
Ask HN: How was this ad targeted to me? - austinjp
Apropos of the current discussion about dropping Google advertising [1], I&#x27;d appreciate HN&#x27;s thoughts on how a very particular product was targeted at me yesterday: a semi-obscure muscial instrument (which I won&#x27;t name, my paranoia is already piqued).<p>Yesterday morning at home I Googled the instrument, the name of which I didn&#x27;t actually know but Google came to the rescue. I browsed Google Shopping [2] but didn&#x27;t purchase one.<p>Later I went into work where Facebook displayed an ad for the instrument in its &quot;sponsored&quot; section and an inline &quot;suggested post&quot; for a manufacturer.<p>My home and work computers and networks are completely different. I typically use incognito mode and &quot;do not track&quot; in Firefox or Chrome. I sign out of all social media and Gmail. Yesterday I was working in a large building with tens of people all using wifi used by hundreds of people across several buildings.<p>I assume no outright nefarious activity, such as an illicit pipe of potential customer IDs between Fb and Google.<p>The best I can theorise is that I had an open Fb window at home, and one of the instrument manufacturers&#x27; websites had an embedded Facebook like button or similar tracker, and they are running targeted ads on Fb. But is this direct-to-an-individual targetting even possible on Fb? Perhaps the obscurity of the instrument meant that I was very likely to see an ad, and very likely to notice it.<p>I typically close Fb when I&#x27;m not using it, so this doesn&#x27;t immediately feel like what happened. I&#x27;ll be doubly-sure to close and log-out Fb now.<p>I can&#x27;t think of other ways that my Google activity could get to Fb. Browser fingerprinting, cellphone location etc would allow Fb to understand my location, but I can&#x27;t see how they&#x27;d match this against Google activity.<p>I&#x27;d be very interested to read how this is, or could be, achieved.<p>[1] https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=14094083<p>[2] https:&#x2F;&#x2F;www.google.com&#x2F;shopping
======
Bedon292
Facebook doesn't need to be open in a tab for it to know it was you on that
site, and you don't even need to be signed in. You and your computers are
connected, even if you think you are careful.

If you have ever signed into FB from home, they know that machine / ip /
whatever fingerprint is you. Even after you sign out, its still out. Even if
you are in ingocnito mode, its still probably you. Then you sign in to FB at
work, and now the same thing happens. They may not know the specific computer,
but they know the network you are connected to IP wise.

This happens across many different ad networks, and they are all connected to
sell ads targeting the people something wants. If you leave a potential
purchase not bough, and sometimes even when you do buy it, ads are going to
make it back to 'you'. They may not know 100% that it is you, but they can
cast a net to try and find you. And for something like a missed sale, its
worth the cost.

Note it may not be targeting you specifically. It may just be closer to:
Someone in this VERY specific demographic looked for this instrument, oh hey
here is someone else that meets that same demographic on this other ad
network. Lets try them.

The amount of tracking on the internet nowadays is absolutely crazy. Visit
practically any website, and all the major players are going to know about it
and add it to their profile of you.

~~~
netsharc
> If you have ever signed into FB from home, they know that machine / ip /
> whatever fingerprint is you. Even after you sign out, its still out.

Even if you signed out, they probably still have a cookie tracking who you
are, and when your browser fetches that Like button, it will still send that
cookie to the Facebook server. It'd be interesting on a shared computer where
2 people (e.g. a brother and sister) log in to FB alternatively, but I guess
they can still distinguish who is who (e.g. person visits gaming forum, person
visits this product page, person visits page with pics of a female supermodel:
presumably it's the brother visiting all 3 sites. It's a bit sexist but that's
what the algorithm would guess.)

~~~
ramshanker
2 people sharing same computer has amazing effects on those trackers. My
YouTube recommendations used to be awesome to my interests till I was single,
Now it's all polluted and mostly useless after I married. ;)

~~~
georgeecollins
The strange thing is sometimes I learn things about my wife from the ads that
are served. Creepy.

~~~
Scottn1
I know of a guy who found out his wife was seeking divorce weeks in advance
because he started noticing divorce lawyer ads in his browsing! He eventually
asked her if everything was ok and she came out with it. Crazy.

------
FroshKiller
You can (or at least could) absolutely target individuals with Facebook ads.
Check out this prank: [https://ghostinfluence.com/the-ultimate-retaliation-
pranking...](https://ghostinfluence.com/the-ultimate-retaliation-pranking-my-
roommate-with-targeted-facebook-ads/)

~~~
smnscu
Fantastic read. Reminds me of: [https://www.facebook.com/notes/robin-
sloan/julie-rubicon/985...](https://www.facebook.com/notes/robin-sloan/julie-
rubicon/985697811525170)

~~~
i336_
That was awesome too. The comments are great as well.

