06 June 2014

FSecure's FreedomeVPN - what does "tracking protection" really mean?

Since my previous blog entry on FSecure's "FreedomeVPN" app and how it after my previous test didn't block Google's tracking cookies, there have been a couple of conversations on Twitter on this matter. One such conversation took place last night, when twitter user @PrivacyMatters referred them to my blog post and asked for FSecure and Mikko's take on it. It went something like this:

Interesting... they apparently disagree that their failure to block Google's tracking cookies* is not really tracking, or maybe that Google is not a tracking company, or maybe that Google is not in the advertising or selling-user-data to-advertisers business.

* = Google's persisted tracking cookies include a long unique number assigned to each visitor, and identifies each site visitor, where they came from, and on Google's end can be matched up to everything else that Google knows about that user.

So... maybe I am just to picky. Maybe Google don't track users, and their tracking cookies is not part of FSecure's "untrackably invisible claim". This morning I decided to take FSecure's FreedomeVPN for another 3-minute test just to see how their tracking protection measure up, and if I am maybe just too picky.

This time I decided to simply check if Facebook is able to track me around the web with FreedomeVPN's tracking protection is active. You may have noticed that many sites around the web have embedded Facebook Like boxes.

The Facebook like box shows if you and any of your friends have clicked "like". It comes in a few different shapes and sizes, but whenever it is present on a site, it means that every time you visit that site Facebook will know you did so through the use of their own tracking cookies. This seems like something that I would expect Freedome's "tracking protection" to block.

If Facebook is unable to identify you, the tracking box will state how many people have clicked "like" on the site and show some random profile pictures of people who have clicked like:

If Facebook is able to identify you, the tracking box will show if you at any point have clicked like, and it will show your own profile picture and profile pictures of any of your friends that have done so too, rather than profile pictures of other random Facebook users:

My test today was simple, and as follows. I installed FSecure's FreedomeVPN again (to ensure I had the latest and greatest version installed for the test):


* = Note the "become untrackably invisible" slogan is still there...

After installing, I activated all the protection features, including "tracking protection" with an exit point in Finland.

Surely I was now "untrackably invisible" to all datamining and advertising companies..? Easy to find out, just hit a (non-FB) website with an embedded FB asset*.

* = FB like button/like box/share button/login button/etc all work the same and come with the same tracking features.

Lo and behold. Despite having all FreedomeVPN's "anti tracking" and now being "untrackably invisible", Facebook was able to identify me when visiting a third party site. This means they are able to track me on ANY site around the internet that has an embedded FB Like, Share, Login, etc button embedded.

Sorry, FSecure and Mikko Hyppönen: I think we have different views on what "tracking protection" and "untrackably invisible" means.

After the test, the FreedomeVPN control panel says they have blocked one tracking attempt. Obviously not the one from Facebook, but maybe some other more obscure tracking service in that case...?

This app doesn't seem to do what FSecure's marketing claims it does, so I will uninstall it for now. Maybe I will try it again some time in the future if FSecure's developers catch up with what their marketing team's claims.

No comments:

Post a Comment