Nelz's Blog

Mah blogginess

Facebook Connect: Nonconsensual Privacy Leak

The Problem

I do not like Facebook. I do not like it one bit. I want nothing to do with Facebook at all, and I’ve been very adamant about not signing up for an account despite the urging of everyone and their brother.

So, when I recently gained an understanding of how Facebook Connect works, I got a bit upset. Let me show you why with an example.

Let’s say I want to create an account at MapMyRun.com, which implements Facebook Connect, and I use my primary email address, “nelz@example.xxx”. After my account is created, MapMyRun runs my email address through a one-way hash (hashing, not encryption: there is no key and nothing to decrypt), which for the sake of argument produces “BIGBADHASH”, and sends that hash to Facebook. “So what?” you think. Surely they can’t figure out anything about me from a single one-way hash of my email address, right?

Well, then let’s say I register for an account at io9, again with my primary email address “nelz@example.xxx”. Since io9 also implements Facebook Connect, they also hash my email address and send it to Facebook. Guess what? The resulting string, “BIGBADHASH”, is the exact same as what MapMyRun just sent them.

Now, Facebook knows that someone with an email address that hashes to “BIGBADHASH” has an account on both MapMyRun and io9. Again you think “So what?” That one-way-hash protects my identity from being associated with any of these specific behaviors, right? Au contraire, mon frère.

Now one of my well-meaning friends, who doesn’t know how much I loathe Facebook, tells Facebook that they want to connect with someone at the address “nelz@example.xxx”.

This was the last piece of the puzzle that Facebook needed. Facebook need only apply the same one-way hash to the plaintext email my friend just handed them, and they get “BIGBADHASH”. Then they look up in their database where they’ve seen that hash before, and now they know that a user with the email address “nelz@example.xxx” has an account on both MapMyRun and io9.

Now I, who have never once logged into Facebook, am being tracked by Facebook whether I like it or not.
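The join described above, as an added example that is not code from the original post and not Facebook's own implementation: two sites hash the same address without a key, a collector stores the digests, and one volunteered plaintext links both accounts. SHA-256, the site names as keys, the `Collector` class and the per-site secrets are all assumptions chosen for illustration. The keyed variant at the end goes beyond the post: it shows what the sites would have to do for the digests to stop colliding.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data for this example (not from the post): two sites that
# both report a hashed address, and one person who used the same address at both.
SITES = ("MapMyRun", "io9")
EMAIL = "nelz@example.xxx"


def site_hash(email):
    """The unkeyed one-way hash the post describes.

    Every site that normalises the address the same way produces the same
    digest, which makes the digest a stable cross-site pseudonym, not
    anonymisation. SHA-256 is an assumption; the post never names the function.
    """
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


class Collector:
    """Stand-in for the central party that receives the digests (hypothetical)."""

    def __init__(self):
        self.seen = defaultdict(set)   # digest -> set of sites that reported it

    def record(self, site, digest):
        self.seen[digest].add(site)

    def resolve(self, plaintext_email):
        """The 'last piece of the puzzle': hash an address someone volunteered in
        plaintext and look the digest up against everything collected so far."""
        return set(self.seen.get(site_hash(plaintext_email), set()))


def unkeyed_scenario():
    """Both sites send the same digest; one plaintext hit unmasks both accounts."""
    collector = Collector()
    for site in SITES:
        collector.record(site, site_hash(EMAIL))
    # The friend types the address with different casing and a stray space;
    # the normalisation inside site_hash makes that irrelevant.
    return collector.resolve("Nelz@Example.XXX ")


# Hardened variant, added here for contrast (the post does not describe
# Facebook Connect working this way): each site keys the hash with its own
# secret, so the same address yields unrelated digests at different sites and
# the collector cannot reproduce any of them from a plaintext alone.
SITE_KEYS = {
    "MapMyRun": b"hypothetical-mapmyrun-secret",
    "io9": b"hypothetical-io9-secret",
}


def keyed_site_hash(site, email):
    return hmac.new(SITE_KEYS[site],
                    email.strip().lower().encode("utf-8"),
                    hashlib.sha256).hexdigest()


def keyed_scenario():
    """Same collector, but sites report keyed digests: the plaintext lookup misses."""
    collector = Collector()
    for site in SITES:
        collector.record(site, keyed_site_hash(site, EMAIL))
    return collector.resolve(EMAIL)


def keyed_digests_collide():
    """True only if the two sites' keyed digests for EMAIL are identical."""
    return len({keyed_site_hash(site, EMAIL) for site in SITES}) == 1


if __name__ == "__main__":
    print("unkeyed hash, sites linked to the address:", sorted(unkeyed_scenario()))
    print("keyed hash, sites linked to the address:", sorted(keyed_scenario()))
```

Two things the example makes concrete. First, the plaintext does not have to come from a friend: anyone holding a list of candidate addresses can hash each one the same way and look the digests up, so an unkeyed hash of an email address is a pseudonym, not a secret. Second, the keyed variant only breaks the join across sites; each site's own records still link that site's accounts, and a site could still be asked to hash a plaintext on the collector's behalf.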

External Remediation

Okay. So what can we do about this?

I looked on Facebook.com, and I found a Privacy Policy. But everything on there requires that you have an account on Facebook. I guess I could create an account, then delete it, but I don’t want an account on Facebook! What Facebook really needs is some web form for non-members that says “Forget anything you have, or will, ever collect about email XYZ”. But, that’s not likely to happen.

What about the end-points, the sites that are implementing Facebook Connect? Personally, during their sign-up processes, I’d like to see a check box that says “Don’t sell me out to Facebook.” Again, that’s not likely to happen.

Personal Remediation

Now, don’t get me wrong, I’m not a n00b. I realize there are all sorts of sites tracking my footprints across the digital landscape every day. (Quantcast, DoubleClick, etc…) For most of them, if I were paranoid and technical enough I could purge their cookies or set up a proxy that doesn’t let my browser connect to those URLs.

But this Facebook thing is different, because it’s highly likely that the communication back to Facebook is not coming from my browser, but from the servers of sites like io9 and MapMyRun. And I have no way to stop it.

How about using a different email address for each site? Sure, that could work. If I had my own mail server, I could create “io9@nelzserver.xxx” for io9 and “mapmyrun@nelzserver.xxx” for MapMyRun, but how many people have the access or the technical ability for something like that?

Gmail has a feature that could help out here. If I have an email address like “example@gmail.com”, I will still get the mail if it is sent to “example+io9@gmail.com” or “example+mapmyrun@gmail.com”. I found two challenges with this pattern: 1. it can break the “Forgot My Password” functionality if you forget which email you signed up with, and 2. emails with “+” in them don’t always pass the (incorrect) regexes sites use to validate email addresses.
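The plus-address workaround and its two challenges, as an added example that is not code from the post. It shows the caveat a practitioner would add: per-site aliases only produce distinct digests at a collector that hashes the address as typed; a collector that first canonicalises Gmail addresses (case folding, dropping dots in the local part, stripping the “+tag”, folding googlemail.com into gmail.com, all known Gmail delivery behaviour) gets one digest back. The over-strict validator regex is a constructed example of the kind that rejects “+”, not one taken from any particular site, and SHA-256 is an assumption.

```python
import hashlib
import re

# Gmail delivers mail for these aliases to the same mailbox: case does not
# matter, dots in the local part are ignored, anything after '+' is dropped,
# and googlemail.com is an alias of gmail.com. (Known Gmail behaviour; this is
# an added example, not code from the post.)
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address):
    """Collapse a Gmail-style address to the mailbox it actually lands in.
    Addresses at other domains are only lower-cased and trimmed."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GOOGLE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def _digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def naive_hash(address):
    """A collector that hashes the address as typed: per-site aliases stay distinct."""
    return _digest(address.strip().lower())


def canonical_hash(address):
    """A collector that canonicalises first: per-site aliases collapse again."""
    return _digest(canonicalize(address))


def distinct_digests(hash_fn, addresses):
    return len({hash_fn(a) for a in addresses})


# Constructed aliases for one mailbox, used the way the post proposes.
ALIASES = [
    "example+io9@gmail.com",
    "example+mapmyrun@gmail.com",
    "Ex.Ample@googlemail.com",
]

# The second challenge from the post: an over-strict validator. This pattern is
# a constructed example of the kind that rejects '+', not one lifted from any site.
OVERSTRICT_EMAIL_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def passes_overstrict_validator(address):
    return OVERSTRICT_EMAIL_RE.fullmatch(address) is not None


if __name__ == "__main__":
    print("as-typed digests for the aliases:", distinct_digests(naive_hash, ALIASES))
    print("canonicalised digests for the aliases:", distinct_digests(canonical_hash, ALIASES))
    print("'+' address passes over-strict validator:", passes_overstrict_validator(ALIASES[0]))
```

Addresses at domains the collector does not know how to canonicalise pass through untouched, which is why the self-hosted per-site mailbox from the previous paragraph is the stronger version of the same idea.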

Conclusion

As I have said before, I am living life pretty openly on the internet. And like I said above, I know there are countless other companies doing much more specific tracking and profiling of me.

But Facebook’s hegemonic desires to run the internet frustrate me, and I don’t want to be a part of it. And it pisses me off that there’s nothing I can do to extract myself.

Update: Found this interesting blog post – “Dark Stalking on Facebook