
Off-Facebook activity - bigbaguette
https://www.facebook.com/off_facebook_activity/
======
thegeekbin
Clearly I need to step it up. I was (unsurprisingly) surprised at what I've
observed they've managed to correlate. I run standard pi-hole, resist
fingerprinting, and normally go through a VPN (mainly because I'm on public
wifi half the time when travelling). I haven't logged into facebook in about
four years, just did it for the first time today to see what's been
correlated.

Aside the mountain of irrelevant notifications, here's what I've observed in
this report that's concerning.

1\. Albeit some data has been correlated properly (banking applications which
is scary on it's own part it's sending data to facebook, imgur, Xbox, my telco
provider, and a few misc blogs I've visited a handful of times per year), it's
correlated a significant amount of data that may not belong to me (good thing,
I suppose?)

2\. Why the heck are banking applications sending data to Facebook as
"CUSTOM", with no context? For example, RBC bank in Canada sends "CUSTOM" data
(haven't been with them for over two years, but all interacts labelled CUSTOM)
and Facebook will not give any more context on the _exact_ data it received.
Little scummy, Facebook.

Well, time to sweep this up and resist tracking more. Let's see how it works
this time round.

~~~
xfalcox
You will want to use Firefox containers in order to isolate the Facebook
cookie into a container to limit this.

~~~
untog
Unfortunately there are no good answers for this on mobile.

~~~
propogandist
if you're using android you can get add-ons for firefox. Also, you can use a
firewall app like Netguard [1] to prevent apps from calling FB
(graph.facebook.com)... I see most apps attempting to do this, and it's often
the first thing they do.

There's similar setups on iOS, I am just not very familiar with the app names.

[1] [https://github.com/M66B/NetGuard](https://github.com/M66B/NetGuard)

------
jannes
My off-facebook activity was empty. That's encouraging, because it looks like
my countermeasures have been working:

\- Fingerprinting resistance in Firefox (privacy.resistFingerprinting = true)

\- First-party isolation in Firefox (privacy.firstparty.isolate = true)

\- Blocking third-party cookies in Firefox (network.cookie.cookieBehavior = 1)

\- Firefox container when I need to login to ad/tracking companies (Facebook,
Google)

\- uBlock Origin

\- Cookie AutoDelete

\- PiHole on my home network

~~~
abdusco
How do you cope with constant reCAPTCHA prompts? I get prompted by Google when
using search, because it thinks I'm a bot if I'm anonymous enough.

~~~
ddalex
There should be an extension to automatically filter the reCAPTCHA-using sites
out of the results of the search engines.

~~~
saghm
I think GP is saying that Google itself is presenting the captchas, not the
Google results they click. I've had it happen a couple of times when using
VPNs before.

~~~
ddalex
reCAPTCHA is a Google product, but the owner site needs to actually integrate
it, so it's a conscientious decision

~~~
saghm
I might not have been clear; sometimes when using a VPN, you can't even load
Google search results until you submit a captcha. If you go to "google.com",
it will make you enter a captcha before you can search anything.

~~~
ddalex
Ah that's fair, Google captchas VPN users, but I don't think it's recaptcha,
it doesn't look exactly the same.

Having done this in a previous life, they do this because they fight against
scrapping their search results.

------
alasdair_
To me the thing that bothered me most was that a mental health site
(Psychologytoday.com) that I used to find a therapist was passing the
information on my searches to Facebook, presumably to aid in targeted
advertising.

Honestly, I think that health-related searches that are directly tied to a
specific individual (especially without informed consent - I didn’t log in or
receive any notice this was being done) should be covered by HIPPA just like
any other personally identifiable health record.

The other weird one was the huge amount of data my bank was sending. 20+
requests per session. I have no idea why they would do that.

~~~
sizzle
This needs to be brought to the attention of legislators. Our digital health
data needs to be protected like it is in a real world setting.

I wonder what Google is doing with all those health related searches I'm
making...

~~~
alasdair_
I think a solution would be for people to own their own personally
identifiable information, in much the same way that a celebrity can own their
“likeness”.

Unauthorized copying or use of this information could be simple copyright
infringement, which is apparently criminal enough to involve the FBI if you
are a movie studio with enough money spend on political donations.

------
wukerplank
Wow that's creepy. It lists apps where a) I didn't use FB login/signup and b)
used a different email address to sign up. How do they cross-reference that to
me? Hand how can I prevent that outside of their tools (which I assume still
violate my privacy)?

