
Ask HN: How does Facebook know what I buy on Amazon or vice versa? - kmonad
Following just happened: An hour before lunch I googled and visited websites that sell bicycles. I also visited Amazon during this research. I then bought a bike from one of the manufacturers&#x27; websites. A few hours later I browse facebook and see ads to this manufacturers&#x27; bikes in my newsfeed, via an Amazon sponsored ad.<p>I use one browser (Safari) for facebook exclusively, and browsed the bikes &#x2F; Amazon &#x2F; made the purchase on Chrome. I have different email addresses for facebook, amazon and, well, google.
======
aresant
Straightforward:

1) Amazon tracked your research and likes to use " ad retargeting" if they see
you leave before checking out to remind you to come back and purchase.

3) FB offers advertisers a variety of retargeting means + insanely advanced
cross-device tracking. Like a building full of PhD's advanced. Maintaining
privacy by logging in from different devices / accounts / etc is a thing of
the past if you EVER cross-pollute between browsers / devices / etc the signal
is picked up and then compared with browsing behavior etc to get a strong
profile. (1)

(1) [https://www.facebook.com/business/a/performance-marketing-
st...](https://www.facebook.com/business/a/performance-marketing-strategies)

~~~
md224
But... what about step 2?

> Like a building full of PhD's advanced.

On a more serious note, it's unfortunate that so many smart people use their
intelligence to enable this kind of gross technology. It's all about "solving
puzzles" rather than making the world a better place. There's gotta be more
productive ways to advance your career.

~~~
chb
The banality of evil. So many engineers just want to make the trains run on
time with a better algorithm. Never mind that they cary oil or weapons or the
victims of our next genocide. Engrossing technical problems are convenient
blinders for inconvenient truths.

~~~
eeZah7Ux
You can't tell in advance what trains, in general, will carry.

When writing ad targeting code, user surveillance, nuclear missile guidance,
VW pollution test circumvention code... you know exactly what is going on.

~~~
kbart
Not necessarily. I don't know much details about other technologies you have
mentioned, but user surveillance has many overlapping technologies with IT
security: deep packet inspection, network flows monitoring, white/black
listing etc. can be used for both good and evil and switched in-between quite
easily. I'm very pro-privacy and sometimes get to work with such technologies,
though I emphasize that what I do is strictly for security purpose only.

~~~
eeZah7Ux
> deep packet inspection, network flows monitoring, white/black listing

This is usual network security.

At some point someone need to glue together existing devices and software into
something that has an obvious use case with ethical implications e.g. the
chinese "great firewall".

------
theweirdone
As others have pointed out, it's an advertising technique called retargeting.
Here are some of the technical details of how exactly it is done(Facebook's
implementation might differ somewhat from this, but overall concept is same)

/* DSP - Demand side partner (Entity which works with someone who wants to
show their ads) SSP - Supply side partner (Entity which works with some who
have potential space on web to show ads) _/

1\. When you visited Amazon.com, one of the DSP associated with them drop a
cookie on your system to uniquely identify you as a user. Let's call it
cookiexyz. 2\. When you end up on Facebook.com, their SSP also drops a cookie
on you, let's call it cookieabc. 3\. Now only thing remaining is to determine
cookiexyz and cookieabc are same users. 4\. To do that, SSP requests a bid
from Amazon's DSP(among others). While doing that, it calls one of the DSP's
url(bid tag) which sends cookiexyz in request headers and sends cookieabc in
query params. This uniquely profiles the user which DSP stores in their system
and next time user requests a bid again, they can serve them ads based on
preferences based on cookiexyz. In other words, info that your looked at some
shoes on Amazon.com

/_ disclaimer: I work as a dev in one of the Advertising partner for Yahoo and
Bing. */

~~~
oelmekki
Thing is, OP mentions using two different browsers, which is why it's
surprising.

