
Who is Facebook's mysterious “Lan Tim 2”? - edent
https://shkspr.mobi/blog/2020/03/who-is-facebooks-mysterious-lan-tim-2/
======
s3r3nity
As anyone who is, or has, worked in ad-tech would tell you, this is pretty
_tame_ in terms of the "offline conversion problem."

When there are $billions$ of dollars at stake for this type of information,
you can guarantee there will be many companies attacking this problem.

Therefore, not to be a pessimist, but if you think that 1) using a fake cell
number on Facebook is going to help or that 2) there aren't services like
Google doing this already, potentially with just as good match rates as
Facebook, or 3) that using Firefox + adblock is all you need, then you're
going to be constantly plugging holes in a leaking boat.

~~~
12xo
False flags and information is the only way to deal with this stuff...

If FB thinks you're a 72 yr old retired dentist from OK, and you buy nothing
but feminine hygiene products and 3 wheel wheel barrels, you're pretty
worthless as a consumer.

The future of ad block is disinformation. Makes the entire ecosystem worthless

~~~
msla
AdNauseam is here:

[https://adnauseam.io/](https://adnauseam.io/)

It's on in the Firefox extensions site:

[https://addons.mozilla.org/en-
US/firefox/addon/adnauseam/](https://addons.mozilla.org/en-
US/firefox/addon/adnauseam/)

But not on the Google Chrome site:

[https://www.theregister.co.uk/2017/01/05/adnauseam_expelled_...](https://www.theregister.co.uk/2017/01/05/adnauseam_expelled_from_chrome_web_store/)

~~~
12xo
Thanks for sharing this. Looks very interesting but with the fraud filtering
in place for most ads, I wonder how effective this can be in the long run.
Seems as if it'd be filtered out but maybe, that's the point???

~~~
maximente
i think that's exactly it - hopefully you'd get put on some adnauseum users
list where your traffic is just dropped. OTOH maybe google et al just uses
that list for working on fraud denial/defeat so you're probably feeding the
beast no matter what.

------
easytiger
Just checked mine. Literally hundreds of entries. 700+

Crikey. Just downloaded all the data and having a browse. 22k line location
file (about 3k locations) stored too. I don't have the app installed on any
device i own. I presumed the mobile page wouldn't have permission. Checking
the data it does seem to stop when I changed phone (samsung preinstall fb app)

    
    
        $ date -d @1495296127
        Sat 20 May 17:02:07 BST 2017
        $ date -d @1573424412
        Sun 10 Nov 22:20:12 GMT 2019
    

What are they doing with ancient location data?

Also have every deliveroo purchase I've made in there they have an entry for
every deliveroo purchase i've made

    
    
       {
          "name": "Deliveroo",
          "events": [
            {
              "id": 4538632xxxx,
              "type": "SUBMIT_APPLICATION",
              "timestamp": 1583216215
            },
            {
              "id": 33897312xxxx,
              "type": "PURCHASE",
              "timestamp": 1583146135
            },
            {
              "id": 3389731270xxxxxx,
              "type": "PURCHASE",
              "timestamp": 1582371142
            },

~~~
papito
Delete Facebook.

~~~
Nextgrid
Deleting Facebook doesn't mean they won't stop stalking you. In this case it
isn't about Facebook collecting data about you, it's about other companies
willingly sending data to Facebook. Deleting your Facebook account won't stop
those companies from sending data to them. The solution is to stop doing
business with all the companies that did share data with Facebook, whenever
possible.

------
huhtenberg
> _Suppose I go to a restaurant, and I booked using my name and phone number.
> The restaurant sends that data to Facebook to say "Terence Eden ate at this
> restaurant on this day."_

Do I read this correctly that a restaurant will just dump its complete visitor
log to FB and then let FB "sort it out".

Meaning that FB gets to vacuum the info on _everyone_ including those without
FB accounts?

~~~
notyourday
This is definitely the case for restaurants that use Yelp and Open Table
booking systems.

~~~
hunter2_
"Open as in beer," if I may.

~~~
LandR
> "Open as in beer," if I may.

What does this mean?

~~~
tW4r
I understood it this way:

OpenTable sounds like it would be open-source, but it appears that it isn't

I think the parent comment to yours made a sarcastic take using a variation of
the popular ambiguity Free as in Beer [1] that usually differentiates between
free as 0 cost and free as freedom as a reaction to the OpenTable software
being free to use rather than open-source

[1]
[https://en.wikipedia.org/wiki/Gratis_versus_libre](https://en.wikipedia.org/wiki/Gratis_versus_libre)

~~~
hunter2_
Heh

------
A4ET8a8uTh0
So one of the comments on the post got my pressure up before coffee had a
chance to kick in:

"It's just offline conversion events being uploaded so you'd stop getting
these ads, or so they can market to you again in the future. You purchased
this product, gave them a phone number.. Not sure where the issue lies? You
agreed to the terms on Spreadshirt which is probably where you opted for
marketing."

This is the basic approach. You give it to us. You agree to whatever we put in
legalese and now we can do whatever we want. What?

It is disheartening, but I agree with the rest of the posts on HN that it is
not at all surprising.

I just don't know how to approach it.

