Hacker News new | past | comments | ask | show | jobs | submit login
Facebook will reveal who uploaded your contact info for ad targeting (techcrunch.com)
444 points by sahin-boydas 71 days ago | hide | past | web | favorite | 209 comments

I just counted and Facebook tells me that 1,147 advertisers have uploaded a contact list that contained my info, specifically found on https://www.facebook.com/ads/preferences/?entry_product=ad_s... :

    These advertisers are running ads using a contact list they or their partner uploaded that includes info about you. This info was collected by the advertiser or their partner. Typically this information is your email address or phone number.    
Want to know what's funny? The email address I use for Facebook was created only for Facebook. I have never given it out to anyone else, ever. The inbox for that account only contains emails from Facebook. I have never given Facebook my phone number. I have never clicked on an ad in Facebook. I have never connected an app with my Facebook account. _Facebook_ itself is the only entity which has ever had my contact info associated with my account. So tell me, how did 1,147 other businesses and groups get their hands on my info if I've never given it out? I can't wait to see what the explanation is when this feature launches end of the month.

Want to know what's funny? The email address I use for Facebook was created only for Facebook. I have never given it out to anyone else, ever.

Yep. Me, too. I use the e-mail address facebook@domainiown.example, so it would never be accepted by any of my actual contacts. They all use my real e-mail address.

But somehow Facebook says that e-mail address was uploaded by Maserati of Scottsdale (never been to that part of Arizona, and can't afford that kind of car), Mini of Freeport (I've never heard of Freeport), Sunrise Ford NoHo (I have no idea where this is. North Hollywood, maybe? If it is, I don't even live in that state), Crain Kia of Bentonville (Arkansas, maybe? Never been to Arkansas), Bernard's Chrysler Dodge Jeep Ram (No idea where that is), Drive Toyota (Is that Toyota corporate? I've never owned a Japanese car), Land Rover of San Antonio (I've been to San Antonio once, and that was before Facebook even existed).

So I second the OP's suspicion that Facebook is giving out my e-mail address to advertisers/spammers/partners.

I sure hope they didn't pay a premium for Facebook's "targeting," because it is evidently atrocious.

I see two options here: Data leaks and/or lying about where the data came from.

This seems like a really good starting point for an investigation against Facebook!

Anyone else wants to steelman Facebook before I and other become too excited? Because right now I don't see any other options.

Maybe it's OAuth revealing that facebook only email address, if "login using facebook" is ever used in a 3rd party site? (I somewhat doubt anyone who goes to the lengths of using a FB-specific email address would fall for the privacy scam of using login with facebook through...)

I would guess that there are 3rd party companies who's business is to match cookie values behind the scenes to email / phone / address / demo data and re-sell it, or sell access to the aggregate db.

Hopefully a federal privacy law will clarify if this is legal at all.

That is basically LiveRamp's business model. There are other companies who do this as well. See https://en.wikipedia.org/wiki/Data_onboarding

Sounds like a class action lawsuit might be in order

There's a third possibility: The advertiser guessed the email address.

Create unique email addresses with a password generator and don't distribute them. I don't buy into they just guessed them, tbh.

There's a third possibility: The advertiser guessed the email address.

Well, in this case probably not. Though I wrote "facebook@domainiown.example" above, it's really more like "myrealfirstandlastnamefacebook@domainiown.example." So the chances of it being guessed are infinitely small.

Why would Facebook lie about the data source? They released this information voluntarily.

It's possible that Facebook has been hacked or the above posters used Facebook connect to login to a third-party service that leaked the email addresses.

i wouldn't call that voluntarily. they have been pressured to be more transparent for quite some time. if it was up to facebook, they would hide these kind of information even more.

I’ve never set foot in Arizona but I have Maserati of Scottsdale, too. I’m guessing some idiot working in their ad department doesn’t understand targeted advertising and uploaded a leaked list of emails.

Me too. I have a facebook@mydomain email address that I only use to log into Facebook and my "advertisers who use a contact list" has all those same car dealerships (and no other advertisers). There must be one company that paid Facebook for email addresses and then resold them to auto dealerships.

It could be some third party ad firm trying to generate "lookalike" audiences. They could run some algorithm on their random email lists based on known customers, then upload the resulting list to Facebook.

I noticed the exact same thing on mine. TONS of car dealerships in places I’ve never been or are even remotely close to.

Me too. My guess is car companies bought or collected a large list of email addresses and distributed the whole list out to every dealership.

Weirdly, I have a lot of the same ones: Maseratti of Scottsdale, Mini of Freeport, Sunrise Ford NoHo, etc.

Is it possible for any of those that a friend connected their Facebook, or their email account, and your connection to them was disclosed?

> So I second the OP's suspicion that Facebook is giving out my e-mail address to advertisers/spammers/partners.

It's much more likely that Facebook has a shadow profile for your actual email address and has connected with yours due to your friends/connections syncing their contacts.

I don't see it since I don't have any friends in any of those locations.

It's sad that it's so buried [1], because I think the theory you mention deep in the thread is most plausible: people scraped your username, guessed the email address <username>@facebook.com and uploaded that, and Facebook associates that email address with your account.

[1] https://news.ycombinator.com/item?id=19103490

Not excusing their behavior, but could it be Facebook have not matched you using the email address you have given them but your real address, which they have found out via shadow profiles?

E.g., they know you'd like them to assume that chrsstrm123@throwaway.example.com is your email address (and they do you the favor in all publicly visible parts of your profile), but they also see that most of the people in your friends list haven an entry for "chrsstrm456@example.net" in their address book, filed under your name. So they'll simply add both addresses as keys to your account.

Or are you using your real mobile number for 2-factor auth on Facebook?

You're probably also giving that out to businesses you have a relationship with. And most people don't have a second fake phone number to give out to avoid matching.

It's a bit like grocery store loyalty cards: you can give the grocery store bogus contact info when you sign up for one, but the first time you swipe a credit card to pay for your groceries, the store gets your name and a unique ID linked to you (the card #) that can be used to match your profile in (say) an Acxiom database.

With the pervasiveness and relatively well known existence of shadow profiles for people not on Facebook, it makes sense that Facebook would know some information about you that you haven't shared with it.

