What’s wrong with this picture?
Yes, that’s right, I am using Google’s incognito mode and Clicker knows exactly who I am!
I have previously blogged here and here about Facebook’s instant personalization, but let me spell it out for you. Facebook “Instant Personalization” destroys Google Chrome’s “Incognito mode”. There is nothing incognito about opening a clean browser with no cookies and going to a website you have never visited before and being called by name with your picture on the web page. Facebook and “Instant Personalization” partner sites deliberately ignore your obvious and explicit instructions NOT to track you.
In October 2010, Gigaom.com posted an article (http://gigaom.com/2010/10/13/bing-launches-facebook-instant-personalization/) that claimed “Microsoft today launched social search features for Bing created in partnership with Facebook. The two companies are teaming up to take on their common enemy: Google.” Perhaps there is truth to that.
It is mind-boggling that Microsoft’s Bing made an end run around the Microsoft Internet Explorer team by also defeating IE9’s “InPrivate Browsing”, and poor Mozilla was caught in the crossfire as Microsoft and Facebook sneak around Firefox’s Private Browsing feature as well. Apple’s Safari browser’s privacy mode was also hunted down and shot.
Let’s call it like it is. Facebook rolls out a “feature” that deliberately overrides a user’s explicitly expressed desire to browse in privacy without tracking. Perhaps I should be thanking Facebook for exposing the pure and utterly misleading notion that these browsers offer a “private” browsing experience. You might be interested to see how much information your browser reveals by going to https://panopticlick.eff.org and running their test. In the meantime, we’ll do a bit more investigating here to see if we can determine, or maybe Facebook will simply tell us, how they are running around the browser privacy modes.
It is true that in the above example “Clicker.com” does offer to let me disable their unauthorized Facebook-enabled spying; however, this does not happen until private browsing has already been subverted by Facebook. It would be very interesting if a legal team put these tactics to the test of whether or not it qualifies as unauthorized access to deliberately defeat “in private” browsing features without informed consent.
Having worked at Microsoft, I can imagine how completely frustrating it must be for internal Microsoft privacy advocates to have to stand idly by and watch Bing override Internet Explorer’s “InPrivate” browsing feature. Perhaps for IE10 Microsoft can make more open labels and claims of what the browser can really do.
The whole issue would have been avoided had Facebook had the decency to let users choose BEFORE they sabotage your browser and privacy.
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
Author ESET Research, ESET