~~~
edmundsauto
Devil's advocate for a moment: why can't the business do whatever they want
with the data? It's not clear to me that I own the data in any single
transaction with a business. I could see us both owning it, either shared or
independently.

For VISA to sell transaction data, that's one thing. But a business that uses
it to run their marketing, using transactions with their business? That seems
less clear.

To further muddy the waters, if I can tell the business how they can use
transaction data, shouldn't they also be able to tell me how I can/cannot use
it? That seems like it would infringe upon bad reviews/etc., but it feels more
consistent.

~~~
JohnFen
> But a business that uses it to run their marketing, using transactions with
> their business?

It's about informed consent. The businesses should at least warn their
customers that they're doing this, and who they're ratting us out to. That way
we can each make an informed decision about whether or not to use that
business.

~~~
mikekchar
What would be even better is if not only would they have to tell you this, but
that you could say, "No. I don't agree to this nonsense" and they would have
to refrain. They wouldn't even be able to deny you service based on that. They
would, of course, be able to use the data if they needed to fulfill the
contract with the customer, or if they had some legitimate reason for using
it, or if there was some legal requirement for using it. Otherwise they would
have to get consent.

It would be a kind of General Data Protection Regulation. All joking aside,
and as much as I've grumbled about implementing it at the company where I
work, I really wish this was a thing world wide.

------
settsu
Perhaps ironically, I'm frankly astounded at the apparent naïveté still held
about Facebook, Google, et al.

> I have never used FaceBook [sic] login for anything

> Facebook doesn't even have my phone number, only my name and my business
> email address.

People, if any company has __A-N-Y-thing __that can be associated with you,
online or offline, you have no privacy. None. It is gone forever.

There is billions of dollars at stake for companies to build as complete a
picture as possible of you and every detail of your life. And billions more
remains on the table. That is plenty motivation to fuel a highly-lucrative
market for accurate, meaningful profiling for years.

Sure, there's a long list of actions you could take to begin minimizing your
exposure, the practicality of each varying widely. But frankly, most of them
would only serve to make going about daily life inconvenient. (And the
correlation between effectiveness and convenience isn't 1:1...)

The best case scenario is your data becoming stale, such that its values
diminishes to a degree that makes it effectively background noise.

There is simply no means of unembedding yourself. But also, more
discouragingly, for most people there is no practical means to avoid being
ingested.

edit: grammar

~~~
zimbu668
You entirely missed the point of my comment when I said

> I have never used FaceBook [sic] login for anything

That was in response to someone saying you could avoid this by not using
Facebook login. Maybe before calling out others' naïveté you should work on
your reading comprehension.

~~~
settsu
Fair enough, I misinterpreted the context of your comment. But I wasn’t
calling anyone out and my point is still valid regardless. (And besides which,
my “point” was just expressing surprise, which doesn’t need validation or
qualification.)

------
saagarjha
> It goes to show, Facebook's level of transparency of data isn't good enough.

I'm actually quite (pleasantly) surprised that Facebook provides this
information, and somewhat curious why the author is angry at them rather than
"Lan Tim 2".

~~~
edent
I'm not angry, just disappointed...

The problem is, they don't give me any meaningful data other than a code name
and an incorrect date. If they'd said "This is from Company X on or around
date Y regarding action Z" that would be more transparent, and more useful.

~~~
saagarjha
Fair, but they might not always have that data. As the other examples show,
they _do_ provide human-facing company names; perhaps in this case there was
none and/or "Lan Tim 2" are the ones that handle all this without Facebook
knowing what's going on behind them.

------
Username_TBD
Home Depot lets you sign up to have your receipts emailed to you. Turns out if
you do this they will send what you purchase to Facebook with your email,
which was connected to my account.

I use Firefox to avoid being tracked by Facebook, and never login with
Facebook. But it looks like I slipped up in signing up for email receipts!

Even if I didn't have a Facebook account, Facebook would still be building a
profile on me using my email address /phone number in anticipation of the day
I made an account.

~~~
weka
I hate this whole new way of handling receipts.

If you order via kiosk in Taco Bell, you have your receipt ONLY by text
message or email. Yep. No print out option.

HOWEVER, if you order via cashier, you CAN print it out.

~~~
edmundsauto
"I bought a donut and they gave me a receipt for the donut. I don't need a
receipt for the donut. I give you money and you give me the donut, end of
transaction. We don't need to bring ink and paper into this. I can't imagine a
scenario that I would have to prove that I bought a donut." \--Mitch Hedberg

[https://www.youtube.com/watch?v=gWx6uA5aCrE](https://www.youtube.com/watch?v=gWx6uA5aCrE)

~~~
blaser-waffle
Mitch Hedberg is great, but I've expensed Dunkin Donuts while traveling for
work many-a-time. And HR/Accounts Payable definitely want to see a receipt...
even for a donut.