~~~
akie
What you can do to prevent this is:

1) Install
[https://www.eff.org/privacybadger](https://www.eff.org/privacybadger) to
prevent trackers from being loaded

2) Install [https://addons.mozilla.org/en-US/firefox/addon/cookie-
autode...](https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/)
to delete any cookies you might have accepted after a week time or so, which
prevents the infinite gobbling-up of your data after innocently accepting a
cookie once

3) Install the Google, Facebook, Twitter and Amazon containers to "separate"
your browsing with these sites from the rest of your browsing. Links:
[https://addons.mozilla.org/en-US/firefox/addon/facebook-
cont...](https://addons.mozilla.org/en-US/firefox/addon/facebook-container/)
[https://addons.mozilla.org/en-US/firefox/addon/twitter-
conta...](https://addons.mozilla.org/en-US/firefox/addon/twitter-container/)
[https://addons.mozilla.org/en-US/firefox/addon/google-
contai...](https://addons.mozilla.org/en-US/firefox/addon/google-container/)
[https://addons.mozilla.org/en-US/firefox/addon/amazon-
contai...](https://addons.mozilla.org/en-US/firefox/addon/amazon-container/)

Also, if you are creeped out by this, just imagine the amount of data Google
has on you. I'm convinced they have way more, just by virtue of every website
having Google Analytics installed.

~~~
StavrosK
Those are good, but they don't work for what the GP is talking about. I'm
seeing games/apps associated with my FB account even though I never logged in
to FB with them or gave them any info. I literally just opened the app and
that activity was associated with my FB account.

I have no idea how they're doing this, since they didn't even request storage
access (or I didn't give it). Can any Android developer here chime in on how
an app can figure out my Facebook ID even though I don't even have Facebook
installed on my phone and didn't give any sort of credential or access to the
app?

~~~
monort
I think they cross-reference Android Advertising ID in their SDK. Have you
ever logged to Facebook from your phone?

[https://developers.facebook.com/docs/app-
ads/targeting/mobil...](https://developers.facebook.com/docs/app-
ads/targeting/mobile-advertiser-ids/)

~~~
StavrosK
I have, either in the browser or in Swipe (a third-party app). I've never
logged in to or installed the Facebook app or Messenger.

~~~
monort
Try to opt out of Advertising ID (Settings -> Google -> ads) and see if apps
continue to be associated with your facebook account. I suspect Swipe sent
both your account ad advertising id during login.

~~~
StavrosK
I opted out of Google advertising a long time ago, I think in the end it was
Instagram/WhatsApp that did the dirtywork.

------
kpozin
In my profile, they managed to obtain a `PURCHASE` event from Macy's -- for an
_in-person purchase at a physical store_. Macy's has my email address and
certainly linked it to my credit card number, but this is nonetheless
seriously creepy.

I just tried to change my email address on Facebook and discovered that they
canonicalize plus and dot variations in gmail.com addresses, and thus claim
that the new email address is already associated with an account. Ended up
having to create a completely new email alias on my own domain.

~~~
lawlessone
>, they managed to obtain a `PURCHASE` event from Macy's

interesting.. they could use that to predict earnings..

~~~
cosmie
You don't even necessarily have to predict earnings. If you've ever connected
to your financial account via a service like Plaid or it's ilk, that service
has an API endpoint[1] they can call to neatly package up your income
information. Sometimes it seems innocuous and unassuming for a one time use
like identity verification, or to set up automated payments, or a one off
transfer/disbursement. Other times it's for stuff like getting a consolidated
view of your personal finance (i.e. a transaction aggregator such as Mint).
But if you authenticate for anything, that service has access to everything.

And unless you rotate your financial passwords on a frequent basis, that
access continues pretty much indefinitely[2].

[1] [https://plaid.com/products/income/](https://plaid.com/products/income/)

[2] Not true for 100% of cases, but a general rule of thumb that's applicable
to the majority of institutions they log into with your credentials.

~~~
alasdair_
By “they” I assumed the GP was talking about Facebook being able to predict
Macy’s earnings before they were publicly announced. That would be pretty
interesting to see :)

------
ivyirwin
My first reaction to this was to be creeped out. Even being in the industry
how did all of these sites (560) have data about me that they were willingly
sending to Facebook without my permission. And while I have a Facebook
account, I am not a Facebook user – as in I've logged in twice in the last
year to see a neighborhood post or the like.

But then I went from creeped out to oh shit as sites I run were on the list.
The way Facebook puts it, these businesses are actively sharing data with
Facebook for the businesses benefit. But as a developer who has been asked to
put a pixel on a site many times, I have to rethink the data exchange here.
Obviously the sites are not getting the benefit that Facebook is receiving
from everyone piping in data – often unknowingly.

~~~
papln
> Obviously the sites are not getting the benefit

How is that obvious?

Surely sites would eventually stop going through the extra effort to maintain
trackers if they didn't get a benefit?

------
vinaypai
I realize this is an unpopular opinion around here... but can anyone explain
how they have actually been harmed by this? Like for real not in abstract
notions of "creepiness" or whatever. I, for one with Facebook actually figured
how to do something useful with that data and not be that raw sewage stream
that basically led to stop logging in.

~~~
gummydog
The harm is that Facebook gains control over prediction markets that they then
sell to the rich and powerful to nudge enough of the population to their
points of view. These points of view are often not in the general public
interest.

~~~
mrgreenfur
Agree here; Given the insane hours that people spend in FB, the feed becomes
part of their reality and better nudges affect their outlook on the world,
their spending decisions and their political directions.

------
pjc50
Hmm. I have no website activity listed - but seemingly every single Android
game and a few other apps is sending "activity" to FB, despite me never using
any feature to associate the two. This sounds like:
[https://privacyinternational.org/report/2647/how-apps-
androi...](https://privacyinternational.org/report/2647/how-apps-android-
share-data-facebook-report)

Any sensible way of stopping this?

