
Facebook will reveal who uploaded your contact info for ad targeting - sahin-boydas
https://techcrunch.com/2019/02/06/why-am-i-seeing-this-ad/
======
chrsstrm
I just counted and Facebook tells me that 1,147 advertisers have uploaded a
contact list that contained my info, specifically found on
[https://www.facebook.com/ads/preferences/?entry_product=ad_s...](https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen)
:

    
    
        These advertisers are running ads using a contact list they or their partner uploaded that includes info about you. This info was collected by the advertiser or their partner. Typically this information is your email address or phone number.    
    

Want to know what's funny? The email address I use for Facebook was created
only for Facebook. I have never given it out to anyone else, ever. The inbox
for that account only contains emails from Facebook. I have never given
Facebook my phone number. I have never clicked on an ad in Facebook. I have
never connected an app with my Facebook account. _Facebook_ itself is the only
entity which has ever had my contact info associated with my account. So tell
me, how did 1,147 other businesses and groups get their hands on my info if
I've never given it out? I can't wait to see what the explanation is when this
feature launches end of the month.

~~~
beaugunderson
> Typically this information is your email address or phone number.

Which means they are also using other types of information to identify you,
and since your email and phone number can't be used, it must be those other
information types. I'd love to know what they are.

My count is 11,885 advertisers, for what it's worth. It looks like car
dealerships are the majority of them... I've never bought a car from a
dealership. Very odd.

~~~
nerdponx
Mine is _exclusively_ car dealerships. Are DMV records public?

~~~
fivre
Speculation elsewhere (a Twitter thread I've since lost) is that car
dealerships are simply uploading every possible US phone number as a
"contact". It seems reasonable, and I can't really think of other reasons car
dealerships in states I've never visited have added me (or at least some info
Facebook associates with me) as an ad target.

~~~
mgpc
Why would this help them? Facebook already lets you target by geography, they
could just target all US residents much more easily.

~~~
onion2k
Advertisers want more control over who they target than just geographic
regions. I'd bet that Facebook let's you select demographic targeting using
_all_ of the information they hold on your contacts, so by uploading every
phone number you can target people based on geography, age, income, family
size, etc.

~~~
hopler
But you can't target demos for users not in your contacts? That makes no
sense.

------
o10449366
Are they assigning blame to a single individual? Because I'm pretty sure 95%
of my Facebook and Instagram friends have "connected their contacts" at some
point. I've had this huge banner on my Instagram profile page for over a year
now. It takes up over 50% of the screen and shows up every time I press the
button to go to my page:

[https://i.imgur.com/PLvohTH.jpg](https://i.imgur.com/PLvohTH.jpg)

I've never clicked it and never will, but I don't doubt that many of my
friends have just to get it to go away. That's why I only give out my Google
Voice number to people and only use my real phone number when it's strictly
necessary.

~~~
randomacct3847
A person adding their contact list isn’t “ad targeting.” Some companies
literally upload email contact lists to Facebook and pay for ads that will be
shown to anyone on that list that also has a Facebook account.

~~~
marsRoverDev
It's worth noting that they hash their email lists and upload those. They are
never given access to a list of the list of people on facebook who share those
addresses.

------
reilly3000
As a recovering media buyer I think this is one of the most concrete forward
steps Facebook has made since their struggles began. “Custom Audiences” are
great for CRM matching campaigns but so very easily abused. There used to be a
20 row min on lists. There was an article or reddit post I remember that
showed how a kid trolled his roommate with ads targeted exclusively at the
roommate and 19 fake people. They subsequently increased the list size minimum
to 500, but I still cannot fathom that they left such a huge abuse vector open
for so long. It’s like they didn’t care as long as the clicks kept coming.

~~~
reilly3000
Here it is: [http://ghostinfluence.com/the-ultimate-retaliation-
pranking-...](http://ghostinfluence.com/the-ultimate-retaliation-pranking-my-
roommate-with-targeted-facebook-ads/)

TIL even the 20 user mine wasn’t required and today the min is only 100. I
know for a fact that Trump 2016 used this technique with voter rolls to
discourage turnout for likely Hillary voters based on a talk I watched by
their media team.

