Nelz's Blog

26 September 2009

Facebook Connect: Nonconsensual Privacy Leak

Filed under: General — nelz9999 @ 17:57

The Problem

I do not like Facebook. I do not like it one bit. I want nothing to do with Facebook at all, and I’ve been very adamant about not signing up for an account despite the urging of everyone and their brother.

So, when I recently gained an understanding of how Facebook Connect works, I got a bit upset. Let me show you why with an example.

Let’s say I want to create an account at MapMyRun.com, which implements Facebook Connect, and I use my primary email address, “nelz@example.xxx”. After my account is created, MapMyRun runs my email address through a one-way hash (a hash, not encryption: there is no key and nothing to decrypt), which for the sake of argument produces “BIGBADHASH”, and sends this hash to Facebook. “So what?” you think. Sure, they can’t figure out anything about me from a single one-way hash of my email address, right?

Well, then let’s say I register for an account at io9, again with my primary email address “nelz@example.xxx”. Since io9 also implements Facebook Connect, they also hash my email address and send it to Facebook. Guess what? The resulting string, “BIGBADHASH”, is exactly the same as what MapMyRun just sent them.

Now Facebook knows that someone whose email address hashes to “BIGBADHASH” has an account on both MapMyRun and io9. Again you think “So what?” That one-way hash protects my identity from being associated with any of these specific behaviors, right? Au contraire, mon frère. A one-way hash only hides the input from someone who can’t guess it; it is deterministic and unkeyed, so anyone who later obtains the plaintext can recompute exactly the same string.

Now one of my well-meaning friends, who doesn’t know how much I loathe Facebook, tells Facebook that they want to connect with someone at the address “nelz@example.xxx”.

This was the last piece of the puzzle that Facebook needed. Facebook need only apply the same one-way hash to the plaintext email that my friend just provided, and they get “BIGBADHASH”. Then they look up in their database where they’ve seen that hash before, and now they know that a user with the email address “nelz@example.xxx” has an account on both MapMyRun and io9.

Now I, who have never once logged into Facebook, am being tracked by Facebook whether I like it or not.
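To make the three steps above concrete, here is an added example (it is not code from this post, nor Facebook’s or any site’s code) that models them: relying sites upload only hashes, the receiving side keeps a hash-to-sites table, and one plaintext address from a friend’s contact import is enough to join everything back up. The hash format (decimal crc32 and hex md5 of the normalized address, joined by an underscore) is an assumption taken from the registerUsers documentation of the time; the site names and addresses are constructed sample data.

```python
import hashlib
import zlib
from collections import defaultdict


def normalize(email: str) -> str:
    """Every relying site must hash identical bytes for the linkage to
    work, so the address is trimmed and lowercased first."""
    return email.strip().lower()


def email_hash(email: str) -> str:
    """Deterministic, unkeyed hash of an email address.

    The crc32_md5 format is an assumption taken from the registerUsers
    docs of the time. Any unkeyed hash behaves the same way: the weakness
    is determinism, not the choice of algorithm.
    """
    data = normalize(email).encode("utf-8")
    return f"{zlib.crc32(data) & 0xFFFFFFFF}_{hashlib.md5(data).hexdigest()}"


def relying_site_payload(member_emails) -> list:
    """What a site like MapMyRun or io9 sends upstream: hashes, never plaintext."""
    return [email_hash(e) for e in member_emails]


class HashCollector:
    """Toy model of the receiving side: a hash -> set-of-sites table."""

    def __init__(self) -> None:
        self.seen = defaultdict(set)

    def register_users(self, site: str, hashes) -> None:
        """Server-to-server bulk upload of a site's member list.

        Nothing in the member's browser is involved, so no cookie purge
        or proxy rule on the member's side can block it.
        """
        for h in hashes:
            self.seen[h].add(site)

    def sites_for(self, plaintext_email: str) -> list:
        """A member's contact import supplies a plaintext address; the same
        hash function turns it into the lookup key, de-pseudonymising every
        earlier upload that contained that address."""
        return sorted(self.seen.get(email_hash(plaintext_email), ()))


def demo() -> list:
    """Constructed scenario: two sites upload, then one friend searches."""
    collector = HashCollector()
    collector.register_users(
        "mapmyrun.com",
        relying_site_payload(["nelz@example.xxx", "bob@example.xxx"]))
    collector.register_users(
        "io9.com",
        relying_site_payload(["Nelz@Example.xxx ", "carol@example.xxx"]))
    # The friend's address-book entry, in plaintext.
    return collector.sites_for("nelz@example.xxx")


if __name__ == "__main__":
    print(demo())  # ['io9.com', 'mapmyrun.com']
```

The point the example makes is that the receiving side never has to reverse the hash: it only needs one plaintext copy of the address from any source, and normalization (trim, lowercase) guarantees that the copy io9 uploaded with different capitalization still collides.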

External Remediation

Okay. So what can we do about this?

I looked on Facebook.com, and I found a Privacy Policy. But everything on there requires that you have an account on Facebook. I guess I could create an account, then delete it, but I don’t want an account on Facebook! What Facebook really needs is some web form for non-members that says “Forget anything you have, or will, ever collect about email XYZ”. But, that’s not likely to happen.

What about the end-points, the sites that are implementing Facebook Connect? Personally, during their sign-up processes, I’d like to see a check box that says “Don’t sell me out to Facebook.” Again, that’s not likely to happen.

Personal Remediation

Now, don’t get me wrong, I’m not a n00b. I realize there are all sorts of sites tracking my footprints across the digital landscape every day. (Quantcast, DoubleClick, etc…) For most of them, if I were paranoid and technical enough I could purge their cookies or set up a proxy that doesn’t let my browser connect to those URLs.

But this Facebook thing is different, because it’s highly likely that the communication back to Facebook is not coming from my browser, but from the servers of sites like io9 and MapMyRun. And I have no way to stop it.

How about using a different email address for each site? Sure, that could work. If I had my own mail server, I could create “io9@nelzserver.xxx” for io9 and “mapmyrun@nelzserver.xxx” for MapMyRun, but how many people have the access or technical ability for something like that?

Gmail has a feature that could help out here. If my address is “example@gmail.com”, I will still get mail sent to “example+io9@gmail.com” or “example+mapmyrun@gmail.com”. I found two challenges with this pattern: 1. it can break the “Forgot My Password” functionality if you forget which alias you signed up with, and 2. addresses with “+” in them don’t always pass the (incorrect) regexes sites use to validate email addresses.
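As an added example (not code from this post or from any of the sites named in it), the following shows both per-site address schemes from the two paragraphs above, checks that the resulting addresses no longer hash to the same value, and reproduces the second challenge: a sign-up regex that leaves “+” out of the allowed local-part characters rejects every plus alias. The hash function (SHA-256 of the lowercased address), the two regexes and the addresses are assumptions constructed for illustration.

```python
import hashlib
import re


def email_hash(email: str) -> str:
    """Stand-in for whatever deterministic hash a site sends upstream;
    SHA-256 of the trimmed, lowercased address is assumed here."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def plus_alias(base: str, site: str) -> str:
    """Gmail-style sub-addressing: mail to user+site@domain lands in user@domain."""
    local, domain = base.rsplit("@", 1)
    return f"{local}+{site}@{domain}"


def own_domain_alias(site: str, domain: str) -> str:
    """Catch-all alias on a domain you control: site@domain."""
    return f"{site}@{domain}"


def linkable(addr_a: str, addr_b: str) -> bool:
    """True if the two addresses would produce the same upstream hash."""
    return email_hash(addr_a) == email_hash(addr_b)


# A validation pattern of the kind many sign-up forms used (constructed for
# this example): the local part omits '+', so every plus alias is rejected.
NAIVE_EMAIL_RE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# A more tolerant pattern that admits '+'. Still only a rough syntactic
# check, not an RFC 5322 parser; the real test is whether mail arrives.
TOLERANT_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def accepted(pattern, email: str) -> bool:
    """Does the given sign-up regex let this address through?"""
    return pattern.fullmatch(email) is not None


def demo() -> dict:
    """Constructed scenario: one Gmail address, two sites, two regexes."""
    base = "example@gmail.com"
    io9 = plus_alias(base, "io9")
    mapmyrun = plus_alias(base, "mapmyrun")
    return {
        "io9": io9,
        "mapmyrun": mapmyrun,
        "linkable_across_sites": linkable(io9, mapmyrun),
        "naive_regex_accepts_alias": accepted(NAIVE_EMAIL_RE, io9),
        "tolerant_regex_accepts_alias": accepted(TOLERANT_EMAIL_RE, io9),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One caveat worth keeping in mind: the “+tag” convention is public and trivially reversible, so it only breaks the linkage as long as whoever receives the address hashes it verbatim rather than stripping the tag first. An alias on your own domain has no such marker to strip, which is why the mail-server option is stronger even though fewer people can use it.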

Conclusion

As I have said before, I am living life pretty openly on the internet. And like I said above, I know there are countless other companies doing much more specific tracking and profiling of me.

But Facebook’s hegemonic desires to run the internet frustrate me, and I don’t want to be a part of it. And it pisses me off that there’s nothing I can do to extract myself.

Update: Found this interesting blog post: “Dark Stalking on Facebook”.

5 Comments »


  2. Does it really work that way? I thought FB Connect was more like OpenID in that it only connects with FB if you are selecting to connect using your FB account? Also, even if these sites are automatically sending hashes to see if there is a FB account, I’d be surprised if FB stores these hashes when there isn’t a FB account.

    Do you have links about this?

    One solution for you: You could just set up one junk email account for general sites like io9 and MapMyRun. That way when your friend searches for you on FB via email FB would not match up your personal email with your other websurfing habits.

    Another solution is to just use a site like http://mailinator.com for throwaway emails or for more robust throwaway emails use http://www.spamgourmet.com/

    Comment by Colin — 28 September 2009 @ 10:24

    • Good point, I didn’t provide much documentation of this:
      http://wiki.developers.facebook.com/index.php/Connect.registerUsers
      Specifically in the Notes section: “The typical use case for this method will be a bulk transfer of existing users with periodic updates for new users.”

      Thanks for the additional ideas for circumventing FB. I think there are probably hundreds of techniques to avoid the Sauron-like eye of Facebook, but this just fundamentally violates what I consider the opt-in nature of Facebook the web.

      Comment by nelz9999 — 28 September 2009 @ 11:09

  3. … you have a gmail account, yet you’re paranoid about facebook? weird.

    The simple solution – don’t sign up to websites using facebook connect. It’s there as a unified login option, but there is no requirement to use FBC. Facebook has a couple of obstacles standing in its way of running the tubes… the largest one being the proprietor of your e-mail address.

    Relax, nothing is under control.

    Comment by emericle — 28 September 2009 @ 11:11

    • When you said “don’t sign up to websites using facebook connect”, did you mean that I should avoid sites implementing FBConnect, or are you saying I shouldn’t use the FBConnect unified login?

      Avoiding sites that implement FBConnect is a crappy argument, especially as more and more sites implement it. But that doesn’t fix the problem where I had an account on a site that didn’t implement FBConnect, but then at some later time they decide to implement it after I’ve already signed up.

      Because I’m not using the unified login. But that doesn’t matter, because my (hashed) email still gets sent to FB.

      Yes, I realize that I have given Google access to a lot of my information, but that is a choice I made. I have not chosen to share info to Facebook, yet it happens anyways.

      Comment by nelz9999 — 28 September 2009 @ 11:22