~~~
Nextgrid
Blocking the entire Facebook ASN at the firewall/network level stops this.
Google is a bit more tricky as they also have GCP so you can’t block their ASN
without also blocking innocent services.

~~~
s_Hogg
How does one do this?

~~~
pjc50
Specifically, how do you do it on a normal Android device? Is it even possible
to do this on an iOS device that's on 4G or someone else's wifi? Do iOS
devices have the same "leak"?

~~~
MagnumOpus
> Is it even possible to do this on an iOS device that's on 4G

No.

> Is it even possible to do this on an iOS device that's on [...] someone
> else's wifi

Yes, since you can do it on your device, and do not have to do it on the
router. Drawback is you have to do it for each Wifi network anew.

> Do iOS devices have the same "leak"

Yes, there is nothing that prevents apps from phoning home (or phoning every
one of a dozen data collection "partners")

~~~
newscracker
>> Is it even possible to do this on an iOS device that's on 4G

> No.

If it is a DNS server change on 4G/LTE, it can be done by using FOSS apps like
DNSCloak on iOS. [1]

[1]: [http://github.com/s-s/dnscloak](http://github.com/s-s/dnscloak)

------
nonbirithm
I was surprised to see that Plex is sharing a bunch of interactions with
Facebook despite me only signing in with email. They seem to just blindly
correlate the email address with whatever Facebook account it points to. There
is no mention of Facebook on their privacy page[1]. As a lifetime Plex Pass
holder this has damaged my credibility with them.

One of their employees says this is in error[2] so hopefully it will be fixed.

I guess signing in with email is pretty much equivalent to contacting Facebook
if this is possible to do.

Besides that there are physical retailers that send data to Facebook even
though I don't recall giving them any idea identifying info. I feel powerless
since I rely on Messenger for communication with friends, who I've tried and
failed to convince to switch elsewhere.

[1] [https://www.plex.tv/about/privacy-legal/privacy-
preferences/](https://www.plex.tv/about/privacy-legal/privacy-preferences/)

[2] [https://forums.plex.tv/t/why-is-plex-sharing-my-
activities-w...](https://forums.plex.tv/t/why-is-plex-sharing-my-activities-
with-facebook/534222/5)

~~~
prophesi
Yeah, I was really surprised to see Plex in my friend's off-FB-activity list.
I've been wanting to switch to Emby, but I already have a Plex lifetime
membership, and it would be difficult to get friends to make the switch. I'm
not liking Plex's direction with getting into the streaming business, along
with this FB spyware mishap.

~~~
thekyle
> it would be difficult to get friends to make the switch

Could you elaborate on why this is an issue? Plex doesn't really have network
effects and is usually only managed by 1 person.

Maybe you give your friends access to your instance? In which case it seems
like they are in no position to complain.

~~~
guftagu
Emby doesn’t have good apps for as many platforms as plex does. I use plex on
my PS4 where Emby doesn’t have an app.

~~~
prophesi
Yeah, this is probably the main reason. I know two friends who use Plex
exclusively on their PS4.

I'm also not the only one in my group maintaining a Plex server, so they'd
incur a transitioning cost as well.

------
feintruled
Deliveroo has evidently been sending them all my orders. Or at least, there
are as many 'interactions' as I have made orders. I don't log in via my
Facebook so that is an unwelcome surprise.

~~~
lprd
Same here. I had to recollect if I even signed up with Facebook. After
checking my Deliveroo settings, it seems that my FB account isn't even
connected. This is insane...

~~~
culturestate
Do you use the same e-mail address for both Deliveroo and Facebook?

If so, that could be how they matched you. Facebook lets businesses create
custom retargeting audiences[1] from existing customers, and you can
(obviously) include interaction data in order to segment e.g. frequent
customers from occasional customers.

1\.
[https://www.facebook.com/business/help/1472206006327390](https://www.facebook.com/business/help/1472206006327390)

~~~
feintruled
I suppose that would explain it. I can't see what Deliveroo get out of it
though, and how they might expect Facebook to have a better handle on what
sort of food I would order and how often as opposed to Deliveroo themselves,
who know. I wonder if they have plans for service expansion into "Deliveroo
but for X" and want to see what their customers are into. Or perhaps they want
to see if I am two-timing them with Just Eat!

Funny, I now remember reading a post from someone claiming that if they
ordered an online grocery shop off a company that was not their usual, like
magic a voucher would appear from their original company. I assumed this was
coincidence, but this is the exact mechanism that such a thing could happen.

Of course this could also just be a manifestation of the trend of companies
desiring data for data's sake, and a load of deliveroo managers are sitting in
a meeting somewhere looking at a graph showing an intersection of people who
are into retro computing and also like burritos and trying to brainstorm some
strategy off such trivia.

~~~
culturestate
> how they might expect Facebook to have a better handle on what sort of food
> I would order and how often as opposed to Deliveroo themselves

That's not really the idea - they're just trying to serve you ads wherever
they think you might see them. Retargeting (whether it's through Facebook ads
or AdWords or what have you) is one more engagement lever alongside push
notifications, emails, etc.

