How They Track You

Filed in PHP and Website Security, Social Media and News | 1 comment
For my first post here, I decided to go with a rather simple topic that has been exhausted numerous times before. It’s time for another one of those blog posts describing the tracking mechanisms employed by social networks. For an added twist, consider the number of social widgets which are present on this site and realize that if you are not careful, your actions here can be linked back to your real identity.
Few of the groups which track users online have gained as much notoriety as Facebook has. Facebook Inc. has been widely criticized for the lack of privacy settings within its social network. Every status update and every post you like within Facebook contributes to a massive stash of information which is collected about you detailing everything from your location to your preferences (a treasure trove for advertisers and governments).
A quick look at the Wikipedia page “Use of social networks in investigations” will turn up numerous cases where data from social networks was used against the people who posted it. Here are some highlights:
  • In December 2006, campus police at the University of North Carolina at Wilmington were investigating the theft of two PlayStation consoles, which had been stolen by the two perpetrators of a beating and robbery on campus. They planned to raid the rented house of Peyton Strickland, an 18-year-old student at nearby Cape Fear Community College. They discovered that the other alleged robber, Ryan Mills, had posted photographs of himself on Facebook in which he posed with guns. Expecting “heavily armed resistance” at Strickland’s house, the officers called in a SWAT team for backup to raid Strickland’s house. When they arrived at the residence, which three students rented, they were not immediately let in. As one officer began to break down the door with a battering ram, another officer mistook the sound of the battering ram for gunshots and shot through the glass door multiple times, killing the unarmed Strickland and his dog.
  • In response to the monitoring [of Facebook], some students have begun to submit “red herring” party listings. In one case at George Washington University, students advertised their party and were raided by campus police. The police found only cake, no alcohol, and later claimed the dorm raid had been triggered by a noise complaint.
  • In October 2005, sophomore Cameron Walker was expelled from Fisher College in Boston for comments about a campus police officer made on Facebook. These comments, including the statement that the officer “loves to antagonize students…and needs to be eliminated,” were judged to be in violation of the college’s code of conduct.
It is also worth your time to review Facebook’s laughable policy on law enforcement. The EFF has a better (and objective) report on social networks and law enforcement (PDF) which describes the policy of Facebook as well as Twitter, MySpace, MSN, Yahoo, Craigslist, PayPal, and some other, less popular websites.
Even this blog does not escape the peering eyes of Facebook. Don’t believe me? Look at this page’s source code! At the time I wrote this, a Facebook iframe element is included in the page. The src attribute of the iframe sets it to load content from facebook.com over an unencrypted HTTP connection. The scary part is that the URL set on the iframe also includes some other data to facilitate the “like” function which lies at the core of Facebook’s business model. The URL contains the exact address of the page which was read on this blog, and the same is true for a vast number of pages across the internet.
But the tracking does not stop there. Social widgets are embedded into websites that many people visit every day. News articles, blogs, software websites, and the list goes on… As we continue to experience the expansion of this data collection, it is vital that we ask ourselves what data these tracking and advertisement platforms really need to know. What would happen if the government in your country decided that news articles which were critical of the dictator should not be read? Would they be able to find out who accessed these articles by asking Facebook? This action is blatantly unacceptable, but it could happen.
Here at the ProjectX Blog we must also consider the security implications of this tracking. What would happen if Facebook was hacked? Do you want all the data Facebook has on you to become available to anyone with the technical know-how to run Metasploit? I would like to think that Facebook is more secure than that, but what about the increasing risk of governments in the cyber realm? Although we are far from “cyber warfare,” it is likely that governments both foreign and domestic have the power to infiltrate the systems of these social networks. And finally, what about spying operations enacted by agencies such as the NSA? At the time I wrote this, the Facebook widget on this blog is still using an unencrypted connection which would allow for trivial interception by the government or even by Tor exits which might be monitoring traffic.
Do not despair. There are actions you can take to protect yourself from these all-knowing corporations.

Protecting Yourself

  • The first and most important rule is to be wary of everything you post on Facebook. Think about the privacy implications it might have if it would fall into the wrong hands.
  • Tools such as HTTPS Everywhere and NoScript are available. HTTPS Everywhere will make sure that requests to Facebook are sent using SSL (preventing government surveillance). NoScript prevents unauthorized scripts from running on your computer. Scripts allow for increased data collection, such as the length of your visit on each page and information about your browser which can be used to identify you again at a later time (even if you delete cookies).
  • Even with NoScript, you can still be tracked. Many trackers include fall-back options which might load a 1×1 pixel image off a tracking server. When your browser makes this request, information such as your IP address, browser version, and time of visit may be collected. Ghostery might be able to help with this (and it can take out those nasty cookies). This add-on is also available for Google Chrome.
  • Tor is another great tool to prevent your IP address and location from being leaked to other websites. However, Tor cannot do much to protect you if you provide your name and address to Facebook willingly.
  • Depending on your browser, you might have the option to send a “Do not track” header on your requests. The EFF has been tracking the evolution of this technology and online advertisers are attempting to work out a standard for this technology. If you operate your own website, you should take a look at Mozilla’s Do Not Track guidelines. You can check if a visitor has Do Not Track enabled by looking for the “DNT” HTTP header.
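To see what a page hands to third parties, the iframe described earlier and the 1×1 pixel fall-back from the list above can both be found by auditing the page's own markup. The following is an added example, not code from this blog; the hosts blog.example, social.example and tracker.example and the sample markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

class EmbedAudit(HTMLParser):
    """Record third-party iframe/script/img loads and what each exposes."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page = urlsplit(page_url)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag not in ("iframe", "script", "img") or not a.get("src"):
            return
        # Protocol-relative URLs (//host/...) inherit the page's scheme.
        u = urlsplit(a["src"], scheme=self.page.scheme)
        if not u.hostname or u.hostname == self.page.hostname:
            return  # relative or same-site resource
        flags = []
        if u.scheme == "http":
            flags.append("plain-http")
        # parse_qsl percent-decodes, so an encoded page address still matches.
        if any(self.page_url in v for _, v in parse_qsl(u.query)):
            flags.append("leaks-page-url")
        if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            flags.append("1x1-pixel")
        self.findings.append((tag, u.hostname, flags))

def audit(html, page_url):
    parser = EmbedAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: blog.example, social.example and tracker.example are
# placeholders, not the markup of this blog or of any real widget.
PAGE = "https://blog.example/how-they-track-you/"
SAMPLE = """
<img src="/img/logo.png" width="200" height="50">
<iframe src="http://social.example/like?href=https%3A%2F%2Fblog.example%2Fhow-they-track-you%2F&amp;layout=standard"></iframe>
<noscript><img src="//tracker.example/p.gif?id=42" width="1" height="1"></noscript>
"""

if __name__ == "__main__":
    for tag, host, flags in audit(SAMPLE, PAGE):
        print(f"{tag:6} {host:18} {', '.join(flags)}")
```

An embed with no flags still contacts the third party, and the browser's Referer header can carry the page address even when the query string does not.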
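For site operators, the DNT check mentioned in the last item can be done where the page is rendered. This added example (not code from this blog or from Mozilla's guidelines) is a small WSGI application; replacing the widget with a plain link for DNT visitors is an assumed policy, and social.example and its URLs are hypothetical.

```python
from urllib.parse import quote
from wsgiref.util import request_uri, setup_testing_defaults

# Hypothetical widget markup; social.example stands in for the network.
WIDGET = '<iframe src="https://social.example/like?href={u}"></iframe>'
# A plain link contacts the third party only if the visitor clicks it.
LINK = '<a href="https://social.example/share?u={u}">Share this page</a>'

def dnt_enabled(environ):
    """True only for DNT: 1; WSGI exposes the request header as HTTP_DNT."""
    return environ.get("HTTP_DNT", "").strip() == "1"

def app(environ, start_response):
    u = quote(request_uri(environ), safe="")
    share = (LINK if dnt_enabled(environ) else WIDGET).format(u=u)
    body = f"<html><body><p>Article text</p>{share}</body></html>".encode()
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
        # The markup depends on DNT, so shared caches must key on it;
        # otherwise a cached widget page is served to DNT visitors.
        ("Vary", "DNT"),
    ])
    return [body]

def demo(dnt=None):
    """Call app() with a constructed request; return (headers, html)."""
    environ = {}
    setup_testing_defaults(environ)
    if dnt is not None:
        environ["HTTP_DNT"] = dnt
    seen = {}
    body = b"".join(app(environ, lambda status, headers: seen.update(headers)))
    return seen, body.decode()

if __name__ == "__main__":
    for value in (None, "0", "1"):
        headers, html = demo(value)
        print(f"DNT={value!s:4} widget embedded: {'<iframe' in html}")
```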