------
NKCSS
It's called re-targeting.

You can use javascript to put users into a segment and re-target that
segement; it's really easy. If you use the biggest ad-exchange (AppNexus) you
can be sure to reach just about anyone anywhere.

~~~
thom_nic
How is it OK to do this if the browser is sending DNT? Is it really voluntary
on the part of the ad network and they can just choose to ignore it?

~~~
sp332
Yes, DNT is an effort by the industry to self-regulate. If too many companies
ignore it, it's much more likely that they will be regulated "externally" (by
Congress, FTC, FCC etc).

------
nargella
I used to work in this exact industry and wrote my employer's tracking code.
You didn't clarify whether you clicked on a google shopping product and landed
on a product page. That's all that is needed.

Many ecommerce sites use both google and facebook for their campaigns. So by
you landing on the product page, a standard facebook event would be fired. The
website or the advertiser doesn't really need to know who you are but facebook
does know who you are once that event is fired. Facebook can then tie you to a
campaign around that product for that same website (if they have an active
campaign going).

------
chmackenzie
Logging out of Facebook doesn't mean they won't be able to track you. Your
browser fingerprint is likely tracked. If you've logged into Facebook at home,
and you've logged into a computer at work, Audience Network likely figures out
that your residential IP is your home, and an aggregated commercial network is
your work.

If you visited the manufacturer's site, you would have hit a re-targeting
pixel for the network, that will track you around the internet to remind you.
At work, on your phone, at school, and at home.

------
Steeeve
The other answers here seem to cover most of everything, but one more
possibility to add to the mix - prefetching. Just because you don't click on a
link doesn't mean that you aren't already going there. Chrome (and other
browsers) prefetch pages so that they will load faster when you click on them.

I haven't delved into this in a while, so I can't say I've tested anytime in
the last 5 years. I did a quick search and found this page that talks about
how to disable the functionality in chrome:

[https://www.technipages.com/google-chrome-
prefetch](https://www.technipages.com/google-chrome-prefetch)

I'm always surprised that more people don't seem to know about this.

------
jorgemf
There are so many ways:

\- you opened a web page with a facebook's like button and facebook analyzed
your browse history. If you browse for something in google shopping you might
want to buy it, so facebook added it to your interests and showed an ad later
to you. (Probably this was the cause)

\- google and facebook knows your location because you have a google/facebook
app in your mobile. It is easy to know where you work and where do you live.
Even without GPS, as they can use the wifi public IP to know your location
(among other things)

\- your browse makes a fingerprint unique to you, even if you are not logged
into any platform or you don't have an account on them they know you are you.
So they can collect data. If you later login into facebook/google they match
the fingerprint with your user. They can also use several fingerprint, because
you use several devices. I think this is called supercookies. There are
companies that just do this.

\- you have two different devices with two different accounts, but you have
the phone number of the other in your contact list and sometimes you have both
devices with you. Facebook/google will suppose you both share same interests
and show ads that match one of your devices to the other.

\- "do not track" is a suggestion, some people ignore it because they really
want to track you.

\- google and facebook probably use other ad networks to sever ads, so
facebook probably asked google (or another ad network) for an ad for you. You
probably shared your phone number / email in both facebook and google.

\- if you want to be fancy, machine learning could also help to target ads for
you, but I think the other ways are so easy to do and work so well that you
don't need complex things to show ads, just track the user.

~~~
yodsanklai
> you opened a web page with a facebook's like button and facebook analyzed
> your browse history

How could facebook (or any website) access your browsing history? they know
what link you access from their pages, but apart from that, can they get any
info from the browser?

~~~
alanfalcon
More like 80% of the web pages you opened included the Facebook Like button,
so they have 80% of your browsing history right there.

------
achairapart
I spent the last weekend in another city X. I took with me my macbook but I
didn’t used it, so it was closed in sleep mode the whole time.

However, I did some searches over the weekend on my iPhone, Safari in private
mode, not logged in.

Back home, opened the macbook, did some search with an incognito browser
window. And Google told me: You are in another city X, based on your browser
history (!).

What?! Privacy is hard nowadays.

------
dedalus
Here's the company behind that:
[http://www.criteo.com/](http://www.criteo.com/)

Its a 3 billion French company whose sole job is to show ads for products
abandoned in the cart or something you bought 6 months ago or something that
their personalization algorithm suggests

~~~
user5994461
Ironically, that's the only good tech employer in France :D

~~~
nojvek
I wonder if the only action against them is sending them so much traffic their
servers can't keep up.