------
yason
I had a few - all of them from my Android apps and via Facebook business tools
i.e. the vendors are actively pushing my data to Facebook. One utility app
that I'm not surprised about, one that I'm a bit more surprised about but the
interesting bit was G-Shock Connect (for the watch).

I installed their app once, figured it doesn't properly do the only thing I
needed it for (show battery charge level), and I went to uninstall it. How did
it find itself on Facebook?

The app wasn't given any permissions and I did not enter any personal
information. The TOS did require giving consent to sending app and watch usage
data but I didn't tick allowing that for marketing purposes nor was personal
information mentioned, just identification data from the phone itself,
operating system etc.

The app must have obtained my phone number or email from the phone's personal
data. Apparently that's possible even if I declined all explicit permissions.
They might be able to find my Google email by using Android's AccountManager
apis. Phone number might be possible but slightly tricky and I think I
disconnected my phone number from Facebook way before installing their app.

Interesting stuff - looks like everything should run in an anonymous container
by default on phones, too. I hope we'll get there soon. Still, a lot of this
is based on trust rather than technical countermeasures. Will you trust the
vendor or not?

------
stonedge
Allegedly, I ditched my Facebook account years ago. Not just deactivated but
delete, though I don’t really believe it. Is there anyway to see what’s in
this (or to see if my account really is gone) without accidentally re-upping?

~~~
hughes
I had deactivated my account about a year ago. I tried logging in to view this
page, and it reactivated everything immediately. Also, it has clearly been
linking a vast quantity of off-facebook activity despite my account being
deactivated.

~~~
hellofunk
Facebook provides two different options, one is deactivation and the other one
is deleting. They are not the same thing. If you merely deactivated it, then
your account never was deleted.

------
chrisjamesc
If you want to disable facebook tracking out of facebook in the future, it's
possible on this link:
[https://www.facebook.com/off_facebook_activity/future_activi...](https://www.facebook.com/off_facebook_activity/future_activity)

EDIT: the link doesn't seem to work, so you can click on "Manage Future
Activity" => "Manage Future Activity" in the popup => Disable "Future Off-
Facebook Activity"

~~~
Vinnl
One warning it gives me:

> We will still receive future activities from companies and organisations you
> visit. These might be used for analytics and to improve our advertising
> systems, but will not be connected to your account.

(Translated from Dutch because for some reason Facebook figured I'd want this
particular message in Dutch.)

~~~
bobsoap
Extrapolation: "Account" here means the Facebook account created by you and
visible to you; probably distinct from "Profile" in their lingo, which is all
the data they have on you, of which most is invisible to you. If this is true,
that's not an opt-out for data collection, just a choice to keep that info
from showing in your account while merrily continuing to build your profile.

------
dannyr
Man I feel hopeless.

I have not connected my Facebook account for over 90% of these sites/apps but
they still sent my data to Facebook.

~~~
gpvos
They probably just have a Like button on their website, which passes on data
even if you don't click it. Use a request blocker like uBlock Origin.

~~~
Drew_
You don't need anything on your frontend to share data with Facebook. Facebook
doesn't acquire information like what shirt you bought by putting a like
button a page. Your clothing retailer is willfully sharing that information
for marketing benefits.

------
gingerlime
Is it just me, or is there no way to download activity details? I click on an
activity, then there's a few examples and a link to download, but this leads
to a generic "Download your information" page and I cannot see an entry for
the app or off-facebook specifically...

How can I block it? some apps are on my iPhone, but I don't have the Facebook
app on it (I do have messenger), and only used the apps on the phone. Aren't
they isolated in some way?

~~~
orhanhh
For downloading the data there is an option to download "Ads and Businesses"
under "Information About You". I just downloaded it, and it includes all data
that was shared.

However, the data only shows the source, timestamp and activity ID. The actual
event data is not included..

------
CodiePetersen
I deleted my Facebook a couple months ago. Now I wish I would have kept it
just a little longer to see what they had on me.

But in the end I still would have deleted it. Facebook clearly can't be
trusted with my data. Idc what connections it gives me. They have shown time
and time again that they will exploit the tiniest things to predict and
manipulate your behavior.

And apparently companies desperate for even slight up ticks in conversion
rates will upload everything they know about you.

No wonder Cambridge Analytica, AggregateIQ, and Robert Mercer had such an easy
time compiling psychological profiles and categories of Americans and Brits.

In the end, it's real simple. The human brain adjusts based on the environment
and events around it. Id rather not have Zuckerberg, Dorsey, or anyone else
they deem worthy, intentionally or otherwise playing around in my head.

~~~
kcorey
It's still there.

Try logging in. You might have to reset your password, but the bastard's
haven't really deleted it.

~~~
netule
I tried this, but it only gives me the option to sign up. I think I deleted my
account around two years ago, and it's seemingly really gone.

------
ben7799
I feel like this stuff actually creeps me out more since I deleted my Facebook
account. I didn't deactivate, I completely deleted.

I'm near 100% sure they're still trying to track & sell me, but without an
account I can't even see it.

