Facebook admits to constant "tracking" users web-surfing

[Virus Guy]

"Beauregard T. Shagnasty" wrote:

> Each time you encounter that "f" icon at a site where you can
> click to "Like" the page, Facebook is informed you - yes,
> you with the Facebook cookies - visited the site.
>
> That "f" icon is in an <iframe> element and displays content
> directly from the Facebook servers. The Facebook page in the
> <iframe> reads your cookies and logs you.

So let me get this straight.

Any web-page that has the F icon also has code that causes your browser
to connect to certain facebook servers where a cookie exchange takes
place.

In the case of facebook, of what use would this tracking info be if you
don't have a facebook account?

This would be no different than any number of web-metrics, ad-servers
and tracking companies that also have embedded code (usually with no
visibility to end-users on the rendered page). Yes?

Why don't other tracking companies get the same blow-back or attention
from the media because their tracking URL's also appears on many web
pages and the same case for "tracking web users" could be made against
them?

> It is in the JavaScript of the page, and reports to
> a server at connect.facebook.net ...

I have hosts entries for

static.ak.connect.facebook.com
static.ak.facebook.com
error.facebook.com
facebook.com
www.facebook.com
api.facebook.com
graph.facebook.com
api-read.facebook.com
ads.facebook.com
ads.ak.facebook.com
creative.ak.facebook.com

but no entries for any facebook.net. Are you sure that
connect.facebook.net is a working domain?

PS: What does the "ak" indicate or stand for in those FQDN's?

[Beauregard T. Shagnasty]

Virus Guy wrote:

> "Beauregard T. Shagnasty" wrote:
>
>> Each time you encounter that "f" icon at a site where you can click to
>> "Like" the page, Facebook is informed you - yes, you with the Facebook
>> cookies - visited the site.

Addendum: ..and probably even if you didn't click the icon... after all,
the <iframe> was activated and content pulled from Facebook. To read the
Facebook cookies.

>> That "f" icon is in an <iframe> element and displays content directly
>> from the Facebook servers. The Facebook page in the <iframe> reads your
>> cookies and logs you.
>
> So let me get this straight.

Okay...

> Any web-page that has the F icon also has code that causes your browser
> to connect to certain facebook servers where a cookie exchange takes
> place.

So far so good.

> In the case of facebook, of what use would this tracking info be if you
> don't have a facebook account?

None. You wouldn't have facebook cookies; you're immune. Probably.

> This would be no different than any number of web-metrics, ad-servers
> and tracking companies that also have embedded code (usually with no
> visibility to end-users on the rendered page). Yes?

Yes, but much more popular due to Facebook's high number of subscribers.
And remember that ad servers abd tracking companies don't know your name,
but Facebook does.

> Why don't other tracking companies get the same blow-back or attention
> from the media because their tracking URL's also appears on many web
> pages and the same case for "tracking web users" could be made against
> them?

See above. The other companies don't know who you are. You're just a
computer to them.

>> It is in the JavaScript of the page, and reports to a server at
>> connect.facebook.net ...
>
> I have hosts entries for
> [snip]
>
> but no entries for any facebook.net. Are you sure that
> connect.facebook.net is a working domain?

I found that domain name in the cookie code in the JavaScript of a page
with an "f" icon on it. I doubt if there is any HTML page there for you
to look at.

Go ahead, do a whois for: facebook.net

> PS: What does the "ak" indicate or stand for in those FQDN's?

You'll have to ask Zuckerberg...

--
-bts
-This space for rent, but the price is high

[Bear Bottoms]

G. Morgan <G_Morgan@easy.com> wrote in
news:fjl987h96phf5gojusgd29h63s6ejqbo1m@Osama-is-dead.net:

> Retired wrote:
>
>>Been there. Nothing there about what to do with that purple box.
>
> Here is a screen-shot I made to illustrate:
>
> http://i56.tinypic.com/34jrt.jpg
>
> Hope that helps. Post back if those options are confusing.
>
> -G

Good illustration. If necessary I can make a flash exe of the screen to
explain this tech info to newbies.

--
Bear
http://bearware.info

[Bullwinkle.]

Cool. Will wait for official confirmation, rather
than take the word of one of bd's lackeys.


"FromTheRafters" <erratic.howard@gmail.com> wrote in message
news:j62k9k$um4$1@dont-email.me...
".Bullwinkle." <.BDTJ@loa..mo> wrote in message
news:4e8420b7@news.x-privat.org...
> Does MS encourage it's partners to be such condescending
> pricks?

Yes!!! They even have seminars on the subject <consults seminar
notes> - umm ... you *******!

[Bullwinkle.]

How about drugs?

Like morgan do you do drugs too?