I feel with the advent of internet of shit, this will start becoming more of
commonplace

~~~
mxvzr
Client side re-targeting has two pieces to it: a "segment" code placed on the
product page (a marker showing you have interest in this particular product)
and a "burn" code placed on the conversion page (that removes the previous
marker, so they can stop showing you ads for this product once you bought it).

One could add the "burn" code every time the "segment" code is detected. On
some networks that may even result in an affiliate payout.

------
akerro
Use Facebook only from their onion-service using dedicated (TorBrowser)
browser. [https://facebookcorewwwi.onion](https://facebookcorewwwi.onion)

------
sundaeofshock
The answer is cookies. Facebook sets multiple cookies on your browser that do
not expire and are not deleted when you logout. By logging in at work and
home, you are making it trivial for them to track you. They also set this
cookie when you intract with a Facebook like, share, comment or use Facebook
to log-in to a third-party site.

A few suggestions to help mitigate this:

\- Use a browser dedicated to all your social media browsing and another
browser for everything else. Say Firefox for Facebook and Twitter, and Chrome
for everything else. That will restrict what they can capture. \- Browser
Facebook in your browser's incognito it private mode. \- Minimize third-party
links you follow from your Facebook timeline. And don't shop and Facebook in
the same browser! \- Don't interact with Facebook outside of their actual
site. This includes likes and comments. \- Don't use Facebook as your log-in
credential. \- Use an ad blocker! \- Have your browsers delete all cookies on
log out. This is both your day-to-day and social media browsers. Facebook is
not the only media company tracking you.

~~~
masukomi
i assure you, that you can still be tracked without cookies. It's not as easy,
but it's definitely possible to fingerprint a browser and track its requests
to a server even if there aren't cookies. The level of confidence will be good
enough for advertising.

~~~
sundaeofshock
Indeed. Which is why I like to use a separate browser for social media. Having
said this I know it's a losing battle, but I see no reason to make it easy on
the bastards.

(I've worked in ad tech in a previous life)

------
crispyambulance
Adtech discussions like this always raise the hair on the back of my neck.

The only thing that makes me feel better is that "my data" is being handled by
a piece of software somewhere for the EXPRESS purpose of pushing advertising
to me.

I don't believe it will feel like a privacy violation for most people UNTIL we
start seeing high-profile incidents where actual human beings get caught
looking up and acting upon individuals and their data as people and not
programmatically as GUID's with bunch of metadata.

It makes me wonder if entities are buying their way into these adtech data
streams for purposes OTHER than market research or directed advertising ?

------
anacleto
Did you leave your email? If so, this is plausible flow:

1\. You visit website xyz.com

2\. You signed up at xyz.com and you dropped during checkout funnel

3\. You're email address is being added a FaceBook retargeting campaign and
Adwords campaign

------
grok2
This should answer your question -- straight from the horses's mouth!
[https://www.facebook.com/help/206635839404055](https://www.facebook.com/help/206635839404055)

Edit: Using something like
[https://www.eff.org/privacybadger](https://www.eff.org/privacybadger) helps
avoid this kind of tracking while not being too painful to use visiting web-
sites.

------
mambodog
Rather than speculating, you can find out why you're seeing a particular ad on
fb. There's a drop down on each ad which includes a menu item which explains
the targeting method used:
[https://www.google.com/amp/www.business2community.com/facebo...](https://www.google.com/amp/www.business2community.com/facebook/seeing-
ads-facebook-01564734/amp)

~~~
mercer
Yes, because when speculating about how much Facebook knows about me, the most
likely source of truth is Facebook itself!

That said, thanks for pointing out this functionality. While I might be
suspicious of the degree of truth it offers, it's at least something
(honestly).

------
inputcoffee
I do everything you do, but recently I have added one more habit thanks to
Opera's beautifully easy VPN: I google search on Opera using their VPN.

------
ar-jan
Here's an interesting read [0] about making inferences about such questions.
Story of someone who deduces audio fingerprinting must have been responsible
for a particular promoted tweet (before audio fingerprinting was known to be
used).

0: [https://slack-files.com/T0317T6QB-F04FJ2YAC-88e35e6787](https://slack-
files.com/T0317T6QB-F04FJ2YAC-88e35e6787)

------
amelius
> But is this direct-to-an-individual targetting even possible on Fb?

Why not? If the FB like-button sends the cookie for your FB session, then it
can make the connection between your account and the product.

Besides, it is also possible that you talked with a friend about the product,
and this friend searched for the product in e.g. Facebook, and by being
friends with this person on Facebook, they now show the ad to you as well.

------
lazyjones
This is just FB tracking you everywhere and recognising your account even
though you are logged out, from cookies (possibly local storage, IP address,
other browser fingerprinting methods).

This just happened to me: I visited booking.com earlier today, then FB showed
me a FB ad with the same hotels I had looked at.