~~~
mcstafford
Back when I got rid of my account there wasn't an option to immediately delete
an account. It first had to be deactivated, and would supposedly be deleted
after a two-week cool-down period.

~~~
ben7799
Yes I went through that too. It was about 2 years ago.

They sent me all the warnings that they were deleting anything.

Do I believe them at all? Not really?

~~~
yason
I know people who have left Facebook and then much later come back, setting up
a new account with new credentials and Facebook could still begin to suggest
old friends and interests.

~~~
mrgreenfur
Isn't that because they can still match the friends side to the new data? They
still have half of the matches and once you give them your half they will
suggest the same stuff.

------
avip
I was asked to "sign in" to "facebook" therefore I have no idea what this post
is about.

(seriously, concerned citizens should consider browsing fb incognito and never
stay signed-in)

~~~
AlexandrB
I agree with this advice. I treat facebook.com like a warez site from the 90s:
actively hostile. So far only off-site activity tracking came from AirBnB.

------
Lammy
The linked page displays nothing but "You must log in to continue" if you
don't have a Facebook account. I searched around and found this news page that
explains it: [https://about.fb.com/news/2019/08/off-facebook-
activity/](https://about.fb.com/news/2019/08/off-facebook-activity/)

------
m1
A bit weird that my Monzo seems to be sending data to Facebook?

~~~
buro9
Hmm, that feels incident worthy.

My bank should send precisely zero things to advertising / marketing
companies.

Have you raised it with their Help team? You should.

Unfortunately I cannot as I do not have a facebook account so cannot determine
whether or not facebook hold data on me without creating an account.

~~~
papln
You might (justifiably) not like it, and it might inspire you to boycott the
business or plead for regulatory relief, but it's not an "incident" _from
their perspective_ to be intentionally doing what they do to run their
business.

~~~
buro9
This is a bank, and they are regulated. Depending on the information shared,
this may be a breach of that regulatory code.

I do not have access to see what the data is, but would certainly in their
shoes investigate with high priority, and Would raise a security incident to
do so. If it turns out to be empty and of no concern, then great. But ignoring
such things is seldom wise.

------
milankragujevic
Apparently my website is complicit in this... I'm disgusted with and ashamed
of myself.

[https://i.imgur.com/Wz7O8HU.png](https://i.imgur.com/Wz7O8HU.png)

Edit: typo complacenet to complicit, thanks Zarel.

~~~
Jupe
You mean you didn't know _this_ would happen by adding something (script,
tracker, pixel, etc.) to your site, or you don't have a root cause as to why
your own site is sending data to FB?

~~~
milankragujevic
I didn't assume that Facebook would explicitly connect this information with
the visitors in this way. I don't remember WHY I added the pixel but I did add
it. I need to get rid of these things, and Disqus.

I was probably trying to do some research on visitor demographics, which
presumably failed.

~~~
KajMagnus
> I need to get rid of these things, and Disqus

There're open source track free comments:

[https://www.discourse.org/](https://www.discourse.org/)

[https://commento.io/](https://commento.io/)

[https://www.talkyard.io/blog-comments](https://www.talkyard.io/blog-comments)

All of them are equally ads and tracking free, and have optional paid hosting
services (if you don't want to self host). I'm developing the last one,
Talkyard.

------
Infinitesimus
Apparently Blind made the list. So much for 'anonymous'

------
joshspankit
Anyone else thrown off that “Download Activity Details” (which seems to be the
only way you can find out _what_ interaction was sent) leads to the main
Download Your Information page, and not to anything specific to that app or
that interaction?

------
wrdalex
Revolut is sending data to them, too. 202 interactions for my account.

~~~
wasmitnetzen
And the last date they received information about me according to Facebook is
the last date I used the app. Revolut mentions "Analytics providers" in their
privacy policy as companies they are sharing my data with.

~~~
wrdalex
For me it seems there is a 3-day difference between the last time I've used
the app (today) and the last time they shared data with facebook.

~~~
throwawaylolx
>The summary doesn't contain your most recent activity. It may take a few days
for your activity to show in your off-Facebook activity. The dates in your
activity summary are when we received the activity.

[https://www.facebook.com/help/2207256696182627](https://www.facebook.com/help/2207256696182627)

------
CreepyLife
If Google and Facebook is ready to "show" these data, I wonder what and how
much data they are hiding.

~~~
WA
Good point. I also wonder what the motivation behind this tool is.

Furthermore, I don't understand how any of this is GDPR-compliant.

~~~
sumedh
> Good point. I also wonder what the motivation behind this tool is.

Probably to tell regulators and politicians that "transparency is in our dna"
we design tools to help users know who is interacting with their data

------
gjm11
There's a little note saying that the list may not be complete. If you click
that, they pop up an explanation, one of the bullet points in which says this:

> We receive more details and activity than what appears here. For technical
> and accuracy reasons, this list doesn't show all of the activity that we've
> received. Activity that is not shown includes information that we've
> received when you're not logged in to Facebook, or when we can't confirm
> that you've previously used Facebook on that device. It also includes
> details such as the item that you added to your shopping basket.

It seems to me that this gives them carte blanche to omit _anything_ they feel
like omitting.

------
king_magic
Real nice that there is no bulk turn-off feature. Giant pain to click through
a few hundred sites to block future activity. But I suppose that's the point,
right? To make it as difficult as possible for users to block this kind of oh-
shit creepy behavior.

