Thu, 04/12/2018 – 10:06
I don’t always use Facebook, but when I do, it’s in a
compartmentalized browser over Tor.
Whenever people talk about protecting privacy on the internet, social-media sites like
Facebook inevitably come up—especially right now. It makes sense—social
networks (like Facebook) provide a platform where you can share your
personal data with your friends, and it doesn’t come as much of a surprise
to people to find out they also share that data with advertisers (it’s
how they pay the bills after all). It makes sense that Facebook uses
data you provide when you visit that site. What some people might
be surprised to know, however, is just how much Facebook tracks them
when they aren’t using Facebook itself but just browsing around the web.
Some readers may solve the problem of Facebook tracking by saying
“just don’t use Facebook”; however, for many people, that site may be the
only way they can keep in touch with some of their friends and family members.
Although I don’t post
on Facebook much myself, I do have an account and use it to keep in
touch with certain friends. So in this article, I explain how I employ
compartmentalization principles to use Facebook without leaking too much
other information about myself.
1. Post Only Public Information
The first rule for Facebook is that, regardless of what you think your
privacy settings are, you are much better off if you treat any content
you provide there as being fully public. For one, all of those different
privacy and permission settings can become complicated, so it’s easy to
make a mistake that ends up making some of your data more public than
you’d like. Second, even with privacy settings in place, you don’t have
a strong guarantee that the data won’t be shared with people willing to
pay for it. If you treat it like a public posting ground and share
only data you want the world to know, you won’t get any surprises.
2. Give Facebook Its Own Browser
I mentioned before that Facebook also can track what you do when you
browse other sites. Have you ever noticed little Facebook “Like” icons
on other sites? Often websites will include those icons to help increase
engagement on their sites. What those icons also do, however, is link the fact
that you visited that site with your specific Facebook account—even
if you didn’t click “Like” or otherwise engage with the site. If you
want to reduce how much you are tracked, I recommend selecting a separate
browser that you use only for Facebook. So if you are a Firefox user, load
Facebook in Chrome. If you are a Chrome user, view Facebook in Firefox. If
you don’t want to go to the trouble of managing two different browsers,
at the very least, set up a separate Firefox profile (run firefox -P from
a terminal) that you use only for Facebook.
3. View Facebook over Tor
Many people don’t know that Facebook itself offers a .onion service that allows
you to view Facebook over Tor. It may seem counterintuitive that a site
that wants so much of your data would also want to use an anonymizing
service, but it makes sense if you think it through. Sure, if you access
Facebook over Tor, Facebook will know it’s you that’s accessing it,
but it won’t know from where. More important, no other sites on the
internet will know you are accessing Facebook from that account, even if
they try to track via IP.
To use Facebook’s private .onion service, install the Tor Browser Bundle,
or otherwise install Tor locally, and follow the Tor documentation to
route your Facebook-only browser to its SOCKS proxy service. Then visit
https://facebookcorewwwi.onion, and only you and Facebook will know you
are hitting the site. By the way, one advantage to setting up a separate
browser that uses a SOCKS proxy instead of the Tor Browser Bundle is
that the Tor Browser Bundle attempts to be stateless, so you will have
a tougher time making the Facebook .onion address your home page.
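One way to script the Facebook-only Firefox profile from steps 2 and 3, as an added example that is not part of the original article. It assumes Tor is listening on 127.0.0.1:9050 (the tor daemon's default; the Tor Browser Bundle's own tor uses 9150), and the function name and profile path are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: build a Firefox profile directory used only for Facebook
# that sends all traffic, DNS lookups included, through a local Tor SOCKS port.
# Assumptions: Tor on 127.0.0.1:9050; the directory location is arbitrary.

ONION_URL="https://facebookcorewwwi.onion"   # address given in the article

write_facebook_profile() {
    local dir="$1" host="${2:-127.0.0.1}" port="${3:-9050}"

    # Reject anything that is not a valid TCP port rather than writing a
    # profile that would fail to reach the proxy.
    case "$port" in
        ''|*[!0-9]*|??????*) echo "invalid SOCKS port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid SOCKS port: $port" >&2; return 1
    fi

    # Keep the profile (cookies, session) readable by this user only.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1

    # Firefox re-applies user.js on every start, so these settings cannot
    # drift if a preference is changed by accident in the UI.
    cat > "$dir/user.js" <<EOF
// 1 = manual proxy configuration
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "$host");
user_pref("network.proxy.socks_port", $port);
user_pref("network.proxy.socks_version", 5);
// Resolve hostnames through the proxy so DNS queries do not leak locally
user_pref("network.proxy.socks_remote_dns", true);
// Stock Firefox refuses to resolve .onion names unless this is disabled
user_pref("network.dns.blockDotOnion", false);
// A persistent profile can keep the .onion address as its home page
user_pref("browser.startup.homepage", "$ONION_URL");
EOF
}

# Typical use (not run here):
#   write_facebook_profile "$HOME/.facebook-only-profile"
#   firefox --no-remote --profile "$HOME/.facebook-only-profile"
```

If the page fails to load, check that Tor is actually listening on the port written into user.js before changing anything else in the profile.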
So sure, you could decide to opt out of Facebook altogether, but if you
don’t have that luxury, I hope a few of these compartmentalization
steps will help you use Facebook in a way that doesn’t completely remove