I guess there's still the possibility that a cookie was added months before
that and that "tainted" browsing was forgotten. But it's still worth wondering
if some other identification mechanism could be at play.

~~~
theweirdone
Or, facebook([https://www.facebook.com/business/learn/facebook-ads-
reach-e...](https://www.facebook.com/business/learn/facebook-ads-reach-
existing-customers)) matches this cookie to your fb account in their system.
Then making this information available across the browsers is trivial.

Now, to actually think of implementation, I can't even imagine the amount of
data they need to store(and clear in LRU manner) to make this work.

------
TekMol
I have had similar experiences. Others have already mentioned some cross-
browser fingerprintig techniques. One of the worst that many people don't know
about is that browsers hand over your local IP. Check this proof of concept:

[http://net.ipcalf.com/](http://net.ipcalf.com/)

The media device IDs the browsers provide look even worse:

[https://jsfiddle.net/u4n4s296/](https://jsfiddle.net/u4n4s296/)

I am not sure if these are unique to the device type (for example a certain
soundcard model) or to the device itself. If it's the latter, then that is an
indestructible cross-browser cookie right there. EDIT: As per icebraining's
comment, in Firefox they are not not cross-domain, not cross-browser and get
randomized when you delete your cookies.

~~~
icebraining
In Firefox, the media device IDs are different for each site (origin): _It is
un-guessable by other applications and unique to the origin of the calling
application. It is reset when the user clears cookies (for Private Browsing, a
different identifier is used that is not persisted across sessions)._

[https://developer.mozilla.org/en-
US/docs/Web/API/MediaDevice...](https://developer.mozilla.org/en-
US/docs/Web/API/MediaDeviceInfo/deviceId)

~~~
dunham
It looks like chrome is doing something similar. Each profile has a different
value and each site has a different value, but the value is stable across
restarts.

Safari (tech preview or high sierra) seems to give a new value every time you
reload the page.

------
captainhcg
I am working at FB but not in ads or related team. But I had talked to a
person who is directly working on it.

Amazon is different to other AD buyers. Amazon does not want FB to know what
customers are doing on its own site, so there is no FB tracker on Amazon at
all. However, Amazon can choose what ad to deliver to you on FB backed up by
its own team.

~~~
rajathagasthya
OP says they have different email addresses for Amazon and FB. How would
Amazon know which user to target ads on FB in this case?

~~~
thisismine
Cookie is a thing.

~~~
ars
It's not cookie, it happens across different browsers. It's IP based.

~~~
dbbk
How could IP-based possibly work for people at places like college campuses?

~~~
Jasamba
They take the number of people from the same IP into account. IPs are broken
down into public IPs vs private IPs based on traffic/timing of usage etc.
There are research papers on this sort of feature contruction using only IPs.
Cross device especially uses it extensively to be able to probabilistically
ascertain if the person from your house who is checking their phone is the
same person who checked smth on the Desktop computer last night based on your
online timing, IPs, behaviour over the day. They can figure out, for instance,
your office vs home browsing timing, interests etc with the same methods.

~~~
hyades
Interesting. Do you have the links of these papers so that I can read more?

------
exelius
DMPs.

Amazon buys (and sells) data to/from DMPs. That data can (and often does)
include a hash of your credit cards, all the e-mail addresses you go by, etc.
Amazon can basically buy programmable ad inventory that says "I want to show
this ad for chainsaws to kmonad" and the DMP resolves who 'kmonad' is through
a variety of methods.

Realistically, the opsec you would need to have to avoid this would be
astronomically inconvenient. These DMPs work off statistics, so they don't
need to know 100% that this browser session is probably kmonad, just 70%.
Maybe you have the same IP, OS version, browser extensions, cookie sets...

~~~
lxchase
This is most likely. To take it one level further, since you bought something,
it can be DLX data (or Oracle now) or some other purchase-based data (from
Visa or Nielsen Catalina). Facebook can ingest these as custom segments to
target. For instance, I can buy a data segment of past purchasers of Giant
bicycles for $1 CPM that will be layered on whatever partner is integrated.
With every "match" there will be drop off as one ID system needs to be matched
with a separate ID system (i.e. FB <-> DLX, or Liveramp <-> Mobile App)

~~~
exelius
Right; I think it would really creep people out to know what data is available
to target for advertising purposes and how deeply it goes.

Basically, there are a bunch of methods for tying your session back to your
identity, and most DMPs will run through a good dozen or two. Most will fall
back on geolocation patterns (which are surprisingly accurate themselves) but
it's actually very hard to totally anonymize your internet activity. We are
creatures of habit, but our patterns betray us. :)

