As reported across the web, there is a hidden Facebook whitelist. I don’t use Facebook or Twitter and I want to disable the whitelist. How do I do so?
That article is inaccurate and misleading:
I am sure that from a developer standpoint it is frustrating to do your best to provide a functional browser without confusing users “I just want to login in using Facebook I don’t want to actually go there why is it broken?!” I get it: a lot of users are dumb.
However from a privacy conscious perspective every time we hear about Facebook they’re doing some sleazy shenanigans to hoover up our data and a secret whitelist, configured to protect our identities or not, is exactly the same tedious shit we’re sick of dealing with and probably moved to Brave specifically to avoid.
Can you understand how this comes off as a core betrayal?
It’s one of those things I guess, users want the adblocking hardcore and for Brave to do what it’s intended to do, then same users are moaning and bitching cause it’s breaking Facebook sites, Google related sites and so forth…
“Oh boo hoo, I can’t login to facebook or gmail/google stuff… but why aren’t you blocking facebook and google stuff!!! You’re using Chromium the same thing as Google Chrome!! Oh noes… I’m going back to Firefox!!” …
It’s never ending circle… “We don’t want spied on, but we’ll install security cameras and video recorders all around the bathroom and in shower, so someone’s always watching you shower or taking dump. And we know the core issue is us installing recorders /cameras in the bathroom and shower, all the while we want the privacy, but we just like to never be happy and satisfied.”
Guess Brave should block ALL stuff facebook, twitter, etc… and no white-list, and if people bitch and moan about having login issues with facebook and twitter and so forth, then tough shit. Brave is privacy focused browser… if you want the privacy, then you get it… don’t put up recorders/cameras in the bathroom and expect privacy.
People expect Brave to be middle guy between cameras in bathroom watching you, and add the blur effect that’s put over the people’s private parts when they showering/taking dumps/etc before the person watching the live feed sees it. It’s impossible. If you want privacy / security, then only use Brave while not using Google, facebook, twitter, instagram, etc etc. All those sites are evil anyway, and if enough people reject them, they’ll stop doing what they’re doing, or they’ll go belly up.
A complication here is that the whitelist was implemented without advising the users and without an option to disable it.
@packetpocket and @matteopa both have good points, and @Mattches’ linked article provides an excellent explanation/expansion of what’s described in the OP article. However, after reading both articles, this really seems to be a non-issue.
I’ll ask this question: if one is using Facebook and/or Google to login to some third party website, how could one think that would be happening without sharing anything with Facebook and Google? At the very least there has to be some way to provide Facebook/Google login credentials or the equivalent like a secure token tied to your identity, or it would be pointless in the first place.
On the other hand, in the US we buy products with warnings like “Don’t use this toaster while standing in water” and “Standing on the top of this ladder could result in you falling and hurting yourself.” So maybe some warning would be appropriate, something like “if you login to third party sites using your Facebook or Google credentials, Facebook or Google will know about it because you’re logging into a third party site using the respective credentials.” But on its face, if I were Brave, I would see that as insulting the intelligence of the user base, something almost as obvious as “If you stick your hand in that water, your hand will get wet.” So do they piss off users by assuming they won’t get this, or by not saying it and someone pointing out, “Oh, hey, people logging into sites with Facebook/Google are having some information shared with Facebook/Google?”
I suppose as Brave is more widely adopted, the Brave folks will have to opt for risking insulting the intelligence of the user base to be safe. Personally, I think that’s sad.
As I ruminate, I realize this statement might be too conclusory. It is probably more accurate to say “Facebook or Google might be able to figure out you’re logging into that third party site because…”
Also, I operate on the (possibly false, probably paranoid) assumption that a company whose business model is to profit from knowing everything they can about its users will find a way to use the third party login scheme to that end, even if that scheme putatively allows login “anonymously.” This is one reason I don’t use my Facebook or Google credentials to login on very many sites to the point where even when I’d like to join a community, if the only way to do that is to use a Facebook or Google account, like Medium, it’s often a no-go.
I seen that article before about the whitelist and didn’t get enraged or upset about it… cause I figured Brave developers had good reason to do it. Even when I wasn’t using Brave browser itself and had used another browser with Ublock Origin and some other privacy extensions, I had to whitelist main “facebook.com”, “twitter.com” and maybe even some of their “cdn” or whatever domains to get those sites working to login, load images, etc. Facebook albums, and images on instagram took forever to load without whitelisting those certain domains.
