(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog


Blocking Facebook's Tracking and Surveillance: A Comprehensive Approach

Posted March 25, 2018 by shaun

Facebook's data collection tactics make waves

With Facebook and Cambridge Analytica in the news, Facebook's threat to privacy is finally getting the widespread attention it deserves. Beyond the obvious political propaganda concerns, the wider implications of Facebook's data collection are coming to light, and some of the examples are alarming. Multiple users have downloaded their history and discovered that Facebook had records of all of their phone calls and text messages.

In addition to siphoning up phone-related data, much of the web has become infected with Facebook tracking beacons that collect your browsing history on desktop PCs and mobile devices. When you see a Facebook "Like" or "Share" button on a web page, your browser typically loads these directly from Facebook's servers. Some websites without visible Facebook widgets will instead load a tiny invisible image known as a web bug or tracking pixel. Facebook logs where all of these requests come from, along with enough metadata to identify your specific browser like a fingerprint: your IP address, your browser's name and version, your screen resolution, any Facebook cookies you may have, and more.

This tracking all takes place whether you're logged into Facebook or not, and even if you don't have a Facebook account at all. Facebook maintains "shadow profiles" of unregistered users, and will correlate all of their surveillance with your real identity if they can obtain it through marketing partners or other means.

A comprehensive approach to blocking Facebook is required

Faced with pervasive data collection from multiple angles, what's a concerned person to do?

Abandoning your Facebook account and deleting the apps make a good first step, but this effort isn't sufficient to stop Facebook from watching what you do online. To avoid leaking data about your Internet usage habits to Facebook, a more proactive security stance is needed. I recommend a multi-layered approach:

  • Uninstall all Facebook-owned apps.
    This will end any direct collection of phone data you never intended Facebook to see.

  • Install privacy-enhancing browser extensions.
    These browser extensions can recognize and block specific beacon code.

  • Block Facebook in DNS.
    By sinkholing Facebook's domains, you'll eliminate most of their tracking and speed up web browsing.

  • Firewall Facebook from the network.
    Firewall rules will catch connection attempts to new or unknown Facebook-owned domains.

Not all of these steps are accessible to everyone. The latter two require some advanced technical skills (or a chunk of time to spend learning), and are easier if you have a computer on your network acting as a dedicated hardware router. Implement the layers you can. Each safeguard you add leaves you better protected than you were before.

Security Layer 0: Uninstall all Facebook-owned apps and disengage

Skill level: Beginner

If you have any of the following apps, consider them tainted and remove them from all your devices: phones, tablets, iPods, everything. Having these apps installed gives Facebook direct access to your device, and may imply legal consent to various forms of data collection.

  • Facebook
  • Messenger
  • Instagram
  • WhatsApp

Start by deleting the Facebook app. Get rid of the others on that list, too; they're all owned by Facebook, and the extent of data sharing between them is unclear. You might also take a few minutes to evaluate settings in your other apps, disabling the "Facebook Connect" feature wherever you find it.

If you're ready to permanently sever ties with Facebook, login to Facebook in a web browser and delete your account.

Many folks aren't ready for this level of commitment, and that's okay. Using a web browser, log in to Facebook and post a "goodbye" status update so people know you're no longer reachable there. Confirm that your privacy settings are as restrictive as you can possibly make them, then log out. A web browser is the best tool for this task, as some versions of the Facebook app don't show all of the different privacy options that the Facebook website does.

As you read on, if you aren't comfortable implementing the other layers of protection, make sure to do this one 100%. Leave no Facebook-owned app behind on any of your devices!

Security Layer 1: Install privacy-enhancing browser extensions

Skill level: Beginner

One of the most important defenses against Facebook is your web browser. Because Facebook tracking beacons are scattered all over the web, your browser presents a large attack surface. Privacy-enhancing browser extensions can intercept and block tracking attempts from Facebook and other companies. Installing some or all of these extensions is part of an effective privacy strategy, especially if you aren't able to install a DNS sinkhole or add rules to your firewall.

Firefox and Chrome both have repositories full of available add-ons (if you're using Internet Explorer or Edge, consider switching to Firefox). Here are a few suggestions:

  • uBlock Origin - Chrome | Firefox | Firefox Android
    General-purpose ad blocker that can block Facebook trackers after specific configuration.

  • Facebook Container - Firefox | Firefox Android
    Attempts to isolate Facebook from the rest of the web, if you absolutely must keep using it.

  • Privacy Badger - Chrome | Firefox
    Intuitive slider interface lets you block specific cookies and trackers, including Facebook.

  • Cookie AutoDelete - Firefox | Firefox Android
    Deletes cookies when you leave a website to mitigate tracking between browser sessions.

  • Disconnect Facebook - Chrome
    Specifically blocks Facebook "Like/Share" widgets and tracking pixels.

  • Disconnect - Firefox
    Blocks a variety of trackers, including Facebook.