~~~
dx034
But even with all that data, they still show irrelevant apps? In this case the
user already bought the item and gets shown ads for it afterwards. That's very
likely ineffective marketing. Is data mining this complex really worth it if
the result is that bad?

~~~
exelius
I would bet that Amazon does this intentionally. I don't know their rationale,
but they're a data-driven company so they wouldn't keep doing it if it didn't
produce desirable results.

------
calebcuster
If you want to know what advertisers are retargeting you, you might want to
check: [http://whoisretargeting.me](http://whoisretargeting.me) It can be
enlightening. You can also opt out of a lot of it here:
[https://www.facebook.com/help/568137493302217](https://www.facebook.com/help/568137493302217)

~~~
jszymborski
I don't seem to see too much specific to me, other than anything you can gleam
from geolocation... Suspect NoScript/uBo/Self-destructing Cookies have
mitigated a lot of it.

------
kristianc
Amazon has a Facebook retargeting pixel loaded which identifies you based on
your (probably logged in but quite possibly not) Facebook account. Facebook
has you IDed across browsers and across devices, getting around the single
browser limitations cookies usually have.

This links back to your FB account. Best practice would be for advertisers to
also load a 'burn' pixel on a conversion page which lets them know you have
purchased the product, but the tech doesn't always allow for this.

~~~
tagawa
It's worth noting that according to this study[1], Facebook has trackers on
25% of the top 1 million websites (Google is top with 75%). This doesn't
immediately explain how they get around the use of separate browsers, but with
device fingerprinting techniques, e.g. checking the list of installed fonts,
screen size, IP address, etc., I'm sure they can reach a high probability of
recognising a single user.

[1]
[https://webtransparency.cs.princeton.edu/webcensus/](https://webtransparency.cs.princeton.edu/webcensus/)

~~~
kristianc
Facebook's trackers (predominantly) link back deterministically to a logged in
Facebook account. Your account on Facebook is linked to a list of known
devices/browsers that you use (verifiable as when you try to log in to a
device or browser that you don't use regularly, Facebook will prompt you).

Facebook and Google will make use of probabilistic device fingerprinting
techniques etc, but to nowhere near the same extent that a company would that
didn't have FB/Google's level of logged in data.

------
js7745
They use the Facebook Pixel [https://www.facebook.com/business/a/facebook-
pixel](https://www.facebook.com/business/a/facebook-pixel)

They segment users that visited each product on Facebook with a custom
audience and then create ads for similar products that they show you. This is
all done programmatically.

~~~
icebraining
How would that work across different browsers?

~~~
nickphx
If you're logged into facebook on the browser the pixel fires on then that
event is associated with your facebook account and is used in further
targeting.

------
danilocesar
Not totally related to the post, but IMHO the following happen too often:

I'm looking for a camera. So I opened a market place in my country that sells
those cameras. Then I decided to buy one.

Then, for a few days, I open facebook and I only see ads about cameras, from
the same marketplace. That's useless as I'm sure (and they should know with
some confidence) I'm not buying another camera. They should/could target me
ads about SD cards, lens. But certainly not cameras.

* Then it happened again when I bought the SDCards =/

~~~
sumedh
Maybe the tracker did not track your purchase and still thinks you are looking
to buy one.

------
dmerrick
You can change this by going to your Amazon Advertising Preferences page[1]

More info here[2]

1:
[https://www.amazon.com/adprefs?ref_=ya_advertising_preferenc...](https://www.amazon.com/adprefs?ref_=ya_advertising_preferences)

2:
[https://www.usatoday.com/story/tech/columnist/2017/02/12/how...](https://www.usatoday.com/story/tech/columnist/2017/02/12/how-
stop-seeing-your-amazon-searches-everywhere/97764058/)

------
trjordan
Some data matching isn't done with straight cookies. You visited from the same
computer, same IP. It may be a guess done by comparing IP + installed fonts.

The other possibility is that your multiple email addresses have been matched
as the same person. So even though you use different browsers and have
different cookies, they're collapsed on Facebook's side.

------
wu_tang_chris
shoutout to yesterday's post on Ad Nauseam
([https://adnauseam.io/](https://adnauseam.io/)).

you know, incase you find this kind of thing reprehensible.

------
alimoeeny
It is enough for you to only once have used the same browser / profile with
both accounts. There are cookies to keep track of who is who and then it is a
matter of matching identifiers on one platform to the other. It is hard to
believe you have been diligent enough to keep things absolutely 100% separate
between Facebook and amazon.

------
Grustaf
I read your question as being about how facebook found out from amazon what
you bought. I don't know much about web technology but it seems to me they
don't need to know, since the ads you mentioned came from Amazon, even if
they're served inside facebook. So it's enough if facebook gives enough info
to amazon so that the latter can infer who you are, then they know that you
bought that bike.

It's somewhat encouraging that the algorithms are still so stupid as to
advertise precisely the things you are least likely, a large infrequent
purchase that you just made!