I'm curious why Facebook would link a shadow profile about you to your real profile though, even if it knew with relative certainty you were one in the same. I can see no benefit other than advertising (which doesn't really necessitate them telling you in this way) but it seems that it could pretty easily lead to the misunderstanding above where folks impugn nefarious motives to Facebook that aren't accurate.

Your data is bought from other companies to do targeted advertising campaigns using your IP and location. Look at the newest post about Carta in the stocks reddit.

You only ever have to connect to the system once, even accidentally, and it will figure the rest out. In spycraft you can do everything right, except that one tiny mess up and you're burned.

I find it interesting given what you likely know about the surveillance economy that you're incredulous to the concept that you know and have covered every possible vector.

A single person is no match for the surveillance economy.

I'm certainly not hiding my identity behind layers of personas because my life is at stake. I do believe my data has value and that I shouldn't be giving it away to a consumer service for them to monetize at will. Have I taken every available measure? No. Have I made it reasonably difficult for Facebook to figure out who I am, to the point that I'm not endlessly hounded by advertisers and tracked across the depths of the net? Yes. But if we've come to the point where surveillance and social media have merged to the point that no one can post notes to their family and friends without leaving a trail of state-level surveillance data that is kept forever, well then we've all already lost. The IPO of Move Fast and Break Things will continue to haunt everyone for decades to come in ways we haven't even imagined yet.

But if we've come to the point where surveillance and social media have merged to the point that no one can post notes to their family and friends without leaving a trail of state-level surveillance data that is kept forever, well then we've all already lost.

I can assure you, the advertising industry knows vastly more about US persons than any state-level surveillance does.

Why do you think they’re allowed to exist, and haven’t been legislated out of existence? Public-private partnerships provide a great model for state-level actors to effectively do what they aren’t “allowed” to do...

That's an unfounded consipiracy.

The reality is very simple, these companies dominate the advertising industry (which is huge) so they make a lot of money. That's all it comes down to.

Sounds like a job for GDPR man.

On a related note, I see exactly what advertisers someone else has interacted with: As you do, I use an alias email for my facebook account. I use it for my facebook login and nothing else (although I do receive the email that arrives there).

Now it happens that there's some guy on the other side of the world who has a name similar to mine who keeps erroneously putting down _my alias email_ address as his email for a lot of services (maybe he just sometimes uses the wrong major email provider after the @).

I know A LOT about that guys life based on the countless emails I get instead of him. (loan offers, negotiations for used car sales, church group meeting protocols, what politicians he donates to...)

Turns out, the advertiser info FB has on "me" is actually on him (or >95% at least.)

Very interesting. I too have a doppelgänger, several in fact, due to me getting an early gmail address. I have seen all sorts of things, car insurance, memberships, a renovation agreement for the condo, amazon purchases, etc. His gym even came after me because he forgot to pay one month. I used to reply, explaining they had the wrong email, and never once, ever, got a response.

> Typically this information is your email address or phone number.

Which means they are also using other types of information to identify you, and since your email and phone number can't be used, it must be those other information types. I'd love to know what they are.

My count is 11,885 advertisers, for what it's worth. It looks like car dealerships are the majority of them... I've never bought a car from a dealership. Very odd.

And if a friend had put your name and phone number in their phone, and they synced their contact list with FB and merged the contacts, welcome to the system (at least Android has this function, it can have contacts from many sources like Skype, FB, WhatsApp, GMail, and can put all of them under 1 person in the Contacts app).

I wonder if the linking is even necessary, if FBs dark pattern made your friends upload their contact list, they could just infer that since Alice and Bob are your FB friends and they both have your name and number on their uploaded contacts, they can probably associate that number with your FB profile with x% certainty (a higher percentage if your FB friends Cedric, Dave, Emily and Fritz also have the same name and number...).

Fun stuff huh? /s Someone should associate that Patrick Stewart "Extras" line "But it's too late, I've seen everything." with Mr. Zuckhole.

> And if a friend had put your name and phone number in their phone, and they synced their contact list with FB and merged the contacts, welcome to the system...

> I wonder if the linking is even necessary, if FBs dark pattern made your friends upload their contact list, they could just infer that since Alice and Bob are your FB friends and they both have your name and number on their uploaded contacts, they can probably associate that number with your FB profile with x% certainty (a higher percentage if your FB friends Cedric, Dave, Emily and Fritz also have the same name and number...).

Yeah, my bet's on this. Once, long ago, when I was more trusting, I installed the Facebook app on my phone (back when Android permissions were all or nothing). Facebook slurped up my address book, and I don't even think they ever explicitly asked for permission to do that.

About six months to a year ago I noticed these contacts in my FB data dump...and they were connected to all kinds email addresses and phone numbers I never had in my address book.

My guess is that if you want to keep Facebook from linking to your personal info from other sources, you need to have zero data overlap (different email, phone, name) and never install any of their apps on any device you own and never share a browser session between Facebook and any other browsing.

I was thinking the same thing too. You have to be super deligent and careful NOT to be a part of FBs data collection campaign (or any other company trying to harvest data the same way). This does not sound morally right.

Probably best to have no Facebook friends also.

I started tracking the advertisers who upload my contact information a few months ago. One day I "hid" all of the pages in that section of the ads settings page and the next day it showed that over 100 pages had uploaded my contacts. I messaged a selection of the "new" pages (I'm not sure if they were actually new or if the had just re-upped their list). Most of them responded that they were confused as to how my info would end up associated with their pages, since most or all of them are quite a distance from where I live. A couple mentioned that they outsource their marketing to outside groups. My theory is that there may be industry marketing groups that collect contact information for use in social media advertising.

One auto dealer worker responded to my question, "how did my name get on a list that your page uploaded?" by saying "I don't know, I just post ads."

The ad settings page suggests that usually the uploaded identifying information is a phone number or email address, but the wording is vague enough that it could probably be just about anything. So if you've ever shared your phone number with Facebook (even once, I suspect, even if you've since deleted it) I wouldn't be surprised if they use that to identify you. Similarly, a postal address or even a city might enough to identify you for these purposes.

Edit: A quick Google shows a number of groups similar to [1] that sell lists of auto owners. I would be surprised if there were not similar groups for other industries, particularly real estate.

