A recent article on The Verge, “Facebook begins tracking non-users around the Internet,” raised my hackles. I have never had an account on Facebook as I don’t particularly want to support a business operating almost exclusively on the tenet that the user is the product.
Now, whether I want it to or not, Facebook is going to try to track and profile me. But I shouldn’t object; I should embrace it. After all, Facebook surely has my best interests in mind:
“Facebook believes it can more accurately target non-members using the vast amounts of data it already has on the nearly 1.7 billion people who use the site. The company says it can use that data to make inferences about the behaviour of non-members, an approach known as ‘lookalike’ targeting. ‘Because we have a core audience of over a billion people who we do understand, we have a greater opportunity than other companies using the same type of mechanism.’” Andrew Bosworth, vice president of Facebook’s ads and business platform, speaking with the Wall Street Journal
That’s great. Thanks, Mr. Bosworth, but no thanks.
I have enabled Do Not Track in my web browser, but Facebook does not honour that request.1 The company has no respect for an individual’s privacy. So here’s what I’m going to do: I’m going to block all traffic from my computer to Facebook.
To do this, I’m going to use PF, the packet filtering firewall that OS X provides.
In order to configure a PF rule to block them, I need to find all the external IP address blocks that Facebook operates with. How? Well, Facebook is a large organisation, with countless servers and other Internet-facing appliances spread around the planet. In all likelihood, they’ll qualify for an Autonomous System Number. A quick Google search for “facebook asn” confirms this and reveals their ASN: AS32934.
In the terminal, I can retrieve a list of all IP address ranges associated with that ASN with the following command:
whois -h whois.radb.net '!gAS32934' | tr ' ' ', '
which returns a list covering ~60,000 IP addresses at the time of writing.
I take the resulting comma-separated list and add it into a new rule in the pf.conf file on my Mac:2
table <facebook> persist { 204.15.20.0/22, 69.63.176.0/20, 66.220.144.0/20, 66.220.144.0/21, 69.63.184.0/21, 69.63.176.0/21, 74.119.76.0/22, 69.171.255.0/24, 173.252.64.0/18, 69.171.224.0/19, 69.171.224.0/20, 103.4.96.0/22, 69.63.176.0/24, 173.252.64.0/19, 173.252.70.0/24, 31.13.64.0/18, 31.13.24.0/21, 66.220.152.0/21, 66.220.159.0/24, 69.171.239.0/24, 69.171.240.0/20, 31.13.64.0/19, 31.13.64.0/24, 31.13.65.0/24, 31.13.67.0/24, 31.13.68.0/24, 31.13.69.0/24, 31.13.70.0/24, 31.13.71.0/24, 31.13.72.0/24, 31.13.73.0/24, 31.13.74.0/24, 31.13.75.0/24, 31.13.76.0/24, 31.13.77.0/24, 31.13.96.0/19, 31.13.66.0/24, 173.252.96.0/19, 69.63.178.0/24, 31.13.78.0/24, 31.13.79.0/24, 31.13.80.0/24, 31.13.82.0/24, 31.13.83.0/24, 31.13.84.0/24, 31.13.85.0/24, 31.13.86.0/24, 31.13.87.0/24, 31.13.88.0/24, 31.13.89.0/24, 31.13.90.0/24, 31.13.91.0/24, 31.13.92.0/24, 31.13.93.0/24, 31.13.94.0/24, 31.13.95.0/24, 69.171.253.0/24, 69.63.186.0/24, 31.13.81.0/24, 179.60.192.0/22, 179.60.192.0/24, 179.60.193.0/24, 179.60.194.0/24, 179.60.195.0/24, 185.60.216.0/22, 45.64.40.0/22, 185.60.216.0/24, 185.60.217.0/24, 185.60.218.0/24, 185.60.219.0/24, 129.134.0.0/16, 157.240.0.0/16, 204.15.20.0/22, 69.63.176.0/20, 69.63.176.0/21, 69.63.184.0/21, 66.220.144.0/20, 69.63.176.0/20 }
block quick to <facebook>
I save that, then load the rules into PF:
sudo pfctl -f /private/etc/pf.conf
Then — facebook.com and, for a long time, nothing… then the browser simply times out. The firewall has prevented the network request to facebook.com and I can rest easy knowing that my computer is passing no information to that parasitic organisation.
An extreme tactic? Maybe, or perhaps Facebook should simply respect the wishes of those of us who do not want to participate in their “user is the product” model.
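The whois reply ends up in a firewall config that is loaded with sudo, and the table above repeats prefixes and lists many /24s already covered by a larger block. The following is an added example, not part of the original post: it keeps only well-formed IPv4 CIDR tokens from a reply, collapses the overlaps, and prints the table line in the same form. The sample reply and the function names are constructed for illustration.

```python
import ipaddress
import sys

# Constructed sample of a whois reply: framing lines plus a few prefixes
# copied from the table above. Not real query output.
SAMPLE_REPLY = """A118
31.13.64.0/18 31.13.64.0/24 31.13.65.0/24 69.63.176.0/20 69.63.176.0/21 69.63.184.0/21 204.15.20.0/22 204.15.20.0/22
C
"""


def parse_prefixes(reply):
    """Keep only tokens that are well-formed IPv4 CIDR prefixes."""
    nets = []
    for token in reply.replace(",", " ").split():
        if "/" not in token:
            continue  # framing lines such as the length header
        try:
            net = ipaddress.ip_network(token, strict=True)
        except ValueError:
            continue  # malformed, or host bits set (e.g. 10.0.0.1/8)
        if net.version == 4:
            nets.append(net)
    return nets


def collapse(nets):
    """Merge duplicates, adjacent prefixes, and prefixes covered by a larger one."""
    return list(ipaddress.collapse_addresses(nets))


def pf_table(name, nets):
    """Render the table line in the form used in pf.conf above."""
    return "table <%s> persist { %s }" % (name, ", ".join(map(str, nets)))


if __name__ == "__main__":
    # Read a piped whois reply, or fall back to the constructed sample.
    reply = SAMPLE_REPLY if sys.stdin.isatty() else sys.stdin.read()
    nets = collapse(parse_prefixes(reply))
    if not nets:
        sys.exit("no valid prefixes in reply; leaving pf.conf alone")
    print(pf_table("facebook", nets))
    print("# %d addresses" % sum(n.num_addresses for n in nets), file=sys.stderr)
```

Saved under a hypothetical name such as radb_to_pf.py, it can take the output of the whois command above on standard input. Anything in the reply that is not a valid prefix is dropped before it reaches pf.conf.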