The recent spate of revelations surrounding data breaches, subversion of the democratic process, and general disregard for user privacy was the last straw. It’s time to say goodbye to Facebook. However, not everyone feels so strongly, and cutting off a channel of communication as ubiquitous as Facebook can be challenging. So what can you do to protect yourself?
Note: The web browser sections below are Firefox-specific.
Don’t use Facebook mobile applications
Installing Facebook or any Facebook-affiliated app on your phone is probably the worst thing you can do. For example, it was recently revealed that Messenger was sending all kinds of data back to the mothership, specifically contact lists and phone call / SMS metadata. It’s very hard to know exactly what closed-source apps are doing behind the scenes, so as a general rule don’t install them.
Disable Facebook Platform
Facebook Platform provides a set of application programming interfaces (APIs) that give third-party developers access to your data. This is exactly how Cambridge Analytica got access to the user data of over 50 million people. If you have “Apps, websites and games” turned on, you’re putting yourself at serious risk.
Don’t ‘like’ stuff
Your personal information is valuable – don’t give it away for free! If someone offered you a service but in exchange you had to tell them your sexual orientation, ethnicity, religious and political views, personality traits, intelligence, happiness, use of addictive substances, parental separation, age, and gender, would you accept? Chances are you wouldn’t. A 2013 study of 58,000 volunteers showed how your Likes reveal all of the above with frightening accuracy.
Don’t upload media with embedded EXIF metadata
Exif (Exchangeable image file format) defines a standard for embedding metadata in image and sound files. This metadata can include your device’s serial number and GPS coordinates. The serial number can be used to identify every other photo taken by that device. I’m sure you can imagine scenarios in which that might not be ideal. The power of metadata is best exemplified by the story of Higinio O. Ochoa III, an alleged Anonymous hacker from Texas (see also A Picture is Worth a Thousand Words, Including Your Location, by the Electronic Frontier Foundation).
If you have an Android phone, ObscuraCam is a good option for stripping Exif metadata before uploading to Facebook.
Isolate your usage of Facebook.com
Facebook recently confirmed what most people already knew, namely that it tracks and profiles users and non-users alike. You can minimise your exposure to tracking in one of two ways.
Option 1: Install the ‘Facebook Container’ add-on
Firefox Containers facilitate the segregation of site data by giving each container its own cache, cookie storage, IndexedDB, and localStorage. Containers were initially only available in Firefox Nightly. In September 2017 they became widely available via the Firefox Multi-Account Containers add-on. In March 2018 Mozilla released Facebook Container – a container-based add-on designed to isolate your web activity from Facebook.
See this Mozilla blog post for more information.
Option 2: Use a dedicated browser profile
If you use Firefox, you already have a default profile. It’s where Firefox stores your history, bookmarks, installed add-ons, saved passwords, etc. Profiles also have their own cache, cookie storage, IndexedDB, and localStorage. For all intents and purposes, a profile is a completely separate browser. You can see information about your current profile(s) by typing ‘about:profiles’ in the Firefox address bar.
The best way to fully isolate Facebook from your general day-to-day browsing is to create a new profile whose sole purpose is accessing Facebook. Information on adding and removing profiles can be found here.
From here on in I’ll assume you have two profiles: “default” (for all your day-to-day, non-Facebook browsing) and “facebook” (used purely for accessing Facebook). Now that you’re no longer using your default profile for accessing Facebook, you should block all Facebook domains and cookies in that profile.
When it comes to domain blocking in the browser my go-to tool is uMatrix. From a privacy perspective uMatrix is ideal because it actually blocks requests to blacklisted domains. On the flip side it’s not the most user-friendly for non-technical users. At the time of writing, the following rules should suffice:
    * facebook.com * block
    * facebook.com.edgekey.net * block
    * facebook.com.edgesuite.net * block
    * facebook.net * block
    * facebook.net.edgekey.net * block
    * facebook-web-clients.appspot.com * block
    * fb.com * block
    * fb.me * block
    * fbcdn.com * block
    * fbcdn.net * block
    * fbsbx.com * block
    * fbsbx.com.online-metrix.net * block
    * m.me * block
    * messenger.com * block
    * tfbnw.net * block
Information on adding uMatrix rules can be found on the uMatrix Wiki.
If you don’t have a Facebook account, or you’ve deleted it, and are technically inclined, you can attempt to block Facebook at the network level:
- Block all known Facebook domains at the router or in your computer’s hosts file.
- Get hold of a Raspberry Pi and install Pi-hole, preferably in conjunction with DNSCrypt.
- Use a filtering proxy such as Privoxy (P.S. never download anything from SourceForge as there have been numerous instances of malware being bundled with SourceForge downloads).
It should be noted that blocking Facebook at the network level isn’t foolproof. New domains create a constantly moving target, and applications can always bypass DNS-based blockers by using IP addresses.
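A further gap worth checking when you turn the domain list above into hosts-file entries, shown as an added example (not code from this article): a hosts file matches whole hostnames only, so an entry for a domain does not cover its subdomains, whereas a blocker that matches a domain together with its subdomains does. The rule subset, the test hostnames and all function names are constructed for illustration.

```python
# Subset of the block rules listed earlier ("source destination type action").
UMATRIX_RULES = """\
* facebook.com * block
* fbcdn.net * block
* messenger.com * block
"""

# Constructed hostnames to test coverage against.
TEST_HOSTS = ["facebook.com", "www.facebook.com", "static.xx.fbcdn.net",
              "notfacebook.com", "example.org"]

def blocked_domains(rules):
    """Extract destination hostnames from four-field block rules."""
    domains = []
    for line in rules.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == "block" and parts[1] != "*":
            domains.append(parts[1].lower().rstrip("."))
    return domains

def hosts_file(domains):
    """Render hosts-file lines that point each domain at an unroutable address."""
    return "".join(f"0.0.0.0 {d}\n" for d in domains)

def hosts_blocks(hostname, domains):
    """Hosts-file semantics: only an exact hostname match is blocked."""
    return hostname.lower().rstrip(".") in domains

def suffix_blocks(hostname, domains):
    """Domain-plus-subdomain semantics, matching on a label boundary."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)

def coverage(hostnames, domains):
    """Map each hostname to (blocked by hosts file, blocked by suffix match)."""
    return {h: (hosts_blocks(h, domains), suffix_blocks(h, domains))
            for h in hostnames}

if __name__ == "__main__":
    doms = blocked_domains(UMATRIX_RULES)
    print(hosts_file(doms), end="")
    for host, (exact, suffix) in coverage(TEST_HOSTS, doms).items():
        print(f"{host:22} hosts-file={exact!s:5} suffix-match={suffix}")
```

Hostnames that only the suffix match catches, such as `www.facebook.com` here, have to be listed one by one if a hosts file is the only blocker in use.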