[1] https://hedgescompany.com/consumer-automotive-mailing-lists/

Mine is almost entirely car dealerships (in the US, which I am not in).I have never bought a car, much less at a dealership.

Mine is exclusively car dealerships. Are DMV records public?

Speculation elsewhere (a Twitter thread I've since lost) is that car dealerships are simply uploading every possible US phone number as a "contact". It seems reasonable, and I can't really think of other reasons car dealerships in states I've never visited have added me (or at least some info Facebook associates with me) as an ad target.

Why would this help them? Facebook already lets you target by geography, they could just target all US residents much more easily.

Advertisers want more control over who they target than just geographic regions. I'd bet that Facebook let's you select demographic targeting using all of the information they hold on your contacts, so by uploading every phone number you can target people based on geography, age, income, family size, etc.

But you can't target demos for users not in your contacts? That makes no sense.

Yes. That's why when you buy a new car there is a flood of 3rd party warranty snail mail spam.

(NB: There are very valid reasons WHY this information is in the public record...mostly to make it harder to fence stolen vehicles.)

Either that, or the DMV sells them. (I use one-off e-mail addresses, and dmv@mydomain.com is _really_ popular)

Absolutely DMV sells everything on you. State I live winter time - Florida - when I got speeding ticket, less than 4 days later my mailbox was full of ticket schools’ solicitations. They knew everything about me and my ticket. They even knew time and street and speed I was pulled over and cleverly used that in marketing titles: “clocked 67 in 40 miles with highschool on the corner of Oak and Main St? withiut knowledgeable attorney that can cost you 90 days in county jail. Call now”. Its even worse - a friend also in Florida had DUI. Day three a lawyer knocks on his door bringing pizza and beers (!) to sit down discuss his case for free evaluation! Totally unsolicited knock at his door.

That’s not the DMV selling anything, it’s the clerk of court...everyday they publish a list of new cases (public record) and your ticket is attached to the case and the ticket contains all relevant data (name, address, license #, dob, charge, etc...) and an added bonus the court will also link your dmv driving record to the ticket case so the “scrapers” get your dmv record anyway (for free). They do the same for foreclosure cases.

Same here. I think they upload your address and the fact that you have a car and then attempt to sell you another car based on those two factors (as well as age and gender).

Mine is about 70% US car dealerships and I'm not American. I guess they've been buying up some low quality contact lists

How do you even get the number? It doesn't list the total on my page and I couldn't even get to the end of the list after clicking "See More" for 10 minutes...

Mine is zero. I wonder if maybe its not showing for me since I'm in Canada

Fascinating. I have loads of US car dealerships such as Land Rover San Antonio, Mini of Freeport and South Motors Infiniti.

I've never been to the US!

This is the same email that I use everywhere, so its easy for them to get and stuff into Facebook, but surely they are then paying to advertise to someone who isn't able to buy from them. Or maybe this is then further filtered based upon geo location.

Maybe, as soon as I land in San Antonio I'd start receiving Land Rover adverts because they've provided my email address. Incredible how many of them are US car dealerships.

Based on commercial te in this thread, clearly these dealerships did something shady or bought a list from someone shady. If Facebook was concerned about user experience and ad quality, they would detect cases like this and block those advertisers.

In my case I am really surprised a lot by what I found. I created my Facebook account just three years ago and only ever use it with a few family members. I also use a Facebook-specific email address. Most personalisation and privacy settings are locked down, etc.

Well, how to explain that under the list of "Advertisers who use a contact list added to Facebook" the only company there is the National Bank of Canada, with which I had a bank account from 2007 to 2008? I didn't have a Facebook account until almost 10 years later, didn't have the same phone number or address (that was in Canada and I had been back in France for a long time when I signed up to Facebook) and didn't even own the domain of my Facebook email address then.

Also, for some reason they are listed twice, once as Banque Nationale du Canada, and once as National Bank of Canada.

I don't think they had anything else to link to my account than just my real name.

Consideration: Facebook Pixel is still tracking you across the web, so it's easy to correlate other accounts from other companies to your account; not to mention that other services are probably consuming the Facebook Pixel service. They can build their own databases, referencing your Facebook correlation information, and share that back to Facebook.

So, let's say you have a Facebook account and go to "Mom & POP Shop, Inc. dot com". If "Mom & POP Shop, Inc. dot com" implements Facebook Pixel (or has a way to consume it) and you buy something from them, giving your phone number, address, etc., then your other information is automatically correlatable just by those two points of data.

The fact that 1,147 other companies have your information tells me that there was probably an intermediary advertising company between "Mom & POP Shop, Inc. dot com" and Facebook, so that intermediary could sell your information to anyone and everyone and, once it's on the "advertising market", it's ripe for correlation from other companies - Amazon, Google, Microsoft, etc.

All that's need is at least one, consistent, correlatable point of data - say your mac address or your browser's established fingerprint and you're "fair game" for targeting on the "advertising market". (Insert Bill Hicks' reference to Marketing and Advertising[1] here.)

[1] - https://youtu.be/9h9wStdPkQY

But he has never given that email address to anyone other than Facebook.

I think their trying to say.. But Facebook knows the other email addresses you use, due to using Facebook Pixel. The advertiser targets the other email addresses, not the one you use for Facebook.

Identity graphs built by syncing IP addresses, cookies and device id’s acrosss multiple vendors.

You don’t need to click an ad to leave a footprint. You just need to go online.

This doesn't explain how third parties would get his email address.

Facebook claims they don't disclose it. Companies upload lists of email address they already have for Facebook to find similar audiences.

If he only used this email for Facebook, then only Facebook should have it.

Facebook says the list contains “info about you”. There’s no reason to assume that has to be an email address. Your full name and DoB will do, read the docs for yourself:


Third parties don’t know his email address per say. A third party has hold of the OP’s info through a different source. This information in the third party DB is linked to a cookie or device id, or other means of digital footprint. Facebook onboards the third party data by syncing the ID they have for the OP under their origin, with the ID from the third party’s origin through a process called cookie syncing, which allows data from one origin to be pushed to another. Cookie syncing is how it is done on the web. For mobile, it is device ID syncing. To sync multiple devices, web + mobile, you use IP affinity + geo, or other means of inference and find common patterns through the stream of data. It is easy to link devices having access to the ad stream of an exchange like AT&T’s APPNEXUS for example. These are practices that were standard five or so years ago.