  • Ghostery - Chrome | Firefox
    Blocks a variety of ads and trackers, including Facebook. Recently revamped as open-source.

Security Layer 2: Block Facebook in DNS

Skill level: Advanced

It's often said that DNS is the Internet's phone book. That makes a DNS sinkhole analogous to putting a block on dialing premium numbers. A sinkhole is a DNS server configured to resolve undesirable domains to a non-routable IP address, like 0.0.0.0 or 127.0.0.1. When your browser asks "what's the IP for facebook.com?" your sinkhole DNS server responds with an IP address that you can't connect to. This prevents any outbound requests for, say, a Facebook "Like" button or an invisible tracking pixel from going through.

If you have a Pi-hole or some other managed DNS interface, you can just add Facebook's domains there to sinkhole them. You'll want to block: facebook.com, facebook.net, fb.com, fb.me, fbcdn.com, fbcdn.net, fbsbx.com, and fbsbx.net. That was easy, and you're ready to skip ahead to the firewall section.

Otherwise, you're going to want to install a DNS server somewhere on your home or office network. The DNS service should always be running and accessible to every other device on your network, so it's a good idea to install it on a PC that's always turned on. If you have a computer acting as a dedicated hardware router/firewall, that's the best choice. Some consumer routers will let you install third-party software, and a few even come with a DNS server built in; consult your router's manual for information.

Which name server to install? There are several options, and bind is a popular choice. Digital Ocean has a great tutorial about installing bind; it's written for Ubuntu, but the bulk of it applies to any operating system. Install bind through your package manager and then follow the instructions for configuring a forwarding server. Windows users can download the Windows installer, click through it to install bind as a Windows service, then follow along the Digital Ocean guide to configure your named.conf.

After installing your DNS server, make sure to configure the devices on your network to use it. Just plug its IP into your network settings instead of your ISP's DNS servers. There are guides available for changing the system DNS server on Windows, Linux/BSD, OS X/macOS, Android, and iOS. (Don't use any IP addresses you might find in those links. You want to use the local IP address of the machine where your local name server is installed.)

Once you have a DNS server running on your network, modifying it to act as a sinkhole won't take much work.

First, you need a zone file that will resolve every host in a domain to a non-routable IP. This blackhole.zone file will work fine, just change the SOA and NS records to point to your local DNS server's hostname. Place the file wherever your other bind files live, like /var/namedb.

Next, edit your named.conf so your bind server is authoritative for Facebook's domains. As of this writing, there are 8 different domains used by Facebook and its various content distribution networks. Append the zone directives in the following file to the end of named.conf:

Restart bind so the new settings take effect, then see if you can connect to facebook.com. If things went well, your browser should give you an error message instead of displaying Facebook's home page. You're now blocking Facebook's known domains, including every possible subdomain of each. Any time your computer tries to connect to a Facebook hostname, the resolution will fail and the connection won't go through.

Security Layer 3: Firewall Facebook from the network

Skill level: Intermediate

Facebook operates one of the world's largest content distribution networks. Their IP address inventory is comprised of more than 90,000 IPv4 addresses and potentially billions of possible IPv6 addresses. It's a good idea to permanently block them all at the network (router) level. If Facebook registers new domains that your DNS sinkhole doesn't know about, or if tracking beacons bypass DNS and point straight to a Facebook IP address, your firewall will still catch and block the traffic.

The list of Facebook's prefixes is a little excessive to include here, so I've put a few files up on Github:

How you implement these blocking rules depends on your network setup. With a dedicated computer acting as a hardware firewall/router, place these rules there to impact your whole network. Most consumer routers offer some type of firewall interface, though a lot of them are lackluster and may require manually entering each IP range to block. If you use a firewall solution other than iptables or ipfw and have scripted rules for Facebook, especially if you have a script for Windows Firewall, I'd welcome your contribution.



Recent articles

📰 🎂

📰 SFSQuery, a PHP class to query the StopForumSpam API and DNSBL

📰 Resolving portmaster error "pkg-static: automake-1.16.1 conflicts with automake-wrapper-20131203"

📰 Resolving LibreNMS error "RuntimeException: The only supported ciphers are AES-128-CBC and AES-256-CBC with the correct key lengths"

📰 1.1.1.1: Fast, but not so accurate (yet)

📰 autodiscover.xml as an Indicator of Attack

📰 Blocking Facebook's Tracking and Surveillance: A Comprehensive Approach

📰 Let's Encrypt Readies for Certificate Transparency with Embedded SCTs

📰 Evaluating DNSBL Effectiveness with Postfix Logs

📰 Resolving subversion error E145001: Node has unexpectedly changed kind

📰 Installing PHP 7.2 with pthreads on CentOS 6

📰 LocalStorage kills another site, or: Working around Zap2it's new interface

▲ Back to top | Permalink to this page