These advertisers are running ads using a contact list they or their partner uploaded that includes info about you. This info was collected by the advertiser or their partner. Typically this information is your email address or phone number.
Yep. Me, too. I use the e-mail address firstname.lastname@example.org, so it would never be accepted by any of my actual contacts. They all use my real e-mail address.
But somehow Facebook says that e-mail address was uploaded by Maserati of Scottsdale (never been to that part of Arizona, and can't afford that kind of car), Mini of Freeport (I've never heard of Freeport), Sunrise Ford NoHo (I have no idea where this is. North Hollywood, maybe? If it is, I don't even live in that state), Crain Kia of Bentonville (Arkansas, maybe? Never been to Arkansas), Bernard's Chrysler Dodge Jeep Ram (No idea where that is), Drive Toyota (Is that Toyota corporate? I've never owned a Japanese car), Land Rover of San Antonio (I've been to San Antonio once, and that was before Facebook even existed).
So I second the OP's suspicion that Facebook is giving out my e-mail address to advertisers/spammers/partners.
I sure hope they didn't pay a premium for Facebook's "targeting," because it is evidently atrocious.
This seems like a really good starting point for an investigation against Facebook!
Anyone else wants to steelman Facebook before I and other become too excited? Because right now I don't see any other options.
Hopefully a federal privacy law will clarify if this is legal at all.
Well, in this case probably not. Though I wrote "email@example.com" above, it's really more like "firstname.lastname@example.org." So the chances of it being guessed are infinitely small.
It's possible that Facebook has been hacked or the above posters used Facebook connect to login to a third-party service that leaked the email addresses.
> So I second the OP's suspicion that Facebook is giving out my e-mail address to advertisers/spammers/partners.
It's much more likely that Facebook has a shadow profile for your actual email address and has connected with yours due to your friends/connections syncing their contacts.
E.g., they know you'd like them to assume that email@example.com is your email address (and they do you the favor in all publicly visible parts of your profile), but they also see that most of the people in your friends list haven an entry for "firstname.lastname@example.org" in their address book, filed under your name. So they'll simply add both addresses as keys to your account.
You're probably also giving that out to businesses you have a relationship with. And most people don't have a second fake phone number to give out to avoid matching.
It's a bit like grocery store loyalty cards: you can give the grocery store bogus contact info when you sign up for one, but the first time you swipe a credit card to pay for your groceries, the store gets your name and a unique ID linked to you (the card #) that can be used to match your profile in (say) an Acxiom database.
I'm curious why Facebook would link a shadow profile about you to your real profile though, even if it knew with relative certainty you were one in the same. I can see no benefit other than advertising (which doesn't really necessitate them telling you in this way) but it seems that it could pretty easily lead to the misunderstanding above where folks impugn nefarious motives to Facebook that aren't accurate.
I find it interesting given what you likely know about the surveillance economy that you're incredulous to the concept that you know and have covered every possible vector.
A single person is no match for the surveillance economy.
I can assure you, the advertising industry knows vastly more about US persons than any state-level surveillance does.
The reality is very simple, these companies dominate the advertising industry (which is huge) so they make a lot of money. That's all it comes down to.
Now it happens that there's some guy on the other side of the world who has a name similar to mine who keeps erroneously putting down _my alias email_ address as his email for a lot of services (maybe he just sometimes uses the wrong major email provider after the @).
I know A LOT about that guys life based on the countless emails I get instead of him. (loan offers, negotiations for used car sales, church group meeting protocols, what politicians he donates to...)
Turns out, the advertiser info FB has on "me" is actually on him (or >95% at least.)
Which means they are also using other types of information to identify you, and since your email and phone number can't be used, it must be those other information types. I'd love to know what they are.
My count is 11,885 advertisers, for what it's worth. It looks like car dealerships are the majority of them... I've never bought a car from a dealership. Very odd.
I wonder if the linking is even necessary, if FBs dark pattern made your friends upload their contact list, they could just infer that since Alice and Bob are your FB friends and they both have your name and number on their uploaded contacts, they can probably associate that number with your FB profile with x% certainty (a higher percentage if your FB friends Cedric, Dave, Emily and Fritz also have the same name and number...).
Fun stuff huh? /s Someone should associate that Patrick Stewart "Extras" line "But it's too late, I've seen everything." with Mr. Zuckhole.
> I wonder if the linking is even necessary, if FBs dark pattern made your friends upload their contact list, they could just infer that since Alice and Bob are your FB friends and they both have your name and number on their uploaded contacts, they can probably associate that number with your FB profile with x% certainty (a higher percentage if your FB friends Cedric, Dave, Emily and Fritz also have the same name and number...).
