
Doordash and Thousands of Other Companies Passively Send Your Data to Facebook - URfejk
https://onezero.medium.com/doordash-and-thousands-of-other-companies-passively-send-your-data-to-facebook-4ebe851e710
======
Chirael
This, incidentally, is why I strongly resist installing apps onto my phone.
Because once you let an app run on your phone, you really don't know what it's
doing. At least with a browser, it's _somewhat_ sandboxed/limited. I don't
have nearly as much confidence that I've correctly twiddled whatever settings
I needed to, to limit data sharing for an app, and even if I did, I don't have
any confidence the company didn't find some way to get around those settings.

~~~
amatecha
Yeah, I'm in the same boat. I mean, not only did deleting the FB iOS app years
ago actually mess up my phone and necessitate a full system restore (super
sketchy IMO), I'm pretty suspicious of how hard some sites pressure you into
installing their mobile app (Reddit is a definite offender here). Considering,
no, actually just looking at this one search result on a page in the browser
I'm already in is _definitely easier and more convenient_, it is not "best in
the app!!111"

~~~
mrzimmerman
Reddit is SO irritating with it's constant push to have you download their
app. There's nothing on the site that requires it—Reddit is just listed
content of text, video, images, and links. They also limit what you can post
from their mobile site which I believe is just further pressure to get you
into their unnecessary app.

But my god, they are SO pushy.

~~~
mostlysimilar
If you're on iOS, try Apollo. It's a third party Reddit app and it's
outstanding. Top-notch user experience and an engaged and friendly developer.

More on topic: I'm curious why we tolerate these horrible experiences on the
web. Technically savvy people can't be the only ones infuriated by these dark
patterns, yet I don't often see my non-tech friends complaining about it.

I also don't understanding the motive on Reddit's part. Let's broadly
categorize users into two buckets: those who actively don't want to use the
app, and those that do.

In most cases a native app experience "feels" better than a web app
experience, so your average user is probably happy to see the "please use our
app instead" popup. Those users will probably click it on the first try, and
never have to deal with it again on the web.

The remainder who specifically want to use the browser version are doing so
probably for technical reasons: don't want to be tracked, etc. Those people
are never going to click to download the app, no matter how many times Reddit
nags at them to do it. So why continue to force-feed the popup? All it's doing
is creating ill will from the people who see it every time, and those people
are arguably the more technically savvy and know it's intentionally being
annoying. It's just making technical people dislike the platform and the
company.

I guess I'm missing where the benefit of trying to force people into the app
is. Is the disdain from techies worth the tiny amount of people who initially
click no and then eventually click yes?

~~~
treebornfrog
I'd also suggest Baconreader premium.

Its fast and lightweight. A superb third party reddit client.

------
ve55
>When I made the purchase, I expected that my little indulgence would remain
between me and Doordash

This is where they went wrong, as unfortunate as it is. Aside from the massive
amount of third party analytics and tracking and so on, there's many more out-
of-band ways that others will find out about what they did, for example by
purchasing credit card transaction history (Google, many other institutions),
reading and automatically parsing your receipts sent via email (Google),
making generalizations about your Internet activity (phone/Internet provider)
and many others.

~~~
Scoundreller
> reading and automatically parsing your receipts sent via email (Google)

I love it when companies exclude this info from email and make me log in to
see the details, but then run a bunch of trackers themselves.

I wonder if the tracking companies pay more if you exclude the info from
emails, which I generally find annoying.

~~~
inlined
I thought google stopped mining emails with the advent of GDPR

------
DrWumbo
Imagine how many of these companies send 'EVENT' data to Facebook on the
backend as opposed to directly from your client. Just like any illegal
activity, corporate data privacy violations will keep happening but be pushed
further into the shadows.

------
crazygringo
Does anyone have any clue what Doordash is paid by Facebook to do this? (Or
other sites?)

Is it a straight-up cash transaction, or is it a discount Facebook gives
Doordash on its ad spend, or something else?

Or is it just a side effect of using Facebook Analytics, that most companies
aren't even aware that they're sharing data that gets used for advertising
too? So they're getting free analytics software but that's it?

