Facebook - Defensive Computing

FACEBOOK

No doubt there are many defensive strategies for Facebook (aka Meta), with the strongest one being avoidance. That's what I do. This section may be a bit haphazard because not being a Facebook user, I can't verify things.

It is safer to use the Facebook website as opposed to their mobile app. Better yet, use private browsing mode. Better still, use the Facebook website from a Chromebook in Guest Mode.
March 16, 2023: Don't get hacked on Facebook. Do these 6 things now by Heather Kelly for the Washington Post. The article starts out noting that it is a million times easier to prevent a Facebook hack than it is to fix one after the fact. Among the defensive steps: 2FA, use better passwords (rounding up the usual suspects) and insure that Facebook has a current email address on file for you. Also, be alerted to all log-ins to your account (see article below from Facebook). So that you don't get scammed, the article warns that Facebook will never text, email or call you to ask for your log-in information or the two-factor authentication code. The article also discusses backing up Facebook data, saying an entire account can be saved (contacts, posts and other information). Photos on Facebook can also be copied to other services.
Get notified if a bad guy logs into you Facebook account. See Get alerts about unrecognized logins to Facebook from Facebook (undated, of course). The alerts occur when someone tries logging in from a device or web browser that Facebook does not recognize. The alerts will tell you which device tried logging in and where it's located. A list of recent devices that have logged into your Facebook account can be found in your Security and Login Settings.
How to remove your phone number or email from Facebook, even if you have no account by Martin Brinkmann (Nov 2022). Facebook may have the email address or phone number, of people who never signed up for the service. They published a tool in mid-2022 to remove personal information from the site. They did not announce the tool and it is not widely known. Read about it here. The URL is facebook.com/contacts/removal
April 4, 2023: No bullsh*t opt-out: Free noyb tool for quick and broad Facebook objections is now online! New tool to opt out of targeted advertising. More: Welcome to noyb’s Meta Opt-Out Tool!.
FACEBOOKS SPYING PIXEL
The Facebook tracker pixel is the main way that Facebook spies on people. It is JavaScript code (usually) that companies put on their websites to report back to the Facebook mother ship. The NSA must be so jealous.
- An example of spying via the Facebook Pixel Tax Filing Websites Have Been Sending Users' Financial Information to Facebook from The Markup (November 22, 2022). Among the services doing this: TaxAct, TaxSlayer, and H&R Block. Ars Technica also wrote about this: Major tax-filing websites secretly share income data with Meta by Ashley Belanger (Nov 22, 2022). Neither article says anything about defending yourself, so each qualifies as scare mongering click bait.
- A quick look at the documentation (links below) shows that it should be possible to block the Facebook Pixel. If it is implemented via JavaScript, then it is loaded from connect.facebook.net which can be blocked. If it is implemented as an IMG (image) element, then it is loaded from www.facebook.com which people that do not have Facebook accounts can block.
- One way to block these sub-domains is with DNS. A service such as NextDNS lets you specify domains and sub-domains that should be blocked. NextDNS offers free starter accounts. Every desktop web browser offers secure/encrypted DNS as an option and if you point this to your NextDNS account, you can block whatever you want, in that one browser. A nice feature of NextDNS is the optional logs. After configuring it to block the Facebook Pixel you can review the logs to verify that the blocking is working.
- Another way to block sub-domains is in your router, either with DNS or parental controls or a firewall rule or whatever. That said, not many routers can block domains. One that can is the Pepwave Surf SOHO.
- A third approach to blocking sub-domains is by modifying the hosts file for your Operating System
- A fourth approach is to use a DNS service provided by a VPN. The one from Windscribe is excellent for this.
- In addition to the sub-domains above, you might also want to block: graph.facebook.com, api.facebook.com, apps.facebook.com, staticxx.facebook.com and web.facebook.com.
- Meta Pixel documentation from Facebook about their Pixel
- Facebook tracker pixel documentation from Facebook
- Facebook has a browser extension intended as a debugging tool for their Meta Pixel. Someone interested in blocking the Pixel can use this to verify that it is really being blocked. See the Meta Pixel Helper documentation from Facebook.
NOTE: These Washington Post articles are written by a non-techie who can only go so far with technical issues. While the advice in these articles can be useful, it is far from complete. For serious blocking of Facebook spying, see the topic above. The public is cheated when the mainstream media does not employ techies to cover tech subjects.
1. How to block Facebook from snooping on you by Geoffrey Fowler for the Washington Post (Aug 2021). Discusses changes that impact what Facebook and Instagram can learn about you outside of their apps.
2. There’s no escape from Facebook, even if you don’t use it also by Geoffrey Fowler (Aug 2021). Discusses why you want to bother making all the changes in the prior article. Quoting: "It isn't just the Facebook app that's gobbling up your information. Facebook is so big, it has convinced millions of other businesses, apps and websites to also snoop on its behalf. Even when you're not actively using Facebook. Even when you're not online. Even, perhaps, if you've never had a Facebook account."