~~~
loxs
There is not turn-off at all. If you read carefully you will see that they
will still collect the data, just that they "promise" won't assign it to you.
Yeah right :)

------
cryptozeus
Blind app send interactions to Facebook. This defies the whole point of blind
app. This is so wrong on so many levels.

~~~
dtrailin
This was the most shocking for me. How is Blind getting my FB info from the
app? Is there a way to prevent this on Android?

------
Jaruzel
I don't use Facebook, but I do use Messenger as I have a couple of close
family members who refuse to use anything else. I've just logged into Facebook
(which has no history as I've purged it[1]), and still there are 5 apps
sharing my activity with Facebook. These 5 apps are all on my phone, so I
guess Messenger is also sharing back to FB. :( \---

[1] Shameless plug:
[https://github.com/Jaruzel/DeleteFacebookActivity](https://github.com/Jaruzel/DeleteFacebookActivity)

 _[Cross-posted from the other thread]_

------
chinathrow
That's so funny that they come up with this page these days.

"We receive Jane's off-Facebook activity and we save it with her Facebook
account. The activity is saved as "visited the Clothes and Shoes website" and
"made a purchase"."

I downloaded my data before, and never have I seen what exactly the listed
companies sent to FB.

I have a list of just a few companies (mainly by using a different email
address for FB only) but still, I have no idea what these companies sent to FB
about me.

Edit: I found the data now - it's now available for export.

------
jmccorm
NETFLIX. The regular "payment" records don't concern me but the "custom"
records (as recent as last night) do. Is that viewing data or what is this?
I've also got "custom" records from HULU, but the last one was in December.

This isn't necessarily sinister... but it certainly raises some questions on
what these streaming video companies are telling Facebook on a regular basis.

------
makecheck
Be sure to find both settings: the one to clear activity up to now, and the
_separate_ one to ensure that future activity is not tracked either.

------
Pxtl
... wow.

You know, you hear about tracking cookies but it's a whole other thing to see
it staring you in the face. What's the most shocking is how _small_ so many of
these entries are. Like, there's a local children's day-camp and sports
facility that I send my kids to on P.A. days on the list. And a local
politician's page.

------
SCdF
There is nothing on this page I was not aware of and intentionally linked
(e.g. Strava).

So does this mean I am successfully stopping them from tracking websites I
visit via tracking pixels / IP mapping / whatever other nefarious shit they
do, or are they just not showing this information here?

------
padraic7a
One thing I'm not clear on - when I click on Coinbase (just one example) I see
the following under 'What you can do';

\- View coinbase.com

\- Turn off future activity from coinbase.com

\- Give feedback about this activity

Does 'turn off' mean they won't share this information again, or that I won't
be told about it again?

~~~
lioeters
I believe the vague wording is intentional, so they can just stop displaying
it to you, while continuing to collect the data. It's like how "delete
account" works.

~~~
loxs
It's not that vague, if you do click to disable you are taken to page that
words it quite directly.

~~~
lioeters
OK, maybe "misleading" is more suitable.. :)

------
forgottenpass
>We receive more details and activity than what appears here. For technical
and accuracy reasons, this list doesn't show all the activity that we've
received. Activity that is not shown includes information we've received when
you're not logged into Facebook, or when we can't confirm that you've
previously used Facebook on that device.

So, basically all the information they have on me? I don't log in to facebook
all that often. By not helping them survive me, they'll coyly pretend like
they have less surveillance data tied to my account in their database than
they do. I doubt they're going to purge those surveillance records "technical
and accuracy" reasons.

------
pmlnr
"just must log in to read this"

Can someone please share it?

~~~
cmroanirgo
It's a page for people with an account at FB that lists the 3rd party websites
that have given information to FB.

> _Off-Facebook activity includes information that businesses and
> organisations share with us about your interactions with them, such as
> visiting their apps or websites._

It's creepy.

> _We receive more details and activity than what appears here. For technical
> and accuracy reasons, this list doesn 't show all of the activity that we've
> received. Activity that is not shown includes information that we've
> received when you're not logged in to Facebook, or when we can't confirm
> that you've previously used Facebook on that device. It also includes
> details such as the item that you added to your shopping basket._

------
eivarv
I can't believe that this stuff is acceptible, or even legal. The fact that
you're tracked off-Facebook (for instance), even if you're not logged in or on
Facebook is not just creepy, but borderline abusive.

~~~
vinaypai
Congratulations, of all the people who have responded with outrage on this
thread, you are the only person I've found that has a website listed that
DOESN'T run Google Analytics or some other third party analytics platform.

~~~
eivarv
Thanks, but what value does your appeal to people's hypocracy bring to this
discussion?