Yeah, my bet's on this. Once, long ago, when I was more trusting, I installed the Facebook app on my phone (back when Android permissions were all or nothing). Facebook slurped up my address book, and I don't even think they ever explicitly asked for permission to do that.
About six months to a year ago I noticed these contacts in my FB data dump...and they were connected to all kinds email addresses and phone numbers I never had in my address book.
My guess is that if you want to keep Facebook from linking to your personal info from other sources, you need to have zero data overlap (different email, phone, name) and never install any of their apps on any device you own and never share a browser session between Facebook and any other browsing.
One auto dealer worker responded to my question, "how did my name get on a list that your page uploaded?" by saying "I don't know, I just post ads."
The ad settings page suggests that usually the uploaded identifying information is a phone number or email address, but the wording is vague enough that it could probably be just about anything. So if you've ever shared your phone number with Facebook (even once, I suspect, even if you've since deleted it) I wouldn't be surprised if they use that to identify you. Similarly, a postal address or even a city might enough to identify you for these purposes.
Edit: A quick Google shows a number of groups similar to  that sell lists of auto owners. I would be surprised if there were not similar groups for other industries, particularly real estate.
(NB: There are very valid reasons WHY this information is in the public record...mostly to make it harder to fence stolen vehicles.)
I've never been to the US!
This is the same email that I use everywhere, so its easy for them to get and stuff into Facebook, but surely they are then paying to advertise to someone who isn't able to buy from them. Or maybe this is then further filtered based upon geo location.
Maybe, as soon as I land in San Antonio I'd start receiving Land Rover adverts because they've provided my email address. Incredible how many of them are US car dealerships.
Well, how to explain that under the list of "Advertisers who use a contact list added to Facebook" the only company there is the National Bank of Canada, with which I had a bank account from 2007 to 2008? I didn't have a Facebook account until almost 10 years later, didn't have the same phone number or address (that was in Canada and I had been back in France for a long time when I signed up to Facebook) and didn't even own the domain of my Facebook email address then.
Also, for some reason they are listed twice, once as Banque Nationale du Canada, and once as National Bank of Canada.
I don't think they had anything else to link to my account than just my real name.
So, let's say you have a Facebook account and go to "Mom & POP Shop, Inc. dot com". If "Mom & POP Shop, Inc. dot com" implements Facebook Pixel (or has a way to consume it) and you buy something from them, giving your phone number, address, etc., then your other information is automatically correlatable just by those two points of data.
The fact that 1,147 other companies have your information tells me that there was probably an intermediary advertising company between "Mom & POP Shop, Inc. dot com" and Facebook, so that intermediary could sell your information to anyone and everyone and, once it's on the "advertising market", it's ripe for correlation from other companies - Amazon, Google, Microsoft, etc.
All that's need is at least one, consistent, correlatable point of data - say your mac address or your browser's established fingerprint and you're "fair game" for targeting on the "advertising market". (Insert Bill Hicks' reference to Marketing and Advertising here.)
 - https://youtu.be/9h9wStdPkQY
You don’t need to click an ad to leave a footprint. You just need to go online.
Facebook claims they don't disclose it. Companies upload lists of email address they already have for Facebook to find similar audiences.
If he only used this email for Facebook, then only Facebook should have it.
So tell me, how did 1,147 other businesses and groups get
their hands on my info if I've never given it out?
Why does that get a fail mark? In my opinion such promises are worth absolutely nothing. Does that compromise my anonymity somehow by disabling them?
"Setting your browser to unblock ads from websites that commit to respecting Do Not Track rewards companies that are respecting user privacy, incentivizing more companies to respect Do Not Track in order to have their ads shown at all. By preserving privacy-friendly ads, sites that rely on advertising funding can continue to thrive without adjusting their core business model, even as they respect users’ privacy choices."
Claiming you're not protected because you've decided to block all does seem deceptive, though.
In my case it shows... 2x more than I expected, but looking at the names, most of those were most likely pictures of t-shirts, or funny videos, that I just clicked to check out.
This isn't a superhuman feat. Just install an ad blocker and don't click on the obvious sidebar ads. Done.
My ad preference record demonstrably shows I've not done so, with only 10 advertisers on the list and no ads clicked for the last 90 days at least.
I guess it helps to not have Facebook on your phone too.
How do we settle this?
to be clear OP, i'm not trying to be mean or anything. i don't remember what i had for lunch yesterday. it seems that unless you took technical means to validate that everything you said is true, it's quite likely there was an errant click, an errant sharing of the email to a friend, etc, etc.
It's almost impossible to hide from Facebook.
So you might hide your email address but how do you know others did?
Edit: They didn't have the phone number, according to the data exporter. Pretty plausible explanation here: https://news.ycombinator.com/item?id=19103490
Every week I do this.
FB lets me disallow OTHER types of advertising. But not this type.
