Ask HN: How was this ad targeted to me?
122 points by austinjp on April 12, 2017 | 87 comments
Apropos of the current discussion about dropping Google advertising [1], I'd appreciate HN's thoughts on how a very particular product was targeted at me yesterday: a semi-obscure musical instrument (which I won't name, my paranoia is already piqued).

Yesterday morning at home I Googled the instrument, the name of which I didn't actually know but Google came to the rescue. I browsed Google Shopping [2] but didn't purchase one.

Later I went into work where Facebook displayed an ad for the instrument in its "sponsored" section and an inline "suggested post" for a manufacturer.

My home and work computers and networks are completely different. I typically use incognito mode and "do not track" in Firefox or Chrome. I sign out of all social media and Gmail. Yesterday I was working in a large building with tens of people all using wifi used by hundreds of people across several buildings.

I assume no outright nefarious activity, such as an illicit pipe of potential customer IDs between Fb and Google.

The best I can theorise is that I had an open Fb window at home, and one of the instrument manufacturers' websites had an embedded Facebook like button or similar tracker, and they are running targeted ads on Fb. But is this direct-to-an-individual targeting even possible on Fb? Perhaps the obscurity of the instrument meant that I was very likely to see an ad, and very likely to notice it.

I typically close Fb when I'm not using it, so this doesn't immediately feel like what happened. I'll be doubly-sure to close and log-out Fb now.

I can't think of other ways that my Google activity could get to Fb. Browser fingerprinting, cellphone location etc would allow Fb to understand my location, but I can't see how they'd match this against Google activity.

I'd be very interested to read how this is, or could be, achieved.

[1] https://news.ycombinator.com/item?id=14094083

[2] https://www.google.com/shopping

Facebook doesn't need to be open in a tab for it to know it was you on that site, and you don't even need to be signed in. You and your computers are connected, even if you think you are careful.

If you have ever signed into FB from home, they know that machine / ip / whatever fingerprint is you. Even after you sign out, it's still out. Even if you are in incognito mode, it's still probably you. Then you sign in to FB at work, and now the same thing happens. They may not know the specific computer, but they know the network you are connected to IP wise.

This happens across many different ad networks, and they are all connected to sell ads targeting the people something wants. If you leave a potential purchase not bought, and sometimes even when you do buy it, ads are going to make it back to 'you'. They may not know 100% that it is you, but they can cast a net to try and find you. And for something like a missed sale, it's worth the cost.

Note it may not be targeting you specifically. It may just be closer to: Someone in this VERY specific demographic looked for this instrument, oh hey here is someone else that meets that same demographic on this other ad network. Let's try them.

The amount of tracking on the internet nowadays is absolutely crazy. Visit practically any website, and all the major players are going to know about it and add it to their profile of you.

> If you have ever signed into FB from home, they know that machine / ip / whatever fingerprint is you. Even after you sign out, it's still out.

Even if you signed out, they probably still have a cookie tracking who you are, and when your browser fetches that Like button, it will still send that cookie to the Facebook server. It'd be interesting on a shared computer where 2 people (e.g. a brother and sister) log in to FB alternatively, but I guess they can still distinguish who is who (e.g. person visits gaming forum, person visits this product page, person visits page with pics of a female supermodel: presumably it's the brother visiting all 3 sites. It's a bit sexist but that's what the algorithm would guess.)

2 people sharing same computer has amazing effects on those trackers. My YouTube recommendations used to be awesome to my interests till I was single, Now it's all polluted and mostly useless after I married. ;)

The strange thing is sometimes I learn things about my wife from the ads that are served. Creepy.

I know of a guy who found out his wife was seeking divorce weeks in advance because he started noticing divorce lawyer ads in his browsing! He eventually asked her if everything was ok and she came out with it. Crazy.

Same here. My recommendations used to be video games and tech. Now I'm seeing tons of cat videos and gardening.

Maybe youtube took a more expansive view of tech?

And it makes browsing for surprise gifts pretty impossible!

Not sure if intentional but Google ran a TV campaign here which featured Incognito Mode as the ideal way to buy "Surprise Gifts" for your partner.

"Surprise Gifts" mode pretty much immediately became a euphemism for "I'm going to watch porn" here.

> Even if you signed out, they probably still have a cookie tracking who you are

Indeed: https://www.nikcub.com/posts/logging-out-of-facebook-is-not-...

As someone who used to work for a targeted advertising co, I can confirm that, overall, this is pretty accurate. And, nearly a decade ago we were doing work to connect fingerprint x and fingerprint y when they were actually the same person (usually on different computers or maybe in incognito). Conceptually it wasn't hard. People tend to behave the same way regardless of what computer they're on. I'd be VERY surprised to hear that Google hasn't made a ton of progress in connecting fingerprints.

I work on ads at Google. As far as I know we don't connect users who are not logged in out of piracy concern.

I don't think this is true, or maybe it means something different when you take the colloquial meaning of what you said. (Maybe "connect" has a precise technical meaning at google.)

I get targeted ads from google all the time when logged out, even on machines where I have never logged in.

There seems to be correlation between targeting on multiple devices until I nuke all the cookies, etc.

Maybe you mean you only tie my profile to my real name and employer(*) while I am logged in? Or maybe there are N profiles tied to each machine, and one is "logged out but probably owned by a similar / the same person as these other machines".

(*) We use google's office suite instead of microsoft at work, leading to hilarious privacy snafus.

I wasn't playing any word games.

> There seems to be correlation between targeting on multiple devices until I nuke all the cookies, etc.

Do you have a specific example? Was this on a Google property (search, youtube, gmail) or on a third party site? Are you sure that those ads came from Google?

Is it possible that we just identified both of your cookies as a user who is interested in topic X without linking them?

Google targets ads to signed-out users (if they consent, have cookies enabled, etc.), but they are careful not to join the fingerprint of a signed-out user with the fingerprint of a signed-in user.

In other words, when you're signed out, ads can follow you around, but in the network it should seem like you are a different user from your signed-in version. This way, signing out has a consequence.

From people I've talked to at Facebook, they are much less concerned about similar privacy issues.

I've seen ads on my work machine for things I'd searched for at home. My work machine is signed into my work Google Apps account (and never my home account; though I have used that in another Chrome profile) and home my home account.

So, even if you're not connecting logged-out users, it seems to me that you might be connecting different logged-in users accounts.

I don't mind; I'd rather have targeted ads than not; though it does seem a bit creepy and often it's useless - I'm sick of seeing ads for stuff I already bought; you're losing cash there!

Those pirates can be quite vengeful!

Would using an extension such as Ghostery prevent this?

Ghostery can't be trusted. Noscript + self destructing cookies.

Why do you say that Ghostery can't be trusted?

I'm a big fan of Noscript, but could you explain more about self-destructing cookies?

Self destructing cookies are ones that are destroyed at session end or when the browser is closed.

It stops the Visit Foo, Foo sets a cookie, You go visit Bar, then Fizz, Fizz has a tracker from Foo which gets the cookie problem (at least partially).

Where it gets interesting is when Foo, Bar, Fizz and Buzz all have trackers in some form or another and co-operate.

Privacy is pretty much dead at this point without extreme effort.

IP Tracking is not enough to get an individual. They can get a household or business that way. They can track you by your specific browser signature: combo of user agent, plugins, etc. Which is why I like to use a browser dedicated to social media. I also have a computer provided by my employer as well as my own personal device. This helps a lot.

Cross browser fingerprinting is also a thing (system fonts, exotic screen resolutions, AudioContext & canvas/webgl quirks, number of cpus, ...). At this point you either need to disable javascript or take your browsing to a VM if you worry about fingerprinting.

And a VM is probably not enough if the plugins you install or even just your behaviors are similar.

It has happened so many times that I searched something on Amazon, and next day onwards, I get advertisement for Amazon on Facebook application showing exactly same product. I just wonder, who is paying for that advertisement!

You can (or at least could) absolutely target individuals with Facebook ads. Check out this prank: https://ghostinfluence.com/the-ultimate-retaliation-pranking...

That was awesome too. The comments are great as well.

True story: Proposed to my wife with a Facebook ad.

Tell us more.

I can't believe this is not a medium post.

I can't decide whether to share this with my friends or keep this in my back pocket...

This is the best thing I've read all month. Thanks for posting!

It's called re-targeting.

You can use javascript to put users into a segment and re-target that segment; it's really easy. If you use the biggest ad-exchange (AppNexus) you can be sure to reach just about anyone anywhere.

This is correct. Retargeting is one of the most valued aspects of adtech.

The manufacturer's website contains an iframe to the ad network's website. They signed up for this by placing a JS snippet from the ad network on their site that created the iframe. This allows the ad network to know that you've visited by placing a cookie. Next time you visit a site that shows ads from this network they can inspect the cookie and show you the retargeted ads.

Could have been FB in this case. Their ad platform definitely allows for retargeting.

Although they wouldn't have used a cookie here since it is mentioned that different browsers & devices were used. It would mean that segmenting was done on the backend, maybe using a user id from a social network.

Cross-device targeting has become prevalent for most adtech targeting. At its most basic they will correlate your public IP address, but there are other methods for correlation.

How is it OK to do this if the browser is sending DNT? Is it really voluntary on the part of the ad network and they can just choose to ignore it?

Yes, DNT is an effort by the industry to self-regulate. If too many companies ignore it, it's much more likely that they will be regulated "externally" (by Congress, FTC, FCC etc).

That is correct. Ad networks aren't obligated to obey 'Do not Track' requests.

Yes, most of them just ignore it.

Exactly - if op wants to he can install Ghostery, visit the website he was on and check if they had FB Remarketing pixel.

Case closed.

I used to work in this exact industry and wrote my employer's tracking code. You didn't clarify whether you clicked on a google shopping product and landed on a product page. That's all that is needed.

Many ecommerce sites use both google and facebook for their campaigns. So by you landing on the product page, a standard facebook event would be fired. The website or the advertiser doesn't really need to know who you are but facebook does know who you are once that event is fired. Facebook can then tie you to a campaign around that product for that same website (if they have an active campaign going).

Logging out of Facebook doesn't mean they won't be able to track you. Your browser fingerprint is likely tracked. If you've logged into Facebook at home, and you've logged into a computer at work, Audience Network likely figures out that your residential IP is your home, and an aggregated commercial network is your work.

If you visited the manufacturer's site, you would have hit a re-targeting pixel for the network, that will track you around the internet to remind you. At work, on your phone, at school, and at home.

The other answers here seem to cover most of everything, but one more possibility to add to the mix - prefetching. Just because you don't click on a link doesn't mean that you aren't already going there. Chrome (and other browsers) prefetch pages so that they will load faster when you click on them.

I haven't delved into this in a while, so I can't say I've tested anytime in the last 5 years. I did a quick search and found this page that talks about how to disable the functionality in chrome:


I'm always surprised that more people don't seem to know about this.

There are so many ways:

- you opened a web page with a facebook's like button and facebook analyzed your browse history. If you browse for something in google shopping you might want to buy it, so facebook added it to your interests and showed an ad later to you. (Probably this was the cause)

- google and facebook knows your location because you have a google/facebook app in your mobile. It is easy to know where you work and where do you live. Even without GPS, as they can use the wifi public IP to know your location (among other things)

- your browser makes a fingerprint unique to you, even if you are not logged into any platform or you don't have an account on them they know you are you. So they can collect data. If you later login into facebook/google they match the fingerprint with your user. They can also use several fingerprints, because you use several devices. I think this is called supercookies. There are companies that just do this.

- you have two different devices with two different accounts, but you have the phone number of the other in your contact list and sometimes you have both devices with you. Facebook/google will suppose you both share same interests and show ads that match one of your devices to the other.

- "do not track" is a suggestion, some people ignore it because they really want to track you.

- google and facebook probably use other ad networks to serve ads, so facebook probably asked google (or another ad network) for an ad for you. You probably shared your phone number / email in both facebook and google.

- if you want to be fancy, machine learning could also help to target ads for you, but I think the other ways are so easy to do and work so well that you don't need complex things to show ads, just track the user.

> you opened a web page with a facebook's like button and facebook analyzed your browse history

How could facebook (or any website) access your browsing history? they know what link you access from their pages, but apart from that, can they get any info from the browser?

More like 80% of the web pages you opened included the Facebook Like button, so they have 80% of your browsing history right there.

Facebook like button is a web beacon. You don't even have to have a Facebook account for them to track you. They don't get it directly from the browser, every time that "like" button is loaded it notes it in a database somewhere.


I probably was wrong and most probably the user visited the shopping place of the item, which probably would have a facebook javascript library.

But there are ways to get information of you browse history:

with a facebook like button (other facebook library, or google analytics), which it is in almost all websites, you have the previous web.

There were bugs before in browsers that exposed the previous history (sorry I cannot find the link)

You could have an extension in your browser that analyzes the whole history.

You can also get information by opening an iframe and accessing other site cookies.

Doing history sniffing (although unlikely)

I spent the last weekend in another city X. I took with me my macbook but I didn't use it, so it was closed in sleep mode the whole time.

However, I did some searches over the weekend on my iPhone, Safari in private mode, not logged in.

Back home, opened the macbook, did some search with an incognito browser window. And Google told me: You are in another city X, based on your browser history (!).

What?! Privacy is hard nowadays.

Here's the company behind that: http://www.criteo.com/

It's a 3 billion French company whose sole job is to show ads for products abandoned in the cart or something you bought 6 months ago or something that their personalization algorithm suggests.

Technically this is not correct. You can achieve the very same result using different products (eg. Adroll, Exponential Interactive) or even using Google and Facebook natively.

[0] https://www.adroll.com/

[1] http://exponential.com/

Ironically, that's the only good tech employer in France :D

I wonder if the only action against them is sending them so much traffic their servers can't keep up.

I feel with the advent of internet of shit, this will start becoming more of commonplace

Client side re-targeting has two pieces to it: a "segment" code placed on the product page (a marker showing you have interest in this particular product) and a "burn" code placed on the conversion page (that removes the previous marker, so they can stop showing you ads for this product once you bought it).

One could add the "burn" code every time the "segment" code is detected. On some networks that may even result in an affiliate payout.

They likely have billions of dollars in infrastructure, you're not gonna DDoS them.

They are the one DDoSing you with ads.

In your opinion which others come close?

Which employers would you recommend avoiding?

There is nothing else close, there is no google facebook microsoft in France.

I was going to suggest OVH, but looking at the reviews at glassdoor.com… well, maybe not.


Not comparable to Google.

OVH is only a hosting company. Low margin business. They have no software side, they don't make billions of dollars, they don't run thousands of projects.

Use Facebook only from their onion-service using dedicated (TorBrowser) browser. https://facebookcorewwwi.onion

The answer is cookies. Facebook sets multiple cookies on your browser that do not expire and are not deleted when you logout. By logging in at work and home, you are making it trivial for them to track you. They also set this cookie when you interact with a Facebook like, share, comment or use Facebook to log-in to a third-party site.

A few suggestions to help mitigate this:

- Use a browser dedicated to all your social media browsing and another browser for everything else. Say Firefox for Facebook and Twitter, and Chrome for everything else. That will restrict what they can capture.

- Browse Facebook in your browser's incognito or private mode.

- Minimize third-party links you follow from your Facebook timeline. And don't shop and Facebook in the same browser!

- Don't interact with Facebook outside of their actual site. This includes likes and comments.

- Don't use Facebook as your log-in credential.

- Use an ad blocker!

- Have your browsers delete all cookies on log out. This is both your day-to-day and social media browsers. Facebook is not the only media company tracking you.

> The answer is cookies. Facebook sets multiple cookies on your browser that do not expire and are not deleted when you logout. By logging in at work and home, you are making it trivial for them to track you.

I don't understand how cookies could explain the scenario described in the question. Can you explain?

I assure you that you can still be tracked without cookies. It's not as easy, but it's definitely possible to fingerprint a browser and track its requests to a server even if there aren't cookies. The level of confidence will be good enough for advertising.

Indeed. Which is why I like to use a separate browser for social media. Having said this I know it's a losing battle, but I see no reason to make it easy on the bastards.

(I've worked in ad tech in a previous life)

Adtech discussions like this always raise the hair on the back of my neck.

The only thing that makes me feel better is that "my data" is being handled by a piece of software somewhere for the EXPRESS purpose of pushing advertising to me.

I don't believe it will feel like a privacy violation for most people UNTIL we start seeing high-profile incidents where actual human beings get caught looking up and acting upon individuals and their data as people and not programmatically as GUID's with bunch of metadata.

It makes me wonder if entities are buying their way into these adtech data streams for purposes OTHER than market research or directed advertising?

Did you leave your email? If so, this is plausible flow:

1. You visit website xyz.com

2. You signed up at xyz.com and you dropped during checkout funnel

3. Your email address is being added to a Facebook retargeting campaign and Adwords campaign

This should answer your question -- straight from the horse's mouth! https://www.facebook.com/help/206635839404055

Edit: Using something like https://www.eff.org/privacybadger helps avoid this kind of tracking while not being too painful to use visiting web-sites.

Rather than speculating, you can find out why you're seeing a particular ad on fb. There's a drop down on each ad which includes a menu item which explains the targeting method used: https://www.google.com/amp/www.business2community.com/facebo...

Yes, because when speculating about how much Facebook knows about me, the most likely source of truth is Facebook itself!

That said, thanks for pointing out this functionality. While I might be suspicious of the degree of truth it offers, it's at least something (honestly).

I do everything you do, but recently I have added one more habit thanks to Opera's beautifully easy VPN: I google search on Opera using their VPN.

Here's an interesting read [0] about making inferences about such questions. Story of someone who deduces audio fingerprinting must have been responsible for a particular promoted tweet (before audio fingerprinting was known to be used).

0: https://slack-files.com/T0317T6QB-F04FJ2YAC-88e35e6787

> But is this direct-to-an-individual targeting even possible on Fb?

Why not? If the FB like-button sends the cookie for your FB session, then it can make the connection between your account and the product.

Besides, it is also possible that you talked with a friend about the product, and this friend searched for the product in e.g. Facebook, and by being friends with this person on Facebook, they now show the ad to you as well.

This is just FB tracking you everywhere and recognising your account even though you are logged out, from cookies (possibly local storage, IP address, other browser fingerprinting methods).

This just happened to me: I visited booking.com earlier today, then FB showed me a FB ad with the same hotels I had looked at.

This is pretty much the reason I block ads. If they weren't so intrusive and stalky I wouldn't mind them too much.

Similar things happening to me in Youtube. I got suggestions about similar things I watch at work which I used totally different gmail account from my Android TV! So technically these two are not connected. Sometimes I use my work gmail account at my laptop at home so I assume Google is aggregating data based on IP address.

Here is an interesting article about this topic: https://cliqz.com/en/magazine/how-facebook-knows-exactly-wha...

Former VP-Eng at a product-ads ad-tech company here...

You can think of this as a two step process. First, connecting your Facebook UID to structured data about a specific product in a product catalog. Second, connecting your FB UID to multiple devices/browsers without cookies.

I think the second part (cross-device matching) has been explained well by other commenters: there are multiple techniques involving IPs, hardware footprints, browser footprints, browsing habits, etc.

I want to clarify a few things about how the first part most likely occurred. There's been a lot of emphasis in discussion on the FB "Like" button. It's true that this is a possible way for FB to observe you have visited a specific webpage. However, it's more likely that there was a Facebook "pixel" on a retailer's website (some commenters have been referring to this as "javascript" or "retargeting"). Most e-commerce sellers use these today. They're basically a FB web endpoint that the retailer can pass structured metadata to that lets the retailer communicate to FB that an event has occurred on their website. FB allows retailers to send all kinds of metadata about all sorts of events - page loads, add to carts, checkouts, purchases, in-app events, and custom events. The retailer can also send very detailed info about the content being interacted with on a webpage, down to sub-SKU granularity (e.g. not just a particular shoe, but a specific color/size/variant of that shoe).

Historically, the FB web endpoint would return a 1x1 transparent image so that a retailer could embed it on their website's HTML and a customer's browser is "tricked" into loading the image from a third-party domain. Thus the name "pixel". This is still frequently done, but nowadays the endpoint may just be a REST endpoint and/or may be called via AJAX (or via an SDK within a mobile app).

Facebook also allows retailers to upload their Product Catalogs to Facebook. These are basically a CSV of structured metadata about every product the retailer has for sale. Then, when the retailer sends a pixel event to say SKU 12345 has been interacted with by a user, Facebook can reference that SKU in the retailer's Product Catalog to learn all kinds of info about it.

A really interesting exercise is to install the FB Pixel Helper extension for Chrome (I'm sure there are equivalents for other browsers). It will show you all FB pixels loaded on a given page and what metadata was passed along. Keep an eye on it as you browse the web, especially the next time you browse an e-commerce website. Facebook basically sees everything that happens. They may as well be ingesting everyone's Apache/Nginx logs. :-P

https://chrome.google.com/webstore/detail/facebook-pixel-hel... (Note: I'm not affiliated with this extension in any way)
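An added example, not part of the comment above and not code from Facebook or the extension it mentions: a small Node.js audit over a constructed request capture, reporting which third-party sites saw which pages, whether a cookie rode along, and what metadata the pixel-style URLs carried. The host names, the parameter names (`ev`, `sku`, `variant`, `href`) and the two-label `siteOf` shortcut are assumptions for illustration.

```javascript
// Constructed sample capture (not real traffic). Each entry records the page
// being viewed, one sub-resource it loaded, and whether the browser attached
// a cookie for that sub-resource's host.
const capturedRequests = [
  { page: "https://shop.example/instruments/sku-12345",
    request: "https://static.shop.example/app.js", cookieSent: true },
  { page: "https://shop.example/instruments/sku-12345",
    request: "https://pixel.adnet.example/tr?ev=ViewContent&sku=12345&variant=walnut",
    cookieSent: true },
  { page: "https://news.example/story/42",
    request: "https://widgets.adnet.example/like?href=https%3A%2F%2Fnews.example%2Fstory%2F42",
    cookieSent: true },
  { page: "https://news.example/story/42",
    request: "https://fonts.cdn.example/f.woff2", cookieSent: false },
  { page: "https://blog.example/post/7",
    request: "https://widgets.adnet.example/like?href=https%3A%2F%2Fblog.example%2Fpost%2F7",
    cookieSent: true },
  // Cookies had been cleared before this visit, so the widget request is anonymous.
  { page: "https://forum.example/t/99",
    request: "https://widgets.adnet.example/like?href=https%3A%2F%2Fforum.example%2Ft%2F99",
    cookieSent: false },
  { page: "https://bank.example/login",
    request: "https://bank.example/app.js", cookieSent: true },
];

// Simplification (assumption): treat the last two host labels as the "site".
// A real audit would use the Public Suffix List to find the registrable domain.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Group third-party requests by the site that received them.
function auditThirdParties(requests) {
  const report = new Map();
  for (const { page, request, cookieSent } of requests) {
    const thirdParty = siteOf(request);
    if (thirdParty === siteOf(page)) continue; // first-party resource, ignore
    if (!report.has(thirdParty)) {
      report.set(thirdParty, { pagesSeen: new Set(), pagesWithCookie: new Set(), events: [] });
    }
    const entry = report.get(thirdParty);
    entry.pagesSeen.add(page);
    // Only requests that carried a cookie can be joined to one stable identifier.
    if (cookieSent) entry.pagesWithCookie.add(page);
    // Query parameters are where pixel-style endpoints receive event metadata.
    const params = Object.fromEntries(new URL(request).searchParams);
    if (Object.keys(params).length > 0) entry.events.push({ page, cookieSent, params });
  }
  return report;
}

// Share of all visited pages that each third party can link to one cookie.
function exposure(requests) {
  const visited = new Set(requests.map((r) => r.page));
  const rows = [];
  for (const [site, e] of auditThirdParties(requests)) {
    rows.push({
      site,
      seen: e.pagesSeen.size,
      linkable: e.pagesWithCookie.size,
      share: e.pagesWithCookie.size / visited.size,
    });
  }
  return rows.sort((a, b) => b.linkable - a.linkable || a.site.localeCompare(b.site));
}

console.log(exposure(capturedRequests));
for (const ev of auditThirdParties(capturedRequests).get("adnet.example").events) {
  console.log(ev.page, ev.cookieSent ? "cookie" : "no cookie", ev.params);
}
```

To run it over your own browsing, export a HAR file from the browser's network panel and map its entries into the same three fields.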

Lol! Free isn't free. Your desires are a commodity up for sale. The how doesn't matter. When you discover and block one way, another is created. This happened because you use Google and Facebook.

uBlock, uMatrix & host based blocklists are the price of entry these days. https://github.com/jmdugan/blocklists/tree/master/corporatio... Block at your router if you can, then any mobile devices on your network enjoy ad/tracker blocking too.

assume every time you hit a googlebook server they assign a confidence score related to potential identity or demographic and rank.

"what are the odds this is a woman? a doctor? a person living in Louisville? Is this Jane Doe?"

each of the answers to those questions get a confidence score and a rank. then you're shown ads based on whichever verticals you rank the highest.

I think it just means their statistical approximations are getting good.

theories idk

> a semi-obscure musical instrument (which I won't name, my paranoia is already piqued).

It was a Theremin, wasn't it?

Nope :)

> "do not track" in Firefox or Chrome.

Completely ignored pretty much everywhere...

> I assume no outright nefarious activity, such as an illicit pipe of potential customer IDs between Fb and Google.

Where do Facebook or Google claim not to share advertising data with their partners?