Facebook's surveillance is hard to avoid. They partner with websites, apps and stores to track you when you are not using Facebook. Geoffrey Fowler of WaPo wrote about this in Jan. 2020: Facebook will now show you exactly how it stalks you - even when you’re not using Facebook. The article is focused on a new "Off-Facebook Activity" tool (see it at facebook.com/off_facebook_activity). To be spied on, you don't have to be logged in to the Facebook app or website. Companies can report other identifying information to Facebook, enough to match you to your Facebook account. Fowler found that Home Depot told Facebook when he visited its online store, viewed an item or added an item to a shopping cart. Other spies he found were The Atlantic, Amazon's Ring app, the Peet’s Coffee app and the website for an HIV drug.
To limit this: Settings -> Your Facebook Information -> Off-Facebook Activity -> Manage Your Off Facebook Activity -> Manage Future Activity. Still not done. Click another "Manage Future Activity" button. Curse Facebook. You want the toggle next to "Future Off-Facebook Activity" to be gray. If it is blue, click it, then click "Turn Off"
10 Facebook Marketplace Scams to Watch Out For by Tim Brookes for HowToGeek. February 2022. The scams covered are: Shipping Insurance, Sellers Requesting Payment in Advance, Sellers and Buyers Who Take the Transaction Elsewhere, Fake House and Apartment Rental Listings, Car Deposit and Vehicle Purchase Protection, Stolen or Faulty Goods, Gift Cards, Identity Fraud and Personal Information Harvesting, Overpayment Refunds and, of course, Fake Goods.
This article from Malwarebytes Labs, Facebook users targeted in massive phishing campaign, has a section with Tips to avoid Facebook phishing. by Christopher Boyd June 2022.
Giving Facebook less data is a good idea. Even better: Just use it less by Rob Pegoraro in Fast Company (June 2020). You can take some steps to limit how much Facebook knows about you. But as long as you use the service, it can monetize your interests and activity.
To see information Facebook knows about your activity in other apps and on other websites, see Off-Facebook Activity. From Facebook, you can get to the same data with Settings -> Your Facebook Information -> Off-Facebook Activity. This was introduced in Jan. 2020. Fowler (above) suggests clicking on "Clear History" to remove that data. To have Facebook stop using your off-Facebook activity, look for "Manage Future Activity" and then make sure "Future Off-Facebook Activity" is turned off. Note the word "using" - they will still collect the data.
See the devices that are logged in to your account here. It should also show approximately where in the world those devices are located.
FACEBOOK CONFIGURATION ARTICLES
- 16 Settings to Make Facebook Less Evil (or at Least More Private) by Pranay Parab for Life Hacker (Nov 2021)
- Facebook privacy settings to change now Washington Post (Sept. 2021)
- 7 Important Facebook Privacy Settings to Change Right Now by Tim Brookes (June 2021). The article covers: Delist Your Profile from Search Engines, Make Your Friends List Private, Restrict Visibility of Your Older Posts En Masse, Enable Timeline Review, Disable Facial Recognition, Restrict How You Are Found on Facebook, Review Connected Apps and Websites and Preview How Others See Your Profile.
- Guide to Facebook Privacy and Security Settings by Larry Magid, for ConnectSafely (January 28, 2021)
- Cybersecurity 101: Protect your privacy from hackers, spies, and the government by Charlie Osborne and Zack Whittaker of ZDNet (Dec. 2020) has some tweaks for Facebook settings.
- How to Use Facebook Privacy Settings by Thomas Germain of Consumer Reports. Last updated Sept. 2019.
- How To Stop Facebook From Blabbing Out Your Phone Number by Monica Chin (March 2019)
- Basic Privacy Settings & Tools from Facebook. Quite long. Undated.
- Hands off my data! 15 default privacy settings you should change right now by Geoffrey Fowler in Washington Post (June 2018).
  Suggestions from the article:
  1. In Timeline settings turn on the option to review posts you are tagged in before the post appears on your timeline. Settings -> Timeline and Tagging -> Review section -> enable both options.
  2. In the Facial Recognition settings, set "Do you want Facebook to be able to recognize you in photos and videos?" to No.
  3. In the Ad Preferences settings: Under Your information, turn off ads based on your relationship status, employer, job title and education. Under Ad settings, set "Ads based on data from partners" and "Ads based on your activity on Facebook Company Products that you see elsewhere" to Not allowed. Also, set "Ads that include your social actions" to No One.
The Facebook Privacy Checkup is incomplete. Your profile information should be set to "Friends of Only Me" which, in English, means private. Also, set "Future Posts" and "Stories" to "Friends" and click the button for "Limit Past Posts" and select "Limit" More.
Check the Facebook Privacy Shortcut
Configure: In Settings --> Your Facebook Information --> Access Your Information --> Profile Information --> About --> Contact and Basic Info, set your birthday to "Only Me"
CONFIGURE FACEBOOK: Privacy Settings:
1. Profile and Tagging -> Reviewing. set both item to On
2. Change "Who can see your friends list" from Public to Friends or Only me.
3. Consider only letting friends see your posts rather than making them public.
4. Consider changing who can send you friend requests. It defaults to Everyone. Another option is "Friends of Friends."
5. Consider restrictions for "How people can find and contact you."
6. Turn off Location and Face recognition.
7. Set the default privacy setting for future posts to "Friends".
8. Restrict the visibility of your past posts to Only Friends with "Limit The Audience for Old Posts on Your Timeline" -> Limit Last Posts. Anything that was shared publicly or with friends of friends will be changed.
9. Set your phone number "Friends" or "Only Me"
10. At Ads -> Ad Settings there is much to change. Under "Categories used to reach you" de-select all details about yourself. Remove anything under "Interest categories" and "Other categories". Set "Ads shown off Facebook" to "Not Allowed". Under "Social" select "Only me" for who can see what ads you have liked.
11. Clearview AI does facial recognition and was profiled in the New York Times (Jan. 2020). They copy pictures from many sources including Facebook. To block them, change a privacy setting, so that search engines can not link to your profile.