Or you know, just name and date of birth.

Facebook allows advertisers to upload lists of their existing contacts to target. This can be some simple combination of name, address, date of birth, gender, etc. It’s not limited to email and phone number. The advertiser may themselves have sourced some of this information from third parties based on other information which they have about you - such as your actual phone number or email address.


  So tell me, how did 1,147 other businesses and groups get 
  their hands on my info if I've never given it out?
Hint: Cookie Monster loves these

I always use Facebook in a sterile browser that doesn't get used for anything else. Once Firefox released the container feature I've only ever used Facebook inside the Facebook container.

Do you have a dedicated VPN exclusively for browsing Facebook too?

I only use Facebook in a special VM that I spin up every time I want to use it. The VM is attached to its own network card that is used for nothing else, and I run a script that randomizes the MAC address once an hour. The email address was randomly generated and the domain is hosted on a Kubernetes cluster of Digital Ocean instances. Yet, Maserati of Yazoo City, MS, is still targeting me.

https://panopticlick.eff.org test your container with that.

> Does your browser unblock 3rd parties that promise to honor Do Not Track? no

Why does that get a fail mark? In my opinion such promises are worth absolutely nothing. Does that compromise my anonymity somehow by disabling them?

I don't think the fail mark in that case is supposed to mean you're easier to track; it's rather related to the EFF's position on DNT:

"Setting your browser to unblock ads from websites that commit to respecting Do Not Track rewards companies that are respecting user privacy, incentivizing more companies to respect Do Not Track in order to have their ads shown at all. By preserving privacy-friendly ads, sites that rely on advertising funding can continue to thrive without adjusting their core business model, even as they respect users’ privacy choices."


Claiming you're not protected because you've decided to block all does seem deceptive, though.

If you used it prior to this feature, is it too late?

Either you forgot something you did in the past X years or you've uncovered a massive conspiracy. I know where I'd put my money. I mean, to say you've NEVER clicked an ad, even accidentally? I doubt it, internet stranger.

In case of Facebook ads, you can check advertisers whose ads you clicked on the same page where you check who uploaded your data.

In my case it shows... 2x more than I expected, but looking at the names, most of those were most likely pictures of t-shirts, or funny videos, that I just clicked to check out.

Interesting. OP are you saying that it shows you clicked 0 ads? In that case, you might be on to something.

The GUI interface shows 0 activity across the board. The data download is much more helpful and complete - shows two ad actions of "action": "closed ad" within the past 2 weeks, one of which I would have been asleep. It confirms they don't have my phone or any other alternate email, other than the @facebook.com address they auto-generate for everyone. I'm thinking now that maybe someone realized that Facebook did this and set out to grab usernames via the graph and added emails to their list that contained username@facebook.com. Best theory at the moment since that sounds exactly like something a growth hacker would come up with. The data download doesn't tell you which email address the advertisers provided from their list, which would settle this pretty quick.

> I mean, to say you've NEVER clicked an ad, even accidentally? I doubt it, internet stranger.

This isn't a superhuman feat. Just install an ad blocker and don't click on the obvious sidebar ads. Done.

My ad preference record demonstrably shows I've not done so, with only 10 advertisers on the list and no ads clicked for the last 90 days at least.

I guess it helps to not have Facebook on your phone too.

Does Facebook not sell the email/contact information? If so, those lists are going to make the rounds, 1,100 seems excessive though.

Also consider it could have been an employee grabbing contact/details lists and selling them.

I don’t. He seems determined. My money’s on the stranger!

How do we settle this?

he should give us the email address .. lol

to be clear OP, i'm not trying to be mean or anything. i don't remember what i had for lunch yesterday. it seems that unless you took technical means to validate that everything you said is true, it's quite likely there was an errant click, an errant sharing of the email to a friend, etc, etc.

I don't have a Facebook account but I'm sure I have a profile because other uploaded my contact info, uploader pictures with my face, mentioned my name and so on.

It's almost impossible to hide from Facebook.

So you might hide your email address but how do you know others did?

Did you add your phone number to your account? Or have a WhatsApp/Instagram/Tinder account that does? Contact info can be more than just e-mail.

If it's a phone number you don't even have to do it yourself. If any of your friends have linked their contacts entry of you to your Facebook account and have one of Facebook's apps installed, Facebook can now know your phone number.

Edit: They didn't have the phone number, according to the data exporter. Pretty plausible explanation here: https://news.ycombinator.com/item?id=19103490

Is the email address something someone else might enter by accident? I constantly get emails intended for someone who has the same surname and first initial as me (and presumably a very similar email). She signs up for all sorts of things and accidentally enters my email (it's quite annoying). I even got her plane tickets once. And I can see loads of FB advertiser matches that are clearly her rather than me.

Have you had a chat to her about it?

Every week I actually go through and remove a couple dozen advertisers who upload my contact data to Facebook so that they can't target me. It's annoying, and unlike some other features Facebook doesn't allow me to simply not allow this type of advertising.

Every week I do this.

FB lets me disallow OTHER types of advertising. But not this type.

Isn't that what the setting "adds based on data from partners" are for? (guessing what it will be named in English) I have set it to not allow and have never seen an add from any of the 8 companies who have uploaded my contact data

No. Here's what the info box says about that existing privacy feature:

"Products that are provided by the Facebook Companies, including WhatsApp and Oculus, as well as Facebook Products like Facebook, Instagram and Messenger."

That has nothing to do with non-Facebook companies. It's something else entirely.

Maybe different settings for different regions, probably connected to GDPR. Directly translated the 3 info boxes I get say: Ads based on data from partners, ads based on your activity on Facebook Companies products (seems to be the one you have), and Ads based on your social activities (for instance pages you like). The 2 first can be set to not allow and the last to none.

That first one is "Data from partners includes your use of partners' websites and apps and certain offline interactions with them, such as purchases."

This offline interaction data is different from contact data. The latter doesn't involve any "partnership." It's a completely different part of Facebook ads.

Why? You're not removing their knowledge of you, just their ability to target you. It doesn't sound like you're doing this for grins, what do you get out of it?

