How to disable Facebook/Twitter secret whitelist

As reported across the web, there is a hidden Facebook whitelist. I don’t use Facebook or Twitter and I want to disable the whitelist. How do I do so?

5 Likes

That article is inaccurate and misleading:
https://brave.com/script-blocking-exceptions-update/

2 Likes

I am sure that from a developer standpoint it is frustrating to do your best to provide a functional browser without confusing users “I just want to log in using Facebook I don’t want to actually go there why is it broken?!” I get it: a lot of users are dumb.

However from a privacy conscious perspective every time we hear about Facebook they’re doing some sleazy shenanigans to hoover up our data and a secret whitelist, configured to protect our identities or not, is exactly the same tedious shit we’re sick of dealing with and probably moved to Brave specifically to avoid.

Can you understand how this comes off as a core betrayal?

4 Likes

It’s one of those things I guess, users want the adblocking hardcore and for Brave to do what it’s intended to do, then same users are moaning and bitching cause it’s breaking Facebook sites, Google related sites and so forth…

“Oh boo hoo, I can’t login to facebook or gmail/google stuff… but why aren’t you blocking facebook and google stuff!!! You’re using Chromium the same thing as Google Chrome!! Oh noes… I’m going back to Firefox!!” …

It’s a never-ending circle… “We don’t want spied on, but we’ll install security cameras and video recorders all around the bathroom and in shower, so someone’s always watching you shower or taking dump. And we know the core issue is us installing recorders /cameras in the bathroom and shower, all the while we want the privacy, but we just like to never be happy and satisfied.”

Guess Brave should block ALL stuff facebook, twitter, etc… and no white-list, and if people bitch and moan about having login issues with facebook and twitter and so forth, then tough shit. Brave is privacy focused browser… if you want the privacy, then you get it… don’t put up recorders/cameras in the bathroom and expect privacy.

People expect Brave to be middle guy between cameras in bathroom watching you, and add the blur effect that’s put over the people’s private parts when they’re showering/taking dumps/etc before the person watching the live feed sees it. It’s impossible. If you want privacy / security, then only use Brave while not using Google, facebook, twitter, instagram, etc etc. All those sites are evil anyway, and if enough people reject them, they’ll stop doing what they’re doing, or they’ll go belly up.

3 Likes

A complication here is that the whitelist was implemented without advising the users and without an option to disable it.

6 Likes

@packetpocket and @matteopa both have good points, and @Mattches’ linked article provides an excellent explanation/expansion of what’s described in the OP article. However, after reading both articles, this really seems to be a non-issue.

I’ll ask this question: if one is using Facebook and/or Google to login to some third party website, how could one think that would be happening without sharing anything with Facebook and Google? At the very least there has to be some way to provide Facebook/Google login credentials or the equivalent like a secure token tied to your identity, or it would be pointless in the first place.

On the other hand, in the US we buy products with warnings like “Don’t use this toaster while standing in water” and “Standing on the top of this ladder could result in you falling and hurting yourself.” So maybe some warning would be appropriate, something like “if you login to third party sites using your Facebook or Google credentials, Facebook or Google will know about it because you’re logging into a third party site using the respective credentials.” But on its face, if I were Brave, I would see that as insulting the intelligence of the user base, something almost as obvious as “If you stick your hand in that water, your hand will get wet.” So do they piss off users by assuming they won’t get this, or by not saying it and someone pointing out, “Oh, hey, people logging into sites with Facebook/Google are having some information shared with Facebook/Google?”

I suppose as Brave is more widely adopted, the Brave folks will have to opt for risking insulting the intelligence of the user base to be safe. Personally, I think that’s sad.

3 Likes

As I ruminate, I realize this statement might be too conclusory. It is probably more accurate to say “Facebook or Google might be able to figure out you’re logging into that third party site because…”

Also, I operate on the (possibly false, probably paranoid) assumption that a company whose business model is to profit from knowing everything they can about its users will find a way to use the third party login scheme to that end, even if that scheme putatively allows login “anonymously.” This is one reason I don’t use my Facebook or Google credentials to login on very many sites to the point where even when I’d like to join a community, if the only way to do that is to use a Facebook or Google account, like Medium, it’s often a no-go.

1 Like

I saw that article before about the whitelist and didn’t get enraged or upset about it… cause I figured Brave developers had good reason to do it. Even when I wasn’t using Brave browser itself and had used another browser with uBlock Origin and some other privacy extensions, I had to whitelist main “facebook.com”, “twitter.com” and maybe even some of their “cdn” or whatever domains to get those sites working to login, load images, etc. Facebook albums, and images on instagram took forever to load without whitelisting those certain domains.