------
nommm-nommm
This is pretty much the reason I block ads. If they weren't so intrusive and
stalky I wouldn't mind them too much.

------
Oras
Similar things happening to me in Youtube. I got suggestions about similar
things I watch at work which I used totally different gmail account from my
Android TV! So technically these two are not connected. Some times I use my
work gmail account at my laptop at home so I assume Google is aggregating data
based on IP address.

------
bjoern_cliqz
Here is an interesting article about this topic:
[https://cliqz.com/en/magazine/how-facebook-knows-exactly-
wha...](https://cliqz.com/en/magazine/how-facebook-knows-exactly-what-turns-
you-on)

------
snikolic
Former VP-Eng at a product-ads ad-tech company here...

You can think of this as a two step process. First, connecting your Facebook
UID to structured data about a specific product in a product catalog. Second,
connecting your FB UID to multiple devices/browsers without cookies.

I think the second part (cross-device matching) has been explained well by
other commenters: tere are multiple techniques involving IPs, hardware
footprints, browser footprints, browsing habits, etc.

I want to clarify a few things about how the first part most likely occurred.
There's been a lot of emphasis in discussion on the FB "Like" button. It's
true that this is a possible way for FB to observe you have visited a specific
webpage. However, it's more likely that there was a Facebook "pixel" on a
retailer's website (some commenters have been referring to this as
"javascript" or "retargeting"). Most e-commerce sellers use these today.
They're basically a FB web endpoint that the retailer can pass structured
metadata to that lets the retailer communicate to FB that an event has
occurred on their website. FB allows retailers to send all kinds of metadata
about all sorts of events - page loads, add to carts, checkouts, purchases,
in-app events, and custom events. The retailer can also send very detailed
info about the content being interacted with on a webpage, down to sub-SKU
granularity (e.g. not just a particular shoe, but a specific
color/size/variant of that shoe).

Historically, the FB web endpoint would return a 1x1 transparent image so that
a retailer could embed it on their website's HTML and a customer's browser is
"tricked" into loading the image from a third-party domain. Thus the name
"pixel". This is still frequently done, but nowadays the endpoint may just be
a REST endpoint and/or may be called via AJAX (or via an SDK within a mobile
app).

Facebook also allows retailers to upload their Product Catalogs to Facebook.
These are basically a CSV of structured metadata about every product the
retailer has for sale. Then, when the retailer sends a pixel event to say SKU
12345 has been interacted with by a user, Facebook can reference that SKU in
the retailer's Product Catalog to learn all kinds of info about it.

A really interesting exercise is to install the FB Pixel Helper extension for
Chrome (I'm sure there are equivalents for other browsers). It will show you
all FB pixels loaded on a given page and what metadata was passed along. Keep
an eye on it as you browse the web, especially the next time you browse an
e-commerce website. Facebook basically sees everything that happens. They may
as well be ingesting everyone's Apache/Nginx logs. :-P

[https://chrome.google.com/webstore/detail/facebook-pixel-
hel...](https://chrome.google.com/webstore/detail/facebook-pixel-
helper/fdgfkebogiimcoedlicjlajpkdmockpc) (Note: I'm not affiliated with this
extension in any way)

------
markgamache1
Lol! Free isn't free. Your desires are a commodity up for sale. The how
doesn't matter. When you discover and block one way, another is created. This
happened because you use Google and Facebook.

------
dollaholla
[https://www.facebook.com/business/a/performance-marketing-
st...](https://www.facebook.com/business/a/performance-marketing-strategies)

------
owly
uBlock, uMatrix & host based blocklists are the price of entry these days.
[https://github.com/jmdugan/blocklists/tree/master/corporatio...](https://github.com/jmdugan/blocklists/tree/master/corporations)
Block at your router if you can, then any mobile devices on your network enjoy
ad/tracker blocking too.

------
debt
assume every time you hit a googlebook server they assign a confidence score
related to potential identity or demographic and rank.

"what are the odds this is a woman? a doctor? a person living in Louisville?
Is this Jane Doe?"

each of the answers to those questions get a confidence score and a rank. then
you're shown ads based on whichever verticals you rank the highest.

I think it just means their statistical approximations are getting good.

theories idk

------
n3dst4
> a semi-obscure muscial instrument (which I won't name, my paranoia is
> already piqued).

It was a Theremin, wasn't it?

~~~
austinjp
Nope :)

------
mdekkers
_" do not track" in Firefox or Chrome._

Completely ignored pretty much everywhere...

------
shawnz
> I assume no outright nefarious activity, such as an illicit pipe of
> potential customer IDs between Fb and Google.

Where do Facebook or Google claim not to share advertising data with their
partners?

