Some time ago, I reactivated my inactive Facebook account. I hate Facebook and pretty much everything it stands for. Even though I totally support social activity, I think Facebook is probably the worst example of how to not implement something. I think it encourages a belief in activity that’s mostly meaningless and superficial, and it completely wipes out any kind of privacy you might have. So, why in the world would I reactivate my own account?
First of all, I’ve set all privacy and application settings to the most restrictive. Second, I’ve made sure I don’t have any friend linked to my account. Why the latter? Because one of the most restrictive privacy settings you can have still allows friends of friends to see you. Which is completely absurd. If you only want to be known to a specific, small set of people—it’s impossible to do that on Facebook. If any of your friends is friends with somebody else, those other people can see you too. Last, I never post anything on it.
The single reason I have an activated account is so I can post the occasional comment to Toronto’s event blog site, BlogTO. BlogTO relies on authenticating users with a Facebook identity provider. This means they don’t need have to implement their own database of users and passwords and can, instead, rely on Facebook for authentication. But, after I increased the security of my web browser, I discovered I could no longer post comments—or even see any existing comments.
I gradually discovered the settings that are required to both create and view Facebook-authenticated comments on BlogTO:
- Prevent tracking activities by known sites – This setting must be disabled. Unless you allow Facebook (and every other known site in the world, as there seems to be no granular control over the setting) to track you, the Facebook Comments Plugin will simply not be displayed. This means you can neither post a comment yourself nor see comments that anyone else has posted.
- Allow popup windows – If you don’t enable this setting, the Facebook authentication dialog box that BlogTO activates will simply never be seen. With just the above setting, you’ll be able to see other comments but never post your own. However, you can at least limit the sites from which you allow popups to just BlogTO and any other site of a similar nature where they are required for needed functionality.
- Allow all cookies – If you don’t enable this setting too, something strange happens. The Facebook authentication dialog box will repeatedly, in a loop that never ends, appear and disappear again. I’m sure this has something to do with third-party cookies. Again, however, there is no granular control by which the browser can be told to only allow third-party cookies when visiting a particular site. As with tracking activity, it’s a setting that must be applied globally. In this case, however, cookies can be set to expire after a single session so at least they don’t follow you from session to session. (And, with cookies anyway, there is granular control—allowing cookies to be kept for specific sites that are frequently visited and where that makes a difference.)
So, what tracking activities are now taking place by Facebook and every other website I visit that implements them? I have no idea. I should probably investigate and determine exactly what the implications are. I have some assumptions (such as websites determining the geographical location of the computer I’m using to browse and post from) but it could be more than that. The fact that I don’t care enough to immediately investigate is telling. I’ve made reasonable efforts to maintain my privacy as much as possible but, even for me, there is a line I don’t cross between functionality and security. Sites are tracking me in some way—and any BlogTO posts I make are still accompanied by a little picture of myself as well as the fact that I’m associated with Trent University—but I don’t care enough to get rid of those things. Just think of the millions of people who care even less and use a fully unrestricted Facebook every single day?
I recently switched from SeaMonkey to Firefox. (After twenty years, it felt a little disloyal, but I wasn’t able to function with the lack of working extensions for SeaMonkey.)
After switching, I couldn’t see or post comments on BlogTO. But I remembered this from before. With Firefox, I was able to disable all tracking—but allow BlogTO as an exception. Also, disallowing third-party cookies prevented me from commenting (as I mentioned), but I could set Firefox’s policy on third-party cookies to “From visited,” rather than allowing them universally.
However, I wasn’t done. I looked at the list of cookies after I’d authenticated, and saw that Facebook had been added to the list. I changed my preference back to disallowing third-party cookies, but added an exception to always allow cookies from Facebook. This worked!
The interesting thing is that I’d already set an overall policy to allow all cookies. (I use an extension to more finely control the deletion of cookies.) It seems that the “Exceptions” list does double duty and applies to both overall cookie policy and to third-party cookies at the same time.
(Also interesting is that I’m still blocking popups for both BlogTO and Facebook—and my comments work despite this. Either Firefox is doing something intrinsically different than SeaMonkey, something has changed, or I was just mistaken about needing to allow popups in this situation.)
But the bottom line is that my browser is now secure from “spying”—except from Facebook.