It's the "if everyone did this..." rule.

I play my own part in this massive economy that exists of selling data to be used in Facebook ads (Google and other big tech companies do it, too). To me, it's the number one most dangerous thing that has happened to the web. It's my belief that you can make a direct tie from this type of advertising to the layoffs of journalists. That's a more complicated argument than I have time and space for here, but that's why it's an important issue to me -- I think it's a problem for democracy.

Edit: I also tell people I do this to spread the word about the practice and FB's failure to provide proper privacy tools -- in person, but also in forums like I did here.

I've had a profile for 10 years by now with multiple email addresses associated to it.. including my phone number.

I just opened that website for the first time, expecting to see thousands of advertisers, but I can't find any number. On the other hand, the list there had 68 'advertisers', most of which I recognise, some that I'm glad hiding, but I don't believe there's only 68 after all this time??? Especially since at least 10 of those were duplicates (like different countries for the same brand)

Am I missing something? I'm just looking at "Who use a contact list added to Facebook"

I really want to scrape this page/data and get alerts when a new entity is added. Like I see the company that makes the Sous Vide device I got for Christmas. Prior to the gift I had never heard of this brand (it's a good brand, I just hadn't done any research) but they show up in the list. I would bet I got added after I setup a user account with them but I would love to know how quick that process is. Getting a push notification would be pretty cool to see if it happens in batches or more or less immediately after I give some my contact info.

re: "The email address I use for Facebook was created only for Facebook. I have never given it out to anyone else, ever. The inbox for that account only contains emails from Facebook."

Per the book "Chaos Monkeys", as well as others sources I would presume since, that single signal is not a "unique key". There are plenty of other ways being used to tie you to your devices (plural! as in, you're a known / constant as you move from phone to laptop to tablet, and so on.)

Mind you, neither is new, but Dragnet Nation and Chaos Monkeys are both insightful, and if you take your privacy and liberty serious frightening.



Of the two, CM is the written to be more entertaining.

I think unlike Google, Facebook ad targeting does not only look at you / your profile / your clicks, but also at your friends, and what they are interested in, they then use this information to Infer or predict what things you might be interested in. So yes, you might not have interacted with any ads or apps, but people in your social graph have.

I use mine everywhere and yet I only have less than 80 advertisers there, a good portion of which I have registered on their website (Ubisoft, Airbnb, Bell, Candy Crush, Nintendo, Hilton, HP, Netflix, Particle, CBS, EVE Online, KnowRoaming, Seeed Studio, Uber Eats, Goodfood and plenty others...).

How? Is it public on your profile page? Have you ever used facebook apps or oauth/single sign on?

Nope, contact info is hidden. Never authed with another app or service. The idea of super cookies doesn't play either, I only use Facebook in a separate browser that doesn't get used for anything else, and these days it only gets used in Firefox using the Facebook container. I've always treated Facebook like the plague and never let it come close to my normal activities. I went to great lengths to not let them figure out who I was, other than the graph info they have on my friends.

You were probably tracked via IP address. Even without a static IP address, it probably doesn't change that much. With so many Facebook "like" icons everywhere, it doesn't really matter what browser you use, or if you are logged in or not.

Data brokers sell contact lists that advertisers upload to facebook for targeting. Maybe this has changed, but last I checked, you could upload lists of emails, phone numbers, and/or facebook IDs.

All you need is for one of those identifiers (email, phone number, facebook ID) to show up on a list somewhere. Since you say your email is unique and only used for Facebook, it's unlikely that was used for targeting. Your phone number could be acquired from somebody else syncing their contact list to some app or service. Your facebook ID could be acquired from you authenticating to an app or service via facebook, or it could be scraped from public group pages.

TL;DR they swindled your contact info from users, purchased it and/or traded for it.

>This info was collected by the advertiser or their partner.

Why do you think so many apps want to extract your phone contact list if not to sell? Have you ever given that phone number out, even if only to one friend or relative? If your name and phone # are saved in their smartphone contact list, they may have been using a smartphone with an adware OS designed by the largest data monitizer on earth bundled with additional spyware preinstalled from the manufacturer, service provider, plus 10 of the highest bidders. Those advertisers could have bought it from your cc issuer, merchant, loyalty card issuer, car dealership or bank as part of a bundle with your transaction history. It could have come with a location history package from your mobile service provider or it could have come compliments of Equifax.

Sure, it could have been collected way back in 2017 or whenever while FB was still giving the data out for free. There are plenty of totally innocent explainations...

If it turns out next month that those 1,147 advertisers are all just Alphabet companies and the contact list was uploaded by their partner, Facebook, you'll sure feel stupid for jumping to conclusions. /s

I’m in the same boat. Facebook has certainly (let’s say 85%, I’m open to another explanation) connected my Facebook account to an email address that I’ve never given them and sent ads to me based on companies giving them that other email address.

You should contact those advertisers and ask what where they got your info from. It's about time that the backlash hits all those advertisers who'll happily use what facebook has to offer, and not only fb themselves.

A) The people you friended uploaded their contact information

B) People searched your name on Facebook

C) Facebook creates ghost profiles with all these details until it has enough confidence to sync it with an new/existing Facebook profile

The $64,000 question is if they eventually are able to connect a ghost profile to a real profile, then shouldn't that data be available in the data export of the real profile? I've downloaded all my data before but just kicked off another one to check again. If someone in the EU was in the same situation I'd like to see what their data download looks like given the new privacy and data rules under GDPR.

> If someone in the EU was in the same situation I'd like to see what their data download looks like given the new privacy and data rules under GDPR.

Once an EU citizen contacts them and requests the dump, they get redirected to the same tool. You have to explicitly bug them and quote the article 15 (of the GDPR) a few times to receive a different dump.

Disclosure: I haven't done this personally, but I have talked to people who did and read their interactions with Facebook. I can't guarantee that this info is still up-to-date, since that happened months after GDPR went into effect.

That's the data you never provided them.

That data is in blackbox ML system which is exclusively for ad targeting, and it can't be described :) that's the Facebook's defense.

GDPR doesn't cover the intermediate info AI/ML generates on you.