~~~
JohnFen
I've never understood expensing trivial stuff like that. It's far more effort
than it's worth, in my opinion.

~~~
sosborn
In an isolated instance, sure. But for those who live on the road, 5 bucks a
day (minimum) would add up quickly enough. Those people are usually going to
be doing the paperwork for other expenses anyway, so just tag it on.

~~~
tialaramex
Prefer a per diem rule. This can be a problem if you're my friend who services
CT scanners around the globe because cost of living varies so much (the same
price of overnight stay in two cities is the difference between a nightmare
hostel and 5 star luxury) but if you mostly do the same trips especially in
country a rule that says here's say $20 per day for food is easier than
collecting and uploading receipts for every burger and coke.

It's easier for you, and instead of fighting expenses abuse and having a bunch
of workers to check the expenses paperwork the business just has an
understandable cost when it sends people to do their jobs.

------
scottmcleod
This is seriously just a purchase event for a t-shirt that OP got. There is no
mysterious Lan Tim 2 its just a random app for a random merchant that uses FB
Ads and uses offline conversion / uploads.

~~~
jstanley
Why do Facebook get that information though?

It's fine that OP bought a t-shirt, not fine that that is somehow reported to
Facebook.

~~~
pbhjpbhj
Quite simply so that "lan tim 2" can track their customer acquisition, they
give the data to FB, FB correlate it with "did the customer see ads on our
network, which ones, how often, etc." and give that back to the supplier.

~~~
jiofih
Which means they are sharing their entire customer activity, _everyone_ ,
including personal data you never forfeited for this purpose (like the phone
number / address used for shipping).

~~~
Biganon
Yeah, I'm not sure I understood OP's innuendo at the end, but this is totally
against GDPR right?

~~~
Nextgrid
The GDPR is not enforced, so there's plenty to gain by breaching people's
privacy and nothing to lose.

~~~
Too
[https://www.compliancejunction.com/first-ever-uk-gdpr-
penalt...](https://www.compliancejunction.com/first-ever-uk-gdpr-penalty-
is-e325k-for-london-pharmacy/)

[https://iapp.org/news/a/germanys-first-fine-under-the-
gdpr-o...](https://iapp.org/news/a/germanys-first-fine-under-the-gdpr-offers-
enforcement-insights/)

------
JohnFen
> Suppose I go to a restaurant, and I booked using my name and phone number.
> The restaurant sends that data to Facebook to say "Terence Eden ate at this
> restaurant on this day." Facebook can then tell if I saw an advert which led
> me to make a purchase.

That's just great. So I guess the gift that marketing agencies have given us
is that we can't trust _anybody_. The only thing left to do is go entirely
cash-only and never give any personal details to any business whatsoever.

The marketing industry has become so toxic that it is now poisoning
everything.

~~~
mdorazio
Not sure how you got to that conclusion. A simple ad blocker and not using fb
would solve this issue entirely. Transaction data like restaurant purchases is
only useful in this scenario if it’s linkable to other online tracking data on
you.

~~~
i1856511
Browser ad blocker can't protect you from the actions of restaurant staff,
acting on their booking software.

Not using fb can't protect you from fb independently creating shadow profiles
with triangulation.

~~~
hammock
>Browser ad blocker can't protect you from the actions of restaurant staff

Then use a restaurant details blocker? Celebrities have been doing this since
the beginning of time. Use an alias. The notion that physical places of
business are collecting our data for their own purpose is not really a new
one.

~~~
bogomipz
Yeah that's not actually true. Celebrities call and give their real names
because being famous means there's always a table available even if when there
isn't one for regular people. Source: In a past life I worked at a destination
restaurant in the front of the house.

~~~
frandroid
Do non-celebrities try to game this?

~~~
hammock
Yes I know a guy who looks like a C-list celebrity, he has called ahead and
gets a table with bottle service. A little bit of research would show the real
celebrity is in another city at the moment but they never do that.

------
bayareabronco
"This is a summary of the 931 apps and websites that have shared your
activity." And "Some of your activity may not appear here." Holy cow!

~~~
code_duck
I only had half a dozen, all from the last month. This is pretty surprising. I
use Instagram regularly, though I only sign into Facebook occasionally.

All of the activity I had was from games that I casually installed and then
deleted in the past month. These are games that I signed into with Google
Play, which displayed advertisements primarily for Facebook.

Speaking of which, some of Facebook's advertisements are absurd.

[https://i.redd.it/czyfotsak2l41.jpg](https://i.redd.it/czyfotsak2l41.jpg)

"Start Reacting Today".

~~~
danlugo92
AI-made ad?

