#Facebook is always hungry for all of your data.
The ecosystem maintained by #Meta will always try to scoop as much data as possible about you.
And they also love to spy on you while you’re not even using their services.
The “Meta pixel” has so far been adopted by ~20% of most visited websites.
It’s an invisible element rendered on all those webpages whose purpose is to spy on you. It’s thanks to these pixels that Meta probably has details about your tax returns and medical records.
But that isn’t enough for the espionage company better known as Meta.
Since Meta rolled out the tracking pixels about 10 years ago, many browsers and extensions have learned how to block them.
If you use Firefox in Strict mode, and/or the Facebook Container extension, and/or Privacy Badger or uBlock Origin, then chances are that your browser is blocking Meta’s creepy eyes.
Probably there aren’t a lot of people out there who take these measures, as they usually involve some degree of tech-savviness. But the fact that there are still some people on planet Earth that are trying to block their creepy eyes, some people whose tax returns, health records or sexual habits aren’t known to them, makes Meta uneasy. After all, it’s a company explicitly designed to know EVERYTHING about EVERYONE!
So what have they done?
Well, they basically opened a local backdoor on all Android phones that have some of their apps installed.
Usually a mobile app with INTERNET permissions can bind to any non-privileged TCP port on the local interface.
And that’s exactly what their mobile apps are doing.
They open a localhost socket, and then whenever you open your mobile browser on a website that has one of their trackers the JavaScript code tries to connect to that port to push scraped data from your browsing history to their apps.
They basically abuse the localhost sandbox, usually used by developers and less subject to the scrutiny of tracker-blocking software, to funnel private data scooped up from your usage of other websites, unencrypted, to their own apps, which in turn pushes it to their servers.
To be clear, this isn’t something new. Yandex has been doing it since 2017. And by now you probably shouldn’t trust any large-scale apps that come out of the US, Russia or China because they are all funded by State-sponsored programs whose aim is collective espionage and data collection.
If you want to protect yourself:
- Never use Chrome for browsing. Only use Firefox or one of its forks. And, since Firefox is the only mobile browser that supports extensions, don’t forget to install Facebook Container (which limits all activities related to known Meta domains in their own sandbox), Privacy Badger and uBlock Origin on it. And I would also recommend NoScript - better to explicitly whitelist all JavaScript content that you want to run on your devices than risking your data leaking to unintended actors. The way Meta exploits these loopholes in the browser to violate people’s privacy shows that it’s no longer tolerable to have browsers that don’t actively provide users ways to block trackers. Google acknowledged Meta’s abuse, allegedly provided a patch to close the localhost loophole, but still doesn’t provide privacy-focused features in their browser because they have a strong conflict of interest - because they also profit from violating people’s privacy. Ditching their products has now become a civic duty.
- Uninstall the Facebook and Instagram apps. Use the website instead. Webpages run in the browser’s sandbox and can’t just arbitrarily access the storage or start TCP services. I know that Facebook and Instagram in a browser suck, and that’s deliberate - it’s all part of Meta’s plan to force people to use their apps instead. But maybe it’s a good way to limit your usage of this crap.
- Avoid using WhatsApp through their app directly too if you can (sure, individual messages are E2E encrypted, but there’s plenty of juicy metadata that they can still scoop up from your app usage). I personally use Matrix with a WhatsApp bridge, so I can interact with my conversations directly from my Element app instead of using WhatsApp directly on the phone.
- Use Meta’s services as little as possible. If there’s some data point that they can harvest and sell about you, then rest assured that they will. Moving to privacy-aware decentralized solutions like the Fediverse is now a civic duty. The more people move over their content, the more Meta’s services lose their value, the fewer people will be inclined to use them even if they hate them just because “everyone else is there”.
Tax Filing Websites Have Been Sending Users’ Financial Information to Facebook – The Markup
The Markup found services including TaxAct, TaxSlayer, and H&R Block sending sensitive data
themarkup.org
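One way to spot the localhost channel described in the post from the browser side, as an added example that is not part of the original post and not code from Meta or from any blocker extension: it scans an exported network log for requests that a public web page sends to the device's own loopback interface. The function names, record shape, URLs and ports are all assumptions made for illustration.

```javascript
// Added example: flag requests from a public page to the local device.
// Every URL and port below is constructed sample data, not a value from the post.

// True when a URL hostname refers to the device itself.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  // ::1 is IPv6 loopback; 0.0.0.0 reaches the local host on Linux-based systems.
  if (h === "::1" || h === "0.0.0.0") return true;
  // URL parsing has already normalised decimal/hex IPv4 forms to dotted quads.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && Number(m[1]) === 127; // the whole 127.0.0.0/8 block
}

function parse(url) {
  try { return new URL(url); } catch { return null; }
}

// requests: [{ url, initiator }] as exported from a browser network log.
function findLoopbackRequests(pageUrl, requests) {
  const page = parse(pageUrl);
  // A page served from localhost (a developer's test server) may talk to localhost.
  if (page === null || isLoopbackHost(page.hostname)) return [];
  const findings = [];
  for (const req of requests) {
    const u = parse(req.url);
    if (u === null || !isLoopbackHost(u.hostname)) continue;
    findings.push({
      scheme: u.protocol.replace(":", ""),
      host: u.hostname,
      port: u.port || "(default)",
      initiator: req.initiator, // the script that issued the request
    });
  }
  return findings;
}

const SAMPLE_PAGE = "https://shop.example.com/checkout";
const SAMPLE_LOG = [
  { url: "https://cdn.example.com/app.js", initiator: SAMPLE_PAGE },
  { url: "http://127.0.0.1:12345/event?id=abc", initiator: "https://tracker.example/pixel.js" },
  { url: "ws://localhost:23456/", initiator: "https://tracker.example/pixel.js" },
  { url: "http://2130706433:34567/", initiator: "https://tracker.example/pixel.js" }, // decimal 127.0.0.1
  { url: "https://127.example.com/", initiator: SAMPLE_PAGE }, // ordinary hostname, not loopback
];

console.log(findLoopbackRequests(SAMPLE_PAGE, SAMPLE_LOG));
```

The same host check can back a blocking rule: a request from a non-local page to any host it accepts has no reason to succeed on a phone.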
Fabio Manganiello
@rzeta0 my best solution so far is to convince those people to also use privacy-aware alternatives.
I’ve got all of my family’s phones connected over Wireguard to one of my servers, providing them my PiHole as a DNS - that’s something that probably even non-savvy people can do with just a bit of help from us.
I also run my Matrix server and I created accounts on it for my family members and some of my friends. Sometimes it can be a nuisance for them (“why do I need another app on my phone just to talk with you?”), but I prefer people to have another app on their phones to talk with me rather than compromising my own privacy for their convenience.
And I keep advocating for people to reach out to me through other means - Signal/Matrix instead of WhatsApp/Messenger, PGP-encrypted email to my private mail server instead of plain GMail, Fediverse rather than Facebook.
Of course it’s not completely sealed and it probably never will be. Whenever my wife tags me in an Instagram story I know that there’s more data about me leaking to them. But raising awareness of these issues with our network, and helping them by giving them access to the tools that we use, is probably the best we can do.
Fabio Manganiello
@rzeta0 I think it’s been the slowly-boiled frog principle at play.
It took two decades, but Big Tech has slowly eroded the idea that privacy is something that people need. And the whole industry has also been quite shady in the process - most of the people have never heard the name of a single data broker, even though those guys mostly know everything about everyone, because the industry has done a good job moving all the nasty parts into T&Cs that nobody bothers to read.
And eventually, if people don’t see their data flowing to others without their consent, if they don’t understand the implications, and if they just get a useful service in return, more and more are inclined to trade privacy for convenience, and go into “but all of my friends are there” or “but I’ve got nothing to hide” mode.
I feel that legislation can definitely help there by forcing tech companies to raise more awareness of their data usage.
For example, GDPR should probably be amended to force apps and websites that rely on data collection and 3rd-party cookies to also include a number and a full list of the data partners that they’ll share your data with. This is something that some websites are already doing, and it should be mandated by law. One thing is to bury the list of data brokers in 100 pages of T&Cs written in tight legalese. Another thing is to display just next to the cookie banner “we’ll share your data with our 850 partners”. That’s something that is far more likely to trigger people. More and more folks will probably click on that list to know why the hell your mobile game needs to share my data with 850 other companies, and many may also want to know what those businesses are (which may contribute to tearing down the “wall of secrecy” that the data brokerage industry has created around itself).
And we should also probably mandate all major browser producers to either offer their users the possibility to entirely block trackers and 3rd-party cookies, or to support extensions (even on mobile) so people can more easily protect themselves.