For the record, I also use a unique email address for my Facebook account and it was NOT uploaded by any advertisers. Just wanted to put this here in order to point out that this might not affect everyone.

Clicking on "advertiser's" on the preferences page gives me a "no internet connection" error within the Facebook mobile web app. Don't get that anywhere else .

There are many fields that you could be searched for beyond just those two. Your name, street address, city, state, etc.

Have you used “log in with Facebook”? That definitely exposes your email address, and then it can be saved and resold.

Unless you self host, maybe your email provider sold you out? They would know that you created it.

"There are no advertisers in this category right now. Learn more."

I wonder why the massive difference

It says “...or phone number” my guess is all businesses that have your phone number

Is there a script or way to auto click remove on all of these?

I'm pretty sure these are nonsense. I've seen the exact same advertisers listed for me and a friend and those advertisers have nothing remotely related to us.

> So tell me, how did 1,147 other businesses and groups get their hands on my info if I've never given it out?

Excellent question. I am also very intrigued. I'm gonna ask them all. https://cohan.io/activate-the-gdpr-robots/

You in the the EU? Sue em.

Maybe some sort of auto-complete leakage?

>I have never given it out to anyone else, ever.

Not directly, perhaps.

>The inbox for that account only contains emails from Facebook. I have never given Facebook my phone number.

Your phone number can easily be scraped or harvested from other users who give Facebook your information.

>I have never clicked on an ad in Facebook.

VERY unlikely.

>I have never connected an app with my Facebook account.


>_Facebook_ itself is the only entity which has ever had my contact info associated with my account.

Very unlikely.

>So tell me, how did 1,147 other businesses and groups get their hands on my info if I've never given it out?

User error.

The point is that "I would never do that!" is not a valid defense. Humans make errors, you are not an exception to this rule and leaking data is made very, very easy.

Are they assigning blame to a single individual? Because I'm pretty sure 95% of my Facebook and Instagram friends have "connected their contacts" at some point. I've had this huge banner on my Instagram profile page for over a year now. It takes up over 50% of the screen and shows up every time I press the button to go to my page:


I've never clicked it and never will, but I don't doubt that many of my friends have just to get it to go away. That's why I only give out my Google Voice number to people and only use my real phone number when it's strictly necessary.

A person adding their contact list isn’t “ad targeting.” Some companies literally upload email contact lists to Facebook and pay for ads that will be shown to anyone on that list that also has a Facebook account.

It's worth noting that they hash their email lists and upload those. They are never given access to a list of the list of people on facebook who share those addresses.

There should be an App Store rule that you can only ask for a permission once, if the user declines you can't keep pestering for it unless they've actually invoked an action that requires the permission.

On iOS, apps can only activate the system dialog for permissions once for each individual permission (camera, microphone, contacts, etc.)

So the strategy to do is to say yes for the app to ask permission and when the system dialog shows up you can decline. If you ignore or say no to the app dialog they can keep pestering you, but once you have declined on the system dialog there's not much the app can do.

The apps have to instruct you to go into the app settings if you want to activate permissions, not a lot of apps are doing this since it's quite an involved process.

It's not such an involved process anymore as apps can link people directly to the submenu within settings to modify the permissions of the said app.

We need a Stack Overflow for working solutions (like this one) to battle monopoly company bullying

As a recovering media buyer I think this is one of the most concrete forward steps Facebook has made since their struggles began. “Custom Audiences” are great for CRM matching campaigns but so very easily abused. There used to be a 20 row min on lists. There was an article or reddit post I remember that showed how a kid trolled his roommate with ads targeted exclusively at the roommate and 19 fake people. They subsequently increased the list size minimum to 500, but I still cannot fathom that they left such a huge abuse vector open for so long. It’s like they didn’t care as long as the clicks kept coming.

Here it is: http://ghostinfluence.com/the-ultimate-retaliation-pranking-...

TIL even the 20 user mine wasn’t required and today the min is only 100. I know for a fact that Trump 2016 used this technique with voter rolls to discourage turnout for likely Hillary voters based on a talk I watched by their media team.

I believe it, America POTUS election is the biggest show on Earth.

Meanwhile the ruling party here has 2 million to spend on a campaign. Not making Facebook rich.

How did they do that? Target them with ads that said “don’t bother voting she’s got it under control”?

You target people with stories containing anti-Hillary messages that are popular with Democrats in their demographic. Bernie was screwed in the primary, her e-mails, super predators, etc.

I think parent is referring to a 60 Minutes interview with Brad Parscale, if you want to look it up.

The talk I was referring to was from Molly Schweickert, Vice President Global Media from Cambridge Analytica on "How digital advertising worked for the US 2016 presidential campaign"


Its really a fascinating watch, and a perfect case study for why GDPR is needed. After reviewing it I don't see any mention of specific techniques used to discourage turnout, but those techniques are well-documented elsewhere: https://www.theatlantic.com/politics/archive/2016/10/trumps-...

I went to a growth meetup last year and sat through a presentation by a Pinterest engineer who walked through how they upload emails from churned Pinterest users to Facebook to try to reactivate them as the primary use case for their FB ad spend.

Honestly didn’t even realize it was “ok” for companies to share emails with third parties as I thought that is even considered PII.

I think they upload the hashes of emails they have, and facebook matches it with the hashes of the emails it has.

In some jurisdictions, that is still, rightly so, considered PII.

Can you share a link with info on some of those specific jurisdictions?

Euro/GDPR: https://gdpr-info.eu/art-4-gdpr/

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.

The keyword here is indirectly.

Australia: https://www.legislation.gov.au/Details/C2019C00025

personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable.

(a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.

The keyword here "reasonably identifiable".

So if the purpose of an email hash is to identify me for ads targeting, then it is by definition reasonably identifying me, even if indirectly.

In what way is a cryptographic hash of your email personally identifiable?

If it's not salted and the other site has the same information they can identify you. For example Google Analytics prevents you from uploading hashed emails because it makes them capable of identifying the person and link it new info with all the existing info they have.

In other words, the fact that it is cryptographically derived from the email is irrelevant. What makes an email PII is not the content of it, because outside of some rare names or personal/family domains, knowing John Doe who uses Yahoo is not enough to identify a person.

