Blocking facebook's open graph

Posted on 2010-05-18 16:00

The number of sites that are partnered with Facebook to share your personal information is growing. If you've been under a rock for the last month then you might have missed the big news that Facebook's CEO Mark Zuckerberg unveiled what he called "the most transformative thing we've ever done on the web", something he called Open Graph, at the Facebook F8 conference. Open Graph is a great name for the new initiative because its aim is to open up all the information that Facebook users previously thought of as being private. Speaking personally, I have no real problem with sharing information - that's what the web is supposed to be all about, but for people who are still relatively inexperienced when it comes to computing and web technologies the changes at Facebook may come as a bit of a surprise. Many users have come to the disturbing realization that personal information which they credibly believed to be 'private' or available only to selected users has turned out instead to be the property of the site on which they entered it, and that they have relatively little control over it at all. Pictures, relationships, interests, friendships, personal data like birthdates and children's names have all (incredibly) been offered up without much question to a private firm which now intends to share that information with marketing partners (everyone) with little concern for whether you wanted to share it or not.

And apparently, the changes haven't really been well thought out - as this article points out, it might prove trivial to construct a very damaging hack around this new API which compromises a site using it or even Facebook itself.

The idea of Open Graph is to make browsing the web more social - to empower the boring old web with interactive recommendation engines providing nifty Like buttons on articles and making it easier to share things of interest with your circle of friends. A fledgling step toward a true Semantic Web. Facebook (and all businesses) know that a recommendation of a product from a friend is more powerful than a faceless, nameless advertising promotion. This is where Facebook provides value to business - it can provide the social context of visitors and eventually help these sites tailor their marketing to us so that we are more effectively sold to. I'd like to think that I am able to decide for myself what interests me, and that I don't need a carefully constructed sales pitch based on past social interactions and personal interest preferences to pre-decide what news or products I should be presented with. A real fear of mine in permitting myself to be treated in this manner is that soon I might only hear one kind of news or one sort of story because it is what the marketers believe I am most susceptible to. The danger of this kind of technology is that it might actually reduce our experiences to a very small subset of what we'd otherwise be able to enjoy.

My first run-in with Open Graph was when a friend posted a news article from Fox News on his wall. I was interested in the article and clicked to read it. The Fox News site opened up, and at the bottom of the article was a little picture of my friend (his Facebook profile picture) and the number of other people on Facebook who "liked" that story. I realized immediately that Facebook (to which I was still logged in) was sharing the fact that I (Nate) was reading that article, and that my friend had recommended it to me. What other information from my profile had been shared (friend list, relationships, etc.) was unknown. I was disturbed by this, and immediately looked for a way to block it.

Soon afterward Facebook friends were posting about the Facebook privacy setting for applications and websites called the "instant personalisation pilot program", which provided a nice little checkbox you could uncheck that supposedly stopped sharing profile info with partner sites. Unchecking this did absolutely nothing, however. New sites I visited were obviously still pulling my Facebook profile information, and in fact upon re-viewing the setting I found it checked again! ReadWriteWeb, a site I've read for several years, had a little box of faces and I noticed another friend's profile picture among them. Obviously the site was communicating with Facebook or it wouldn't know to put my friend's picture so prominently there. CNN was another culprit, and soon I found nearly every online newspaper I looked at anywhere was deploying it as well. Facebook lets you know in fine print that your friends can still share public info about you even if the little checkbox is off anyway. That means that when your friends post a story from a partner site and you click on the link to view it, Facebook will share the fact that you clicked that link with the site (and possibly deliver some other information as well). You'll notice that on Facebook all links to external sites are actually Facebook URLs that magically transform into the real URL after you click them; that's how they look up and log all that juicy interactive info.

The best idea of course would be to just cancel my account on Facebook (after deleting all the content, of course), but that would take forever (unless I used Web Suicide Machine) and I would no longer be able to administer or post to the Bardic Circle fan page, and of course sharing little videos or funny stories with a large group of friends is fun. Since I'm probably not going to just give up on using Facebook entirely, what else can be done? One way to avoid the interaction between Facebook and the partner sites is to log out of Facebook entirely before visiting any other site, but I'm a power user and usually have a zillion tabs open at a time working on various things - I'm not going to remember to log out every time I leave that tab. Another idea might be to use a separate browser for Facebook only, but that's not practical either.

I've always been a Mozilla / Firefox user, mostly because of that browser's plugin functions. One such plugin, NoScript, makes surfing the web a major pain in the ass. It blocks all JavaScript, Flash and Java from running until you specifically allow it to. You can permanently allow a site you trust, or never allow a site to run scripts. Not only does this plugin protect you from viruses (if you're unfortunate enough to still be tied to Windows) but it also provides a powerful means of blocking the interaction between Facebook and its partner sites. In the NoScript options, on the Advanced tab, choose ABE. Click to enable ABE if it isn't already checked. Click the USER ruleset and edit it. Add the following code:

# Requests to facebook.com (and any subdomain) are only accepted
# when they originate from Facebook or its CDN; everything else is denied.
Site .facebook.com
Accept from .facebook.com *.facebook.com .fbcdn.net *.fbcdn.net
Deny

# Same rule for the fbcdn.net CDN, so Like-button assets can't be
# pulled by third-party pages either.
Site .fbcdn.net
Accept from .facebook.com *.facebook.com .fbcdn.net *.fbcdn.net
Deny

and enable it or hit OK.

This basically sets NoScript to only allow connections to Facebook domains when the asking site is a Facebook domain. If CNN.com were to try to make a connection back to Facebook it would be denied. Warning: the result will not be pretty. When you visit a site that is attempting to share information with Facebook about you, a nasty yellow bar appears with a message about which rule was violated to cause the block. This can be closed, but will reappear next time you load the page. Annoying, but less annoying than handing out my private info without asking me first, or building a database of things I read and sharing it with unknown "partners". I may yet end up quitting Facebook entirely, but for now I'm just flying under the radar.
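To make the rule evaluation concrete, here is an added example (my own illustration, not NoScript's code) that models how ABE applies the two rules above to a request's origin host and destination host. The matching semantics it assumes (".host" covers the host and its subdomains, "*.host" only subdomains, first matching action wins, destinations no rule covers are left alone) are a simplification of ABE.

```python
# Added example, not NoScript's own code: a small model of how ABE applies the
# two rules above. Assumed semantics: ".host" matches the host and its
# subdomains, "*.host" matches subdomains only, rules are checked in order and
# the first action whose "from" list covers the origin wins ("Deny" alone = any).
RULESET = """
Site .facebook.com
Accept from .facebook.com *.facebook.com .fbcdn.net *.fbcdn.net
Deny

Site .fbcdn.net
Accept from .facebook.com *.facebook.com .fbcdn.net *.fbcdn.net
Deny
"""

def host_matches(pattern, host):
    """Return True if host is covered by an ABE host pattern."""
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):          # subdomains only
        return host.endswith(pattern[1:])
    if pattern.startswith("."):           # the domain itself or any subdomain
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern                # exact host

def parse_rules(text):
    """Parse ABE text into [(site_patterns, [(action, from_patterns), ...]), ...]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "Site":
            rules.append((words[1:], []))
        elif words[0] in ("Accept", "Deny"):
            froms = words[2:] if len(words) > 2 and words[1] == "from" else ["*"]
            rules[-1][1].append((words[0], froms))
    return rules

def evaluate(rules, origin, destination):
    """Decide whether a request from origin to destination is allowed."""
    for sites, actions in rules:
        if not any(host_matches(p, destination) for p in sites):
            continue
        for action, froms in actions:
            if any(host_matches(p, origin) for p in froms):
                return action
    return "Accept"   # destination not covered by any rule: ABE stays silent
```

Run evaluate(parse_rules(RULESET), "www.cnn.com", "www.facebook.com") to see the CNN case from the paragraph above come back as "Deny", while a request from www.facebook.com to static.ak.fbcdn.net is accepted.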