"Products that are provided by the Facebook Companies, including WhatsApp and Oculus, as well as Facebook Products like Facebook, Instagram and Messenger."
That has nothing to do with non-Facebook companies. It's something else entirely.
This offline interaction data is different from contact data. The latter doesn't involve any "partnership." It's a completely different part of Facebook ads.
I play my own part in this massive economy that exists of selling data to be used in Facebook ads (Google and other big tech companies do it, too). To me, it's the number one most dangerous thing that has happened to the web. It's my belief that you can make a direct tie from this type of advertising to the layoffs of journalists. That's a more complicated argument than I have time and space for here, but that's why it's an important issue to me -- I think it's a problem for democracy.
Edit: I also tell people I do this to spread the word about the practice and FB's failure to provide proper privacy tools -- in person, but also in forums like I did here.
I just opened that website for the first time, expecting to see thousands of advertisers, but I can't find any number. On the other hand, the list there had 68 'advertisers', most of which I recognise, some that I'm glad hiding, but I don't believe there's only 68 after all this time??? Especially since at least 10 of those were duplicates (like different countries for the same brand)
Am I missing something? I'm just looking at "Who use a contact list added to Facebook"
Per the book "Chaos Monkeys", as well as others sources I would presume since, that single signal is not a "unique key". There are plenty of other ways being used to tie you to your devices (plural! as in, you're a known / constant as you move from phone to laptop to tablet, and so on.)
Mind you, neither is new, but Dragnet Nation and Chaos Monkeys are both insightful, and if you take your privacy and liberty serious frightening.
Of the two, CM is the written to be more entertaining.
All you need is for one of those identifiers (email, phone number, facebook ID) to show up on a list somewhere. Since you say your email is unique and only used for Facebook, it's unlikely that was used for targeting. Your phone number could be acquired from somebody else syncing their contact list to some app or service. Your facebook ID could be acquired from you authenticating to an app or service via facebook, or it could be scraped from public group pages.
>This info was collected by the advertiser or their partner.
Why do you think so many apps want to extract your phone contact list if not to sell?
Have you ever given that phone number out, even if only to one friend or relative? If your name and phone # are saved in their smartphone contact list, they may have been using a smartphone with an adware OS designed by the largest data monitizer on earth bundled with additional spyware preinstalled from the manufacturer, service provider, plus 10 of the highest bidders. Those advertisers could have bought it from your cc issuer, merchant, loyalty card issuer, car dealership or bank as part of a bundle with your transaction history. It could have come with a location history package from your mobile service provider or it could have come compliments of Equifax.
Sure, it could have been collected way back in 2017 or whenever while FB was still giving the data out for free. There are plenty of totally innocent explainations...
If it turns out next month that those 1,147 advertisers are all just Alphabet companies and the contact list was uploaded by their partner, Facebook, you'll sure feel stupid for jumping to conclusions. /s
B) People searched your name on Facebook
C) Facebook creates ghost profiles with all these details until it has enough confidence to sync it with an new/existing Facebook profile
Once an EU citizen contacts them and requests the dump, they get redirected to the same tool. You have to explicitly bug them and quote the article 15 (of the GDPR) a few times to receive a different dump.
Disclosure: I haven't done this personally, but I have talked to people who did and read their interactions with Facebook. I can't guarantee that this info is still up-to-date, since that happened months after GDPR went into effect.
That data is in blackbox ML system which is exclusively for ad targeting, and it can't be described :) that's the Facebook's defense.
GDPR doesn't cover the intermediate info AI/ML generates on you.
I wonder why the massive difference
Excellent question. I am also very intrigued. I'm gonna ask them all. https://cohan.io/activate-the-gdpr-robots/
Not directly, perhaps.
>The inbox for that account only contains emails from Facebook. I have never given Facebook my phone number.
Your phone number can easily be scraped or harvested from other users who give Facebook your information.
>I have never clicked on an ad in Facebook.
>I have never connected an app with my Facebook account.
>_Facebook_ itself is the only entity which has ever had my contact info associated with my account.
>So tell me, how did 1,147 other businesses and groups get their hands on my info if I've never given it out?
The point is that "I would never do that!" is not a valid defense. Humans make errors, you are not an exception to this rule and leaking data is made very, very easy.
I've never clicked it and never will, but I don't doubt that many of my friends have just to get it to go away. That's why I only give out my Google Voice number to people and only use my real phone number when it's strictly necessary.
So the strategy to do is to say yes for the app to ask permission and when the system dialog shows up you can decline. If you ignore or say no to the app dialog they can keep pestering you, but once you have declined on the system dialog there's not much the app can do.
The apps have to instruct you to go into the app settings if you want to activate permissions, not a lot of apps are doing this since it's quite an involved process.