What makes email address and other unique identifiers like a hash of an email PII is that the given universally unique composition of letters and symbols is associated with a person.

john.doe@example.com -> a facebook profile -> Legal Person

836f82d......b39577f -> a facebook profile -> legal person.

For identifying a person both 836f82d......b39577f and john.doe@example.com are the same.

if the purpose of an email hash is to identify me for ads targeting, then it is by definition reasonably identifying me, even if indirectly.

DJB on hashing identifying information[1]:

> Hashing is magic crypto pixie-dust, which takes personally identifiable information and makes it incomprehensible to the marketing department. When a marketing person looks at random letters and numbers they have no idea what it means. They can't imagine that anybody could possibly understand the information, reverse the hash, correlate the hashes, track them, save them, record them.

[1] https://projectbullrun.org/surveillance/2015/video-2015.html...

Of my list, which I'm still parsing, I'm seeing a TON of local car dealerships and realtors. What I really wish is I could see the supplier that's selling my data to these folks who are 100% not running their own Facebook ad campaigns. Actually - I might reach out to the car dealerships and try to figure out what agencies they are using.

I also got a ton of out-of-state car dealerships. It might be worth looking into them to see if they exist. Lots of affiliate marketers use multiple Facebook accounts, and I wouldn't be surprised if they set them up through front companies like "car dealerships". Either that, or some advertising agency represents a bunch of car dealerships, creates a separate account for each, but uses the same contact data.

EDIT: Looking into this a bit, I don't think they're fake... it seems like most of the websites are "powered by X" where X is some CRM/website builder solution targeted at car dealerships, like these [0] [1]. They all have marketing/advertising features, and there is likely some sharing of contact data on the backend, or contact lists are outright sold as "leads"

[0] https://www.dealersync.com/

[1] https://foxdealer.com/

I had a total of 4 advertisers remaining on mine (if anything I'm doing better than most). Audi, a local real estate group, a betting agency, and an airline/frequent-flyer account. Obviously I don't want and didn't volunteer my details used for use by any of these for advertising or tracking purposes.

The frequent flyer group have just taken it from my membership details.

I don't bet, but I've worked as a statistician, so there's probably some connection there with past probability and modelling work or getting odds from these sites.

The real estate group I'm guessing is from contact details given while looking for houses that they've used without my explicit permission.

Audi is interesting because I've never had a car in my name, and haven't had one in my household for several years. Haven't so much as stepped in a car dealership. I'm guessing they must have bought(stole?) it from a rental or car-share company database...or a marketing list somewhere, but its certainly not from anything I've done first hand.

Tons of out of state real estate agents on mine. That's just poor targeting.

Same for me with the car dealerships. I've never owned a car or even ever contacted a dealership before. My guess is maybe car rental companies are selling the data to dealerships, since they would be gathering email + phone and car-renters would be targets for car-sellers.

I've never owned or rented a car, contacted a dealership, or ever had a license, but my list is almost completely car dealerships. I'm beginning to suspect my state's DMV, where I got my state ID.

The DMV sells its data too.

It’s reason enough to leave my Facebook account open. I’ve just stopped using it anymore and that’s fine.

It’s been months and I don’t miss the constant barrage of political rants from my friends on both sides of the political spectrum.

At least on FB you can unfollow the main offenders. My feed is surprisingly tolerable. Enjoyable, even. The unrelenting barrage of political content comes to me from Twitter. Twitter is designed to surface popular tweets even from those you don't follow, and it's almost always low effort political tripe. It's exhausting.

I got bored of my feeds. Someone else succulently put, "20 minutes per week on a Sunday is more than enough to keep up with people"

Succinctly? :P

No idea what I was spelling there.

I just assumed that your source was a cactus.

He's a bit of a prick, but he makes some good points.

> At least on FB you can unfollow the main offenders.

Bingo. Works great for overly vocal political friends, and the pushy MLM friends, too.

I’ve noticed that Kickstarter adds about 5 new ad identities every time I turn around. I’ve been blocking these every time I notice them and don’t get fewer Kickstarter project ads (not from individual projects but from things like “best tech kickstarters” or “cool tech kickstarters” or “hot tech kickstarters”

That’s why I have a separate Firefox profile. It’s the only site that gets used on there.

I am a lot more productive at home and save so much more time.

in case you hadn't seen them: have you tried container tabs instead of separate profiles?

I have. But I haven’t read the spec and don’t really know if they truly isolate Facebook and all it’s way of associating with my computer/Firefox profile to my account. With how shady Facebook is, I don’t believe it for a second they haven’t found a work around to identify my profile through Container Tabs. It’s paranoia maybe? But it’s warranted I think.

So for a good measure, I just use a separate profile.

yea, that's a pretty good reason :) afaik the list of what containers separate is here, if you're interested: https://wiki.mozilla.org/Security/Contextual_Identity_Projec... (I can't speak to its up-to-date-ness tho, I'm not familiar with how well maintained the moz wiki is)

there are definitely some leaks, and there is a "facebook container" extension which plugs some (all?) of those... but yea. if you want maximum separation, you want maximum separation, profiles are probably always going to be the safest bet.

I haven't logged on to Facebook since New Year's Eve and I honestly don't miss it at all. I'm ashamed to admit that I was pretty much checking it hourly before that point.

The Do Not Call Registry obviously isn't 100% effective, but one possible regulatory move would be to create a similar service for email and phone numbers used in marketing lists, such that possessing a list with the PII of a person who had opted out would subject you to monetary penalties. Then make it incumbent on the company to prove that the person affirmatively consented to sharing their PII.

An attempt at such a concept appears to exist as implemented by a non-governmental group here [1], although that group is voluntary rather than compulsary, and probably doesn't have anything to do with the shadier data brokers.

[1] https://dmachoice.thedma.org/

>Starting February 28th, Facebook’s “Why am I seeing this?” button in the drop-down menu of feed posts will reveal more than the brand that paid for the ad, some biographical details they targeted and if they’d uploaded your contact info. Facebook will start to show when your contact info was uploaded, if it was by the brand or one of their agency/developer partners and when access was shared between partners. A Facebook spokesperson tells me the goal is to keep giving people a better understanding of how advertisers use their information.

This is great and all but what about the people who don't have a Facebook account, which Facebook is still keep tracking of (e.g.: Facebook Pixel)?