~~~
vinaypai
[https://xkcd.com/386/](https://xkcd.com/386/)

~~~
eivarv
Point is, though, someone being hypocritical doesn't make their argument wrong
- claiming that it does is a fallacy [0].

[0]:
[https://en.wikipedia.org/wiki/Tu_quoque](https://en.wikipedia.org/wiki/Tu_quoque)

------
novok
Now we need a one click delete all data in account button, without 'deleting'
the account, because 'deleting' your facebook account doesn't delete any of
the data inside of it.

------
Jupe
Interestingly, _none_ of the other "big brother" companies show up on my
activity feed, even though I do use them. No Apple. No Amazon. No Google. No
Netflix. Not even Microsoft.

Anyone else??

Wow, this is beyond creepy.

------
code4tee
Clearly they’ve come to the realization that they either do this voluntarily
or future regulation will force them to do it. The beginning of the end of
hyper-targeted online advertising has started.

------
qu4ku
Nowhere to hide.

Just a few days ago I wanted to research some nasty disease and I used brave
on TOR to watch some stuff about it on YT.

First thing after I opened FB was a clinical laboratory tests adv.

------
nerdjon
The fact that they have information about apps that I specifically chose to
not link to facebook for variety of reasons...

Including one specific app that they have 356 interactions from that I really
do not want associated with my facebook account.

Looks like I am going to be spending the next couple of days digging through
the report I just generated.

When this is all server side is the only option to make an email that is only
for facebook and hope they can't link data any other way?

~~~
Nextgrid
The fault is half on Facebook but also half on the providers & services
sending the data to Facebook. The Facebook SDK or tracking pixel doesn't
magically embed itself into apps or websites, it's still up to the developer
to include this.

I suggest stopping doing business with that vendor and letting them know why.

------
Nextgrid
It would be good to name and shame every vendor that shares data with Facebook
and have them in a searchable list, so people can check before engaging with
them.

------
kjakm
What are the best ways to protect against this kind of tracking? I would argue
it's probably better to keep a Facebook account so you can see what they're
tracking and work to prevent it.

In my browser I'm running uBlock Origin, HTTPS Everywhere, and Privacy Badger.
I'm guessing those will help quite a lot. However on an iPhone what can I do
(as that's where a lot of this data seems to be coming from)?

~~~
jannes
Keep in mind that Facebook probably has a few unique identifiers from you
apart from browser cookies:

\- Email address

\- Cell phone number (even if you only used it for 2FA)

\- Credit card number (if you ever made a donation via Facebook or bought
digital currency in a Facebook game)

\- Advertising ID of your mobile device (can be reset in Android as well as
iOS)

In order to avoid tracking, you have to make sure that none of these are known
to Facebook and to other companies.

------
neycoda
I removed my Facebook info from my browser and phone, changed the info I had
on there to be basically anonymized (except to people who know me), and then
logged in with a different browser on both desktop and phone dedicated to just
Facebook. Now they can't tell what websites I'm going to and don't have direct
access to my photos and files etc.

------
HelloFellowDevs
Kinda surprised how many interactions I've had tracked from my visits to Home
Depot, I've only recently started stopping by there in the past year or so.
What data could they have possibly even used? Sell me more cardboard moving
boxes? Plant supplies?

~~~
Jupe
You'd be surprised... Both are multi-billion-dollar industries:

[https://www.grandviewresearch.com/industry-
analysis/cardboar...](https://www.grandviewresearch.com/industry-
analysis/cardboard-box-container-market)

[https://www.ibisworld.com/united-states/market-research-
repo...](https://www.ibisworld.com/united-states/market-research-
reports/nursery-garden-stores-industry/)

------
Pxtl
... html/js allowing requests to domains other than the one in my URL bar was
a mistake.

------
UncleSlacky
Weirdly, FB thinks I've had dealings with Home Depot, which I've never visited
(virtually or IRL). Nothing else, but then I use Ublock Origin, Privacy
Badger, disconnect.me etc. as well as FB Purity. I also don't have a
smartphone.

------
Hoasi
> You must log in to continue.

Nah, I will pass.

~~~
croon
I couldn't open the link either. I have only the URL to go on, but the irony
is... glaring.

------
Doctor_Fegg
Four days before the UK general election, Facebook apparently "received
activity" relating to me from an anonymous, icon-less organisation with a
cryptic name, who appear to be completely un-googleable.

Well, that's reassuring.

~~~
gatherhunterer
Nice FUD there.

> icon-less organisation with a cryptic name

Oh my god what if they're foreign? Isn't it terrifying to think about
foreigners? Better take that fear into the voting booth with you.

~~~
Doctor_Fegg
Er, what? Where did I mention anything about them being foreign?

------
fsflover
"You have no available activity to show at this time."

Qubes OS with disposable VMs helps!

------
Santosh83
I apparently have no records of off-Facebook activity. This is probably
because of blocking all 3rd-party cookies and enabling the blocking of social
media trackers in both uBlock as well as that built into Firefox.

------
alien1993
Seems like most of my data they got from apps on my Android phone, there was
even an app that I just installed, opened and uninstalled in less then a
minute without even logging in or anything.

How can I block them in the future?

