Blocking Facebook's Tracking and Surveillance: A Comprehensive Approach
Facebook's data collection tactics make waves
With Facebook and Cambridge Analytica in the news, Facebook's threat to privacy is finally getting the widespread attention it deserves. Beyond the obvious political propaganda concerns, the wider implications of Facebook's data collection are coming to light, and some of the examples are alarming. Multiple users have downloaded their history and discovered that Facebook had records of all of their phone calls and text messages.
In addition to siphoning up phone-related data, much of the web has become infected with Facebook tracking beacons that collect your browsing history on desktop PCs and mobile devices. When you see a Facebook "Like" or "Share" button on a web page, your browser typically loads these directly from Facebook's servers. Some websites without visible Facebook widgets will instead load a tiny invisible image known as a web bug or tracking pixel. Facebook logs where all of these requests come from, along with enough metadata to identify your specific browser like a fingerprint: your IP address, your browser's name and version, your screen resolution, any Facebook cookies you may have, and more.
This tracking all takes place whether you're logged into Facebook or not, and even if you don't have a Facebook account at all. Facebook maintains "shadow profiles" of unregistered users, and will correlate all of their surveillance with your real identity if they can obtain it through marketing partners or other means.
A comprehensive approach to blocking Facebook is required
Faced with pervasive data collection from multiple angles, what's a concerned person to do?
Abandoning your Facebook account and deleting the apps make a good first step, but this effort isn't sufficient to stop Facebook from watching what you do online. To avoid leaking data about your Internet usage habits to Facebook, a more proactive security stance is needed. I recommend a multi-layered approach:
Uninstall all Facebook-owned apps.
This will end any direct collection of phone data you never intended Facebook to see.
Install privacy-enhancing browser extensions.
These browser extensions can recognize and block specific beacon code.
Block Facebook in DNS.
By sinkholing Facebook's domains, you'll eliminate most of their tracking and speed up web browsing.
- Firewall Facebook from the network.
Firewall rules will catch connection attempts to new or unknown Facebook-owned domains.
Not all of these steps are accessible to everyone. The latter two require some advanced technical skills (or a chunk of time to spend learning), and are easier if you have a computer on your network acting as a dedicated hardware router. Implement the layers you can. Each safeguard you add leaves you better protected than you were before.
Security Layer 0: Uninstall all Facebook-owned apps and disengage
Skill level: Beginner
If you have any of the following apps, consider them tainted and remove them from all your devices: phones, tablets, iPods, everything. Having these apps installed gives Facebook direct access to your device, and may imply legal consent to various forms of data collection.
Start by deleting the Facebook app. Get rid of the others on that list, too; they're all owned by Facebook, and the extent of data sharing between them is unclear. You might also take a few minutes to evaluate settings in your other apps, disabling the "Facebook Connect" feature wherever you find it.
If you're ready to permanently sever ties with Facebook, login to Facebook in a web browser and delete your account.
Many folks aren't ready for this level of commitment, and that's okay. Using a web browser, log in to Facebook and post a "goodbye" status update so people know you're no longer reachable there. Confirm that your privacy settings are as restrictive as you can possibly make them, then log out. A web browser is the best tool for this task, as some versions of the Facebook app don't show all of the different privacy options that the Facebook website does.
As you read on, if you aren't comfortable implementing the other layers of protection, make sure to do this one 100%. Leave no Facebook-owned app behind on any of your devices!
Security Layer 1: Install privacy-enhancing browser extensions
Skill level: Beginner
One of the most important defenses against Facebook is your web browser. Because Facebook tracking beacons are scattered all over the web, your browser presents a large attack surface. Privacy-enhancing browser extensions can intercept and block tracking attempts from Facebook and other companies. Installing some or all of these extensions is part of an effective privacy strategy, especially if you aren't able to install a DNS sinkhole or add rules to your firewall.
Firefox, Chrome, and Safari all have repositories full of available add-ons (if you're using Internet Explorer or Edge, consider switching to Firefox). Here are a few suggestions:
Disconnect Facebook - Chrome
Specifically blocks Facebook "Like/Share" widgets and tracking pixels.