~~~
MichaelGG
Are they stupid? I've cancelled and bought a competing product more than once,
though not via ads (adblocker), just searching or reconsidering.

~~~
Grustaf
I think in general you are not very likely to buy a new bike (or phone in my
case) the day after buying one, but there may be exceptions.

Perhaps it's enough to be so crude as to not take timing into account. I mean
it IS true that people who buy bikes online once are likely to do it again at
dome point.

------
__abc
This is all fairly straight forward however, what blows my mind is Facebook
makes recommendations of friends that I've NEVER had any digital interaction
with.

For some reason it picked up the kid who stocks the craft beer at my local
family run grocer. Literally only talked to the kid face-to-face. No phone
number, no texting, no contact entry (not that I share those with Facebook
anyways).

That made the hair on the back of my neck stick up when _that_ happened.

~~~
mateo411
There is some process that is running a spatial join. You were both logged
into facebook at the same time, and were in close proximity.

I had a similar situtation where Facebook recommended that I friend a coworker
that sat next to me.

~~~
beejiu
Facebook claimed a year ago that they did not use location data.
[https://www.theguardian.com/technology/2016/jun/29/how-
does-...](https://www.theguardian.com/technology/2016/jun/29/how-does-
facebook-suggest-potential-friends-not-location-data-not-now)

~~~
mateo411
Interesting.

The situation I described happened over a year ago, so I imagine they were
using location data then.

------
jdavis703
These companies can also track you by IP address. I've had conversations with
co-workers about them considering a specific large purchases, and then seen
ads for what we talked about popping up. I'm assuming that if the CPM is low
enough, many ad-retargeters will take the risk of targeting ads based on IP
address alone.

------
godot
Aside from basic retargeting with cookies, there's definitely something more
going on between Facebook and Google. (geoip/location might be a good guess)

I have a habit of going into Incognito browsing often. Not for viewing any
NSFW stuff, I just have this habit whenever I want to look up something that I
know is very one-off and not related to my general interests. (habit started
with Amazon and it showing me related products of stuff I wasn't interested in
because I clicked on a link friends send over skype)

A few days ago I was sitting at home, remembered about a specific couch-in-a-
box company, wanted to check out how the couch looks again, so I opened up
Incognito as I always do, and searched for Burrow.

Later on that night, I saw Burrow facebook ads. Not only was I in incognito
when I searched, and this time I was actually on a whole different laptop
while on Facebook!

------
nickphx
All of those actions (searching, viewing, purchasing) sent signals to various
tracking companies that all exchange data either directly or indirectly
through third parties. While Amazon may not directly work with Facebook and
exchange tracking data, Facebook may work with another third party that works
with Amazon.

------
ars
It's by IP address.

I know this because you can browse for something on Amazon on one machine,
then find ads for that item on an entirely different machine - but one that's
using the same WiFi.

Good luck buying a surprise present for a Significant Other. If you try,
they'll see ads for it on Facebook.

------
mrhektor
On a related note, I had a weird experience where I was talking about a trip
to Vietnam with my friends. A few hours later, I saw an ad for air travel to
Vietnam on my FB page.