It sucks, cause it’s back to what I said above there but at same time, you almost have to have some of those sites to be able to function /be usable, etc. It’s harder to convince the entire world’s population to drop Twitter, Facebook, and Instagram for an alternative than it is to whitelist some top level domain names to get those sites to function some-what properly and be usable, whilst still trying to block some “spying” aspects of those companies.
Going along with what I said before, about being harder to convince world’s population to switch to alternatives… It’s harder to have billions of users switch from a free service like Google products (gmail,calendar,documents, pendrive,etc) to something like https://kolabnow.com/cockpit/signup/ and pay 4.39 monthly (52.00-ish yr).
Not everyone has money for it (low income, etc). And not everyone wants hassle of switching over to something new and possibly more confusing to use. Most android phones connects the google accounts as well and have Google Play Store for all their favorite apps. When I tried using some other app stores, most cases the apk files wouldn’t download and I couldn’t manually install them either. I had no choice but to keep a “dummy google account” just to use for cell phone apps etc.
It would be awesome though if Brave developers could come up with their own services like Google products… App Store (apps with no spying in them), Calendar, Drive, Documents, email service (like protonmail), etc… Users could then signin to Brave browser, and link all their Brave stuff together like Google does, without the spying.
etc… Or just put last 3 as “Brave Tools” lol.
@matteopa I like your ideas. FWIW, I wasn’t encouraging anyone to necessarily drop use of the Google and Facebook services (although…), especially not to spend money on a substitute service if they don’t have it - I love free, and free, privacy-oriented services would be awesome. Sure, as you point out, there’s ProtonMail (also see https://alternativeto.net/software/gmail/?license=free which has a couple of others), but there aren’t really good alternatives in the calendar, cloud drive, etc., channels. It would seem like a tough proposition, really, since if a company can’t make money from ads or selling [supposedly anonymized] user information, they have to come up with some other way to cover their costs and allow their employees/owners to actually make a living. I’ve not read ProtonMail’s explanation about how they can do it in a long time and don’t remember how they do.
My earlier comments were directed toward using Google/Facebook credentials to login to third party sites. I mean, if coolsite.com offers to let one “Login using your Facebook account,” it seems like it should come as no surprise that Facebook is going to be contacted when that option is selected even though you’re logging into coolsite.com.
Anyway, yeah, it would be awesome if Brave Mail and Tools were brought into being, as it would if Brave’s people can figure out this login thing.
You already have free calendar, to do, notes etc on pretty much every device. Am pretty sure you can invite ppl from your calendar appointments/meetings at least on Apple ones so pretty sure droid and others will be the same so… Google just want you to think they are gods answer to everything but you know that is just smoke and mirrors or lies.
Btw Sync (ex bittorrent now resilio) is way way way better for sharing or just having a non-cloud file system between your devices and or friends/family/business that does not spy on you that I know of.
So how to disable the whitelist?
A quick search of the Store shows three likely candidates (selected because they were high in the results list and updated within a year):
I’ve been using uMatrix in Firefox for a long time, and it’s the most recently updated, so it should probably be no. 1 in my list, and if it were me, I’d try that since it allows per-website blocking of specific domains and calls (I may not be using the right terminology). In fact, I think I’ll install it, maybe all three, and give them a whirl, though a dev confirmation that one of these will do what @packetpocket (and presumably others) wants would be great.
Have a great weekend.
For a fun experiment, I installed uMatrix in my vanilla Brave, and here’s what uMatrix shows on a site (medium.com) that I happen to know uses Google and Facebook to create accounts and sign in:
So, even before I try to create an account or login with those other companies, it’s already blocking at least one Google script. So far so good?
When I click sign-in, it brings up this:
I’ve not seen the Twitter and e-mail options until tonight, so Brave and the blockers in my other browsers were blocking those from being displayed, or Medium added them in the last few days.
That sits on top of the existing page, so the uMatrix list isn’t much changed:
Clicking any of the Google, Facebook, or Twitter buttons takes you to an authorization page on their respective domain, so (1) if you do that, you want the scripts to work, and (2) it looks as though only a Google script tries to load on the landing page in the first place (tried an article or two with same results), so … I’m on tiptoes in the deepening water, really, but it looks as though uMatrix blocks that third party script from doing anything.
I go now. Good evening.