- Ghostery - Chrome | Firefox | Safari
Blocks a variety of ads and trackers, including Facebook. Recently revamped as open-source.
Security Layer 2: Block Facebook in DNS
Skill level: Advanced
It's often said that DNS is the Internet's phone book. That makes a DNS sinkhole analogous to putting a block on dialing premium numbers. A sinkhole is a DNS server configured to resolve undesirable domains to a non-routable IP address, like 0.0.0.0 or 127.0.0.1. When your browser asks "what's the IP for facebook.com?" your sinkhole DNS server responds with an IP address that you can't connect to. This prevents any outbound requests for, say, a Facebook "Like" button or an invisible tracking pixel from going through.
If you have a Pi-hole or some other managed DNS interface, you can just add Facebook's domains there to sinkhole them. You'll want to block: facebook.com, facebook.net, fb.com, fb.me, fbcdn.com, fbcdn.net, fbsbx.com, and fbsbx.net. That was easy, and you're ready to skip ahead to the firewall section.
Otherwise, you're going to want to install a DNS server somewhere on your home or office network. The DNS service should always be running and accessible to every other device on your network, so it's a good idea to install it on a PC that's always turned on. If you have a computer acting as a dedicated hardware router/firewall, that's the best choice. Some consumer routers will let you install third-party software, and a few even come with a DNS server built in; consult your router's manual for information.
Which name server to install? There are several options, and
BIND is a popular choice. Digital Ocean has a great tutorial about installing
BIND. The tutorial is written for Ubuntu, but the bulk of it applies to any operating system. Install
BIND through your package manager and then follow the instructions for configuring a forwarding server. Windows users can download the Windows installer, click through it to install
BIND as a Windows service, then follow along the Digital Ocean guide to configure your
After installing your DNS server, make sure to configure the devices on your network to use it. Just plug its IP into your network settings instead of your ISP's DNS servers. There are guides available for changing the system DNS server on Windows, Linux/BSD, OS X/macOS, Android, and iOS. (Don't use any IP addresses you might find in those links. You want to use the local IP address of the machine where your local name server is installed.)
Once you have a DNS server running on your network, modifying it to act as a sinkhole won't take much work.
First, you need a zone file that will resolve every host in a domain to a non-routable IP. This blackhole.zone file will work fine, just change the
NS records to point to your local DNS server's hostname. Place the file wherever your other
BIND files live, like
Next, edit your
named.conf so your
BIND server is authoritative for Facebook's domains. As of this writing, there are 9 different domains used by Facebook and its various content distribution networks. Append the
zone directives in the following file to the end of
- facebook-zones.txt (0.3 KB)
Facebook's known domains as
BIND so the new settings take effect, then see if you can connect to facebook.com. If things went well, your browser should give you an error message instead of displaying Facebook's home page. You're now blocking Facebook's known domains, including every possible subdomain of each. Any time your computer tries to connect to a Facebook hostname, the lookup will fail and the connection won't go through.
Security Layer 3: Firewall Facebook from the network
Skill level: Intermediate
Facebook operates one of the world's largest content distribution networks. Their IP address inventory is comprised of more than 90,000 IPv4 addresses and potentially billions of possible IPv6 addresses. It's a good idea to permanently block them all at the network (router) level. If Facebook registers new domains that your DNS sinkhole doesn't know about, or if tracking beacons bypass DNS and point straight to a Facebook IP address, your firewall will still catch and block the traffic.
The list of Facebook's prefixes is a little excessive to include here, so I've put a few files up on Github:
facebook-ip-ranges.txt (4 KB)
Known Facebook IPv4 and IPv6 ranges in CIDR format
facebook-iptables.sh (21 KB)
A Facebook ingress/egress firewall script using
- facebook-ipfw.sh (24 KB)
A Facebook ingress/egress firewall script using
How you implement these blocking rules depends on your network setup. With a dedicated computer acting as a hardware firewall/router, place these rules there to impact your whole network. Most consumer routers offer some type of firewall interface, though a lot of them are lackluster and may require manually entering each IP range to block. If you use a firewall solution other than
ipfw and have scripted rules for Facebook, especially if you have a script for Windows Firewall, I'd welcome your contribution.