TIL even the 20 user mine wasn’t required and today the min is only 100. I know for a fact that Trump 2016 used this technique with voter rolls to discourage turnout for likely Hillary voters based on a talk I watched by their media team.
Meanwhile the ruling party here has 2 million to spend on a campaign. Not making Facebook rich.
Its really a fascinating watch, and a perfect case study for why GDPR is needed. After reviewing it I don't see any mention of specific techniques used to discourage turnout, but those techniques are well-documented elsewhere:
Honestly didn’t even realize it was “ok” for companies to share emails with third parties as I thought that is even considered PII.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.
The keyword here is indirectly.
personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable.
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
The keyword here "reasonably identifiable".
So if the purpose of an email hash is to identify me for ads targeting, then it is by definition reasonably identifying me, even if indirectly.
What makes email address and other unique identifiers like a hash of an email PII is that the given universally unique composition of letters and symbols is associated with a person.
email@example.com -> a facebook profile -> Legal Person
836f82d......b39577f -> a facebook profile -> legal person.
For identifying a person both 836f82d......b39577f and firstname.lastname@example.org are the same.
> Hashing is magic crypto pixie-dust, which takes personally identifiable information and makes it incomprehensible to the marketing department. When a marketing person looks at random letters and numbers they have no idea what it means. They can't imagine that anybody could possibly understand the information, reverse the hash, correlate the hashes, track them, save them, record them.
EDIT: Looking into this a bit, I don't think they're fake... it seems like most of the websites are "powered by X" where X is some CRM/website builder solution targeted at car dealerships, like these  . They all have marketing/advertising features, and there is likely some sharing of contact data on the backend, or contact lists are outright sold as "leads"
The frequent flyer group have just taken it from my membership details.
I don't bet, but I've worked as a statistician, so there's probably some connection there with past probability and modelling work or getting odds from these sites.
The real estate group I'm guessing is from contact details given while looking for houses that they've used without my explicit permission.
Audi is interesting because I've never had a car in my name, and haven't had one in my household for several years. Haven't so much as stepped in a car dealership. I'm guessing they must have bought(stole?) it from a rental or car-share company database...or a marketing list somewhere, but its certainly not from anything I've done first hand.
It’s been months and I don’t miss the constant barrage of political rants from my friends on both sides of the political spectrum.
Bingo. Works great for overly vocal political friends, and the pushy MLM friends, too.
I am a lot more productive at home and save so much more time.
So for a good measure, I just use a separate profile.
there are definitely some leaks, and there is a "facebook container" extension which plugs some (all?) of those... but yea. if you want maximum separation, you want maximum separation, profiles are probably always going to be the safest bet.
An attempt at such a concept appears to exist as implemented by a non-governmental group here , although that group is voluntary rather than compulsary, and probably doesn't have anything to do with the shadier data brokers.
This is great and all but what about the people who don't have a Facebook account, which Facebook is still keep tracking of (e.g.: Facebook Pixel)?
Would GDPR allow to withdraw consent for the intermediary?
What if I disallow intermediary to handle my data but some other third party I gave permission to process data uses this intermediary?
From https://privacylaw.proskauer.com/2018/07/articles/data-priva..., the California Consumer Privacy Act specifies:
> 2. the right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in);
> 3. the right to have a business delete their personal information, with some exceptions;
In fact, this entire facebook announcement looks like it's just compliance for #1.
Good for them for not waiting until the month before like GDPR, but don't be fooled that they're showing this information out of the goodness of their hearts.
The intermediary is just a data processor, and while they also have to follow gdpr it's the data controller who is responsible that the intermediary actually follows the laws.
As far as I can tell facebook will just tell you who is uploading your data but then you can pursue them if you do not believe they have your concent to do so.
Not that this is likely to ever happen, given the we are the product, not the user.
It's not a real solution, but at least I've voiced my intention to not be tracked by these advertisers. I wish deleting my Facebook was a valid option here, but as we all know they keep profiles on you anyways.
My friends from college for years were planning yearly meetups. 2 years ago enough of us dropped off FB that we started planning with email and MMS again. Quite a few more dropped as well last year and this. So it does work eventually
The super funny thing is that i saw my old girl friend create a page and upload my info and target me. ;)) (a good idea to create jealousy i guess)
there is a plethora of ways they could omit information or order information or over provide information to make this work in their favour.
* Motley Denim
* TV2 Sumo
I am a bit surprised it was only four, and a bit disappointed bandcamp was one of them.
“You are seeing this ad because BigCo wants to target people who like things similar to people whose email addresses they uploaded” or something?
They already have me as a user, do they really feel the need to push it?
From https://privacylaw.proskauer.com/2018/07/articles/data-priva..., the first major provision is:
The UI mocks in the article are literally a checklist of each of these items.