Facebook & CA are bad. This is worse.

T.Rob
4 min read, Mar 26, 2018

Before you delete your Facebook account, go have a look at the No Boundaries series by Princeton U. Facebook was irresponsible as a data custodian but hundreds of thousands of web sites from small to large allow 3rd parties to keystroke log all your activity on their site, including capturing the account creation, the profile information you enter, and all transactional data.

So let’s say you create an account on such a web site. The 3rd party (or, in most cases, parties) now has your account credentials and your account recovery questions and answers, and can log onto your account at will. If you are one of the ~40% of people who reuse passwords, they can log onto other sites where you used the same credentials. Like maybe your bank.

Regulating Facebook’s privacy settings, the honoring of Do Not Track, or what companies can do with data in their custody doesn’t do shit if 3rd parties are keystroke-logging your session.

Now imagine that the 3rd party logging your keystrokes is the FSB in Russia. Sound farfetched? I found scripts from Yandex, the Russian Google equivalent, on the account creation pages of Ring, several lyrics web sites, sites for gamers, sites for racing enthusiasts, retail web sites, and one of the largest adult content payment gateways on the Internet. If you paid for content on Porn Hub without blocking their scripts, Yandex has your login info, credit card info, and knows all your kinks. Do you think that might be a problem?

I have spent the last year trying to bring attention to this, well before the first No Boundaries post went up. I reported to the FBI and to senators on the Intel and Banking committees. I’ve sent tips to dozens of reporters and news desks. I pestered the EFF. I’ve tweeted incessantly, as some of you know. I haven’t gotten a single response but at least as of November the Princeton researchers have confirmed it’s as bad as I have been describing. Now I’m telling you.

There are 2 things you can do.

The first is to stop the script from running in the first place. If you install NoScript you will be miserable on the Internet, but you will be safer. Ad blocking and cookie management tools don’t touch this. Pi-Hole works, but because it is a blacklist it is easily defeated. Only script blocking tools work here. Using your phone doesn’t help, and in fact makes it worse, since apps lack signalling such as the lock icon in a browser’s address bar.

If you are getting the idea that no normal person can use the web safely because of this, and that technical mitigations are effective only for tech geeks, you would be correct. So the second thing you can do is to ask your favorite news desk or journo why they are not covering this. As badly as Facebook and Cambridge Analytica have acted, this makes their breach look tame.

The No Boundaries series is linked below. There’s a lot of deep technical data to wade through in some of these posts, so the claims are verifiable, and Princeton has released a trove of research in addition to that. The first one, “Exfiltration of personal data by session-replay scripts”, describes the basic problem, but the researchers don’t appear at that time to have realized that the scope of the exposure is actually all 3rd party scripts.

The post “Website operators are in the dark” explains why this is so ubiquitous. When you get services like Facebook for free, you pay with your data. When web site owners get services for free, they often pay by running keystroke logger scripts on your device while you browse their site. They don’t know the danger they have exposed you to, and who turns down free?

Contact your favorite tech reporter or news desk and ask why this is not being covered. Give them the link to the No Boundaries series. If you want them to know about the Yandex bits (which Princeton hasn’t written about) refer them to me. And if you can stand to use the Internet with scripts blocked, install NoScript and make sure NOTHING runs on the account creation, recovery, or management pages other than the primary web site’s own scripts.
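The last point can also be checked from the site operator’s side. The following is an added example, not code from this post or from the Princeton researchers: given a page’s URL and the src of every `<script>` it loads, it classifies each script host as first party or third party, and builds a Content-Security-Policy `script-src` value that lets only the site’s own scripts run on account pages. The hostnames and the script list are constructed placeholders, and “first party” is simplified to the page’s own hostname plus its subdomains.

```javascript
// Added example (not from the post): audit which hosts a page loads scripts from
// and build a CSP that permits only the site's own scripts.

// First party here means the page's own hostname or a subdomain of it. This is a
// deliberate simplification: it does not consult the public suffix list, so a
// site hosted under a shared platform domain would need a stricter rule.
function isFirstParty(scriptSrc, pageUrl) {
  const page = new URL(pageUrl);
  const script = new URL(scriptSrc, pageUrl); // relative src values resolve against the page
  return script.hostname === page.hostname || script.hostname.endsWith("." + page.hostname);
}

// scriptSrcs: the src attribute of each <script> element ("" for inline scripts).
// Returns sorted, de-duplicated host lists so the output is easy to diff across page loads.
function auditScripts(scriptSrcs, pageUrl) {
  const first = new Set();
  const third = new Set();
  for (const src of scriptSrcs) {
    if (!src) continue; // inline script: no external host to classify
    const host = new URL(src, pageUrl).hostname;
    (isFirstParty(src, pageUrl) ? first : third).add(host);
  }
  return {
    firstPartyHosts: [...first].sort(),
    thirdPartyHosts: [...third].sort(),
  };
}

// A Content-Security-Policy header value that lets only same-origin scripts run.
// extraHosts lets an operator allow a CDN it controls; an empty list matches the
// post's advice for account creation, recovery and management pages.
function firstPartyOnlyCsp(extraHosts = []) {
  const sources = ["'self'", ...extraHosts].join(" ");
  return `script-src ${sources}; object-src 'none'; base-uri 'self'`;
}

// Constructed sample: an account-creation page and the scripts it loads.
// Hostnames are placeholders, not real sites.
const SAMPLE_PAGE = "https://shop.example/account/create";
const SAMPLE_SCRIPTS = [
  "/static/app.js",                          // first party, relative src
  "https://cdn.shop.example/vendor.js",      // first party, subdomain
  "https://analytics.example.net/replay.js", // third party
  "https://tracker.example.org/tag.js",      // third party
  "",                                        // inline script, skipped
];

const report = auditScripts(SAMPLE_SCRIPTS, SAMPLE_PAGE);
console.log("third-party script hosts:", report.thirdPartyHosts);
console.log("CSP for account pages:", firstPartyOnlyCsp());
```

In a browser the script list comes from `Array.from(document.scripts, s => s.getAttribute("src") || "")` with `location.href` as the page URL. Two caveats: a hostname says nothing about what a script does, and a first-party host can still serve a vendor’s script, so the CSP is only as good as the operator’s review of what it allows; NoScript gives the user the same outcome from the other side of the connection.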

The feed of No Boundaries posts from Princeton is here:
https://freedom-to-tinker.com/tag/noboundaries/feed/
