shut off the facebook API, the websites are now isolated from each other. Neat, right?
Do note that your use of these extensions may bork your internet experience. If a website stop working You might want to review the block list and adjust manually which 3rd party sites you want or need to block.
If you’re using Chrome, you can go with Disconnect for Lightbeam replacement. Privacy Badger is also available on Chrome