It sucks, cause it’s back to what I said above there but at same time, you almost have to have some of those sites to be able to function /be usable, etc. It’s harder to convince the entire world’s population to drop Twitter, Facebook, and Instagram for an alternative than it is to whitelist some top level domain names to get those sites to function some-what properly and be usable, whilst still trying to block some “spying” aspects of those companies.

1 Like

Going along with what I said before, about being harder to convince world’s population to switch to alternatives… It’s harder to have billions of users switch from a free service like Google products (gmail, calendar, documents, pendrive, etc) to something like https://kolabnow.com/cockpit/signup/ and pay 4.39 monthly (52.00-ish yr).

Not everyone has money for it (low income, etc). And not everyone wants hassle of switching over to something new and possibly more confusing to use. Most android phones connect the google accounts as well and have Google Play Store for all their favorite apps. When I tried using some other app stores, most cases the apk files wouldn’t download and I couldn’t manually install them either. I had no choice but to keep a “dummy google account” just to use for cell phone apps etc.

It would be awesome though if Brave developers could come up with their own services like Google products… App Store (apps with no spying in them), Calendar, Drive, Documents, email service (like protonmail), etc… Users could then signin to Brave browser, and link all their Brave stuff together like Google does, without the spying.

Brave Mail
Brave Browser
Brave Drive
Brave Documents
Brave Calendar
etc… Or just put last 3 as “Brave Tools” lol.

1 Like

@matteopa I like your ideas. FWIW, I wasn’t encouraging anyone to necessarily drop use of the Google and Facebook services (although…), especially not to spend money on a substitute service if they don’t have it - I love free, and free, privacy-oriented services would be awesome. Sure, as you point out, there’s ProtonMail (also see https://alternativeto.net/software/gmail/?license=free which has a couple of others), but there aren’t really good alternatives in the calendar, cloud drive, etc., channels. It would seem like a tough proposition, really, since if a company can’t make money from ads or selling [supposedly anonymized] user information, they have to come up with some other way to cover their costs and allow their employees/owners to actually make a living. I’ve not read ProtonMail’s explanation about how they can do it in a long time and don’t remember how they do.

My earlier comments were directed toward using Google/Facebook credentials to login to third party sites. I mean, if coolsite.com offers to let one “Login using your Facebook account,” it seems like it should come as no surprise that Facebook is going to be contacted when that option is selected even though you’re logging into coolsite.com.

Anyway, yeah, it would be awesome if Brave Mail and Tools were brought into being, as it would if Brave’s people can figure out this login thing.

Regards,
Hnk

You already have free calendar, to do, notes etc on pretty much every device. Am pretty sure you can invite ppl from your calendar appointments/meetings at least on Apple ones so pretty sure droid and others will be the same so… Google just want you to think they are God’s answer to everything but you know that is just smoke and mirrors or lies.

Btw Sync (ex bittorrent now resilio) is way way way better for sharing or just having a non-cloud file system between your devices and or friends/family/business that does not spy on you that I know of.

Great discussion.

So how to disable the whitelist?

As we learn from reading both articles, the exceptions are for javascript loading/execution, so a ham-handed solution might be to disable javascript. But most people probably wouldn’t like that (I wouldn’t), so until a feature’s enabled in Brave’s preferences directed to this particular exception list, my guess is a script blocking extension with higher resolution controls (block scripts from specific domains on a per-website basis) might be the ticket. @Mattches, can you confirm that this would work? Maybe suggest one?

A quick search of the Store shows three likely candidates (selected because they were high in the results list and updated within a year):

  1. Script Block

  2. No-Script Suite Lite

  3. uMatrix

I’ve been using uMatrix in Firefox for a long time, and it’s the most recently updated, so it should probably be no. 1 in my list, and if it were me, I’d try that since it allows per-website blocking of specific domains and calls (I may not be using the right terminology). In fact, I think I’ll install it, maybe all three, and give them a whirl, though a dev confirmation that one of these will do what @packetpocket (and presumably others) wants would be great.

Have a great weekend.

For a fun experiment, I installed uMatrix in my vanilla Brave, and here’s what uMatrix shows on a site (medium.com) that I happen to know uses Google and Facebook to create accounts and sign in:

So, even before I try to create an account or login with those other companies, it’s already blocking at least one Google script. So far so good?

When I click sign-in, it brings up this:

I’ve not seen the Twitter and e-mail options until tonight, so Brave and the blockers in my other browsers were blocking those from being displayed, or Medium added them in the last few days.

