Facebook and Microsoft De-cloak Chrome – MS Neuters Their Privacy Advocate

What’s wrong with this picture?

Yes, that’s right, I am using Google’s incognito mode and Clicker knows exactly who I am!

I have previously blogged here and here about Facebook’s instant personalization, but let me spell it out for you. Facebook “Instant Personalization” destroys Google Chrome’s “Incognito mode”. There is nothing incognito about opening a clean browser with no cookies and going to a website you have never visited before and being called by name with your picture on the web page. Facebook and “Instant Personalization” partner sites deliberately ignores your obvious and explicit instructions NOT to track you.

In October 2010 Gigaom.com posted an article http://gigaom.com/2010/10/13/bing-launches-facebook-instant-personalization/ that claimed “Microsoft today launched social search features for Bing created in partnership with Facebook. The two companies are teaming up to take on their common enemy: Google.” Perhaps there is truth to that.

It is mind-boggling that Microsoft’s Bing ran an end game around the Microsoft Internet Explorer team by also defeating IE9’s “InPrivate Browsing” and poor Mozilla was caught in the crossfire as Microsoft and Facebook sneak around Firefox’s Private browsing feature as well. Apple’s Safari browser’s privacy mode was also hunted down and shot.

Let’s call it like it is. Facebook rolls out a “feature” that deliberately over-rides a user’s explicitly expressed desire to browse in privacy without tracking. Perhaps I should be thanking Facebook for exposing the pure and utterly misleading notion that these browsers offer a “private” browsing experience. You might be interested to see how much information your browser reveals by going to https://panopticlick.eff.org and running their test. In the meantime we’ll do a bit more investigating here to see if we can determine or maybe Facebook will simply tell us how they are running around the browser privacy modes.

It is true that in the above example “Clicker.com” does offer to let me disable their unauthorized Facebook enabled spying, however this does not happen until private browsing has already been subverted by Facebook. It would be very interesting if a legal team put these tactics to the test of whether or not it qualifies as unauthorized access to deliberately defeat “in private” browsing features without informed consent.

Having worked at Microsoft I can imagine how completely frustrating it must be for internal Microsoft privacy advocates to have to stand idle and watch Bing override Internet Explorer’s “InPrivate” browsing feature. Perhaps for IE10 Microsoft can make more open labels and claims of what the browser can really do.

The whole issue would have been avoided had Facebook had the decency to let users choose BEFORE they sabotage your browser and privacy.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America

Author , ESET

  • Leo Davidson

    If Facebook can do it then phishers can do it as well.
    Isn't it, in a way, a good thing that Facebook is exposing the flaws in the private browsing modes so that the browser makers can fix them? I doubt Facebook had good intentions here but, at the end of the day, if the browsers had implemented their private browsing features properly then what Facebook is doing would not be possible, so at least some of the blame lies with the browsers, surely.

  • Ralf Muschall

    Is there anybody who is not found to be unique on Panopticlick?  It migt be possible to use a freshly installed OS with no patches and a fresh Browser with no extensions, but nobody could work with something like this.  Each of the entries about system fonts and Browser Plugins alone is sufficient to identify me, and I guess that this is true almost everywhere (at least I haven't not yet heard about a global movement to install lots of fonts and plugins that only few people need just in order to be able to hide among them).

  • Leo Davidson

    I think we (myself included) may have been confusing ourselves about the purpose of private browsing features in browsers, too.
    They are not so much about preventing the website (nor your ISP etc., obviously) from being able to identify you. Your IP address is usually a giveaway there by itself.
    They are about not leaving a trace of what you have visited *on your own computer*. i.e. Their typical use is for husbands to hide the sites they've been visiting from their wives. :)

  • Foxy

    Leo, I so get what you are saying, and it makes total sense.  If I was an exec working for Microsoft I would be pushing for that exact feature to be there.  That is because I would be a self centred money hungry pig without a conscience.
    Why can't we have a system that allows us to surf the wilds of the net without a trace left behind both on our computer or any of the systems we touch.
    Well you kind of can but it's complicated and annoying but it can be done.

  • Harryh

    I think it is a hoot. I only converse with my daughter in Belgium and a friend in sweden. The adds in my home screen are all french and swedish, hillarious really

  • Stuart

    Facebook – the 'News of the World' of social networking – soon you will be joining the NOTW.

  • Paul

    facebook and rottentomatoes share data using thirdparty cookies.  IMO, thirdparty cookies should be disabled by default, but for Chrome you can disable it using a hidden setting:
    Go to "about:flags" and enable the setting "Block all third-party cookies". You might have to clear your cookies once, but then the sites won't be able to share your ID anymore.

Follow us

Copyright © 2017 ESET, All Rights Reserved.