Configure: For help configuring Facebook for maximum privacy, consider the Jumbo mobile app. There are links to it in both the iOS and Android topics.
Don't share: your birthday, your current location or that you will be away from home for a while.
Goes without saying: use a long password for Facebook, and one that you do not use anywhere else.
In Ad Preferences you can see how Facebook has categorized you.
Location: How to disable Facebook location tracking by Jack Wallen (Oct 2019). Understanding Updates to Your Device’s Location Settings by Facebook (Sept 2019) is about new Location settings in Android 10 and iOS 13. How to stop Facebook from tracking your location by Lori Gil (March 2018). Thinking bigger, see the section here on Location Tracking.
PERIODIC FACEBOOK MAINTENANCE:
1. The Facebook Settings page is always changing so review it from time to time.
2. Remove old devices that still have access to your account at the Security and Login page, in the Where You're Logged In section.
3. Remove old apps that still have access to your account at the Apps and Websites page. Settings -> Apps and Websites.
Mozilla created a Facebook container extension for Firefox. They claim it prevents Facebook from tracking you around the web. What it can not do, is block Facebook tracking on iOS or Android.
Are you ready? Here is all the data Facebook and Google have on you by Dylan Curran for The Register (March 2018)
HACKED FACEBOOK ACCOUNTS
- Defense: Your Facebook password should not be used for anything else.
- Defense: Your Facebook email address should not be used for anything else. It should also be one that still works. See Add or remove an email address from your Facebook account from Facebook.
- Defense: Articles suggest using Two Factor Authentication and may give you the impression that it's perfect. It is not. There are different types of 2FA. Any free and easy type will not be as secure as an expensive and harder to use type. See How two-factor authentication works on Facebook from Facebook.
- Official starting point: www.facebook.com/hacked
- Hello? Hello? Is This Facebook? Anybody There? (Nope.) by Kirsten Grind in the Wall Street Journal (May 2022). Beware IT charlatans who tout their expertise in restoring Facebook accounts. Thousands turn to JustAnswer, a website that connects people with experts in various industries. A Reddit post suggested that people locked out of their account seek help from a specific employment lawyer. He helped one person. Another person purchased a $300 Oculus virtual-reality headset (it is now called Meta Quest) because it has a dedicated customer-service phone number. This worked. In March, Facebook introduced Facebook Protect, which it said added another layer of security to some accounts. Some users said the new feature instead blocked them from accessing Facebook.
- Recovering locked Facebook accounts is a nightmare. That’s on purpose. by Tatum Hunter in the Washington Post (September 2021). Hacked.com is a service for people locked out of online accounts. The article mentions someone who paid them $500 to get back into their Facebook account. The article offers two different procedures for getting back into a hacked Facebook account.
- Your Facebook Account Was Hacked. Getting Help May Take Weeks - Or $299 NPR All Things Considered (August 2, 2021). One person only got Facebook's system to accept her driver's license after she covered up everything but her name and photo with a Post-it note. Someone purchased a $300 Oculus Quest 2 just for access to Facebook customer support. It worked and he plans to return the device without ever having used it.
- FYI: The long, lonely wait to recover a hacked Facebook account by Tatum Hunter (November 2022). Facebook has no real customer support. This is always the cost for a free service. Hacked.com helps victims recover hacked Facebook accounts. When Facebook users can't get help, they turn to the ITRC or Federal Trade Commission, which collects complaints about online fraud.
- FYI: It is so hard to recover a hacked Facebook account, that a black market has sprung up. Facebook employees, even some security guards, would take bribes to restore hacked accounts. From Meta Employees, Security Guards Fired for Hijacking User Accounts by Kirsten Grind and Robert McMillan in the Wall Street Journal (Nov. 2022)
DELETING FACEBOOK CONTENT
- How to Delete Your Old Posts on Instagram, Facebook and Twitter by Dalvin Brown in the Wall Street Journal (Feb. 2022). Discusses the Manage Activity feature that was introduced in 2020 to help people remove large numbers of posts.
- Facebook's Clear History Tools Won't Actually Delete Your Data by Thomas Germain of Consumer Reports (Aug. 2019)
QUITTING FACEBOOK:
1. From Facebook: Deactivating or Deleting Your Account. They say that a deleted account will have all the posts and photos removed after a few days. They say.
2. You've decided to quit Facebook. Here’s how to migrate your online life elsewhere. Washington Post (Oct 2021)
3. How to Permanently Delete Your Facebook Account by Brian Barrett of Wired (Oct 2021). Also has info on downloading your data beforehand. The final section How to Limit Facebook Tracking You is un-informed.
4. Smashing Security podcast episode 75: Quitting Facebook with Graham Cluley, Carole Theriault and Maria Varmazis. (April 2018)
From John Opdenakker (Oct. 2019). If you get a friend request from someone you don't know it's better not to accept it. This might be a scam and your online security and privacy might be in danger. Facebook friends can see all your profile information and even information about your friends. They can abuse this information to scam you and your friends.
See also Facebook Messenger in the Secure Messaging topic.
Background: A Guided Tour of the Data Facebook Uses to Target Ads by Bennet Cyphers of the EFF (Jan 2019). Not much defense offered.
Background: How Facebook and Other Sites Manipulate Your Privacy Choices by Arielle Pardes in Wired (Aug 2020). The article is about how companies use Dark Patterns (confusing language, manipulative interface design) to trick people into saying yes, when they want to say no. One cited example is the Facebook Privacy Checkup.