------
AdamJacobMuller
I have LAN TIM 2 on my facebook account and I have never bought anything from
spreadshirt.

Moreover my facebook account is just a dummy one which only has the bare
minimum of information to own my business page, which I don't even post to (I
have dedicated social media people who do that).

Facebook doesn't even have my phone number, only my name and my business email
address.

Very creepy.

~~~
Balgair
> I have LAN TIM 2 on my facebook account and I have never bought anything
> from spreadshirt.

Lan Tim 2 is likely a contract manufacturer. Spreadshirt outsources the
production of their t-shirts to Lan Tim 2. Likely, many companies do this as
well. Lan Tim 2 probably does more than just t-shirts.

It's like with most craft beer sold in cans. The individual breweries cannot
supply the demand for their product, so they have another company that
specializes in mass production do it according to their recipe.

The contract manufacturer is likely the one giving data to FB, not the
spreadshirt.

~~~
AdamJacobMuller
I can confidently say i've never bought any t-shirts.

Perhaps they do other whitelabel manufacturing, but I just looked through my
emails a week around the date and I don't see anything it could be.

Also keep in mind the only thing tied to my FB account is my work email (and
my name I suppose), which I definitely didn't order anything with.

------
DevKoala
I design Ad Tech systems, currently work as an architect for a DSP, and I
deleted my Facebook accounts years ago. People who think they are privacy
conscious and use Facebook are a living oxymoron.

~~~
burkaman
Why do you build ad tech if you think it's harmful?

~~~
DevKoala
I moved to B2B, doing ads for companies targeting employees of other
companies. Convincing you to buy a bad database is not harmful compared to
convincing you buy unhealthy food or feel anxious about not having the latest
in fashion.

~~~
Nextgrid
Does B2B advertising still rely on stalking and collecting personal data?
Personally my problem isn't as much as what the ads are about and more about
the data they collect, essentially creating an ever growing liability for me
up until the entire thing blows up when the data finally leaks.

~~~
DevKoala
We don’t use fingerprinting besides cookies and don’t rely on third party
identity graphs; we have over a decade of experience doing B2B and understand
what works. Also, anticipating the death of the cookie, we are moving towards
contextual technologies over individual identifiers. Understanding a company’s
buying intent is a whole different ball game, takes a lot of data that doesn’t
belong to any single individual. It is intrusive to individuals because we
infer your employer, but we don’t care about anything else; we operate at a
macro level and that keeps us ahead.

~~~
chaps
You infer peoples employer using what methods? I _genuinely_ don't understand
why you'd think that's an acceptable thing to do.

~~~
DevKoala
We don’t collect PII, emails, scrap profiles, etc. We are not in a situation
in which someone could perform a few joins and know who was reading what,
that’s not how we designed it. If anything, we use a lot of financial and CRM
data.

~~~
chaps
Er... maybe you're not being clear in what you do, but when I think of
"financial data", I think of information that the general public would prefer
nobody outside of their bank would have access to. Am I missing something?

I swear I'm not trying to be overly confrontational, but... what you're saying
makes me think that you're just a bad guy who uses naive mental gymnastics to
rationalize their dystopic contributions to the world. _Please_ prove me
wrong. I want to give you the benefit of the doubt, but... you're not making
it easy.

~~~
DevKoala
Think industry financial firmo graphics type data. Not your CC transactions.
Also, I am not a moral compass. I have just done enough to feel proud of what
I do while still making bank.

~~~
chaps
I have no idea what that means.

Edit: If you're not a moral compass (ie, you haven't put any thought about
whether you're actively causing harm in the world), then you should at least
try to say that on the onset.

------
cfv
When the game is at this stage it's better to just not play.

When an advertising platform has to pay fartsniffers to follow you around to
offer marginally better ctr than email spam, maybe just don't run ads?

Work manually on growing networks of users, actually walk up to them and chat,
talk in relevant business forums and you won't spend thousands of dollars you
don't have casting a net in hopes of finding people who more likely than not
just don't want to be associated with your practices.

~~~
ainiriand
That is very true. Also the Google Page Rank has evolved strongly towards that
direction. If you have meaningful content, praised by your peers, you get
better organic traffic.

------
poorman
Am I the only one who thinks it would be pretty cool to hook this up as SaaS
product that sends me an alert when I get a new offline conversion? Kind of
like how my credit card sends me a push notification when I get charged for
something. I like the level of transparency it provides.

Then you could also do something on a case by case basis where you can click
to say “I don’t want Facebook to have this offline conversion.”

------
qwertox
I just checked, and have "LAN TIM 2" and "DiepTrinh" on my list.

The data from "LAN TIM 2" was sent to Facebook on the 5th of March 2020,
yesterday that is.

The only stores I've shopped at lately were ALDI and EDEKA, and yesterday I
bought a Webhosting offer directly at the hoster's site, no third party
involved.

I have never bought a custom shirt.