"FromTheRafters" <erratic.howard@gmail.com> wrote in message
news:j62k9k$um4$1@dont-email.me...
".Bullwinkle." <.BDTJ@loa..mo> wrote in message
news:4e8420b7@news.x-privat.org...
> Does MS encourage it's partners to be such condescending
> pricks?

Yes!!! They even have seminars on the subject <consults seminar
notes> - umm ... you *******!

[Beauregard T. Shagnasty]

Beauregard T. Shagnasty wrote:

> Virus Guy wrote:
>> Any web-page that has the F icon also has code that causes your browser
>> to connect to certain facebook servers where a cookie exchange takes
>> place?
> [snippage]
>
> I found that domain name in the cookie code in the JavaScript of a page
> with an "f" icon on it. I doubt if there is any HTML page there for you
> to look at.

Here is some more info for you to play with.

Go to http://www.usatoday.com/ - a site that uses "f" "Like" icons
Use any tool to view all the JavaScript in the page.
(Firefox Web Developer Toolbar, for example)
Find this script call by usatoday:
http://connect.facebook.net/en_US/all.js

Search all that *140KB* script for various iterations of "facebook" and
see just how many different sub-domains are used to track you. Including
your Name if you are a subscriber. There is also the domain
static.ak.fbcdn.net and s-static.ak.fbcdn.net and more.

It might be possible (can't tell; I'm not that well-versed in JavaScript)
that the 140KB of script *creates* cookies to track you even if you do
NOT subscribe to Facebook.

It goes on and on.

--
-bts
-Some privacy may have existed
-prior to the invention of the computer

[Virus Guy]

"Beauregard T. Shagnasty" wrote:

> There is also the domain static.ak.fbcdn.net and
> s-static.ak.fbcdn.net and more.

The MVPS hosts file already has several fbcdn.net entries (I have an
old(er) version of that hosts file which only has 2 such entries).

Also note that FB uses Akamai to host some of their junk:

fbcdn-photos-a.akamaihd.net

Question:

If I have this in my hosts file:

127.0.0.1 fbcdn.net

Then does having that entry negate the need to also have, say these
entries:

127.0.0.1 ak.fbcdn.net
127.0.0.1 static.ak.fbcdn.net

Or do I have to have a separate entry for every complete FQDN?

> It might be possible (can't tell; I'm not that well-versed in
> JavaScript) that the 140KB of script *creates* cookies to track
> you even if you do NOT subscribe to Facebook.

I would expect such behavior from FB. It tells them something about
their market share.

I tried to access this URL:

http://developers.facebook.com/docs/share/

But (surprise) I wasn't able to bring it up (I'd have to suspend my
hosts file temporarily). There might be something interesting there on
the topic of the F share function.

> It goes on and on.

Is there any indication that these entities are hard-coding IP addresses
into their web-content as a way to get around HOSTS blocking? With
dynamic page construction, I would think that substituting an IP address
for an FQDN would be trivial to do.

Can you have IP entries in a HOSTS file?

Say I wanted to redirect 1.2.3.4 to 127.0.0.1. Would this work:

127.0.0.1 1.2.3.4

?

[Virus Guy]

"G. Morgan" wrote:

> http://www.ghostery.com/faq

See also:

https://addons.mozilla.org/en-US/firefox/addon/noface/

================================
About this Add-on

This add-on intercepts connections going to Facebook servers (currently
facebook.com and fbcdn.net and all subdomains) and blocks them (by
returning Host Not Found, so it's as if those servers disappeared from
DNS). The purpose of this is to prevent Facebook's servers from being
pinged at all as you surf the Web, thereby allowing them to track your
browsing (via Referrer headers).

It is intended to complement tracker-blockers like Ghostery, which are
great but --> don't block all of Facebook's tools. <--

If you have this add-on installed, Facebook will completely disappear
from your browsing experience, except for seeing some 'The server could
not be found' messages in iframes.

For more complete blocking, see RequestPolicy to block all cross-site
requests. This add-on is for when you don't want to take that drastic of
an action.

https://addons.mozilla.org/en-US/fir...requestpolicy/
==================================

[G. Morgan]

Virus Guy wrote:

>It is intended to complement tracker-blockers like Ghostery, which are
>great but --> don't block all of Facebook's tools. <--

It does, but in options you must enable: "Enable cookie protection
[experimental]"

[~BD~]

Virus Guy wrote:
> I tried to access this URL:
>
> http://developers.facebook.com/docs/share/
>
> But (surprise) I wasn't able to bring it up (I'd have to suspend my
> hosts file temporarily). There might be something interesting there on
> the topic of the F share function.

No problem reaching that URL here.

Might this item be of interest to you?

http://wordpress.org/extend/plugins/facebook-share-new/