~~~
rkachowski
set the "limit ad tracking" feature on your phone at the os level and the
advertising id will become unavailable to everything. On Android this is
Settings > Privacy > Advanced > Opt out

------
xyby
I am in Europe, so by law (GDPR) I have the right to make them delete all of
this data.

How do I do so?

Also, I never consented to this being collected. How can their practice of
collecting this type of data be GDPR compliant?

~~~
wasmitnetzen
You can disable to storage of this data on the linked page.

But I'd recommend going to the source: Read the privacy policy of each party
delivering data and check if they mention it. I already sent a mail to the DPO
of an app provider which shows up in this list and doesn't mentions Facebook
in their privacy policy.

~~~
xyby
Even if the app had it in their privacy policy, that would not mean it is
legal to send your data to Facebook.

GDPR requires the users _consent_ to do so. Having a statement in a privacy
policy is imho not enough to qualify as consent.

------
tallgiraffe
In case of Facebook, one has to wonder, is this a move towards consumer
privacy, or a way for Facebook to clear cache so they could build a more up to
date profile of you.

------
ArtDev
These apps are from my phone which does not have the facebook app installed.
They must be harvesting stuff on me from the Instagram and/or Whatapp
permissions.

------
robteix
Literally the first result in the list of companies that shared data about me
with FB is my pharmacy. My pharmacy! That's just... wrong.

------
kirillzubovsky
When is Facebook's next investor call? The number of newly active users (who
showed up for this) is going through the roof!

------
DannyB2
I clicked the link and was told I needed to log into Facebook to continue.

Is it necessary to have a FB account in order to read TFA?

~~~
Lewton
It's not an article, it's a link to an overview of all the "off-facebook
activity" data that facebook has gathered on your (the logged in) profile

------
heinrichhartman
What is this? I only get a login prompt. I don't have a fb account.

Would s/o mind explaining what this is all about.

------
Andromeda88
Emirates NBD Bank app and CAREEM app are sharing info with Facebook.

It was very surprising to see ENBD in the list.

------
alinspired
never installed facebook app on a phone, but multiple 3rd party apps on the
phone report to facebook. For some reported apps i've never been logged in.

looks like facebook knows my phone's "hardware id" from somewhere

edit: good to know that uBlock blocked all web activity

------
cryptozeus
Now imagine what google has on you.

------
abright
Ah, so disappointing that I need a Facebook account to read this. The joy of
missing out.

------
ryanmarsh
My payroll and accounting systems are talking to Facebook about me. Why? I
have no idea.

~~~
Nextgrid
Is it FreeAgent by any chance? I use it (but can't check as I don't have a
Facebook account) and if it is that one then I will definitely be looking to
switch away as this is unacceptable.

------
DevKoala
Is there a way to tell how Facebook is tracking you if you deleted your
account?

------
dbg31415
Can someone post a screenshot for those of us with out Facebook accounts?

~~~
collinmanderson
[https://snipboard.io/H1KQ2r.jpg](https://snipboard.io/H1KQ2r.jpg)

------
skytbest
Did they take this down? It just goes to my Facebook home page

------
sequoia
Can someone tell us non-Facebook users what this looks like?

~~~
alpha_squared
From what I can gather (I'm in the same boat), it seems Facebook launched a
portal for users to see what third-party services/activities they know about.
One user here mentions an offline, in-store Macy's transaction appearing in
that data; others mention streaming service data (Netflix, Hulu); one even
mentions a reference to Blind, but not much detail on what type of data.

Surely, Facebook must be collecting this on non-users as well who obviously
have not agreed to their terms.

------
theqult
390 connected apps. And i never use facebook login

------
throwawaylolx
Is there an equivalent Off-Facebook for Google?

~~~
dutchCourage
There is, and it's equally creepy:
[https://myactivity.google.com/myactivity](https://myactivity.google.com/myactivity)

~~~
throwawaylolx
This is only information related to Google services or approved third-party
apps, no? I was hoping there was a service showing what apps communicated with
my Goolge account without any explicit notification or permission.

~~~
papln
Here's what Google says. Ask your lawyer if you want to know what it _means_.

[https://support.google.com/websearch/answer/54068?p=web_app_...](https://support.google.com/websearch/answer/54068?p=web_app_activity)

When Web & App Activity is on, you can include additional activity like:

* Sites and apps that partner with Google to show ads

* Sites and apps that use Google services, including data that apps share with Google

* Your Chrome browsing history

------
s-skl
fu __ing unbelievable that my photo to scan app on the phone is sending
activity to Facebook!

------
rypskar
Also check
[https://www.facebook.com/ads/preferences/?entry_product=info...](https://www.facebook.com/ads/preferences/?entry_product=information_about_you&section_id=interacted#interacted)
to see who has uploaded lists including your email or phone number to to
facebook. Wonder what GDPR say about uploading this type of lists

------
allovernow
So is there any way to find out what information FB has on you if you don't
have an account?

------
marknadal
I don't understand.

It says I completed a registration for a company I never signed up to.

I did visit that company's restaurant that day, but I did not purchase
anything.

Are some companies auto-registering you?