What I do have is a Motorola G7 Plus, which is filled with uninstallable
background services from Facebook. Two days ago I upgraded it to Android 10
and now all those background services, like "Facebook App Manager" or
"Facebook Installer", "Facebook Services", all names which truly frighten me,
are activated again. I had deactivated them months ago on Android 9 as soon as
I got this phone. I really am wondering about the data this phone is pushing
to Facebook without my consent.

I really wonder what caused those two entries, I never give any consent to any
company to share my data.

God I hate Facebook, they are the cancer of the internet.

~~~
smtpserver
I have DiepTrinh as well and as I track my expenses I know for sure that I
have not bought anything on the day they appeared on my list.

------
evanb
If it is Spreadshirt, doesn't going by `Lan Tim 2' violate Facebooks real
names policy? Or is that just for peons?

~~~
adrianmonk
From the article, it sounds like Spreadshirt outsources its manufacturing.
(Just guessing, but they may even do drop shipping.)

There's no specific reason to believe this isn't the real name of the
manufacturer. I tried to find more information about Lan Tim to see if that's
likely the case, but I couldn't, but that's not very conclusive.

------
CollinEMac
You can deactivate Off Facebook Activity.

[https://www.facebook.com/off_facebook_activity/future_activi...](https://www.facebook.com/off_facebook_activity/future_activity)

~~~
Nextgrid
You are naive if you actually believe Facebook will actually stop associating
the events with your profile just because you disable this setting.

------
misiti3780
Interesting and scary post.

But raises a more important question: If you are reading this and don't like
it - why do you still have a FB account?

~~~
edent
Because humans are a social species. Abstinence is unrealistic for most people
[https://shkspr.mobi/blog/2020/02/abstinence-isnt-safe-why-
qu...](https://shkspr.mobi/blog/2020/02/abstinence-isnt-safe-why-quitting-
social-media-isnt-the-solution/)

~~~
ablation
That’s a bit of a flawed argument. Facebook isn’t the only place online or
offline where humans can socialise. Making the argument that staying with
Facebook just for one potential (and flawed) avenue for socialising is to
ignore myriad other ways to socialise.

~~~
dhosek
Except that it's where the people that I would choose to socialize are. My
twitter social graph is has nearly no overlap with my FB graph. For me twitter
is mostly writers/literary types, FB is mostly people I know in real life
(although most of my interaction on FB has been with interest-based
communities for which no analogue exists outside of FB).

That said, I'm doing a social media fast for Lent. It's entirely possible that
when Easter comes I might not go back to either Twitter or Facebook.

------
notyourday
Camera! My bloody _camera_ application that came with a phone pushes activity
to facebook!

Google Chromecast shares activity with facebook!

~~~
jeroenhd
Based on some of the network analysis I did on my phone, I think this is
related to Facebook's analytics engine. Most apps I've seen communicate with
graph.facebook.com to send telemetry (when which screen was opened etc.).

It wouldn't be beyond Facebook to immediately connect that telemetry to your
user profile, making these apps show up in your profile.

~~~
notyourday
Why would Google send anything to Facebook from its Home app ( the one used to
control Chromecasts )? It's beyond short sighted to feed data to a competitor.

~~~
teejmya
In what world are these two competitors? Would people "quit" Facebook to
"join" Google?

You are the product in both of these companies, why wouldn't they work
together? Ethics, sure, but that won't stop them.

~~~
notyourday
They have the same customers and customers have a finite advertising budgets.
When Facebook gets more Google data it benefits the "result" of the ads on
facebook which in turn over time gets more $$ shifted there.

~~~
antonyh
1\. Who knows what data Google is giving back in return? 2\. Neither want a
monopoly. A duopoly is far more resistant to regulation. 3\. Many business
will advertise on multiple channels. So long as they edge out the others it's
fine by them. They know they are the two premium outlets.

------
awinder
This seems like a decent level of effort to build out especially if it’s to
become an effective thing. What’s driving it, is it to show that facebook ads
are delivering a total value in excess of the online conversions? Is this
being done because there’s questions over Facebook ads value return? Are we
sure that Facebook ads even do deliver good value prop, like is this program
showing successful linkage / is that linkage ad-related or organic?

------
Vinnl
A bit off-topic, but does any one know how to get to the Off-Facebook Activity
page by clicking through the interface? I've only seen links to it in
articles, but I'd like to be able to show it to people who are logged in to
Facebook.