~~~
smudgymcscmudge
How did they do that? Target them with ads that said “don’t bother voting
she’s got it under control”?

~~~
mehrdadn
I think parent is referring to a 60 Minutes interview with Brad Parscale, if
you want to look it up.

~~~
reilly3000
The talk I was referring to was from Molly Schweickert, Vice President Global
Media from Cambridge Analytica on "How digital advertising worked for the US
2016 presidential campaign"

[https://youtu.be/bB2BJjMNXpA?t=897](https://youtu.be/bB2BJjMNXpA?t=897)

Its really a fascinating watch, and a perfect case study for why GDPR is
needed. After reviewing it I don't see any mention of specific techniques used
to discourage turnout, but those techniques are well-documented elsewhere:
[https://www.theatlantic.com/politics/archive/2016/10/trumps-...](https://www.theatlantic.com/politics/archive/2016/10/trumps-
black-voter-dilemma/505586/)

------
randomacct3847
I went to a growth meetup last year and sat through a presentation by a
Pinterest engineer who walked through how they upload emails from churned
Pinterest users to Facebook to try to reactivate them as the primary use case
for their FB ad spend.

Honestly didn’t even realize it was “ok” for companies to share emails with
third parties as I thought that is even considered PII.

~~~
ssvss
I think they upload the hashes of emails they have, and facebook matches it
with the hashes of the emails it has.

~~~
omeid2
In some jurisdictions, that is still, rightly so, considered PII.

~~~
Jonanin
In what way is a cryptographic hash of your email personally identifiable?

~~~
omeid2
if the purpose of an email hash is to identify me for ads targeting, then it
is by definition reasonably identifying me, even if indirectly.

~~~
pdkl95
DJB on hashing identifying information[1]:

> Hashing is magic crypto pixie-dust, which takes personally identifiable
> information and makes it incomprehensible to the marketing department. When
> a marketing person looks at random letters and numbers they have no idea
> what it means. They can't imagine that anybody could possibly understand the
> information, reverse the hash, correlate the hashes, track them, save them,
> record them.

[1]
[https://projectbullrun.org/surveillance/2015/video-2015.html...](https://projectbullrun.org/surveillance/2015/video-2015.html#bernstein)

------
austinhutch
Of my list, which I'm still parsing, I'm seeing a TON of local car dealerships
and realtors. What I really wish is I could see the supplier that's selling my
data to these folks who are 100% not running their own Facebook ad campaigns.
Actually - I might reach out to the car dealerships and try to figure out what
agencies they are using.

~~~
fru2013
Same for me with the car dealerships. I've never owned a car or even ever
contacted a dealership before. My guess is maybe car rental companies are
selling the data to dealerships, since they would be gathering email + phone
and car-renters would be targets for car-sellers.

~~~
tricolon
I've never owned or rented a car, contacted a dealership, or ever had a
license, but my list is almost completely car dealerships. I'm beginning to
suspect my state's DMV, where I got my state ID.

------
rubyfan
It’s reason enough to leave my Facebook account open. I’ve just stopped using
it anymore and that’s fine.

It’s been months and I don’t miss the constant barrage of political rants from
my friends on both sides of the political spectrum.

~~~
nerflad
At least on FB you can unfollow the main offenders. My feed is surprisingly
tolerable. Enjoyable, even. The unrelenting barrage of political content comes
to me from Twitter. Twitter is designed to surface popular tweets even from
those you don't follow, and it's almost always low effort political tripe.
It's exhausting.

~~~
taude
I got bored of my feeds. Someone else succulently put, "20 minutes per week on
a Sunday is more than enough to keep up with people"

~~~
matt_j
Succinctly? :P

~~~
taude
No idea what I was spelling there.

