
How Facebook Knows When Its Ads Influence Your Offline Purchases - cyphersanctus
http://www.wired.com/2014/12/facebook-knows-ads-influence-offline-purchases/
======
gcb0
...aaand facebook starts to buy news pieces to justify their ad network.

this is nothing more than a press-release for their atlas feature. A new low
even for wired.

~~~
tzs
Odd. It seems unusual for a press release to include criticism from the EFF.

How would the article have to have been written for you to not think it was a
press release?

~~~
wdewind
I feel like PG's submarine piece has really made HN's view of PR very black
and white. There are a lot more gradations, and likely this is a piece that
was pitched by Facebook and actually was moderately investigated by Wired. The
worst journalists are copy pasting press releases, the best are finding their
own stories, but the vast majority lie somewhere in between. And I'm not
convinced there is anything wrong with that.

------
chestnut-tree
Some commentators in this discussion question why anyone would give their
phone number to shops when they make a purchase. Yet millions of people give
their mobile phone number (and name, date-of-birth and gender) to Google when
they sign up for a Google account. And yet the degree of tracking that Google
can undertake is an order of magnitude greater than what any individual store
can track. Does Google use your mobile number solely for two-factor
authentication and absolutely nothing else? Who knows? Google doesn't tell
you.

When you can sign in on your tablet/mobile/desktop/TV/thermostat/fridge and
who knows what else - how hard can it possibly be to stitch together your
spending and consumption habits with all the other data collected about you?
In fact, it wouldn't surprise me if those joined-up journeys have already been
compiled. It's pretty obvious that the information companies collect about you
goes far, far beyond creating a simple "advertising profile".

Companies like Google and Facebook (and others) have no self-restraint when it
comes to tracking you and they don't even do it anonymously. How do they get
away with it? Because we happily let them.

~~~
jfuhrman
Google uses Android phones' GPS location to track people's store visits.

[http://digiday.com/platforms/google-tracking/](http://digiday.com/platforms/google-tracking/)

[http://www.datadrivenbusiness.com/google-quietly-testing-off...](http://www.datadrivenbusiness.com/google-quietly-testing-offline-store-visits-tracking)

If you turn it off, things like Google Now stop working.

~~~
phatfish
Yep, I'm pretty sure just the MAC address collection from wifi radios would be
enough to track what store you have been in if you run an Android phone.

I have wifi and GPS turned off except when I am lost.

------
dmurray
> The trick is that the hash of a phone number captured on Facebook will look
> just like the hash of the same phone number captured in a brick and mortar
> store, so the two companies can match the numbers without actually trading
> them.

This just isn't possible. How many cents would it cost to brute-force hash all
legal American phone numbers?

~~~
logicallee
This is correct. As a zero-knowledge proof it is, sadly, trivially broken.
(Not just in a theoretical sense. As you mention there just isn't enough
entropy going into the hash. It's like asking for your age and gender, but
only providing a hash to some other party so they can verify that you are who
you say you are, without your divulging what information you were just given.
That doesn't work - you would leak everything, because 1-100 (age) M/F
(gender) only has 200 possible values. 200 hashes later your counterparty
knows what you were asking to check.)

But that doesn't mean this _couldn't_ be done properly.

There are actual zero-knowledge proofs. I liked this primer. You should read
it!

[http://blog.cryptographyengineering.com/2014/11/zero-knowled...](http://blog.cryptographyengineering.com/2014/11/zero-knowledge-proofs-illustrated-primer.html)

It is 100% possible for there to exist absolutely zero-knowledge proof in many
instances. (Such as the one in the article.)

So, it could be possible for example (I don't know an algorithm) to check
whether a phone number you were given is in someone else's set of phone
numbers - without either your learning what the other's set is, or the other
learning what phone number you're testing.

~~~
dmurray
If there is, the 'someone else' would still have to do some rate limiting.
Otherwise, once again, I can just run this algorithm for all possible phone
numbers.

~~~
logicallee
No, no. Read my link :) The whole point is that the definition of 'zero-
knowledge' is that (if you use a zero knowledge interactive protocol) you
learn no further knowledge.

You are right that the hash-passing is _not_ zero-knowledge. Rather than just
verify whether it's in a set, you've accidentally revealed a number. So if you
have a set of phone numbers and I have 1 to check if it's in that set, then
checking hashes doesn't work - I would end up divulging my number if I used
it.

~~~
nly
Intersecting a set of observed identifiers against another set is an issue
Moxie dealt with on the TextSecure blog[0] (for phone numbers at that). He
evaluated some ZKP algorithms and basically concluded this problem is hard or
impractical today. I imagine an ad/referral network has many of the same real
time constraints and scalability issues.

[0] [https://whispersystems.org/blog/contact-discovery/](https://whispersystems.org/blog/contact-discovery/)

~~~
logicallee
Thanks - this was interesting. Some of the numbers are interesting. So, for
example, he says to have ten million clients updating daily, he would need to
sustain 40 MB 116 times every second. . . that's like 37120 megabit so if you
pay $10 per megabit monthly, that's $371,200 per month. It's pretty bad. On
the other hand you do have ten million users.

So the numbers are off, but they're not five orders of magnitude off. If we're
going to service ten million users, we might have something of a hosting
budget for it.

So while I believe the author that the current trade-offs aren't good, clever
academic mathematics might help in the future. Cryptography itself came from
there.
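
Added example, not part of the original thread or of any system named in it: a minimal Diffie-Hellman-style private set intersection, one known way to do the "is this number in your set" check discussed above without exchanging plain hashes of phone numbers. The modulus, function names and phone numbers are assumptions chosen for illustration; the toy modulus is far too small for real use.

```python
import hashlib
import math
import secrets

# ASSUMPTION: toy modulus (the Mersenne prime 2**127 - 1) so the demo runs
# instantly; a real deployment needs a vetted large group or elliptic curve.
P = 2**127 - 1


def hash_to_group(phone: str) -> int:
    """Map a normalised phone number to an element of [1, P-1]."""
    digest = hashlib.sha256(phone.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def new_secret() -> int:
    """Random exponent coprime to P-1, so x -> x**k mod P is a bijection."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k


def blind(values, k):
    """Raise every group element to the secret exponent k."""
    return [pow(v, k, P) for v in values]


def intersect(store_numbers, network_numbers):
    """Both roles in one process; returns the store's numbers the network holds."""
    a, b = new_secret(), new_secret()      # a: store's secret, b: network's
    # Store -> network: H(x)^a, in the store's own order.
    store_once = blind([hash_to_group(x) for x in store_numbers], a)
    # Network -> store: the store's values re-blinded (same order), plus the
    # network's own set blinded once and shuffled.
    store_twice = blind(store_once, b)
    network_once = blind([hash_to_group(y) for y in network_numbers], b)
    secrets.SystemRandom().shuffle(network_once)
    # Store: finish blinding the network's set, then compare H(.)^(ab) values.
    network_twice = set(blind(network_once, a))
    return [x for x, v in zip(store_numbers, store_twice) if v in network_twice]


# Constructed sample data (fictional 555-01xx numbers).
STORE = ["+12025550100", "+12025550101", "+12025550102"]
NETWORK = ["+12025550102", "+12025550199", "+12025550100"]

if __name__ == "__main__":
    print(intersect(STORE, NETWORK))
```

Neither side can test a guessed number against the blinded values it receives without the other party's secret exponent. Each number a party submits still yields a yes/no answer, so the size of the submitted set has to be capped or the whole number space can be queried.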

------
phkahler
I see false positives. So last week I decided to do my first project that will
use a Raspberry Pi. I googled around to the pi site, amazon, newegg, (gasp)
radio shack, microcenter, etc... I figured out what I wanted to get but didn't
put anything in any carts. So then Pi ads start showing up on Facebook. IIRC a
Radio Shack Pi ad too. Whatever. But now when I buy one, is Facebook going to
claim some responsibility for the sale? Because they honestly don't deserve
it. I'm going to buy one anyway and I have not seen an ad for a place I didn't
look already. While I often give a real store the business based on "I can get
it on the way home" the price difference in this case is nuts. So NewEgg it
will be and Facebook ads aren't going to influence that.

In this case, correlation does not indicate causation.

~~~
jeffchuber
Causation is implied on a population through test and control. Causation and
correlation for an individual is almost always impossible.

~~~
phkahler
So are they going to use statistical models to figure out how much to charge
for ads? That seems like a hard sell.

------
dao-
"It has happened to you, and it has probably happened more than once."

Umm, no. Why on earth would I give my phone number or email address to random
shops? This is crazy. I surely don't want merchants to contact me "about other
stuff I might want to buy." This assumption sold as a certainty in this
article is somewhat disturbing. Do others from the US feel the same way? (I'm
from Germany. Different culture?)

~~~
berelig
I can only think of a couple of retailers that have asked me for an email
address here in Canada (coincidentally both were US companies).

I do get asked for my postal code fairly often but that's hardly a personal
detail.

~~~
anigbrowl
Your postal code, name and the expiration date on your card are enough to
positively ID you in many consumer databases, and by giving it to the retailer
you're implicitly granting consent for its use for this purpose.

~~~
mgbmtl
I am not a lawyer, but I'm pretty sure that in Canada, this would be in
violation of the federal "Personal Information Protection and Electronic
Documents Act", as well as many provincial laws.

[https://www.priv.gc.ca/leg_c/leg_c_p_e.asp](https://www.priv.gc.ca/leg_c/leg_c_p_e.asp)

"Use or disclose personal information only for the purpose for which it was
collected, unless the individual consents, or the use or disclosure is
authorized by the Act."

"Keep personal information only as long as necessary to satisfy the purposes."

If the client uses one of those "points" cards, yes, they are tracked, but
otherwise they shouldn't be. When a retailer asks for your postcode, it is mostly
just for market study to identify where their clients live, but that's it
(although I rarely get asked). You can also just answer "no thanks" to this
question.

------
spacefight
"People voluntarily link things like phone numbers and email addresses to
their Facebook accounts"

People voluntarily are idiots. Never connect a phone number to your FB account
and use another mail address if you really need to have an account.

~~~
lozf
I agree with you, but sadly it's not that straightforward; it's entirely
plausible (perhaps even likely) that your "facebook friends" have your number,
and do something stupid^H^H^H^H^H^Hconvenient like give fb access to their
address book (as is often requested, and I wouldn't be surprised if it happens
by default with their mobile apps), Facebook are only one name match away from
having your number and perhaps DoB and other personal info anyway.

------
hnnewguy
> _As Boland explains it, Facebook simply shows advertisers that a given
> number of people who saw an ad for a product also purchased that product._

Facebook doesn't share my personalized shopping data with advertisers. That's
good.

But the data still exists. So the data the advertisers receive is only really
anonymous until there's some sort of security breach or economic decision
whereby it's suddenly more profitable to sell the personalized data. Either or
both of which are inevitable.

All in all, a moderately informative marketing piece.

~~~
bitwize
_Facebook doesn't share my personalized shopping data with advertisers.
That's good._

The stuff about you personally that can be gleaned from market analytics will
make you shit a brick.

And this is what private industry can do, not even getting into three-letter
agencies.

------
notahacker
tldr; it doesn't, but offline vendors that collect your contact information
can anonymously check the proportion of purchasers which might
[incidentally?] have been shown their ad on Facebook's network. Only a media
buyer with a budget bigger than their brain would assume causality.

~~~
jessriedel
Couldn't Facebook easily demonstrate causality by running an RCT? Just
randomly select half of a certain demographic to show the ad to, and then show
that those users are more likely to make a purchase later.

~~~
notahacker
Theoretically yes, but I think with standard Facebook ad units and regular
consumer brands sold in stores they'd be pretty unhappy with the results...

(since _probability of giving stores your contact details post purchase_ and
_susceptibility to marketing messages pre-purchase_ are probably positively
correlated and Facebook is permanently running concurrent trials of different
kinds and being very selective about what they share, any positive effect they
did manage to identify should be viewed as an almost certain overstatement of
the ads' actual effectiveness anyway)

------
chiph
Who gives their phone number to store clerks? "Sorry, it's unlisted."

~~~
breitling
As hard as it is to believe, I'm sure plenty of people give out their phone
numbers when asked. I have personally witnessed many many people (including my
wife) give out their number at checkout without hesitation. I guess the fact
that this is continued practice means that it actually works.

This may vary by geography...my observations are from Canada.

------
idiotclock
Is anyone else frightened by the increasing efficiency of capitalism? Since when
does user-experience depend on best fulfilling my consumer desires? Shouldn't
I try to soften this impulse?

------
song
And this is why I did not give my phone number to facebook and why I use a
different email for everything.

It's unfortunate that keeping one's privacy requires a lot of knowledge and
work.

~~~
polynomial
> It's unfortunate that keeping one's privacy requires a lot of knowledge and
> work.

I wonder if the more vexing problem is that the market for privacy solutions
seems largely unproven at scale. While people seem to value privacy when
polled individually, they seem to vote the other way as an aggregate body.

Smart privacy products could take the knowledge and work out of it, but will
the market support them?

------
cornewut
Amazon product pages already have Facebook tracker embedded, so Facebook knows
what you are looking at. No need to provide your phone number.

~~~
walterbell
Is that visible via NoScript?

~~~
cornewut
I'm using disconnect.me