~~~
kevinastone
On the web, it's Settings -> Your Facebook Information -> Off-Facebook
Activity.

~~~
Vinnl
Thanks!

------
tim_sw
Facebook also tracks your location via phones and has your location history -
not sure if this is surfaced in this latest attempt at transparency

[https://about.fb.com/news/2019/09/understanding-updates-
to-y...](https://about.fb.com/news/2019/09/understanding-updates-to-your-
devices-location-settings/)

~~~
wil421
If you don’t have the app does the website track your location on mobile or
desktop?

~~~
edent
If you have given the FB website permission to use your browser's location,
then it could track you. If you haven't, the best it can do is IP location.

For example, if you try to login from an unknown computer, you'll get an email
asking if it was you - that usually contains a rough location based on IP.

------
lqs469
This reminds me of a meme, "My wife asked why I spoke so softly in house, I
said I was afraid Mack Zuckerberg was listening! She laughed, I laughed, Siri
laughed, Alexa laughed"

------
dehrmann
A while ago, I switched to per-site email addresses and a burner phone number
I give to anything that isn't a financial institution or healthcare provider.

~~~
rsync
Smart. Recommended. Twilio makes this very simple.

~~~
TeMPOraL
Assuming Twilio doesn't leak your data. It doesn't, right?

~~~
Nextgrid
Even if Twilio did leak the fact that the author signed up to Facebook it is
still a lot better than leaking every single merchant to where the user has
been.

~~~
TeMPOraL
Not necessarily. Twilio leaking would mean all the identities you thought were
separate are one JOIN away from being aggregated into one.

See also:
[https://news.ycombinator.com/item?id=22505464](https://news.ycombinator.com/item?id=22505464).

~~~
Nextgrid
I am aware of this. I just don't understand what Twilio will gain from sending
every single phone number you provision through them to Facebook or another
advertising partner. It would actually pollute the data if they were to send
these events from a high-volume customer that resells Twilio numbers to their
own customers (who aren't doing business directly with Twilio and most likely
aren't aware of it at all).

------
hadrien01
This is in blatant violation of GDPR. At what moment did you as a user
authorize Spreadshirt to communicate your private information to its partner
"Lan Tim 2", and how does "Lan Tim 2" assume it can transfer your data to
Facebook?

~~~
ajross
Lan Tim 2 was a subcontractor for the merchandise, and probably shipped it
themselves. I'm no expert on the GDPR but I'm sure it has some kind of carve
out for this kind of (very traditional, very routine) business arrangement.

The sharing with Facebook seems presumptively illegal. But I'm guessing the
author isn't in Europe.

~~~
tialaramex
Nope, GDPR (and similar legislation before it) is explicit, you (even an
individual "Sole Trader" in the course of business) need to _explicitly_ get
permission to store or process people's personal information and you need to
explain what will get done with it. You can't say "Eh, you know, stuff" and
you aren't allowed to change your mind without requesting fresh permission
(which obviously most users won't grant). You also need to make it possible
for anybody to see what you've stored about them, and ensure you fix any
mistakes promptly.

You _might_ get away with being somewhat vague about who needs it, e.g. maybe
you can say "Our delivery contractors need to know your address" and not spell
out which companies you've contracted with for delivery. But it's on you, the
outfit the user gave their personal information to, to enforce that e.g. "This
phone number is for calling our recipient about the delivery, you can't keep
it after the delivery is successful and you can't give it to anybody else"
through contractual arrangements or whatever other reasonable legal steps.

I am in Europe (though it's England, so eventually no longer subject to EU
regulations sadly but it does have a Data Protection law anyway) and I see
this "Lan Tim 2" crap in my Facebook as well. If I have bought anything from
Spreadshirt it was months (maybe years?) before the supposed "Off-Facebook
interaction" listed by Lan Tim 2.

I actually wouldn't be astonished if this comes down to:

* There's an incentive (maybe not by Facebook) to create tremendous numbers of "Interactions".

* It is possible to create fake Interactions by generating garbage, e.g. lists of randomly chosen phone numbers or email addresses and sending them to Facebook.

* So somebody creates accounts maybe initially with real business names "South China Air Freight Inc." and then they get lazy "So Lee" ... "Lan Tim" ... "Lan Tim 2" and they upload random garbage to harvest the incentive.

* This publicity drives Facebook to eliminate the incentive or make it too hard to upload garbage so that the incentive isn't worth it, and the "problem" goes away.

------
glangdale
Ah! This _might_ explain some of the weirder "wow, how could Facebook have
known about this short of using the microphone" moments that I've had
recently... well, short of either (a) using the microphone or (b) grovelling
through vast piles of much more easily accessible external-to-Facebook data.
Interesting.

------
sneak
This is a good reason to use a service like Burner (
[https://www.burnerapp.com/](https://www.burnerapp.com/) ), and also probably
to cycle your GSM handset number at your carrier multiple times per year, as
TFA notes. (Switch to TOTP or U2F for two factor.)

I already use anonymous single-use email addresses for a lot of services
(anonaddy.com is good for this), and I think in the future I'm going to just
decline to use anything that demands a phone number of me. Far, far too much
of it is being sold to third parties as soon as it's obtained by these
companies.

