Friday, March 23, 2018

The social media scam


Karl Denninger has two excellent articles showing how social media (Facebook in particular, but also all, repeat, ALL other "big social" sites out there - Twitter, Instagram, Snapchat, old Uncle Tom Cobbleigh and all) are monitoring and "monetizing" you.

In the first article, "The REAL Social Media SCAM", he states:

So let's assume you're Facesucker.  You make it "easy" for site owners to put "likes" and even use sign-on features from Facebook's authentication on your page.  Say, you're a newspaper.

Ok, so I go to www.mylocalnews.dirtbag/my-local-jackass-city-council.html.

As the page loads it requests the "like" buttons from Facebook for the articles, and in addition requests the sign-in box for comments.  Both of those generate a request to Facebook's computers and in that request is the exact URL I am reading -- that is, from where the request came.

Now here's the important part: If I have signed into Facebook at any time in the past from that device then the company has stored one or more cookies on my machine that uniquely identify me.  Since the request to Facebook's servers match the place where the cookie came from they now get the exact article I was reading and my identity even though I did not sign into Facebook to read the article.  I have given no consent to this, I cannot opt out of it and every single place on the Internet that has these buttons and/or sign-on boxes causes this to happen.

What's even worse is that I don't have to actually have signed into Facebook, ever, or even have an account in order for this to occur.  The first time that request goes to Facebook if there are no cookies sent Facebook can assign me one and check my browser's characteristics, including the IP address I'm coming from.  I now am "branded", in that the same cookie will be used to track me forever, and if I at any time in the future sign into Facebook or otherwise use any of their facilities I will then retroactively associate all of that browsing data with my person.

Now you know why Facebook allows (for "free") the user of the OAUTH sign-on facility and promotes "like" buttons all over the web.  It is not about increasing your social experience.

It is about snooping on everything you do online so they can sell and use that data without your knowledge or consent and in fact it is impossible for you to give prior consent because you have no idea the buttons are there before you visit the page!

There's more at the link.

In the second article, "The OTHER Half Of The Social Scam", he goes on:

I know what you're thinking -- I'll just turn off "third party cookies" and all will be ok (in relation to my previous article.)

. . .

But ... this doesn't work.

The reason is an HTTP field called an "Etag."

. . .

The [Etag] can be attached to any resource, although it's usually attached to images.  The server sends down an Etag: field with the image in the HTTP headers, which is an opaque identifier.  In other words, from the browser's point of view it does not care what the string is; it doesn't represent a time, date, or anything other than a promise from the server that it shall change if the content has changed and needs to be re-sent.

If this sounds like a cookie that's because it can be abused to become one, and you cannot shut it off unlike cookies!

So let's say you disable third-party cookies.  Fine, you think.  Nope.

I have a "Like" button.  Said button has an image.  That image is the finger pointing up, of course, and you must transfer it at least once.  I send an Etag with it, but instead of it being a change index it's unique to you!

Now, every single time you request the button you send the Etag for the image.  If it hasn't changed (and it basically never will, right -- it's an upturned finger!) I send back "Not modified".  Except.... I just pinned to you, personally, that access to the page and you have third-party cookies turned  off!

So I send back "Not modified" but you just told me who you are, what web page you were viewing, and your browser ID and IP address.

I get all of this for every page you visit where such a button or function is present even if you never use it.

. . .

What this means is that you can be tracked specifically and individually, as you personally, with knowledge of who you are, where you are, when you clicked it and exactly what page you looked at, whenever you visit a page that has any such thing on it without your knowledge or consent should any such resource be included in that page.

Again, more at the link.

I highly recommend clicking over to Mr. Denninger's blog and reading both articles in full.  They illustrate how little, if any, online privacy we have these days.  That's why I have one browser set up to block all cookies, block trackers, block advertisements, block Flash and anything else obtrusive, etc.  I use it to visit sites I don't know or don't trust.  If the site won't load because I'm blocking too much, I don't load it.  Why give them free access to track my Web use?  It's none of their business!

(That's also why there are no advertisements on my blog.  I don't know what they'll serve up in the way of cookies, Etags, etc. - so I won't allow them here.)

Peter

3 comments:

Bob Mueller said...

Interesting to learn about the Etag. I suspect some news sites are starting to use that to defeat people sneaking past paywalls. I've taken to going to incognito mode to beat the free article limits at some sites, but lately a few places have caught that.

The local rag doesn't allow viewing in incognito mode now.

I note too that Elon Musk just killed SpaceX and Tesla Facebook AND Twitter accounts today.

Mike Suttles said...

I use Privacy Badger, from EFF. Drives 'em nuts.

CarlS said...

Try the Ghostery Browser, and ad Ghostery and AdBlockPlus to all others. Makes the web so much faster.