That just means that uploaders will scrub their data through an intermediary, if they aren't already.

'Your information was purchased by Totally Not the NSA, Inc.'



Airlines ;)

I don't think it would help much in EU. :)

Would GDPR allow to withdraw consent for the intermediary? What if I disallow intermediary to handle my data but some other third party I gave permission to process data uses this intermediary?

The California Consumer Privacy Act (coming into effect in 2020) definitely does.

From https://privacylaw.proskauer.com/2018/07/articles/data-priva..., the California Consumer Privacy Act specifies:

> 1. the right to know, through a general privacy policy and with more specifics available upon request, what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;

> 2. the right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in);

> 3. the right to have a business delete their personal information, with some exceptions;

In fact, this entire facebook announcement looks like it's just compliance for #1.

Good for them for not waiting until the month before like GDPR, but don't be fooled that they're showing this information out of the goodness of their hearts.

The data controller, in this case the "original" company is responsible for collecting an informed concent to use your data for that specific use unless the use is a requirement to do business (i.e. invoicing, not advertising). It does not carry over to another company by shifting this to the processor.

The intermediary is just a data processor, and while they also have to follow gdpr it's the data controller who is responsible that the intermediary actually follows the laws.

As far as I can tell facebook will just tell you who is uploading your data but then you can pursue them if you do not believe they have your concent to do so.

This is a step in the right direction. I would like to see more regulation around who can upload ads to Facebook as well.

I got department of homeland security... https://i.imgur.com/qlsKmNH.png

IMHO this would require a "I did not provide consent" button to keep the ad publishers (i.e. Facebook's paying customers) honest. There will obviously be many people clicking this "incorrectly" but much like your spamfilter, FB should eventually learn this user x really doesn't want to hear about this company anymore.

Not that this is likely to ever happen, given the we are the product, not the user.

You can get to "Hide all ads from <advertiser>" in a few clicks. I mean that makes sense since if you really don't want to hear from a company, the company can better spend their money elsewhere.

If you make a POST request to https://www.facebook.com/ads/profile/advertisers/ with your facebook cookies then you get the JSON back with all of your advertisers. Looks like I have well over a thousand of them.

Yeah, i'm interested myself. (Either my curl wrangling is wrong, or FB not playing nice now.) Would love to know how you're doing this.

Can you explain how to do this specifically?

I clicked "Show more" via the console until it stopped and then "clicked" every button and waited.

It's not a real solution, but at least I've voiced my intention to not be tracked by these advertisers. I wish deleting my Facebook was a valid option here, but as we all know they keep profiles on you anyways.

So I guess keep the facebook account because it's hopeless anyway? Way to be principled. How bout delete it and feed them less and stop being an ecosystem effect.

My friends from college for years were planning yearly meetups. 2 years ago enough of us dropped off FB that we started planning with email and MMS again. Quite a few more dropped as well last year and this. So it does work eventually

I haven't checked mine, but couldn't you have written a simple JS to automate this?

Yea, that's what I meant. I just selected the show more link and clicked in a loop and then selected all the "X" buttons and clicked them and waited until the network requests finished.

Could be good for competitive intelligence - discover your competitors ad targeting strategy

I just counted and Facebook tells me that 713 advertisers have uploaded a contact list that contained my info.

The super funny thing is that i saw my old girl friend create a page and upload my info and target me. ;)) (a good idea to create jealousy i guess)

I'm not sure why anyone would trust this information.

there is a plethora of ways they could omit information or order information or over provide information to make this work in their favour.

How about FB just allows a simple click of "ignore everything about me and provide phsyical proof that such is happening".

Not sure this can really help; information changes hands quickly. Once an agent misheard my name when setting up electricity and I received bills addressed to a similar-sounding name from them. For years I would receive mail from all kinds of random things they clearly sold me to, with the exact same mistake.

When I created my Facebook account, I used a unique email address that I completely disabled after the signup process was over (because I wanted to avoid Facebook's email spam) and I never gave them my phone number and never used the Facebook apps on my phone... yet a bunch of companies uploaded that contact info? very strange.

Facebook does not tell you exactly what contact information was uploaded. Does your Facebook profile include your name? Birthday? Location? That’s what it’s gonna be. Not so strange.

Facebook should at least give you access to your shadow profile so that you know what they have. I didn't give them my real birth date or home address but they still could have them, I guess (some people wished me happy birthday on Facebook, for example)

I looked at the advertisers who uploaded a contact list with me in it...

* Motley Denim

* TV2 Sumo

* Bandcamp


I am a bit surprised it was only four, and a bit disappointed bandcamp was one of them.

This is going to be very interesting year for a lot of industries and movements. It's only February.

I can’t tell if this change affects how lookalike audiences are described. Does anyone know how they are currently described?

“You are seeing this ad because BigCo wants to target people who like things similar to people whose email addresses they uploaded” or something?

Otoh Techcrunch (I mean Oath Family) will not reveal this article if you are European and don't agree to their tracking. It presents a complex and captcha ridden interface where it is impossible to give/deny informed consent.

Oh, I thought this was about my friends, so I could mention to my friends that I wasn't happy they uploaded my PII through their usage of Facebook.

Most of the ones I have got are from apps I use (Netflix, Uber, Airbnb, etc...)

They already have me as a user, do they really feel the need to push it?

And, is your Facebook-powered social media leaking your data? The answer may not surprise you. It’s ‘yes, it’s Facebook.’

Would've been nice for them to go a step further including the name of the person handling your information.

How is any of this surprising? At this point pretty much anything you are doing is monitored including clicks and typing within iPhone apps

I wonder how much Facebook are charging "preferred advertisers" to be left out of this?

if you think facebook is doing this because they are "on your side" you are a complete sucker

You're right, but the reason they're doing this is less conspiratorial than you suggest... it's just compliance for the California Consumer Privacy Act coming into effect in 2020.

From https://privacylaw.proskauer.com/2018/07/articles/data-priva..., the first major provision is:

> 1. the right to know, through a general privacy policy and with more specifics available upon request, what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;

The UI mocks in the article are literally a checklist of each of these items.

This seems like a way to offload the blame onto the uploader, rather than the system that continually asks for contacts.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact