Facebook rolls out Off-Facebook Activity controls
Facebook started to roll out a new privacy tool called Off-Facebook Activity to users from Ireland, Spain, and South Korea earlier today. Designed to give users of the site better control over data that Facebook collects about them while they interact with third-party sites, it is not exactly the tool that privacy advocates had hoped for.
The company plans to roll out the feature to users from other regions in the coming months. Last month, Facebook was told by the FTC that it had to stop certain privacy-invasive practices.
First, the basics. Facebook collects data in several ways. It gets data from user activity on Facebook, e.g. what users like, comment on, view, or do on the site, and also from user activity on third-party sites or apps that have integrated Facebook services.
A Facebook user who is browsing NFL jerseys on a third-party site could get NFL jersey advertisements on Facebook if the app or site used to browse the items initially provided Facebook with the data.
Facebook notes that Off-Facebook Activity allows users of the site to "see and control the data that other apps and websites share with Facebook".
It includes options to "see a summary of the information other apps and websites have sent Facebook through" various services and tools, disconnect the information from the account, and choose to disconnect future off-Facebook activity from the account automatically.
The word disconnect highlights my main gripe with the tool. The data is not deleted, it is only disconnected. Here is what Facebook has to say about the process:
If you clear your off-Facebook activity, we’ll remove your identifying information from the data that apps and websites choose to send us. We won’t know which websites you visited or what you did there, and we won’t use any of the data you disconnect to target ads to you on Facebook, Instagram or Messenger.
Automated removal of identifying information has never managed to keep some of the users whose data is purged from being identified; it seems unlikely that Facebook's processing will ensure 100% anonymity.
Facebook's engineering team published a technical overview of the entire process. The company associates actions with SIDs (separable identifiers), and users with UIDs (User IDs). When a user chooses to disconnect the data, the link between the SID and the UID is removed.
Facebook created a Measurement ID (MID) designed specifically to provide reports to businesses. When a Facebook user decides to disconnect off-site information, the mapping between the MID and the UID is removed and a new random MID is generated for that person. If a person decides to block off-site data going forward, a "bucketed MID" is assigned which does not represent individual users.
Facebook will still perform aggregated measurement operations on the data.
With this bucketed MID, we are able to perform aggregated measurement operations — for instance, we can conclude that one of the people in the bucket saw an ad and then visited the target website. We can then aggregate that observation with others who viewed the same ad — without determining exactly which person within the bucket took that action.
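A simplified model of the SID/UID/MID scheme described above, added here as an illustration and not Facebook's code; the class, method names, bucket function and sample events are all assumptions. It shows that disconnecting removes the SID-to-UID link and rotates the MID while the event rows stay stored, and that bucketed MIDs still feed aggregate counts.

```python
import secrets
from collections import Counter

class OffSiteStore:
    """Toy model of the SID/UID/MID scheme; every name here is an assumption."""
    def __init__(self, buckets=1):
        self.events = []           # (sid, site, action) rows, never deleted here
        self.sid_to_uid = {}       # the link that "disconnect" removes
        self.uid_to_mid = {}       # per-person Measurement ID
        self.blocked = set()       # users who disconnected future activity
        self.measured = Counter()  # (mid, site) -> count, for business reports
        self.buckets = buckets

    def mid_for(self, uid):
        if uid in self.blocked:    # bucketed MID, shared by everyone in the bucket
            return f"bucket-{sum(uid.encode()) % self.buckets}"
        return self.uid_to_mid.setdefault(uid, secrets.token_hex(8))

    def record(self, uid, site, action):
        sid = secrets.token_hex(8)
        self.events.append((sid, site, action))
        self.measured[(self.mid_for(uid), site)] += 1
        if uid not in self.blocked:
            self.sid_to_uid[sid] = uid

    def disconnect(self, uid):     # clear history: unlink SIDs, rotate the MID
        self.sid_to_uid = {s: u for s, u in self.sid_to_uid.items() if u != uid}
        self.uid_to_mid[uid] = secrets.token_hex(8)

    def block_future(self, uid):   # future activity is never linked to the UID
        self.blocked.add(uid)
        self.uid_to_mid.pop(uid, None)

    def history(self, uid):        # events still attributable to this account
        return [e for e in self.events if self.sid_to_uid.get(e[0]) == uid]

def demo():
    store = OffSiteStore(buckets=1)            # constructed sample data below
    store.record("alice", "shop.example", "view_jersey")
    store.record("alice", "shop.example", "add_to_cart")
    old_mid = store.mid_for("alice")
    store.disconnect("alice")
    out = {"linked": len(store.history("alice")), "stored": len(store.events),
           "mid_rotated": store.mid_for("alice") != old_mid}
    for uid in ("alice", "bob"):
        store.block_future(uid)
        store.record(uid, "shop.example", "purchase")
    out["bucket_hits"] = store.measured[("bucket-0", "shop.example")]
    out["linked_after_block"] = len(store.sid_to_uid)
    return out
```

Calling demo() returns the counts after each step: no events remain linked to the account, yet both original rows are still stored and the shared bucket still registers both purchases.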
Tip: if you use Firefox, consider using the Facebook Container add-on to restrict Facebook's access to third-party data.
Closing Words
Facebook's new Off-Facebook Activity tool allows users to disconnect existing and future data so that it can no longer be associated directly with the account. The data is not gone, however, and Facebook continues to use it for certain purposes.
Now You: What is your take on the Off-Facebook Activity tool?
If you use Brave or another Chrome variant you can install the extension Block Facebook: https://chrome.google.com/webstore/detail/block-facebook/gebclbfnlcebcljmgblacllmjkfidoef
It has a lot of host file entries, but as it is an extension you don’t need to edit your host file.
you can block all fakebook tracking with blacklists like these…tried and true. I never see any fakebook IPs show up on my netlimiter connection history list…there are many more blacklists like these as well
put these in yer host file blocker
for uBlock Origin
copy paste this in “my filters”
* facebook.com * block
* facebook.net * block
* fbcdn.net * block
put this in “3rd party filters”
chrome://ublock0/content/asset-viewer.html?url=fanboy-thirdparty_social
for pihole
https://raw.githubusercontent.com/imkarthikk/pihole-facebook/master/pihole-facebook.txt
@11r20:
There’s a much, much, MUCH longer “hosts” file blocklist for Facebook at:
https://github.com/jmdugan/blocklists/blob/master/corporations/facebook/all
I assume that list is updated periodically.
If you’re running an antivirus and you manually edit your hosts file by adding blocklists like the one above, the AV might throw up a false positive and delete your edits. With Kaspersky, the only way I have found to avoid this is to exclude the hosts file from protection — a double-edged sword, since the AV will no longer detect when an otherwise unblocked script or program has placed a bogus redirect in hosts. I don’t know whether there are any elegant solutions to this dilemma. If there are any in Kaspersky, Kaspersky hasn’t made them easy to find.
Easy solution: use uMatrix or uBlock Origin (or eMatrix on Pale Moon or Basilisk). Block FB globally. Allow FB only when you’re on FB (if you’re a user).
@MdN:
That’s good advice, but remember that doing so isn’t really a solution. It does help, though, particularly if you combine it with deleting your facebook account.
“Buried in a Help Center post behind a drop-down menu, Facebook clarifies: “Your future off-Facebook activity will be disconnected within 48 hours from when it’s received. During this time it may be used for measurement purposes and to make improvements to our ads systems.” https://www.wired.com/story/off-facebook-activity-privacy/
Although I have never had a Facebook account their shadow profiles are still there.
Overcomplicated privacy settings like these are all essentially window dressing and a sure sign Facebook is not changing anything.
Why aren’t people outraged at Google doing far worse than this?
@Anonymous:
They are.
Obfuscation Incorporated. Doesn’t FTC have to approve this shell game when FB tries it in USA? Are the initial four countries going to laugh? Yup.
Means little to nothing. How big are those buckets full of random MIDs? Ten users?
FB is still getting the same user info, disconnected or not, just putting it in a bag, shaking it and pouring it out in ways only they understand.
Nothing Facebook could do would ever convince me to trust them. This maneuver is so typical of entry level engineers using inane complication to fix a mess they made.
I had an account for a couple years but began to dread the potential for invasion of privacy and hit del. Personal interaction is far more rewarding.
Who still uses fb? pre-teenagers?
Martin, you could improve the quality of ghacks.net by not reviewing facebook stuff.
A lot of people use facebook products and services every day. There’s a reason they make billions in revenue every day.
Disagree. Facebook has a shadow profile of you, me and everyone else.
Facebook has a shadow profile of you, me, and everyone else, *whether you’ve ever had a Facebook account or not.* They’re as relentless at tracking and profiling as Google, and it won’t stop until we have effectively enforced privacy laws with draconian civil and criminal penalties for entities that violate them *and* for any human actors involved (from coders right up to CEOs).
No thanks, I will take a hard pass on anything from FB
Even weak sauce is better than no sauce, I suppose, and this is very, very weak sauce.
It also does nothing to protect those of us who don’t have Facebook accounts. So, speaking personally, this entire effort is without value to me.