Now I'm 100% sure I hadn't googled or searched for Vietnam previously. At
first, the conspiracy theorist inside said "they're listening!" through my
phone microphone or whatever. But then, I thought, could they have been
forming a pattern of my behaviour over the past several days, cross-referenced
across several platforms (maybe I had searched for "Travel destinations" and
also a friend had given a travel recommendation of Vietnam on chat)? Have the
algorithms gotten that advanced?

~~~
sumedh
When you say talking do you mean you guys were physically close to each other
then if your friends searched for Vietnam, FB will know that this group of
people whose current GPS coordinates are the almost the same are interested in
Vietnam.

------
dx034
It's fascinating to see to what lengths advertisers go to identify users only
to serve irrelevant ads. The bike ad after a purchase is completely useless
and would've better been served to any other user.

~~~
koolba
> It's fascinating to see to what lengths advertisers go to identify users
> only to serve irrelevant ads. The bike ad after a purchase is completely
> useless and would've better been served to any other user.

On the contrary, I'd wager that a person who's purchased a bike is far more
likely to buy another than a random other person. I'm not saying there's isn't
someone _more_ likely to buy one than the guy who just did. But he would be
more likely than someone who has no recent bike related purchases or interest.

It could be as simple as, " _Hey this is a nice bike I bought. I bet my wife
/sister/brother/friend would like one too. Hey Bike Co is having a sale!_".

------
SpendBig
They add tracking to the products you view/visit/buy for retargeting ads:
[https://m.facebook.com/business/help/651294705016616](https://m.facebook.com/business/help/651294705016616)

------
confounded
It's just Amazon cookies. In short, you didn't see the ad because of what
Facebook know about you (though they'll know a great deal more than Amazon),
just that the two cut a deal to allow Amazon to read Amazon cookies from
Amazon ads on Facebook.

------
sunstone
If you haven't disabled third party cookies in your browser then you're doomed
from the start. After you've done that it's still a battle. Clear your cache
and all that every time you close your browser (it's also a browser setting).

------
amrrs
This is remarketing. It's based on Cookies (which sometimes could be both on
Server and Client side). In this model, Facebook is the ad agency that doing
this tracking and Amazon is just a customer of Fb.

------
mikegerwitz
I recommend reading/skimming Networks of Control:

[http://crackedlabs.org/en/networksofcontrol](http://crackedlabs.org/en/networksofcontrol)

------
molestrangler
If you stay logged in on FaceBook and browse & search other sites they know.
Only login when you need it the service, then logout and delete cookies.

~~~
ars
That doesn't make any difference. It tracks across browsers that are not
connected in any way except IP.

------
kostarelo
Yet, FB doesn't know that you bought it. Just knows that you did the research.
It would show you the ads regardless of if you bought it or not.

------
2pointsomone
Google "Ad retargeting"

------
jayess
Another reason to install ublock and add the social tracking filters.

~~~
ars
That would not help. Amazon knows what you looked at because you did it on
their site.

It's not Facebook tracking you, it's Amazon.

It's also not Facebook giving you the ad, it's Amazon. So technically not a
privacy violation.

------
BaptisteGreve
Would the same thing have happened if you were using the Brave browser
(supposed to protect your privacy) - [https://brave.com/](https://brave.com/)?

~~~
marvel_boy
No. Using Brave they have no way to follow you (no cookies).

------
EADGBE
FWIW, Home Depot does this too.

------
eip
If you are not blocking cookies and javascript then you are an intertoob noob.

------
jlebrech
amazon serves their ads on facebook with scripts hosted on their domain, and
the browser willinging gives amazon it's own cookie back, even if you're on fb
and not amazon.

------
dtft
Three words......Facebook Tracking Pixel

You go to Amazon, they tell Facebook what you are looking at, and then can
dynamically create ads specifically for you.

~~~
reustle
Does Amazon really use the fb tracking pixel? I wouldn't think so

~~~
netsharc
Op said he visited a website that sold bicycles. If this website has a "Like"
button or such a tracking pixel or Facebook analytics (do they have that?),
Facebook would then know that OP is interested in this bike.

An effective ad network would know that OP already bought such a bike, so it's
actually useless to try to sell him bikes... maybe accessories.

------
markgamache1
It's called the internet. That's what it does. Do you ask why bacon is
delicious?