Just very curious what the business deal structure here is.

~~~
marketingtech
DoorDash and others pay Facebook to acquire users and drive specific customer
behaviors. This data sharing allows them to optimize and measure the results
of their marketing campaigns.

This data is used to create a feedback loop for ML models powering FB's ad
auction and delivery. Marketing campaigns all have objectives that can be
monitored via this data. FB will adapt auction dynamics to maximize the value
for all parties, and this data helps FB properly set the auction bids or
artificially inflate/deflate the price for individual users based on the
predicted likelihood of a campaign objective being met.

It's used for campaign measurement - DoorDash reports an action in their app,
and FB says "that person saw or clicked on a FB ad before taking that action.
give us credit for it!" Facebook is effectively grading their own homework
here and ignores other marketing campaigns that may have contributed to the
action, but there is a deeper science around interpreting this measurement
(marketing mix modeling) and third-parties who can help validate.

The data can also be used to create Facebook campaign audiences. "Show this
promotion to customers who ordered from DoorDash 4 times last month." "Show
this promotion to those customers' FB friends who do not have the app
installed." "Show this promotion to users who have installed the app, but
haven't placed an order yet."

So no money is being exchanged for the data, but both parties are able to
maximize their partnership value from it.

~~~
victorvation
This is correct. Nothing overtly nefarious is happening here (above the
baseline level of telling FB who your customers are in order to figure out how
much ROI your campaign had).

> Facebook is effectively grading their own homework here and ignores other
> marketing campaigns that may have contributed to the action

One thing I'd add is that FB is _still_ incentivized to accurately attribute
actions. Over-attribution (and thus over-estimation of ROI) would give FB more
spend in the short term, but would hurt them in the long term by causing
auction inefficiencies.

This is the reason direct action campaigns on Google are perceived to be
low(er) value: last click attribution disproportionately favors AdWords.

~~~
tekknik
Just reading this and the parent post it is still amazing to me how much
effort we expend to attempt to force a sale/advertise. We’re even calling it
“pay to acquire users”, you don’t earn your users anymore, you buy them.
Entire, very wealthy, industries exist around this one concept that users
don’t want but businesses just love. Ranting yes, but interesting still.

------
wackget
I blame bad developers for this. Marketers will always pull this shit, but a
conscientious developer will ensure the browser's "Do Not Track" setting is
respected.

Take note, developers; it's as simple as this:

    
    
        if (!navigator.doNotTrack) { // Tracking code }

~~~
saagarjha
Yeah, except enough websites poisoned that particular well for this to not be
a thing anymore.

~~~
Chirael
The takeaway I got from DNT is: "It doesn't work, and it just makes it easier
to fingerprint you." So I used to do it, but now I don't bother and turn/leave
it off.

------
seemslegit
Half of HN personally responsible for doing exactly this kind of thing for a
living, shifting in their chair uncomfortably... I umm... just doing my job...

~~~
wackget
That's not really an excuse. A developer might be asked to implement Facebook
tracking code, but a conscientious developer will ensure the browser's "Do Not
Track" setting is respected.

It's as simple as:

    
    
        if (!navigator.doNotTrack) { // Tracking code }

~~~
npteljes
It's not this simple when managements explicitly asks you not to do this, and
takes it as sabotage if you still do it.

------
asplake
“To keep reading this story, get the free app or log in” (Facebook is an
option). Oh the irony

~~~
ffpip
Clear cookies and cache for medium.com . And anything *.medium.com

------
hkt
I could imagine a browser plugin which tells you if a company shares data with
facebook (and other ad networks) before you sign up, make a purchase, etc. It
could have crowdsourced data based upon these kinds of requests.

I've wanted for some time to see a couple of variations of things like the
Fair Tax Mark ([https://fairtaxmark.net/](https://fairtaxmark.net/) \- a cert
that a company isn't using tax evasion tactics), especially one for privacy.
FTM is trademarked and therefore able to police its logo's usage, a Privacy
Mark could do the same, and enhance the market for privacy respecting
services.

Maybe it is time to start on efforts like these. Who'd be interested?

------
johnklos
Blown away by how much they're collecting? Please. We've known about
Facebook's fetish for collecting everything they possibly can for years.

What should be shocking is how many people dismiss such information because "I
have nothing to hide," or "but Facebook connects me with friends and family."

Saying that drugs make you feel good doesn't make it less bad that the pushers
want you to get addicted.

~~~
kevincrane
> Blown away by how much they're collecting? Please. We've known about
> Facebook's fetish for collecting everything they possibly can for years.

Fair, everyone has an approximate idea of how much FB is sucking down about
you, but I still get surprised now and then by some of the stuff they do. Like
I've always avoided using FB login for anything for obvious reasons, but I
never knew that just the act of including a facebook SDK in your app was
enough to phone home to that company every time I use it.

~~~
gowld
FYI if you browse to any web page that integrates with FB web SDK, it does the
same and has been publicly known for the.

~~~
kevincrane
I have uBlock, Facebook Container, and pihole set up so I _should_ be good for
any FB tracking on my desktop (heavy emphasis on the word "should" there), but
my phone always finds ways to surprise me.

------
dmje
Maybe a stupid question, but is this sort of data still shared (with Facebook)
if you’re not a Facebook user...?

