add content/posts/2025-06-07-uninstall-facebook.mdHEADmain

1 files changed, 126 insertions, 0 deletions

diff --git a/content/posts/2025-06-07-uninstall-facebook.md b/content/posts/2025-06-07-uninstall-facebook.md
new file mode 100644
index 0000000..e8a8701
--- /dev/null
+++ b/content/posts/2025-06-07-uninstall-facebook.md
@@ -0,0 +1,126 @@
+---
+slug: uninstall-facebook
+title: "Uninstall Facebook"
+date: "2025-06-07T18:08:27-04:00"
+---
+You should immediately remove the Facebook and Instagram apps from your
+Android devices:
+
+> We disclose a novel tracking method by Meta and Yandex potentially
+> affecting billions of Android users. We found that native Android
+> apps—including Facebook, Instagram, and several Yandex apps including
+> Maps and Browser—silently listen on fixed local ports for tracking
+> purposes.
+>
+> ...
+>
+> This web-to-app ID sharing method **bypasses typical privacy protections
+> such as clearing cookies, Incognito Mode and Android's permission
+> controls. Worse, it opens the door for potentially malicious apps
+> eavesdropping on users’ web activity.** (emphasis mine)
+
+[Source][local mess]
+
+[Ars Technica][] also has [an excellent summary][].
+
+In English: If you have the Facebook app or Instagram app installed on
+your Android device, then Meta may have collected your identity and your
+browsing history.
+
+This is true even if you don't have a Facebook account.  It's true even
+if you don't use the Facebook app.  It's true even if you took steps to
+hide your browsing history like clearing cookies or using a private
+browser window.
+
+On June 3rd, Meta claimed that the code responsible had "been almost
+complete removed"; this is [weasel wording][] which actually means "the
+code has not been removed".
+
+Even if Meta actually did remove the code from their apps, there are
+still several problems:
+
+1. Meta has an [atrocious privacy record][].  It would be foolish to
+   take Meta at their word and they have a strong incentive to try
+   this again or something similar in the future.
+2. Removing code does not address the information Meta has already
+   collected.  This information could be leaked in a data breach or
+   subpoenaed by law enforcement.
+3. Malicious or [trojaned][] apps could listen on the same local ports
+   and collect the same information.  The [Local Mess][] researchers
+   demonstrated this with a proof-of-concept app.
+
+Additional privacy recommendations:
+
+1. [Stop using Google Chrome][ditch-chrome].  I recommend [Firefox][]
+   with [uBlock Origin][] and some [configuration
+   changes][firefox-privacy].  Other folks swear by [DuckDuckGo Browser][],
+   but I haven't used it personally.  See also: [The case for ditching
+   Chrome][vox-chrome].  If you really do need Chrome or Edge, then at
+   least install [uBlock Origin Lite][].
+2. Stop using Google Search.  I recommend [DuckDuckGo][].
+3. Switch from MacOS or Windows to [Linux][].  I recommend [Ubuntu][]
+   for new users.  I use [Debian][] personally.  If you really do need
+   Windows, at least [disable Windows telemetry][].
+4. Switch from text messaging and WhatsApp (owned by Meta) to [Signal][].
+5. Set up [Pi-hole][] on your home network.  It has an easy-to-use web
+   interface and can help block ads and tracking on mobile devices and
+   "smart" TVs.
+6. Consider [Tor Browser][] or [Tails][] if the you need more protection
+   and are willing to accept some tradeoffs.
+
+Further reading: [Surveilance Self Defense][ssd]
+
+[local mess]: https://localmess.github.io/
+  "Local Mess: Tracking method used by Facebook, Instagram, and Yandex Android apps which bypasses privacy protection."
+[atrocious privacy record]: https://en.wikipedia.org/wiki/Privacy_concerns_with_Facebook
+  "Privacy concerns with Facebook (Wikipedia)"
+[ars technica]: https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/
+  "Ars Technica"
+[an excellent summary]: https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/
+  "Ars Technica: Meta and Yandex are de-anonymizing Android users’ web browsing identifiers"
+[weasel wording]: https://en.wikipedia.org/wiki/Weasel_word
+  "Weasel word: Word or phrase aimed at creating an impression that something specific and meaningful has been said, when in fact only a vague, ambiguous, or irrelevant claim has been communicated (Wikipedia)"
+[fingerprint]: https://www.amiunique.org/fingerprint
+  "fingerprint"
+[trojaned]: https://en.wikipedia.org/wiki/Trojan_horse_(computing)
+  "Trojan horse (Wikipedia)"
+[firefox]: https://www.mozilla.org/en-US/firefox/new/
+  "Mozilla Firefox web browser"
+[ublock origin]: https://en.wikipedia.org/wiki/UBlock_Origin
+  "uBlock Origin ad-blocker"
+[ditch-chrome]: {{< relref "posts/2023-12-02-firefox-redux.md" >}}#why-ditch-chrome
+  "Why Ditch Chrome?"
+[brave]: https://en.wikipedia.org/wiki/Brave_(web_browser)
+  "Brave web browser"
+[duckduckgo browser]: https://duckduckgo.com/app/
+  "DuckDuckGo web browser"
+[firefox-privacy]: https://cyberinsider.com/firefox-privacy/
+  "Firefox Privacy Checklist"
+[duckduckgo]: https://duckduckgo.com/
+  "DuckDuckGo search engine"
+[tor browser]: https://www.torproject.org/download/
+  "Tor Browser"
+[tor network]: https://www.torproject.org/
+  "Tor network"
+[linux]: https://en.wikipedia.org/wiki/Linux
+  "Linux operating system"
+[debian]: https://debian.org/
+  "Debian Linux"
+[ubuntu]: https://ubuntu.com/
+  "Ubuntu Linux"
+[disable windows telemetry]: https://windowsreport.com/disable-windows-11-telemetry/
+  "Disable Windows 11 telemetry"
+[pi-hole]: https://en.wikipedia.org/wiki/Pi-hole
+  "Pi-hole"
+[raspberry pi]: https://en.wikipedia.org/wiki/Raspberry_Pi
+  "Small single-board computer."
+[signal]: https://signal.org/
+  "Signal secure messenger"
+[ssd]: https://ssd.eff.org/
+  "Surveilance Self Defense"
+[tails]: https://tails.net/
+  "Tails: portable operating system that protects against surveillance and censorship"
+[vox-chrome]: https://www.vox.com/technology/387375/google-chrome-antitrust-privacy-android
+  "The case for ditching Chrome (vox.com)"
+[ublock origin lite]: https://en.wikipedia.org/wiki/UBlock_Origin#uBlock_Origin_Lite
+  "Manifest V3 version of uBlock Origin for Google Chrome, Microsoft Edge, and other Chromium-based browsers."