[https://techcrunch.com/2018/09/27/yes-facebook-is-using-
your...](https://techcrunch.com/2018/09/27/yes-facebook-is-using-your-2fa-
phone-number-to-target-you-with-ads/)

~~~
Nextgrid
Ironic that the service that's supposed to protect my privacy redirects me to
a tracker (adjust.io) when trying to download their app. I'm also willing to
bet good money the app itself will have creepy tracking built-in.

------
CoryAlexMartin
I feel even better about resisting Facebook's attempts to get me to provide my
phone number.

If I'm remembering right, they had two methods they'd switch between:

A. By emphasizing how much more secure it would make my account.

B. By telling me how many of my friends have provided theirs, which is a
blatant attempt at manipulation via peer-pressure.

~~~
rhizome
OKCupid is making a lot of noise these days about requiring a phone number,
right after Facebook themselves had a massive breach (267+ million numbers):

[https://www.forbes.com/sites/johnbbrandon/2019/12/19/267-mil...](https://www.forbes.com/sites/johnbbrandon/2019/12/19/267-million-
names-and-phone-numbers-leaked-online---and-theyre-all-from-
facebook/#3cf81c4c5a6b)

Either it's a bizdev scam that they're all trying to get in on, or they're
clueless. I lean toward the latter but expect it to be the former. Surely they
can raise ad rates with the extra PII, I'm guessing?

------
jvagner
What would a "Real Privacy Problems" website/blog, aimed at
individuals/consumers, look like and need to do to be an effective site to a)
inform, and b) empower people to hold companies and our governments more
accountable for the regulatory and industry environment in which we operate,
and c) empower those individuals to make the changes in their own tech and
behavior to minimize their own exposure?

------
soared
A few comments and op were trying to align dates listed in fb to dates they
made purchases based on cc data and haven’t been successful. I don’t know if
it’s the case here, but working with dates in facebook ads is a bit of
headache. Those dates might be when the transaction was made, when it
processed, when the product was shipped, when the user first saw an as, when
they last saw an ad, etc.

------
martinko
I am stunned that despite having ublock origin and privacy badger in chrome, I
still see numerous sites sharing my data. What plugin disables this?

~~~
notRobot
None of them. You sign up to a website, they'll get your name, username, email
and turn it over to FB.

~~~
netsharc
I made the mistake of using the same "throwaway" email address for Facebook as
all my online orders. Of course many of the stores uploaded their data on me
to Facebook...

The bitchy thing is, even an Android app like MX Player or Maps.ME was sending
events to Facebook, but FB's JSON just said "custom event"...

------
vietvu
I don't know the technical details, but the name itself looks like Vietnamese
name, stripped from Vietnamese accent. The one with accent might be "Lan Tím
2".

Also since it is related to Spreadshirt, many Vietnamese are working in
t-shirt making MMO, which make it even more suspicious to me.

------
CrankyBear
It's really pretty simple. If you use Facebook to login to other services,
they're connected. If you're concerned about it, don't use Facebook as your
ticket to all the other services out there.

~~~
zimbu668
That is not true, I have never used FaceBook login for anything, and certainly
not for the 12 services listed in my "Off-Facebook Activity" tab.

~~~
rolph
i just get a facebook loginpage when i click the link. I dont use facebook
thus dont have an account and never have. I wonder what is the difference?

------
bashmelek
Is it just coincidence that the name is a lot like
[https://en.wikipedia.org/wiki/Tam_Lin](https://en.wikipedia.org/wiki/Tam_Lin)

------
smarri
If true, this is absolutely outrageous behaviour from Facebook and companies
involved or doing similar things. It's stalking branded as advertising.

------
anotheryou
I always prefer to log in not through facebook and voila: no app in my list :)

I mean, what did you think happens when you sign up via facebook?

------
fyp
Why the fuck are government websites like coveredca.com sharing information
with facebook? I don't use facebook logins with it.

------
etxm
As a person that doesn’t use Facebook, the restaurant thing makes me want to
punch Facebook employees.

------
peter_retief
A good reason not to have facebook on your phone or create a facebook account
linked to you cell number.

~~~
zeveb
Interesting … it occurs to me that Signal ties everything to phone numbers,
and is presumably able to see which phone numbers are communicating with one
another (since they route messages between accounts and don't use private
information retrieval). I wonder if they resell any of that information.

~~~
tialaramex
Signal doesn't know who sent most messages between friends.

Signal users have a "profile" which is encrypted, and their device can give
the keys to other people. By default it'll give keys to Contacts you message
on Signal, and this encrypted profile has more keys and tokens inside it that
people can use to send you stuff. So when you send a Signal message to your
friend Alice, what Signal sees is that somebody sent this encrypted message,
which comes with a token proving Alice authorised somebody to send her a
message.

Alice's device decrypts the message, and in doing so it decrypts a MAC which
it can then examine to prove that this is a message from zeveb (or Alice has
faked a message to herself but like, why?). Signal never learns who you were
in this process.