~~~
SmellyGeekBoy
I just assumed that your source was a cactus.

~~~
OJFord
He's a bit of a prick, but he makes some good points.

------
plorg
The Do Not Call Registry obviously isn't 100% effective, but one possible
regulatory move would be to create a similar service for email and phone
numbers used in marketing lists, such that possessing a list with the PII of a
person who had opted out would subject you to monetary penalties. Then make it
incumbent on the company to prove that the person affirmatively consented to
sharing their PII.

An attempt at such a concept appears to exist as implemented by a non-
governmental group here [1], although that group is voluntary rather than
compulsary, and probably doesn't have anything to do with the shadier data
brokers.

[1] [https://dmachoice.thedma.org/](https://dmachoice.thedma.org/)

------
renholder
>Starting February 28th, Facebook’s “Why am I seeing this?” button in the
drop-down menu of feed posts will reveal more than the brand that paid for the
ad, some biographical details they targeted and if they’d uploaded your
contact info. Facebook will start to show when your contact info was uploaded,
if it was by the brand or one of their agency/developer partners and when
access was shared between partners. A Facebook spokesperson tells me the goal
is to keep giving people a better understanding of how advertisers use their
information.

This is great and all but what about the people who don't have a Facebook
account, which Facebook is still keep tracking of (e.g.: Facebook Pixel)?

------
busterarm
That just means that uploaders will scrub their data through an intermediary,
if they aren't already.

~~~
llukas
I don't think it would help much in EU. :)

Would GDPR allow to withdraw consent for the intermediary? What if I disallow
intermediary to handle my data but some other third party I gave permission to
process data uses this intermediary?

~~~
floatrock
The California Consumer Privacy Act (coming into effect in 2020) definitely
does.

From [https://privacylaw.proskauer.com/2018/07/articles/data-
priva...](https://privacylaw.proskauer.com/2018/07/articles/data-privacy-
laws/the-california-consumer-privacy-act-of-2018/), the California Consumer
Privacy Act specifies:

> 1\. the right to know, through a general privacy policy and with more
> specifics available upon request, what personal information a business has
> collected about them, where it was sourced from, what it is being used for,
> whether it is being disclosed or sold, and to whom it is being disclosed or
> sold;

> 2\. the right to “opt out” of allowing a business to sell their personal
> information to third parties (or, for consumers who are under 16 years old,
> the right not to have their personal information sold absent their, or their
> parent’s, opt-in);

> 3\. the right to have a business delete their personal information, with
> some exceptions;

In fact, this entire facebook announcement looks like it's just compliance for
#1.

Good for them for not waiting until the month before like GDPR, but don't be
fooled that they're showing this information out of the goodness of their
hearts.

------
ppeetteerr
This is a step in the right direction. I would like to see more regulation
around who can upload ads to Facebook as well.

------
knaik94
I got department of homeland security...
[https://i.imgur.com/qlsKmNH.png](https://i.imgur.com/qlsKmNH.png)

------
mdekkers
IMHO this would require a "I did not provide consent" button to keep the ad
publishers (i.e. Facebook's paying customers) honest. There will obviously be
many people clicking this "incorrectly" but much like your spamfilter, FB
should eventually learn this user x _really_ doesn't want to hear about this
company anymore.

Not that this is likely to ever happen, given the we are the product, not the
user.

~~~
chillacy
You can get to "Hide all ads from <advertiser>" in a few clicks. I mean that
makes sense since if you really don't want to hear from a company, the company
can better spend their money elsewhere.

------
aembleton
If you make a POST request to
[https://www.facebook.com/ads/profile/advertisers/](https://www.facebook.com/ads/profile/advertisers/)
with your facebook cookies then you get the JSON back with all of your
advertisers. Looks like I have well over a thousand of them.

~~~
mxuribe
Yeah, i'm interested myself. (Either my curl wrangling is wrong, or FB not
playing nice now.) Would love to know how you're doing this.

------
0xCMP
I clicked "Show more" via the console until it stopped and then "clicked"
every button and waited.

It's not a real solution, but at least I've voiced my intention to not be
tracked by these advertisers. I wish deleting my Facebook was a valid option
here, but as we all know they keep profiles on you anyways.

~~~
grogenaut
So I guess keep the facebook account because it's hopeless anyway? Way to be
principled. How bout delete it and feed them less and stop being an ecosystem
effect.