FACEBOOK BAD

This section is a bit like reminding people that water is wet. Goes without saying. Still, a few reminders:

In October 2020, Leo A. Notenboom had to take a break from Facebook. Quoting: "The divisiveness, the anger, the misinformation, the legions of otherwise rational people ready and willing to accept piles and piles of manure as truth ... become too much" He wrote about using Feedly and RSS as a substitute in My Solution to Social Media Overload.

If You're Not Terrified About Facebook, You Haven't Been Paying Attention by Carole Cadwalladr of The Guardian (July 2020)

In August 2019 we learned that Facebook Paid Contractors to Transcribe Users' Audio Chats (Bloomberg) just like all the providers of Voice Assistants. Contractors (it's always contractors, never employees) transcribed audio from people who opted in to having their Messenger app voice chats transcribed.

Facebook inflated the average time users viewed video on the platform. Facebook to Pay $40M Under Proposed Settlement in Video Metrics Suit October 2019. Professor Scott Galloway summed this up: The viewership metrics were inflated by 150 to 900%. Whole companies shifted their strategy to video. Companies going bankrupt, people losing jobs, FB gets away with 0.18% of annual income ($40M / $22B), a slap on the wrist.

Quite a quote about Facebook: "morally bankrupt pathological liars who enable genocide (Myanmar)" (ZDNet April 2019)

Facebook does not remove bad guys until they are publicly shamed in a high profile way (Brian Krebs, April 2019)

Mark Zuckerberg leveraged Facebook user data to fight rivals and help friends, leaked documents show NBC News April 2019