That sits on top of the existing page, so the uMatrix list isn’t much changed:

Clicking any of the Google, Facebook, or Twitter buttons takes you to an authorization page on their respective domain, so (1) if you do that, you want the scripts to work, and (2) it looks as though only a Google script tries to load on the landing page in the first place (tried an article or two with same results), so … I’m on tiptoes in the deepening water, really, but it looks as though uMatrix blocks that third party script from doing anything.

I go now. Good evening.

1 Like

Perfect. Allow me to jump in on the pile.

I use linux, one of the reasons being that I want to own and control my own system, unlike the others. I don’t want this kind of ‘feature’ in my browser, OS, or electric toothbrush. Even though FB is in my hosts file…

I respect that Brave doesn’t want to break anything. Perhaps Brave can provide a ‘switch’ to enable/disable/tweak.

The feature opposes my computing philosophy. Lock it all down by default, then adjust accordingly <-- safety best practice

Actually, breaking FB would be a societal boon, but I’m trying to be realistic…

I like Brave and use it on linux and android because I believe we have similar ways of operating. I like the receptivity to user input. It’s snappy. I am a bit afraid of Chrome/Chromium and anything close, though.

Requests:
backspace = back a page in linux version

android: default to clean all data upon close, option to default to private window, option to delete entire session after a certain time if not closed manually.

If I am mistaken, please let me know.

2 Likes

As far as I am aware this only affects sites when you click to login with Facebook or Facebook itself (correct me if I am wrong), and if people are so concerned about privacy why would they be using such services like Facebook/Google in the first place?

1 Like

Couldn’t agree more. Facebook, Google, Amazon, etc., were exactly the ones I don’t want tracking me.

2 Likes

As others in the thread have pointed out, unless I’ve grossly misunderstood:

  • these aren’t trackers and can’t track you unless you actively click a login link to activate login with Google/Facebook/Twitter/whatever.

Despite this, it seems the devs are looking into a way to avoid breaking sites that use such logins without whitelisting the (on explicit user demand) execution of the scripts. Frankly, I don’t know how one would expect to use logins to third party sites with Google/Facebook/Twitter credentials and NOT have some form of tracking, but apparently it may be possible.

Again, if I’ve misunderstood, I hope @Mattches, @toml, or someone else with stronger KungFu in this regime will correct me.

“these aren’t trackers and can’t track you”

How could you possibly know that? How could I?

This browser specifically allows Twitter and Facebook to run scripts when I have specifically asked it not to, and according to this thread there is no way to prevent it without inviting a 3rd party to my browser’s configuration.

How is this not a problem? How is this not precisely contrary to the mission of a privacy focused browser?

Well, that was my takeaway from reading the articles, and such, and may very well be naïve and/or wrong, but maybe that doesn’t even matter because …

After rereading the thread and articles I finally get it. Sorry it took so long.

Fairly early on, you said

and a little later:

So, finally, yes, I think I do understand. Assuming the technical side has a bandage solution with extensions (still needing Brave built-in solution), 1. Putting the whitelist in there, 2. Making it override the block list/not have an off switch, and 3. Not telling users that the whitelist was in there give rise to issues of principle and trust.

What’s missing to date, AFAIK, is some remedy for the feelings of betrayal. I’m willing to forgive and move on, but I get that others would want acknowledgment, explanation, and/or apology from the devs. That seems like what you’re after in addition to the technical fix; is that right @packetpocket?

What I’ve seen is stuff like,

and from Eich on Reddit,

BrendanEichBrave 8 points·23 days ago

Two problems: 1/ People perceive the list as a problem and we take that seriously. It costs them in cognitive load and doubt, and us in explaining (over and over) how tracking works.
[[snip]]
For sure it was expedient in 2015, given the cookie blocking and other protections, to allow certain scripts or else break the Web and stall growth. Software is full of trade-offs, and this is a good example. The net win of Brave’s shields reached many more users than would have been the case had we just blocked. If we had the staff, we would have done the work we’re now looking at of deferring script and other resource loads until the user clicks on the widget.

Eich thus acknowledges that people are upset and demanding explanations, as well as removal of the whitelist. Need for removal was even in the uncovered code, so there was recognition at the time it was done that it was… inopportune. Including it was the result of a cost benefit analysis, basically.

Searching the web with [GASP] Google, as well as Duck Duck Go (first), I get nothing for “Brave browser whitelist apology” that is relevant.

I very much like Brave and support its dev team and wish for Brave’s success, but I can definitely see how a non-tonedeaf statement about all of this would be appreciated by concerned users.