My friends from college for years were planning yearly meetups. 2 years ago
enough of us dropped off FB that we started planning with email and MMS again.
Quite a few more dropped as well last year and this. So it does work
eventually

------
aussieguy1234
Could be good for competitive intelligence - discover your competitors ad
targeting strategy

------
sahin-boydas
I just counted and Facebook tells me that 713 advertisers have uploaded a
contact list that contained my info.

The super funny thing is that i saw my old girl friend create a page and
upload my info and target me. ;)) (a good idea to create jealousy i guess)

------
senectus1
I'm not sure why anyone would trust this information.

there is a plethora of ways they could omit information or order information
or over provide information to make this work in their favour.

------
jmspring
How about FB just allows a simple click of "ignore everything about me and
provide phsyical proof that such is happening".

------
trumped
When I created my Facebook account, I used a unique email address that I
completely disabled after the signup process was over (because I wanted to
avoid Facebook's email spam) and I never gave them my phone number and never
used the Facebook apps on my phone... yet a bunch of companies uploaded that
contact info? very strange.

~~~
jahewson
Facebook does not tell you exactly what contact information was uploaded. Does
your Facebook profile include your name? Birthday? Location? That’s what it’s
gonna be. Not so strange.

~~~
trumped
Facebook should at least give you access to your shadow profile so that you
know what they have. I didn't give them my real birth date or home address but
they still could have them, I guess (some people wished me happy birthday on
Facebook, for example)

------
makecheck
Not sure this can really help; information changes hands _quickly_. Once an
agent misheard my name when setting up electricity and I received bills
addressed to a similar-sounding name from them. For _years_ I would receive
mail from all kinds of random things they clearly sold me to, with the exact
same mistake.

------
werid
I looked at the advertisers who uploaded a contact list with me in it...

* Motley Denim

* TV2 Sumo

* Bandcamp

* NBA

I am a bit surprised it was only four, and a bit disappointed bandcamp was one
of them.

------
rblion
This is going to be very interesting year for a lot of industries and
movements. It's only February.

------
gnicholas
I can’t tell if this change affects how lookalike audiences are described.
Does anyone know how they are currently described?

 _“You are seeing this ad because BigCo wants to target people who like things
similar to people whose email addresses they uploaded”_ or something?

------
a_imho
Otoh Techcrunch (I mean Oath Family) will not reveal this article if you are
European and don't agree to their tracking. It presents a complex and captcha
ridden interface where it is impossible to give/deny informed consent.

------
lucb1e
Oh, I thought this was about my friends, so I could mention to my friends that
I wasn't happy they uploaded my PII through their usage of Facebook.

------
Raed667
Most of the ones I have got are from apps I use (Netflix, Uber, Airbnb,
etc...)

They already have me as a user, do they really feel the need to push it?

------
dbg31415
And, is your Facebook-powered social media leaking your data? The answer may
not surprise you. It’s ‘yes, it’s Facebook.’

------
tjpnz
Would've been nice for them to go a step further including the name of the
person handling your information.

------
starpucks
How is any of this surprising? At this point pretty much anything you are
doing is monitored including clicks and typing within iPhone apps

------
bigiain
I wonder how much Facebook are charging "preferred advertisers" to be left out
of this?

------
the_cat_kittles
if you think facebook is doing this because they are "on your side" you are a
complete sucker

~~~
floatrock
You're right, but the reason they're doing this is less conspiratorial than
you suggest... it's just compliance for the California Consumer Privacy Act
coming into effect in 2020.

From [https://privacylaw.proskauer.com/2018/07/articles/data-
priva...](https://privacylaw.proskauer.com/2018/07/articles/data-privacy-
laws/the-california-consumer-privacy-act-of-2018/), the first major provision
is:

> 1\. the right to know, through a general privacy policy and with more
> specifics available upon request, what personal information a business has
> collected about them, where it was sourced from, what it is being used for,
> whether it is being disclosed or sold, and to whom it is being disclosed or
> sold;

The UI mocks in the article are literally a checklist of each of these items.