So, if you use Signal to communicate with strangers and they haven't
overridden the defaults (you can say you love strangers and don't mind spam,
in which case this Sealed Sender technology works for anybody sending you
messages) they would if they wanted to be able to figure out this
relationship, and then monetize it. They explicitly promise not to, but I
guess if you want to you could believe that Signal is the problem and we
shouldn't worry about Facebook.

I definitely have a bridge for sale you should enquire about, also that big
iron tower in France? I can get you a good deal on the scrap.

~~~
zeveb
> Signal doesn't know who sent most messages between friends.

Why not? They know which device sent the message (because Signal were sent it)
and they know which device received it (because Signal sent it). I know that
they have some really clever ways to forget the sender information and still
route the messages, but we really don't know that they actually do forget it.

> They explicitly promise not to, but I guess if you want to you could believe
> that Signal is the problem and we shouldn't worry about Facebook.

I think Facebook is a far greater problem, but I also worry that Signal is a
problem too. It's not either/or but both/and.

~~~
tialaramex
> They know which device sent the message (because Signal were sent it)

"Which device" here meaning they have an origin IP address for the traffic? Is
that what you think most people mean by "sender" ?

Like, who sent this postcard "A pillar box in Westminster, London" ?

If your quibble was that this isn't technically completely anonymous I'm down
with that. But the original claim was that Signal can tie this to a phone
number, and "We could tell the IP address of the sending device" isn't that at
all.

If you are worried about IP addresses then just as with literally everything
else the only effective way to hide your IP is Tor. But then why bring Signal
into this?

------
intsunny
I also have "Lan Tim 2" in my account. But I've never even heard of
Spreadshirt until now.

Strange.

~~~
tialaramex
It's shown on my account too, it's the only thing shown. I use a Container to
ensure Facebook doesn't connect my presence there to anything else, but
evidently "Lan Tim 2" wasn't fooled and somehow connected... something to that
account.

I also have access to an account for a fictitious member of an old web comedy
group I was part of. They don't have anything from Lan Tim 2, but Lê Linh did
register some "Off-Facebook Activity". Which is impressive for a person who
doesn't even exist. Good quality data, obviously, from both Lan Tim 2 and Lê
Linh.

------
jkaplowitz
I've never made a Facebook account because I haven't wanted to agree to their
data collection practices, terms of service, privacy policy, etc. How can I
see what they have on me without agreeing to those things? (At minimum they
should have records of their attempts to recruit me as an employee, but I
never initiated those and never proceeded beyond a polite "no thanks" email
reply.)

I don't get the benefit of GDPR or CCPA since I live in Quebec, Canada rather
than the EU or California. But, I wonder if there's a way for me to send a
request based on Canadian or Quebec privacy law, since they do have an office
and plenty of users here in Quebec? Or have they effectively firewalled that
stuff off from whatever entity controls or processes the data?

~~~
JohnFen
> How can I see what they have on me without agreeing to those things?

You can't. It's part of the perversity that is Facebook -- in order to be able
to see (and delete-ish) the data they have about you, you need to sign up for
an account and give them more data about you.

------
gcbpp
the fact there is no "household" or "user targeting" to be found in this
comment thread with currently 265 comments tell me there are only clueless
pundits.

every single advertising company already sell advertisements by "household"
where they clump together all accounts assumed to be from one user and their
family/roommates, effectively going back to aggregate IP targeting, but not
saying its using IPs because that tarnish things with GDPR et al.

also, even if not using household, they sell by "people targeting" vs the old
"device targeting", which again breaks all account separation people here
assume.

I strongly suggest people minimally interested in privacy or advertising to
create an account with any advertising network, or at the very least look up
youtube videos on how marketers create and target campaigns.

------
mstg
Using Facebook for Business does not violate GDPR as long as it's stated in
the privacy policy. Which for example Airbnb do mention
([https://www.airbnb.com/terms/privacy_policy#sec201910_4](https://www.airbnb.com/terms/privacy_policy#sec201910_4)).

Other situations where Facebook processes data sent by third parties to show
relevant ads for said third party and not use the data to match for other ads
is also legal under GDPR, since Facebook only acts as a data processor to act
on behalf of said third party.

When ordering from Spreadshirt, you may be ordering from a partner that uses
Facebook for Business and their privacy policy apply to you. This is also
stated in Spreadshirt's privacy policy.

GDPR is not an umbrella protection for all type of tracking, even though it
usually is brought up as such. It only makes sure you have insight in what is
getting shared, a way to export, modify and delete said information. In
shop/partner situations, you have to contact the partner to request deletion
as the shop is not responsible after your approval.

I may be completely wrong, but this is my general understanding.

~~~
robin_reala
Just putting it in the privacy policy isn’t good enough. The general consensus
is that unless you’re claiming another legal basis for your processing of data
(which would be hard to argue here), consent needs to be informed, opt-in, and
granular per usage. I don’t see evidence of that in this story.

------
imhoguy
This is GDPR bomb.