~~~
Nextgrid
Yes. They send names, e-mails, phone numbers and sometimes more information
regardless of whether you have an account or not.

------
faitswulff
Was Doordash one of the apps that broke due to Facebook’s SDK failure
recently?

~~~
dvtrn
Evidently, they were: [https://www.theverge.com/2020/5/7/21250689/facebook-
sdk-bug-...](https://www.theverge.com/2020/5/7/21250689/facebook-sdk-bug-ios-
app-crash-apple-spotify-venmo-tiktok-tinder)

------
ornornor
One more reason to use nextdns on iOS or adaway/nextdns on Android.

~~~
esalman
This won't work if data are shared from the back end, though.

~~~
ornornor
True. However, it blocks everything clientside which I better than nothing at
all.

------
ProAm
"The Age of Privacy Is Over" \- Zuckerberg [1] Privacy is now a commodity,
whether is a valuable commodity is up to you.

[1]
[https://archive.nytimes.com/www.nytimes.com/external/readwri...](https://archive.nytimes.com/www.nytimes.com/external/readwriteweb/2010/01/10/10readwriteweb-
facebooks-zuckerberg-says-the-age-of-privac-82963.html)

~~~
thraway4234231
Is it though ?

Privacy has relied on the good-nature of service-providers for so long, that
we don't know half the things that shady operators were upto (fingerprinting
etc.).

Apple appears to pushing industry in a direction that's going to change things
for the better.

------
marketingtech
DoorDash and others pay Facebook to acquire users and drive specific customer
behaviors. This data sharing allows them to optimize and measure the results
of their marketing campaigns. This data is used to create a feedback loop for
ML models powering FB's ad auction and delivery. Marketing campaigns all have
objectives that can be monitored via this data. FB will adapt auction dynamics
to maximize the value for all parties, and this data helps FB properly set the
auction bids or artificially inflate/deflate the price for individual users
based on the predicted likelihood of a campaign objective being met.

It's used for campaign measurement - DoorDash reports an action in their app,
and FB says "that person saw or clicked on a FB ad before taking that action.
give us credit for it!" Facebook is effectively grading their own homework
here and ignores other marketing campaigns that may have contributed to the
action, but there is a deeper science around interpreting this measurement
(marketing mix modeling) and third-parties who can help validate.

The data can also be used to create Facebook campaign audiences. "Show this
promotion to customers who ordered from DoorDash 4 times last month." "Show
this promotion to those customers' FB friends who do not have the app
installed." "Show this promotion to users who have installed the app, but
haven't placed an order yet."

So no money is being exchanged for the data, but both parties are able to
maximize their partnership value from it.

------
johnvega
Coincidentally Sleep Cycle iOS app crashed once (can't remember ever crashing
before from over 5 years of using it almost every day/night) within the
approximate 3 hour time frame with other major apps crashing caused by
Facebook SDK.

------
thraway4234231
How does facebook accomplish this ? Third-party cookies ? Facebook can't be
using this anymore now that Safari (and soon Firefox) are enforcing strict
rules regarding tracker cookies.

~~~
ffpip
Doordash sends it to facebook from their own servers. You can't control it.

------
hkt
I have to ask, what is in this for Doordash, exactly? What incentive does
Facebook give for this stuff?

~~~
dylan604
Money. What else?

~~~
hkt
I suppose really I was asking about the mechanism by which one turns such
things as a record of a purchase of bubble tea into money.

~~~
dylan604
Step 1: Build a website that sells things. Step 2: Sell the data about those
transactions to anyone and everyone willing to buy it.

After that, who cares what is done with it? Best not think about those things
lest it bother your conscious.

Your question probably is more along the lines of why would someone want to
buy that data? You add that info to the buyer's enormous trove of data
profile. This person bought an Apple device = they have lots of disposable
income (send them ads on other superfluous crap). This person bought a baby
crib = send this person lots of adds about diapers, formula, toys, etc.

------
ape4
How about Firefox's Facebook Container? Does it stop this.

~~~
hkt
No, some of the data could be sent via the company's back end.

~~~
wackget
It could be, but in this case it's not, and thankfully the majority of these
event integrations are dont via the front-end (via JavaScript) and as such can
be blocked using something like DuckDuckGo Privacy Essentials, Privacy Badger,
uMatrix etc.

~~~
philsnow
For now. Somebody's going to come up with a library that proxies those
requests through the first party's site or CDN, and privacy badger / umatrix
won't be able to distinguish them from regular traffic.

The reason they don't do it yet is it's more expensive to host that traffic.
The good news is, I don't think enough people will ever use privacy extensions
to ever make it profitable for the DoorDashes of the world to go this far.

