Off-Facebook activity (facebook.com)
710 points by bigbaguette on Jan 29, 2020 | 379 comments



Clearly I need to step it up. I was (unsurprisingly) surprised at what I've observed they've managed to correlate. I run standard pi-hole, resist fingerprinting, and normally go through a VPN (mainly because I'm on public wifi half the time when travelling). I haven't logged into facebook in about four years, just did it for the first time today to see what's been correlated.

Aside from the mountain of irrelevant notifications, here's what I've observed in this report that's concerning.

1. Albeit some data has been correlated properly (banking applications which is scary on its own part it's sending data to facebook, imgur, Xbox, my telco provider, and a few misc blogs I've visited a handful of times per year), it's correlated a significant amount of data that may not belong to me (good thing, I suppose?)

2. Why the heck are banking applications sending data to Facebook as "CUSTOM", with no context? For example, RBC bank in Canada sends "CUSTOM" data (haven't been with them for over two years, but all interacts labelled CUSTOM) and Facebook will not give any more context on the exact data it received. Little scummy, Facebook.

Well, time to sweep this up and resist tracking more. Let's see how it works this time round.


They only had two small websites for me. Great success!

I'll share my strategy.

On desktop:

Banking: Vivaldi Browser w/ privacy badger and ublock origin

Email and Commerce: Chrome Browser w/ privacy badger and ublock origin

News and other BS (like Hacker News): Firefox browser, always in private mode w/ privacy badger and ublock origin

LinkedIn (in the rare case I use it): Internet Explorer

Mobile:

Facebook: Opera

Commerce: Chrome

Reddit: Naked Browser

News and other BS: DuckDuckGo Browser

EDIT: I also do not use my credit card on my phone unless in extremely rare events. Absolutely no banking on my phone. No fancy apps (I use the web version where possible) beyond the generic stuff like email and maps. I use Signal for texting.


I also had only 2 sites/apps. One I used Facebook oauth, the other I'm not 100% sure what it was.

My strategy (Desktop & Mobile):

Firefox + Facebook Container & uBlock Origin & Privacy Badger & DDG as search.


For me they have nothing (success! :)

I use Firefox + FB container + uBlock Origin + Privacy Badger and recently started to use CanvasBlocker as well. I have Firefox configured to delete all cookies on closing (except for a few sites to avoid the need to enter the 2FA code every time I log in).

I've also set Firefox Enhanced Tracking Protection to "Custom mode" with "cross-site and social media trackers" blocked [1] and to use block list "level 2".

I also have the "Do Not Track" option switched on.

I don't have a proper smartphone (never owned one), just a KaiOS-powered dumb-phone on which I use Facebook mobile (i.e. their web site) all the time.

Also no Pi-Hole or similar stuff.

I use a throwaway email account for Facebook.

______

[1] Just now I've found out that there seems to be a new option, to disable "all cookies from unvisited sites", which I'm going to try as it looks even better.


> I use a throwaway email account for Facebook

I feel like this might be key, I use a random burner number and this seems to confuse the tracking.


Hmm, I don't use pi-hole, just uBlock Origin and Firefox containers, and they've only tracked three minor things, probably when I had some problems with my phone and uBlock wasn't working right.

So how were they able to track so much about you? Do you have the Facebook or WhatsApp app on your phone? Or is this just the difference that they track much more in the US than in Europe?


My activity was largely from apps on my phone. I just uninstalled and reviewed every one of those that was unnecessary. Unfortunately I need to find a new financial aggregator, because mine was sharing data with FB. I've seen a few self hosted ones listed on hn.


Which one was sharing the data?


Personal capital.


Damn. I was planning on signing up with them this weekend.


You will want to use Firefox containers in order to isolate the Facebook cookie into a container to limit this.


I use Facebook container and most of the sites reporting should've never even seen my Facebook account. However, many of these sites have my email address. I highly suspect they're correlating data without knowing my Facebook account itself.


They definitely do for advertising, at least. You can click “why am I seeing this” and it’ll tell you as much.


Unfortunately there are no good answers for this on mobile.


If you're using Android you can get add-ons for Firefox. Also, you can use a firewall app like NetGuard [1] to prevent apps from calling FB (graph.facebook.com)... I see most apps attempting to do this, and it's often the first thing they do.

There are similar setups on iOS, I am just not very familiar with the app names.

[1] https://github.com/M66B/NetGuard


At the risk of a bit of inconvenience, you could use Firefox Focus. Browse (it's only one tab), erase at the end of browsing and repeat. It also has built-in blockers of different kinds.


When you say `interact[s]` you mean interactions right? Not interact transfers?


I think you can't avoid links you click within facebook itself right?


My off-facebook activity was empty. That's encouraging, because it looks like my countermeasures have been working:

- Fingerprinting resistance in Firefox (privacy.resistFingerprinting = true)

- First-party isolation in Firefox (privacy.firstparty.isolate = true)

- Blocking third-party cookies in Firefox (network.cookie.cookieBehavior = 1)

- Firefox container when I need to login to ad/tracking companies (Facebook, Google)

- uBlock Origin

- Cookie AutoDelete

- PiHole on my home network


How do you cope with constant reCAPTCHA prompts? I get prompted by Google when using search, because it thinks I'm a bot if I'm anonymous enough.


Have you tried using another search engine like DuckDuckGo?


There should be an extension to automatically filter the reCAPTCHA-using sites out of the results of the search engines.


I think GP is saying that Google itself is presenting the captchas, not the Google results they click. I've had it happen a couple of times when using VPNs before.


reCAPTCHA is a Google product, but the owner site needs to actually integrate it, so it's a conscious decision.


I might not have been clear; sometimes when using a VPN, you can't even load Google search results until you submit a captcha. If you go to "google.com", it will make you enter a captcha before you can search anything.


Ah that's fair, Google captchas VPN users, but I don't think it's recaptcha, it doesn't look exactly the same.

Having done this in a previous life, they do this because they fight against scraping their search results.


You learn to derive some satisfaction from feeding it inaccurate labels.


Out of all activities you listed, just 3rd party Cookie blocking and using any "login with Facebook" buttons would give the same result for Web. I don't think any of the activities you listed would prevent the data collected through apps though.


If you have a domain, you can give every service its own email address, ${service}@${domain}. They can try reporting that to Facebook, but unless someone understands that the entire domain is one account they won’t be able to correlate them.


I don't think they will tell you the whole truth.

It's just like with Google history you can "delete".

They have the data stored for the authorities anyway.

They are required to do it by law (Patriot Act etc.)


> I don't think they will tell you the whole truth.

This is true:

>We receive more details and activity than what appears in your off-Facebook activity. For technical and accuracy reasons, we don’t show all the activity we’ve received. This includes things like information we’ve received when you’re not logged into Facebook, or when we can’t confirm that you’ve previously used Facebook on that device. We also don’t show details like the item you’ve added to your shopping cart.

https://www.facebook.com/help/2207256696182627


Thanks for that link. Looks like the infamous "ghost profiles" are officially confirmed now.

I wish they would show the ghost profiles as well, but since it's not linked with 100% confidence they are probably not allowing it because it could be a privacy violation if it turns out that the link was incorrect (i.e. they showed a ghost profile to the wrong user).


I'm not sure how ghost profiles are legal within the EU.


They can’t be I think. No way to opt in. Or even to inform the person.


Thanks for sharing

BTW, how does PiHole help in regards to anonymity?


> how does PiHole help in regards to anonymity?

By blocking many advertisers' tracking cookies (by blocking all access to those hosts via pointing the DNS result elsewhere), it reduces how far your information immediately spreads.

Far from massively effective because it does nothing to stop 1st party tracking and those 1st parties sharing further, or 3rd party cookies for new hosts not in the blocklists yet, but it can still help.

My use of PiHole isn't really an anonymity/tracking avoidance thing, my priorities in using it are avoiding ad network related annoyances like drive-by install attempts from less reputable (and/or hacked) networks, auto-playing audio, pop-ups/-unders, bandwidth waste (particularly from auto-playing video clips), occasional attempts to access microphone and/or camera, etc.
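An added example, not part of the thread and not Pi-hole's own code: a simplified model of the DNS sinkholing described in the comment above, showing which lookups a blocklist stops and which it lets through. All host names, addresses and the `match_subdomains` option are constructed for illustration.

```python
"""Simplified model of DNS-sinkhole blocking (illustrative, not Pi-hole code)."""

SINKHOLE = "0.0.0.0"  # answer returned instead of the real address

# Constructed blocklist in hosts-file style; every name is a placeholder.
BLOCKLIST_TEXT = """
# known third-party trackers (constructed sample)
0.0.0.0 pixel.tracker.example
0.0.0.0 ads.adnetwork.example
tracker.example        # bare-domain entry
"""

# Constructed upstream answers (documentation address ranges).
UPSTREAM = {
    "shop.example": "192.0.2.10",
    "collect.shop.example": "192.0.2.11",   # first-party collection endpoint
    "pixel.tracker.example": "198.51.100.5",
    "px2.tracker.example": "198.51.100.6",  # new host, not on the list yet
}

# Lookups a single page load might trigger (constructed).
PAGE_LOAD_QUERIES = [
    "shop.example",
    "pixel.tracker.example",
    "px2.tracker.example",
    "collect.shop.example",
]


def parse_blocklist(text):
    """Parse hosts-style ("<addr> <name>") or bare-domain lines into a set."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        names.add(line.split()[-1].rstrip(".").lower())
    return names


def is_blocked(qname, blocklist, match_subdomains=False):
    """Exact match by default; optionally also match any parent domain."""
    name = qname.rstrip(".").lower()
    if name in blocklist:
        return True
    if match_subdomains:
        labels = name.split(".")
        return any(".".join(labels[i:]) in blocklist
                   for i in range(1, len(labels)))
    return False


def resolve(qname, blocklist, match_subdomains=False):
    """Return the sinkhole address for blocked names, else the upstream answer."""
    if is_blocked(qname, blocklist, match_subdomains):
        return SINKHOLE
    return UPSTREAM.get(qname.rstrip(".").lower(), "NXDOMAIN")


def audit(queries, match_subdomains=False):
    """Map each queried name to the answer the client would receive."""
    blocklist = parse_blocklist(BLOCKLIST_TEXT)
    return {q: resolve(q, blocklist, match_subdomains) for q in queries}


if __name__ == "__main__":
    for mode in (False, True):
        print("match_subdomains =", mode)
        for name, answer in audit(PAGE_LOAD_QUERIES, mode).items():
            print(f"  {name:24} -> {answer}")
```

Matching parent domains catches the unlisted `px2.tracker.example`, but the first-party endpoint resolves in both modes, which is the limit the comment describes.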


Block requests to all of FB's domains in the hope that it can't load FB's scripts or buttons or "like" buttons; literally anything from FB as far as humanly possible.


It allows you to block the domains of known third-party tracking companies. However, this measure is going to become less effective over time with the increasing usage of first-party tracking.


Thank you for this.


To me the thing that bothered me most was that a mental health site (Psychologytoday.com) that I used to find a therapist was passing the information on my searches to Facebook, presumably to aid in targeted advertising.

Honestly, I think that health-related searches that are directly tied to a specific individual (especially without informed consent - I didn’t log in or receive any notice this was being done) should be covered by HIPAA just like any other personally identifiable health record.

The other weird one was the huge amount of data my bank was sending. 20+ requests per session. I have no idea why they would do that.


This needs to be brought to the attention of legislators. Our digital health data needs to be protected like it is in a real world setting.

I wonder what Google is doing with all those health related searches I'm making...


I think a solution would be for people to own their own personally identifiable information, in much the same way that a celebrity can own their “likeness”.

Unauthorized copying or use of this information could be simple copyright infringement, which is apparently criminal enough to involve the FBI if you are a movie studio with enough money to spend on political donations.


Thanks to this comment I noticed mine has a hospital:

    bannerhealth.com (8)

The portal where I access my records is on a third-party vendor's domain and this is likely just from Like buttons on their public site. But I wouldn't be surprised to see the name of the specialist I saw (just to look up their phone number) or a condition they treated (the portal links to articles there) in those 8 entries. Haven't bothered to download my entire history just to see...yet.


Wow that's creepy. It lists apps where a) I didn't use FB login/signup and b) used a different email address to sign up. How do they cross-reference that to me? And how can I prevent that outside of their tools (which I assume still violate my privacy)?


What you can do to prevent this is:

1) Install https://www.eff.org/privacybadger to prevent trackers from being loaded

2) Install https://addons.mozilla.org/en-US/firefox/addon/cookie-autode... to delete any cookies you might have accepted after a week's time or so, which prevents the infinite gobbling-up of your data after innocently accepting a cookie once

3) Install the Google, Facebook, Twitter and Amazon containers to "separate" your browsing with these sites from the rest of your browsing. Links: https://addons.mozilla.org/en-US/firefox/addon/facebook-cont... https://addons.mozilla.org/en-US/firefox/addon/twitter-conta... https://addons.mozilla.org/en-US/firefox/addon/google-contai... https://addons.mozilla.org/en-US/firefox/addon/amazon-contai...

Also, if you are creeped out by this, just imagine the amount of data Google has on you. I'm convinced they have way more, just by virtue of every website having Google Analytics installed.


Those are good, but they don't work for what the GP is talking about. I'm seeing games/apps associated with my FB account even though I never logged in to FB with them or gave them any info. I literally just opened the app and that activity was associated with my FB account.

I have no idea how they're doing this, since they didn't even request storage access (or I didn't give it). Can any Android developer here chime in on how an app can figure out my Facebook ID even though I don't even have Facebook installed on my phone and didn't give any sort of credential or access to the app?


I think they cross-reference Android Advertising ID in their SDK. Have you ever logged in to Facebook from your phone?

https://developers.facebook.com/docs/app-ads/targeting/mobil...


I have, either in the browser or in Swipe (a third-party app). I've never logged in to or installed the Facebook app or Messenger.


Try to opt out of Advertising ID (Settings -> Google -> ads) and see if apps continue to be associated with your Facebook account. I suspect Swipe sent both your account and advertising ID during login.


I opted out of Google advertising a long time ago, I think in the end it was Instagram/WhatsApp that did the dirty work.


Then FB left behind tracking data, and there's your link. Sigh.


How? It was running in a browser.


Once you've logged into facebook from the device, they likely created a device fingerprint for your device: https://en.wikipedia.org/wiki/Device_fingerprint . This would allow them to identify you even without a cookie or ad id to correlate against.


I don't think the browser fingerprint and native app fingerprint are the same, what you say sounds unlikely to me.


Fingerprinting across devices is possible too, using things like behavioral analytics, network traffic, timing, third-party data sources etc.

The third party data sources is the easy one. Log into service A on your computer and service A on your phone. Service A fingerprints both and sells the data to service B. Now service B knows how to correlate your behavior between devices even though you never logged in.

I’m sure you’ve logged in something on both your phone and computer. It doesn’t have to be Facebook.


Maybe same phone number on Google Play and Facebook or some other way the phone number IDs you?

Edit: This report[1] puts the blame mostly on Google ads ID.

[1] https://privacyinternational.org/report/2647/how-apps-androi...


That's possible, though if any app can get my number without asking for any permission I'm going to throw my phone away.


Are you using Instagram or WhatsApp?


Ahh, there we go, I forgot about those... That must be it, thanks.


The whole point of them buying WhatsApp was to have a backdoor into people's contacts (among other things).


I found a mere four items in my activity list, all from several months ago, probably when I mistakenly used the wrong container or had uBlock turned off. It's nice to see all my anti-tracking software is working!


I use Firefox Containers to limit any logged-in FB activity to that & never log in using FB other than FB website itself. I have no FB apps (including WhatsApp).

I've been running uMatrix for a few months.

My firefox tracking-prevention (similar to EFF's one, but probably not as good) is always using maximum privacy settings.

I still have a few sites appear... AND for websites I've never even visited (that I'm aware of, & I'm the only user of this machine)

There seems to be some serious fingerprinting going on, more than simple cookies.


Agreed, even with all of the above I had about 15 or so sites in that Facebook list. I suspect it's because I was logged in to Facebook on my phone's browser for a while. Not sure why I even did that...


I thought Google Analytics had a decent privacy policy that would prevent Google from doing anything with GA data. But I remember some fuzzy wording like "your data" which could simply mean that Google considers GA data to be their data.

Has anyone done a good deep dive on what Google actually does with GA data?


Even before firefox containers, I used a dedicated profile for facebook only as well as using privacy badger and ublock origin. Facebook still collected data about me from external sites. I think mainly through my phone, possibly through linking phone number or email addresses.


By far the worst thing are Android phone applications (not only FB official app). They have their spyware bundled and can slurp from you the data which are normally inaccessible by web browser, from phone number, IMEI, mail addresses to all your contacts and there is almost nothing you can do except installing vpn based firewall (like NetGuard) and block all access and add permissions one by one for each url. This should just be illegal.


How can phone apps with no permissions get my phone number?

> except installing vpn based firewall

So they can send the data instead?


From your friends :) Or you will allow it. To use it. On the other side you can at least control that the common advertisers won't get it (like fb). For everything else get root and xposed + xprivacy. But for most users that is too much. I just gave the easiest advice. I am running microg lineage, xprivacy lua and netguard. But I wonder, was this advice worth the letters used? ;) Will someone go through the trouble to use it? To replace the rom, install everything, run everything in block mode and allow only what is really needed, like connection to my own mail server? My own ssh tunnel? Probably not. And then comes the master villain, Google. How many will remove that one from the phone? Waste of words, right?

Anyway even netguard is far better than nothing, most apps don't need their own servers. And the largest data slurpers are known. For fb just block all fb domains.


I think they either:

- use Facebook pixel tracking on the site.

- hand over all of their users' email addresses to use for audience building.

Or most likely both. Creepy stuff indeed.


I use uBlock Origin and Privacy Badger on my desktop and phone, as well as Blokada, and yet Facebook still had a bunch of app activity even though I never ever sign in to stuff using FB (or even gave the apps my email or any other piece of personal data).

I literally just opened the app, granted no permissions, used it a bit, and Facebook associated it with my account. What the fuck.


They could be associating you server-side using persistent identifiers on your phone. For example, if an app has the Facebook SDK, it could send your IMEI to Facebook. Then, if you have a first-party Facebook app like Messenger, that too can send your IMEI to Facebook and link it back to your Facebook account.


Yep - all of above....

690 App/Sites for me! Not overly surprising really


I'm pretty sure that 95% of the activity that is listed for me comes from the Facebook tracking pixel, that every website has to embed if they want to (effectively) advertise on Facebook.


Some chat apps (like Viber and others) have Facebook SDK integrated in them, without any direct Facebook functionality people would use. Discovered after using NetGuard, and seeing who is calling home, and not only home. (Why is Viber making requests to graph.facebook.com anyway?)

Duolingo is a nice app for learning new languages, yet it might be using the same sdk, since it likes to call facebook.com domain.

Netflix is a good streaming service, but it has some option somewhere, which allows them to share data with others, and enabled by default. And yes, it's present in fb activity.

The list can go on...

There are developers who integrate dozens of SDKs, without any specific purpose for users, and not knowing what is happening. We need something like PrivacyBadger/ublockorigin for phones/laptops/routers/homes/cars. It's getting more than creepy.

And why would Facebook allow third-parties/businesses upload into FB info they have on their customers...

PS: analysis of how a simple menstrual tracking app is leaking data about the owner https://media.ccc.de/v/36c3-10693-no_body_s_business_but_min...


As an EU "customer" I'm rather surprised by this. There are services that I've signed up to since GDPR came into effect which I didn't give explicit consent to do this. For example my business bank. Why would I give them permission to share data with my personal Facebook account? I will be digging into this more.


Sounds like the activities view could be some good evidence to give to a data protection commissioner.


Other commenters seem to have missed what you’re really saying here.

I’m on iPhone, and see apps listed where:

- I’ve never logged in on the web

- I’ve never clicked to open a link in a browser on-device

- Used a phone number to sign up that’s not associated with my fb account

- Didn’t use email at all


For starters you can delete your facebook account.


I don't think that'd really be true, since they'd just have it stored in the background without you having a FB account (and wouldn't have the ability to see how bad it is)

not saying that's worth having an account though.


Does that stop Facebook from collecting data about you? I didn't think it did, and because you don't have an account it's not, or at least wasn't, possible to control any privacy settings.


Technically, no. Legally, it means you haven't accepted their terms of service, so if/when (I hope) the political privacy landscape changes, it'll be more likely that you can sue, report a violation, request deletion, (or maybe they'd even preemptively delete it to cover their tracks / come into compliance with new laws).


That's an interesting thought. I've removed (deleted?) my Facebook account several months ago. Maybe I should have kept it around in order to manage it.


Which I did a couple of years ago. Now I have no idea what they know about me. I use adblock and friends, but I wonder how much data about me they still manage to gather.


When I view this link, I can see no activity.

Here is my secret: I deleted my facebook account several years ago. (before it was cool)

I love how links like this are (successfully?) attempting to pull people back in.


Fair point!


In my profile, they managed to obtain a `PURCHASE` event from Macy's -- for an in-person purchase at a physical store. Macy's has my email address and certainly linked it to my credit card number, but this is nonetheless seriously creepy.

I just tried to change my email address on Facebook and discovered that they canonicalize plus and dot variations in gmail.com addresses, and thus claim that the new email address is already associated with an account. Ended up having to create a completely new email alias on my own domain.
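An added example, not part of the thread: why plus and dot variants of a gmail.com address collapse to a single match key, while the per-service addresses on a private domain suggested earlier in the thread stay separate unless the matcher keys on the whole domain. The addresses are constructed, and SHA-256 over the canonical form is an assumption about how a matcher might key records, not a documented Facebook procedure.

```python
"""Email canonicalisation and record matching (illustrative model)."""
import hashlib
from collections import defaultdict

# Domains where dots in the local part and "+tag" suffixes are treated as
# aliases of one mailbox (the behaviour the comment above reports).
ALIASING_DOMAINS = {"gmail.com"}

# Shared providers: a domain-level match on these would be meaningless.
PUBLIC_PROVIDERS = {"gmail.com"}

# Constructed sample: (service that holds the address, address given to it).
RECORDS = [
    ("store", "jane.doe+store@gmail.com"),
    ("forum", "janedoe@gmail.com"),
    ("bank", "J.ane.Doe+bank@gmail.com"),
    ("news", "news@doe.example"),   # per-service alias on a private domain
    ("shop", "shop@doe.example"),
]


def canonicalize(email):
    """Lower-case the address and strip alias decoration where it applies."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    if domain in ALIASING_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def match_key(email, by_domain=False):
    """Hash of the canonical address, or of the domain when by_domain is set
    and the domain is not a shared provider (assumed matching strategy)."""
    canonical = canonicalize(email)
    domain = canonical.rpartition("@")[2]
    subject = domain if by_domain and domain not in PUBLIC_PROVIDERS else canonical
    return hashlib.sha256(subject.encode("utf-8")).hexdigest()


def clusters(records, by_domain=False):
    """Group services whose stored addresses produce the same match key."""
    groups = defaultdict(list)
    for service, email in records:
        groups[match_key(email, by_domain)].append(service)
    return sorted(sorted(services) for services in groups.values())


if __name__ == "__main__":
    print("address-level match:", clusters(RECORDS))
    print("domain-level match: ", clusters(RECORDS, by_domain=True))
```

Address-level matching links the three gmail.com variants and leaves the private-domain aliases apart; they merge only when the matcher treats the whole domain as one identity.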


It’s not a situation where FB “managed to obtain”. It’s Macy’s directly uploading transactions in order to attribute purchases to their online ad campaigns. It uses email and name etc to match.


I agree.

While it's easy to point at Facebook and say "they are so creepy" - this sounds like the type of challenge every marketing department faces. "What is the attribution of X,Y,Z ad campaigns?"

Connecting purchase + email + 'where the ad happened' via social solves that.


> While it's easy to point at Facebook and say "they are so creepy" - this sounds like the type of challenge every marketing department faces. "What is the attribution of X,Y,Z ad campaigns?"

That can still be creepy. (If you're meaning that the accusation of "creepy" should be directed at modern marketing in general and not just Facebook, yes, I'd agree with that, though a good part of how we got here is large centralized aggregators like Facebook.)

I think there are plenty of non-advertising contexts where "using people's data to influence their behavior more effectively" can easily cross from normal to creepy as you start collecting more data. If you give your SO a certain flower because you remember a conversation the two of you had a while ago about that flower, that's normal and even thoughtful. If you give your SO a certain flower because you hired people to follow them before you even started dating and you got a report that they always stopped to admire a certain flower on their walk to work, that's creepy.


Absolutely, but I think it's time to start asking:

1. Is that ok that we accept this sort of Pavlovian training from anyone, much less for-profit companies?

2. Is it ok now that the entities are so easily able to completely track the effectiveness of their advertising and thus empowered to amplify whatever works to increase their success rather than some metric like human happiness?


Imagine all of our phones' lockscreens being unlockable only by face unlock and not fingerprint... you know, our face which is all over the internet and trackable across websites and in-store and public cameras.


Every profession has challenges. Most of them don’t resort to violating the rights of others to solve those challenges.


What rights are being violated here?


The right of privacy. The right of dominion of one's own affairs. The right to not be harassed by soulless individuals and companies who are 'merely' seeking to gratify their greed.


If rights were violated then this would all be illegal. Clearly it isn't. In the US, there is no constitutional right to privacy, and any legal precedents are mostly about government surveillance.

There are new data privacy regulations at the state and federal level going into effect which is why FB made these changes, but they don't explicitly prevent this kind of data sharing from an outside company using first-party trackers to send data to Facebook's marketing platform.


You are right, of course. It just goes to prove that we are little more than slaves to the system of governments who dictate what is lawful, who usurp their position in order to bestow rights back to us that used to be intrinsically ours to begin with. It doesn't make it right however.


"Attribution" in this sense is always going to be the enemy of privacy, because it boils down to the question of "what was on your screen when you decided to make this purchase".


The fact that there is a commercial motivation doesn't make it less creepy.


Match backs? Or offline conversions? Looks like Zapier offers a match back service too.


Google has long bought credit card transactions and so probably have dozens of others. The root cause is that they are allowed to be sold.


I'd argue that the root cause is that they have any value whatsoever.


Are credit cards different from debit cards in this regard? Do some credit cards not sell your transactions?


It's the card network (MasterCard, Visa, AE) that sells your data. They each have their own opt-out:

* https://marketingreportoptout.visa.com/OPTOUT/request.do

* https://www.mastercard.us/en-us/about-mastercard/what-we-do/....


Your Mastercard URL got truncated somehow. It's a pretty easy search, though. Just the same, thanks for linking because I had no idea this was even an option:

https://www.mastercard.us/en-us/about-mastercard/what-we-do/...


> To opt-out from our anonymization of your personal information to perform data analyses, please provide your Mastercard or Maestro payment card number below.

This sounds like they are going to continue using my purchase data but without anonymization? Not a native speaker so perhaps I'm just misunderstanding the sentence.


I think they tried to formulate it so it will sound less damning for them, like they want to make it explicit that what they performed their data analysis on is your anonymized personal information.


You're right. I don't think that's the intention, but that is certainly what the language implies. It's rather vaguely worded.


It’s crazy that they do this yet still charge nearly 3%.


They don't charge 3%, they charge about a tenth of a percent (0.11%). What you think of as fees is actually a basket of charges going to different parties. Almost 2% goes to your (the purchaser) credit card company to cover the risk of you not paying them, about a percent goes to the store's bank to cover the case when they have to give the money back (either because it was a fraudulent online transaction, or the store cheated the customer and the customer went to their card issuer, etc.) and that tiny little bit that's left goes to Visa/MasterCard.

Credit transaction fees actually make lots of sense and are grounded in the actual cost of the financial product. As a merchant, you can choose to accept only debit cards to avoid the cost.


I get that this is how it works in the real world, but the argument that transaction fees are necessary for the credit company to cover the risk of the cardholder not paying is a bit feeble, because to my non-banker mind: that's what the interest rates are for. If someone is risky, simply don't approve their application, or raise their rate. Am I missing something?


The 2% that goes back to the credit card company is what ends up paying for all the rewards points and cash back discounts—which work as mechanisms for you to get that money back so long as you actually pay your credit card bills.


> about a percent goes to the store's bank to cover the case when they have to give the money back (either because it was a fraudulent online transaction, or the store cheated the customer and the customer went to their card issuer, etc.)

Is this right? It's been my experience (in Canada) that losing a fraud case or chargeback the store takes the hit.


They force merchants to accept the 3% as a function of their oligopoly power. Merchants don’t negotiate anything inside the basket.


With the new "elite" cards that have higher transaction costs that you can't disallow as a merchant, it's becoming more like a tax.


And if you’re a savvy customer you get “cash back rewards” from your credit card, meaning some of the fees just end up coming back to you.


A "savvy" customer has a card that doesn't make them perform a dog and pony show like you describe. A savvy customer's card charges the lowest reasonable rate in order to provide the service.

Giving someone money and then feeling all giddy when you get a "reward" later means you've been gamed.


But this is such a weird way to think about it. Credit cards don't cost anything. In some vague grandiose sense prices are slightly higher since credit cards exist and merchants want to cover their fees but my perspective as a customer spending via a credit card is basically free money. There's no dog and pony show except buying things like I normally would.

* I get literal cash through their rewards program which just slowly accumulates without me having to think about it.

* I get all the nice protections and can do chargebacks.

* The money I spend every month stays in my bank account until just after the bank calculates and cuts my interest check. Like it's super negligible but hey, if I'm getting an interest free loan anyway.

2% cash back from the card + 0.25% interest from the bank ain't nothing.


The point is that everything you buy with the card is at least 2% more expensive, because the merchants are just passing on their credit card fees to the consumer. You are not saving money in any way, shape or form.

Once upon a time, it was beneficial for a merchant to accept credit cards, it lowered their costs for handling cash, which meant they saved money and the 2% cost for each transaction was reasonable.

In a world where everyone is using credit cards for every purchase, that 2% is essentially a tax instead.


Which is all fine and good but my options are pay 2+% more for everything and get nothing or pay 2+% more and get something.

Like there’s no point to trying to punch a river as a lowly software dev completely unrelated to finance and politics.


Yes, you absolutely should use a credit card in the US and get your cashback or rewards or whatever. You have to play the game, because everyone is playing the game.

But, you have to realize that it's not beneficial to you. You don't earn anything, you merely, barely, move the needle back up to break-even. You're not gaining. You're not winning. You're not sticking anything to any man. If the entire credit card industry got rid of rewards, and lowered their merchant fees, it would be a net benefit to you.

So feeling happy or grateful for cash-back means that they got you, they tricked you into feeling grateful for the privilege of giving away your money.


If you paid cash, in virtually every case you'd pay exactly the same price because most merchants don't provide cash discounts. If your merchant does provide a cash discount, I would suggest taking advantage of it. But if they don't provide a cash discount, you're still paying that 2% margin anyway without receiving any benefit from it.

Likewise, except for small businesses whose owners don't actually price in the cost of their own time and labor, it's not entirely obvious to me that the cost of accepting credit card payments actually is any more expensive than the cost of handling cash, which is probably why cash discounts are rare. The main exception to that seems to be gas stations (which usually have a lower price for debit cards and not straight cash), except even in that case, I get an even bigger discount by using Costco's gas station, which doesn't have any such discount. You do address this point...

> Once upon a time, it was beneficial for a merchant to accept credit cards, it lowered their costs for handling cash, which meant they saved money and the 2% cost for each transaction was reasonable. In a world where everyone is using credit cards for every purchase, that 2% is essentially a tax instead.

That makes no sense. If the cost of receiving credit card transactions is 2%, that doesn't imply that the cost of receiving any other kind of transaction is 0%. If there's no cash discount, the difference in cost to the consumer is zero anyway. But the difference in cost to the merchant isn't 2% either, because if they accepted a different form of payment, the difference in cost would be 2% minus the cost of accepting that different form of payment. (And if they didn't accept any form of payment at all, the cost would effectively be 100% because there would be no sales). In a world where credit card sales are ubiquitous, if anything, credit cards become a better deal for merchants because there's less economy of scale for cash-handling services.

All in all, I would even suspect there are instances where credit card rewards end up providing a net positive to a sufficiently devoted cardholder simply because most people are not going to expend the time and effort necessary to maximize their credit card rewards. It's just like Vegas in that sense--while it's true that "the house always wins", casinos will also comp you rooms and drinks, and there are documented instances in which you would expect to be better off playing video poker or blackjack for long enough to get a free room (assuming perfect play, which means memorizing a small decision tree). Why is this possible? Because the vast majority of people don't play perfect blackjack or video poker. Businesses plan for average-case expected customer behavior and not best-case (or worst-case from their perspective).


The cost for a merchant to handle credit cards is whatever the credit card companies can get away with.

The actual cost of handling card payments is very, very low these days, but merchants are stuck paying the higher price, because there's effectively no competition in the space. To avoid having obscene profits, the cc companies give back a lot of the extra money to the consumers in the form of cashbacks and rewards, and then consumers stupidly feel grateful for being fleeced.

In an ideal world, merchants would pay only the actual cost for handling card payments, only pay for the tech itself, and the fraud risk. Naturally, such a pricing would be a fixed per-transaction-fee, because the actual cost is the same for each transaction.

In the same ideal world, the credit risk of credit cards has to be managed through the interest rate and credit worthiness management. It's completely outrageous that credit card processing fees should in any way, shape or form cover the risk side or the fraud side of the business. That's not the merchant's problem.

That would be fair. That wouldn't be gameable. Some countries did exactly this: https://en.wikipedia.org/wiki/Dankort


> The actual cost of handling card payments is very, very low these days, but merchants are stuck paying the higher price, because there's effectively no competition in the space.

In other words, the cost of processing credit cards is low enough that it successfully competes with every alternative form of payment. In which case I don't see what you're outraged about. Invent a more cost-effective payment mechanism if you think there's an opportunity for it.


It's also worth mentioning that cash isn't necessarily any less expensive for merchants to accept. It is if you're talking about a small local business or something, but if you're paying for the actual labor of counting cash, delivering and depositing it to the bank, as well as the increased security risks and costs of holding large sums of cash, it starts to add up.


I pay $89/year for my card, which I use for every purchase. I get hundreds if not thousands of dollars in rewards each year, and have never paid a penny in interest.

There's no dog and pony show involved, and I have not been gamed.


The merchant pays the interchange rate regardless if you get a reward or not. If you have a no annual fee card with no rewards, you are simply leaving money on the table (which your card issuer pockets), since you can get 1-1.5% cash back, also with no annual fee.


A "savvy" customer pays their entire credit card bill every month, so the actual interest paid is zero. At that point, the rewards are the only meaningful difference in return from one card to another.


So you must have a recommendation for a card that charges lowest reasonable rate?


The rate a card charges differs from applicant to applicant. Without knowing your credit score, credit history, and other financial information I cannot recommend a card for you.


If you're just talking about interest rate, the trick is to not even have to care about that.


I'm not.


The rate a card charges is immaterial since if you pay the entire balance each month, you pay zero interest. (And if you don't, you're making a big mistake.)


> feeling all giddy when you get a "reward" later means you've been gamed.

It doesn't really feel that way as you're flying to Hawaii for free.


You're not flying to Hawaii for free. Every single purchase you made with the card was more expensive than it had to be, because the merchants needed to cover their credit card fees.

What you're doing is the equivalent of always paying with bills, and dropping your spare change in a jar. And when the jar is full, you buy a ticket to Hawaii with the money in it. Except with a credit card, they keep the jar, take half the quarters, give you back the rest, and make you feel grateful for the entire experience.


> It doesn't really feel that way as you're flying to Hawaii for free.

There is no free lunch.


In this particular case all of the people without premium cards who pay with cash or debit cards with no rewards are paying for our free lunch and flight to Hawaii. It's a tax on basically every transaction, paid to those participating in the rewards scheme.

The lunch is not free. You're buying it for us.


Is this data for sale in Europe as well?


With VISA and MasterCard yes, but e.g. the German girocard network on its own doesn’t sell anything, and there it depends on your bank (and most banks don’t sell that data either).

So if you have the choice between using a girocard or a credit/debit card to buy a product, the credit/debit card is significantly more likely to sell all your data.


Anyone who wants to do this: Make sure that you also opt out your virtual card numbers (such as Apple Pay or Android Pay).

Also, the opt-out of each number is only honored for FIVE years after which you need to opt-out again.


How can I opt out a virtual card number through Apple Pay? It doesn't seem that you can get the full "Device Account Number".


I'm not sure that the "Device Account Number" matters. As I recall from the presentation, that number changes with each purchase. And Goldman has promised (ha!) not to sell your information for marketing purposes.

But it's still worth opting-out of your Apple Card's virtual number.

The number is in the wallet app, ... > Card Information


I don't see the number exposed in Apple's UI, but I can definitely see it on my bank's website.

It's possible that this is an implementation detail and some banks do it without a unique card number...


How does Capital One give back 2% on all purchases? They must be monetizing purchase data as well, right?


Do they have access to purchase line items or only the overall transaction metadata?


No, if it's data they can collect it's data they can sell.

Can't sell cash transactions yet!


Unless you are carrying your cell phone at the time—not sure anyone is doing this yet, but I have heard of at least one chain that tracks customers' cell phone locations via triangulation.


It used to be common to track the mac address of customers that pinged the in-store wifi. Not sure how much this happens now that some phones randomize mac addresses.


The accuracy by Bluetooth is horrendous.


How accurate does it need to be? If you shop in a market stall, or a bodega, then you could be tied to a neighboring store. But if you're in a regular-sized (American) store, it's certainly good enough.


What about wifi? My understanding is this chain uses their in-store access point mesh for this.


Which chain?



Another good reason to keep wifi off unless you really need it.


Not going to name them since I don't have verified firsthand knowledge. It's a large regional chain based in the midwestern US.


Unless you use a loyalty card at the same time ;)


This is likely based on an Offline Conversion which advertisers can bulk upload to FB


Here's Facebook's business help link for how to upload and use point of sale and other offline data: https://www.facebook.com/business/help/1142103235885551?id=5...


>, they managed to obtain a `PURCHASE` event from Macy's

interesting.. they could use that to predict earnings..


A lot of hedge funds purchase credit card data to do exactly that.


You don't even necessarily have to predict earnings. If you've ever connected to your financial account via a service like Plaid or its ilk, that service has an API endpoint[1] they can call to neatly package up your income information. Sometimes it seems innocuous and unassuming for a one time use like identity verification, or to set up automated payments, or a one off transfer/disbursement. Other times it's for stuff like getting a consolidated view of your personal finance (i.e. a transaction aggregator such as Mint). But if you authenticate for anything, that service has access to everything.

And unless you rotate your financial passwords on a frequent basis, that access continues pretty much indefinitely[2].

[1] https://plaid.com/products/income/

[2] Not true for 100% of cases, but a general rule of thumb that's applicable to the majority of institutions they log into with your credentials.


By “they” I assumed the GP was talking about Facebook being able to predict Macy’s earnings before they were publicly announced. That would be pretty interesting to see :)


> interesting.. they could use that to predict earnings..

A few years ago when Chipotle had its little food scare, Foursquare used its data to predict how much the restaurant chain's revenues would decline. IIRC, it was accurate to within 1%.


Predict? Facebook buys earnings data directly from payroll companies.


Dot variations in Gmail all belong to you by default. That's a Gmail thing not a Facebook thing.


That last part makes sense. If you want a different identity, you need to choose a different ID. Better to make you be more explicit about what you are trying to do (multiple accounts), than accidentally split accounts of people who aren't trying to do that.


I saw the same for Gap inc for a list of in-store purchases at Old Navy. Incredibly on the nose about how screwed privacy is going to be soon.


What do you mean, "soon"?


old navy is owned by gap - not sure if this counts..


It’s better to not use the same email address everywhere. I use SimpleLogin to create email aliases and it works great so far.


I just don't give my e-mail address to anyone. Anyone. Doctors, vets, especially retail stores.

I just tell them that I don't have one. On the very rare occasions anyone has balked I tell them I just moved and haven't set up my internet yet.


My first reaction to this was to be creeped out. Even being in the industry how did all of these sites (560) have data about me that they were willingly sending to Facebook without my permission. And while I have a Facebook account, I am not a Facebook user – as in I've logged in twice in the last year to see a neighborhood post or the like.

But then I went from creeped out to oh shit as sites I run were on the list. The way Facebook puts it, these businesses are actively sharing data with Facebook for the businesses' benefit. But as a developer who has been asked to put a pixel on a site many times, I have to rethink the data exchange here. Obviously the sites are not getting the benefit that Facebook is receiving from everyone piping in data – often unknowingly.


> Obviously the sites are not getting the benefit

How is that obvious?

Surely sites would eventually stop going through the extra effort to maintain trackers if they didn't get a benefit?


I realize this is an unpopular opinion around here... but can anyone explain how they have actually been harmed by this? Like for real, not in abstract notions of "creepiness" or whatever. I, for one, wish Facebook actually figured out how to do something useful with that data and not be that raw sewage stream that basically led me to stop logging in.


The harm is that Facebook gains control over prediction markets that they then sell to the rich and powerful to nudge enough of the population to their points of view. These points of view are often not in the general public interest.


Agree here; Given the insane hours that people spend in FB, the feed becomes part of their reality and better nudges affect their outlook on the world, their spending decisions and their political directions.


My particular issues are different from most people here.

The biggest impact, for me, is that the dominance of Google and Facebook based on having access to this data for the general population has led to worse advertising revenue for the news industry and some of my favorite websites. That has caused some of them to rely on memberships and paywalls.

I also don't appreciate that the money that they've accrued due to their dominance as a result of data like this has led to undue political influence. That comes at the expense, I believe, of voters (and I'm one of them). I don't think that power is healthy for a democracy, generally. I believe this about non-tech companies, too, so I wouldn't suggest anybody just pick on this industry.

This isn't to say that I'm not concerned about privacy. It's only to say that IF YOU AREN'T, then there are other reasons to root for people to have transparency around how their data gets passed around.


I for one much prefer paywalls. I'd rather be the customer than the product.


Most news websites load trackers regardless of paying so you can be both the customer and the product. This is also why I will never subscribe to a news website. I'd rather let them try their luck with tracking rather than just hand them in all my personal & payment info on a platter.


You mean like the Google Analytics you have running on your website?


Yes that is something I plan to address by switching to another blogging platform. If you look at the GA ID you'll notice it's not mine and it belongs to my blogging platform (which apparently enables GA with their own ID even if you don't provide a custom one instead of just disabling the feature).

Edit: I have now deleted the DNS records so the website will be down until I have time to fix this properly.


Do you have another platform (ideally self-hosted) in mind? I used to run a WordPress instance for my personal site but took it down after it got annoying to stay on top of the frequent updates and security fixes.


I have the same problems regarding Wordpress so it definitely won’t be that.

I’d look into static site generators but the problems with them is that I will always be tempted to tinker with it which is why I went with a hosted solution.

I will look into Substack as I’ve seen it used quite a bit around here recently. If not, I’ll see what Squarespace has to offer.

I actually tried emailing the owner of Svbtle (the platform I used) about removing GA but haven’t had a reply.


My issue isn't that I don't want to pay the paywall -- it's that because people broadly don't prefer paywalls that relying on them rather than a thriving online ad business means they can't hire more reporters, video people, data folks, etc.

So at the end of the day, it means I don't get to enjoy as much quality content from the publications that I love.

In my view, I end up with the best content when advertisers aren't going to one or two central places for their ad buys online. I'm actually an advertiser, myself (as just one part of my job). And I certainly know how my own buying practices have shifted over the past 14 years to now be 100% focused on FB/Google. Some of the Google money trickles down to other publications, and certainly this makes my job easier, but I don't think it's a good thing as somebody who also loves reading online.


Online advertising is pretty much always going to be a race to the bottom because everything a website does is just a dog and pony show to get people to watch ads. Why bother putting together quality content when churning out clickbait and low-effort crap generates far more clicks with far less work?


As an advertiser, I can tell you that clickbait is the worst place for my ad to live because people click away immediately.


Yeah I agree advertisers would rather have their ads next to quality content. Publishers don't always have the same incentives while it's easy to fill lots of inventory with at lower prices but make up for it in volume. A fine dining restaurant might make more money per diner than a McDonald's, but your average McDonald's probably makes way more money.


If something benefits McDonalds AND the fine dining places I enjoy, that's fine with me.

I don't have a problem with bad content out there, so long as there's a ton of really good content. For the great publications I read, I want them to be successful businesses so they can expand. A better ad market, or even a return to how it was before the dominance of FB/Google, would enable them to do that in a way that relying mostly on subscriptions hasn't.


Yeah, and the other stalkers out there should find productive use of their data gathering, too.

/s


Hmm. I have no website activity listed - but seemingly every single Android game and a few other apps is sending "activity" to FB, despite me never using any feature to associate the two. This sounds like: https://privacyinternational.org/report/2647/how-apps-androi...

Any sensible way of stopping this?


Blocking the entire Facebook ASN at the firewall/network level stops this. Google is a bit more tricky as they also have GCP so you can’t block their ASN without also blocking innocent services.


This is assuming that all data sharing to Facebook is done from the client which is obviously not true. If your desired service wants to share data with Facebook they can and will do so and there's nothing you can do about it except not use the service.


How does one do this?


If you are running Android >=9 then you can block the trackers by changing your DNS settings to use one from https://nextdns.io/

Instructions on changing DNS settings https://joyofandroid.com/how-to-change-dns-on-android/


Specifically, how do you do it on a normal Android device? Is it even possible to do this on an iOS device that's on 4G or someone else's wifi? Do iOS devices have the same "leak"?


> Is it even possible to do this on an iOS device that's on 4G

No.

> Is it even possible to do this on an iOS device that's on [...] someone else's wifi

Yes, since you can do it on your device, and do not have to do it on the router. Drawback is you have to do it for each Wifi network anew.

> Do iOS devices have the same "leak"

Yes, there is nothing that prevents apps from phoning home (or phoning every one of a dozen data collection "partners")


>> Is it even possible to do this on an iOS device that's on 4G

> No.

If it is a DNS server change on 4G/LTE, it can be done by using FOSS apps like DNSCloak on iOS. [1]

[1]: http://github.com/s-s/dnscloak


You either need to control the mobile side of things and never connect to unrestricted Wi-Fi or use Apple Configurator to create a profile for an always-on VPN to a place you control where you can apply the restrictions.


I'm blocking Facebook DNS requests using DNS66. I'd also be interested in how to block their entire ASN, though.


I am unable to verify this right now for the obvious reason, but facebook operates on ASN gAS32934[0]

So you can ask https://www.radb.net/ for the IP addresses that are associated with this AS and, after a quick manual sanity check, insert it into the firewall of your choice. For example:

  whois -h whois.radb.net '!gAS32934' | tr ' ' "\n" | sed 's/^/saddr /' | sed 's/$/ DROP;/'

[0] https://www.facebook.com/peering/
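
The "quick manual sanity check" in the comment above can be scripted. This is an added example, not part of the original comment: it parses a saved reply from that whois query, discards tokens that are not valid prefixes (a plain `tr`/`sed` pipeline would turn them into rules), refuses prefixes that are too broad or that overlap networks you must never block, merges adjacent prefixes and emits the same `saddr … DROP;` lines. The function names, the thresholds, the `A<length>`/`C` framing lines and the sample reply (documentation prefixes, not real routes) are assumptions.

```python
import ipaddress

# Constructed sample of a RADB "!g" reply. The prefixes are documentation
# ranges (RFC 5737 / RFC 3849), not real routes. The "A<length>" and "C"
# framing lines are an assumption about what the whois client passes through.
SAMPLE_REPLY = (
    "A118\n"
    "192.0.2.0/24 198.51.100.0/25 198.51.100.128/25 2001:db8:1::/48 "
    "203.0.113.0/24 0.0.0.0/0 192.0.2.1/24\n"
    "C\n"
)

# Assumed thresholds: a prefix shorter than this is treated as too broad
# to block blindly. Tune them for your own network.
MIN_PREFIXLEN = {4: 8, 6: 16}


def parse_irr_reply(text):
    """Split a reply into valid networks and tokens that are not networks."""
    networks, rejected = [], []
    for token in text.split():
        try:
            # strict=True refuses entries with host bits set (192.0.2.1/24).
            networks.append(ipaddress.ip_network(token, strict=True))
        except ValueError:
            rejected.append(token)
    return networks, rejected


def sanity_check(networks, never_block=()):
    """Drop prefixes that are too broad or overlap a protected network."""
    protected = [ipaddress.ip_network(p) for p in never_block]
    kept, dropped = [], []
    for net in networks:
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            dropped.append((str(net), "too broad"))
        elif any(p.version == net.version and net.overlaps(p) for p in protected):
            dropped.append((str(net), "overlaps protected network"))
        else:
            kept.append(net)
    return kept, dropped


def build_rules(text, never_block=()):
    """Return 'saddr <prefix> DROP;' lines for the prefixes that pass."""
    networks, _ = parse_irr_reply(text)
    kept, _ = sanity_check(networks, never_block)
    rules = []
    for version in (4, 6):
        same_family = [n for n in kept if n.version == version]
        # collapse_addresses merges adjacent or nested prefixes of one family.
        for net in ipaddress.collapse_addresses(same_family):
            rules.append(f"saddr {net} DROP;")
    return rules


if __name__ == "__main__":
    nets, rejected = parse_irr_reply(SAMPLE_REPLY)
    _, dropped = sanity_check(nets, never_block=["203.0.113.0/24"])
    print("not a prefix:", rejected)
    print("refused:", dropped)
    print("\n".join(build_rules(SAMPLE_REPLY, never_block=["203.0.113.0/24"])))
```

Review the refused and rejected lists before loading the rules; an unexpectedly short prefix list or a refused default route usually means the reply was truncated or the wrong object was queried.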


From your link:

> "Privacy International has tested both opt-outs and found that they had no discernible impact on the data sharing that we have described in this report."

So there's that. I wonder if any opt-out really helps. I think the best approach is still to use a good blocker such as uBlock Origin.


The Android advertising_id property and the iOS IDFA (identifier for advertisers) are available to every app, and once an association between the ID and your Facebook account is made, further interactions can be attributed to your identity.

Both of these identifiers can be reset at any time via OS features, making you appear as a new user (at least until fingerprinted or a new association with PII is made).


Realise that you don't really need those android apps, or the google or facebook account. The utility and entertainment you get is half of surveillance capitalism ecosystem, and the other half is that they compile all this information about you.

I know it sounds preachy and it's not a conclusion most people will like. But, like fasting, going without something you like but don't really need does help you focus on what you really do need.


I don't actually care all that much and I like my luxuries. Do I "need" the Google account? No. Do I want to tell every person and business currently using it that I've changed email? Also no, that's a huge amount of work. Likewise for facebook, which is now down to once-a-day-ish use for coordination with a specific group of people whom I do not want to do the work of moving all of them off Facebook too.


Yeah, I make similar trade-offs. The sunk cost of a few TV show purchases keeps me from closing my Google account. But I won't let it anywhere near my phone.

I think the process of honestly asking the question is more useful than the actual answer. Life & society is full of compromises.


I was surprised to see that Plex is sharing a bunch of interactions with Facebook despite me only signing in with email. They seem to just blindly correlate the email address with whatever Facebook account it points to. There is no mention of Facebook on their privacy page[1]. As a lifetime Plex Pass holder this has damaged my credibility with them.

One of their employees says this is in error[2] so hopefully it will be fixed.

I guess signing in with email is pretty much equivalent to contacting Facebook if this is possible to do.

Besides that there are physical retailers that send data to Facebook even though I don't recall giving them any idea identifying info. I feel powerless since I rely on Messenger for communication with friends, who I've tried and failed to convince to switch elsewhere.

[1] https://www.plex.tv/about/privacy-legal/privacy-preferences/

[2] https://forums.plex.tv/t/why-is-plex-sharing-my-activities-w...


Yeah, I was really surprised to see Plex in my friend's off-FB-activity list. I've been wanting to switch to Emby, but I already have a Plex lifetime membership, and it would be difficult to get friends to make the switch. I'm not liking Plex's direction with getting into the streaming business, along with this FB spyware mishap.


> it would be difficult to get friends to make the switch

Could you elaborate on why this is an issue? Plex doesn't really have network effects and is usually only managed by 1 person.

Maybe you give your friends access to your instance? In which case it seems like they are in no position to complain.


Emby doesn’t have good apps for as many platforms as plex does. I use plex on my PS4 where Emby doesn’t have an app.


Yeah, this is probably the main reason. I know two friends who use Plex exclusively on their PS4.

I'm also not the only one in my group maintaining a Plex server, so they'd incur a transitioning cost as well.


I don't think it's be email (or at least not ONLY email). The page shows a company is sharing my data with Facebook and my email address is different from the one I use with that company.


Deliveroo has evidently been sending them all my orders. Or at least, there are as many 'interactions' as I have made orders. I don't log in via my Facebook so that is an unwelcome surprise.


Yeah that is insane especially for a paid product.


Same here. I had to recollect if I even signed up with Facebook. After checking my Deliveroo settings, it seems that my FB account isn't even connected. This is insane...


Do you use the same e-mail address for both Deliveroo and Facebook?

If so, that could be how they matched you. Facebook lets businesses create custom retargeting audiences[1] from existing customers, and you can (obviously) include interaction data in order to segment e.g. frequent customers from occasional customers.

1. https://www.facebook.com/business/help/1472206006327390


I suppose that would explain it. I can't see what Deliveroo get out of it though, and how they might expect Facebook to have a better handle on what sort of food I would order and how often as opposed to Deliveroo themselves, who know. I wonder if they have plans for service expansion into "Deliveroo but for X" and want to see what their customers are into. Or perhaps they want to see if I am two-timing them with Just Eat!

Funny, I now remember reading a post from someone claiming that if they ordered an online grocery shop off a company that was not their usual, like magic a voucher would appear from their original company. I assumed this was coincidence, but this is the exact mechanism that such a thing could happen.

Of course this could also just be a manifestation of the trend of companies desiring data for data's sake, and a load of deliveroo managers are sitting in a meeting somewhere looking at a graph showing an intersection of people who are into retro computing and also like burritos and trying to brainstorm some strategy off such trivia.


> how they might expect Facebook to have a better handle on what sort of food I would order and how often as opposed to Deliveroo themselves

That's not really the idea - they're just trying to serve you ads wherever they think you might see them. Retargeting (whether it's through Facebook ads or AdWords or what have you) is one more engagement lever alongside push notifications, emails, etc.


I had a few - all of them from my Android apps and via Facebook business tools i.e. the vendors are actively pushing my data to Facebook. One utility app that I'm not surprised about, one that I'm a bit more surprised about but the interesting bit was G-Shock Connect (for the watch).

I installed their app once, figured it doesn't properly do the only thing I needed it for (show battery charge level), and I went to uninstall it. How did it find itself on Facebook?

The app wasn't given any permissions and I did not enter any personal information. The TOS did require giving consent to sending app and watch usage data but I didn't tick allowing that for marketing purposes nor was personal information mentioned, just identification data from the phone itself, operating system etc.

The app must have obtained my phone number or email from the phone's personal data. Apparently that's possible even if I declined all explicit permissions. They might be able to find my Google email by using Android's AccountManager apis. Phone number might be possible but slightly tricky and I think I disconnected my phone number from Facebook way before installing their app.

Interesting stuff - looks like everything should run in an anonymous container by default on phones, too. I hope we'll get there soon. Still, a lot of this is based on trust rather than technical countermeasures. Will you trust the vendor or not?


Allegedly, I ditched my Facebook account years ago. Not just deactivated but deleted, though I don’t really believe it. Is there any way to see what’s in this (or to see if my account really is gone) without accidentally re-upping?


I had followed a guide in ~2010 to delete my account (since the magic incantations to delete your account at that point were really obscure). I was told via email that my account would be deleted after a certain amount of time (90 days IIRC); I got curious in 2015 and logged back in. I was not terribly surprised to find that I could log back into the account and all my old data was still there. They may actually delete accounts now, but this certainly hasn't always been true.


I had deactivated my account about a year ago. I tried logging in to view this page, and it reactivated everything immediately. Also, it has clearly been linking a vast quantity of off-facebook activity despite my account being deactivated.


Facebook provides two different options, one is deactivation and the other one is deleting. They are not the same thing. If you merely deactivated it, then your account never was deleted.


I took the leap and tried to log in. It said there was no account, so I guess the delete worked?


Depending on your location, you could do a GDPR Data Subject Request (DSR).


Facebook doesn't really comply with the GDPR. The data displayed on this new page wasn't part of their data export and I'm sure is still not part of it.

Here's an example of the lengths they will go to in order to not give you what you're entitled to by law: https://ruben.verborgh.org/facebook/

In fact, if they were GDPR compliant, they wouldn't be collecting this data in the first place.


If you want to disable facebook tracking out of facebook in the future, it's possible on this link: https://www.facebook.com/off_facebook_activity/future_activi...

EDIT: the link doesn't seem to work, so you can click on "Manage Future Activity" => "Manage Future Activity" in the popup => Disable "Future Off-Facebook Activity"


You might not want to disable this completely, because it can be a useful tool to identify data leaks (similar to Troy Hunt's haveibeenpwned.com).

My off-Facebook activity had zero entries and I want to keep it that way. If they ever associate something with me I want to be alerted to the fact.


Mine had exactly one entry. And I won’t be doing business with that company anymore. No way am I disabling this. It’s too useful.


One warning it gives me:

> We will still receive future activities from companies and organisations you visit. These might be used for analytics and to improve our advertising systems, but will not be connected to your account.

(Translated from Dutch because for some reason Facebook figured I'd want this particular message in Dutch.)


Extrapolation: "Account" here means the Facebook account created by you and visible to you; probably distinct from "Profile" in their lingo, which is all the data they have on you, of which most is invisible to you. If this is true, that's not an opt-out for data collection, just a choice to keep that info from showing in your account while merrily continuing to build your profile.


I mean, they’ve already been shown to keep every tiny nugget of data, this feels more like “we won’t give anyone else tools to see that it’s you” instead of “we’ll anonymize it sufficiently”


Before you disable it, the site warns you that "This will also prevent you from logging into apps and websites with Facebook because your activity will be disconnected from your account." This annoys me, because Facebook login is actually quite convenient, and they've gone and bundled it with lots of random third-party tracking. Nothing technically required them to do this -- they could surely offer it as a separate feature.


Man I feel hopeless.

I have not connected my Facebook account for over 90% of these sites/apps but they still sent my data to Facebook.


They probably just have a Like button on their website, which passes on data even if you don't click it. Use a request blocker like uBlock Origin.


You don't need anything on your frontend to share data with Facebook. Facebook doesn't acquire information like what shirt you bought by putting a like button on a page. Your clothing retailer is willfully sharing that information for marketing benefits.


Do you have the option to stop using those sites or using those vendors? At least now you have more data on the externalities of using each service.


For some of them, I can stop.

But some are essential. Transferwise is not connected to my FB account but is sending data to Facebook.


I am not sure about transferwise but n26 seems to send data, based on some obscure privacy policy here https://support.n26.com/en-de/get-more-out-of-n26/other/cust...


Same here. At least you can just turn it off on this page, and hopefully that will do something.


Is it too late to change my email address on Facebook?

I'm assuming Facebook keeps a history of my email addresses that it can still associate it to my account.

Another option is to change all my email addresses at these sites.


It's not even that (though it might be part of it), I use a different email address per site (sitename@mydomain.com).


I have an address unique to facebook, and they still managed to associate it with some stores.


>I'm assuming Facebook keeps a history of my email addresses that it can still associate it to my account.

This is true: if you download your Facebook information file, you'll see it stores all the previous emails as well as all the previous IPs used.


Is it just me, or is there no way to download activity details? I click on an activity, then there's a few examples and a link to download, but this leads to a generic "Download your information" page and I cannot see an entry for the app or off-facebook specifically...

How can I block it? Some apps are on my iPhone, but I don't have the Facebook app on it (I do have messenger), and only used the apps on the phone. Aren't they isolated in some way?


For downloading the data there is an option to download "Ads and Businesses" under "Information About You". I just downloaded it, and it includes all data that was shared.

However, the data only shows the source, timestamp and activity ID. The actual event data is not included.


I deleted my Facebook a couple months ago. Now I wish I would have kept it just a little longer to see what they had on me.

But in the end I still would have deleted it. Facebook clearly can't be trusted with my data. Idc what connections it gives me. They have shown time and time again that they will exploit the tiniest things to predict and manipulate your behavior.

And apparently companies desperate for even slight upticks in conversion rates will upload everything they know about you.

No wonder Cambridge Analytica, AggregateIQ, and Robert Mercer had such an easy time compiling psychological profiles and categories of Americans and Brits.

In the end, it's real simple. The human brain adjusts based on the environment and events around it. I'd rather not have Zuckerberg, Dorsey, or anyone else they deem worthy, intentionally or otherwise playing around in my head.


It's still there.

Try logging in. You might have to reset your password, but the bastards haven't really deleted it.


I tried this, but it only gives me the option to sign up. I think I deleted my account around two years ago, and it's seemingly really gone.


I feel like this stuff actually creeps me out more since I deleted my Facebook account. I didn't deactivate, I completely deleted.

I'm near 100% sure they're still trying to track & sell me, but without an account I can't even see it.


Back when I got rid of my account there wasn't an option to immediately delete an account. It first had to be deactivated, and would supposedly be deleted after a two-week cool-down period.


Yes I went through that too. It was about 2 years ago.

They sent me all the warnings that they were deleting anything.

Do I believe them at all? Not really?


I know people who have left Facebook and then much later come back, setting up a new account with new credentials and Facebook could still begin to suggest old friends and interests.


Isn't that because they can still match the friends side to the new data? They still have half of the matches and once you give them your half they will suggest the same stuff.


I was asked to "sign in" to "facebook" therefore I have no idea what this post is about.

(seriously, concerned citizens should consider browsing fb incognito and never stay signed-in)


I agree with this advice. I treat facebook.com like a warez site from the 90s: actively hostile. So far only off-site activity tracking came from AirBnB.


The linked page displays nothing but "You must log in to continue" if you don't have a Facebook account. I searched around and found this news page that explains it: https://about.fb.com/news/2019/08/off-facebook-activity/


A bit weird that my Monzo seems to be sending data to Facebook?


Hmm, that feels incident worthy.

My bank should send precisely zero things to advertising / marketing companies.

Have you raised it with their Help team? You should.

Unfortunately I cannot as I do not have a facebook account so cannot determine whether or not facebook hold data on me without creating an account.


You might (justifiably) not like it, and it might inspire you to boycott the business or plead for regulatory relief, but it's not an "incident" from their perspective to be intentionally doing what they do to run their business.


This is a bank, and they are regulated. Depending on the information shared, this may be a breach of that regulatory code.

I do not have access to see what the data is, but would certainly in their shoes investigate with high priority, and would raise a security incident to do so. If it turns out to be empty and of no concern, then great. But ignoring such things is seldom wise.


Might be worth a post on their community.


What do you mean by community? Like a Facebook community? Do you need an account to post on the facebook community?


They have a Discourse forum: https://community.monzo.com


Not really.

They have the Facebook Pixel installed likely to do retargeting advertising when a person visits their website.

It's one of the most effective methods so it's very common to see it everywhere.


This is related to their app not their website.


Same applies to their app.

Doing retargeting for when (a) someone downloads their app but doesn't signup and (b) someone is a customer but has low engagement i.e. is likely to churn.


That may be true, but I still think it's a low-effort way for them to do it, and I expect better from Monzo than this. Plus it tracks people regardless of if they fit in a) or b) - neither of which is the case for me.


Could you say more or provide a screenshot? I’m very curious and concerned about this.


For Revolut, I have many many entries like:

ID 894103617218109 Event CUSTOM Received on 13 November 2019 at 09:51

The only event is "CUSTOM".


I use Revolut but my page is empty. I imagine it's because I don't have the Facebook nor Messenger apps installed on my phone.


Same here. I suspect most of the commenters on this post that are confused about how their data got acquired have the FB app and/or Messenger installed on their phones.

I also suspect that soon Whatsapp will be doing the same sinister activity tracking once they go ahead with their plan to introduce ads later this year.


It just says <number> interactions were received from Monzo.



I have Monzo in my list too and downloaded the actual data. The only things listed are `ACTIVATE_APP` events. It doesn't seem to send any details to Facebook, aside from that you "activated" (opened) the app.

Still not ideal, but not completely terrible.
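
For readers who download the "Ads and Businesses" export mentioned in this thread, a per-source summary makes the opaque entries easy to spot. This is an added example, not part of any comment here: the JSON layout, field names and source names are assumptions built from the fields commenters describe (source, activity ID, event type, received time), so adjust them to the real file.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Event types that, per the thread, arrive with no further context.
OPAQUE_TYPES = {"CUSTOM"}

# Constructed sample input. The layout is an assumption, not Facebook's
# documented schema; timestamps are Unix seconds (UTC).
SAMPLE_EXPORT = json.dumps({
    "off_facebook_activity": [
        {"name": "examplebank-app", "events": [
            {"id": 1, "type": "CUSTOM", "timestamp": 1573638660},
            {"id": 2, "type": "CUSTOM", "timestamp": 1573725060},
            {"id": 3, "type": "CUSTOM", "timestamp": 1573811460},
        ]},
        {"name": "example-fitness-app", "events": [
            {"id": 4, "type": "ACTIVATE_APP", "timestamp": 1573603200},
            {"id": 5, "type": "CUSTOM", "timestamp": 1573689600},
        ]},
        {"name": "example-scanner-app", "events": [
            {"id": 6, "type": "ACTIVATE_APP", "timestamp": 1573603200},
        ]},
    ]
})


def load_events(text):
    """Flatten the export into one row per received event."""
    data = json.loads(text)
    rows = []
    for source in data.get("off_facebook_activity", []):
        for ev in source.get("events", []):
            rows.append({
                "source": source["name"],
                "id": ev["id"],
                "type": ev["type"],
                "received": datetime.fromtimestamp(ev["timestamp"], tz=timezone.utc),
            })
    return rows


def summarise(rows):
    """Per source: event count, type breakdown, first/last receipt, opaque share."""
    summary = {}
    for r in rows:
        s = summary.setdefault(r["source"], {
            "total": 0, "types": Counter(),
            "first": r["received"], "last": r["received"],
        })
        s["total"] += 1
        s["types"][r["type"]] += 1
        s["first"] = min(s["first"], r["received"])
        s["last"] = max(s["last"], r["received"])
    for s in summary.values():
        s["opaque"] = sum(s["types"][t] for t in OPAQUE_TYPES)
        s["opaque_only"] = s["opaque"] == s["total"]
    return summary


def unexpected_sources(summary, knowingly_linked):
    """Sources the user never linked on purpose, busiest first."""
    names = [n for n in summary if n not in knowingly_linked]
    return sorted(names, key=lambda n: (-summary[n]["total"], n))


if __name__ == "__main__":
    report = summarise(load_events(SAMPLE_EXPORT))
    for name in unexpected_sources(report, {"example-fitness-app"}):
        s = report[name]
        flag = " (only opaque events)" if s["opaque_only"] else ""
        print(f"{name}: {s['total']} events, {dict(s['types'])}, "
              f"last received {s['last'].date()}{flag}")
```

Re-running it on each new export and diffing the list of sources gives the "alert me when something new shows up" check several commenters want.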


When I used to have https://lua.xprivacy.eu/ it used to prompt me a lot, saying "This app is calling this API, do you want to allow or deny?" (or allow/deny for 1 minute or 10 minutes). The Facebook app would query what packages/apps are installed on the Android phone.

Yeah, Android devs, why is that an accessible API call?

For one thing this is how FB could figure out how popular their competitors like WhatsApp, Instagram or Snapchat were, and why they bought them, or tried to.


It's part of the Intent system in Android. It's a really nice system where you can say "someone open the file with this URL and mime type" and the system asks the user which app they want to use to open it (or use their default if they set one).

It all works really well and lets apps be loosely coupled to each other. It's also super flexible so you can use it for lots of different use cases. The API itself hasn't changed much since the first release of Android.

The issue is that you can query the Intent system to see if there is an app installed that can open your Intent. On the face of it, this makes a lot of sense. You could then display an error message to the user asking them to install an app that can handle it. The problem is that you can create an Intent that you know can only be handled by a single app (using the package name) and then you'll know if it's installed or not.

For what it's worth, iOS used to have exactly the same issue. You could query whether the phone could handle a specific "custom protocol scheme" (used for deep linking). You could then just query a scheme which you know is for a specific app and tell if the user had it installed. Apple fixed this by requiring you to include a predefined list of schemes which you can query for in your Info.plist (manifest file) and limiting the number you can have (30 I believe).

All APIs with good intentions, but very easy to abuse. Apple is just more comfortable breaking backward compatibility to fix these sorts of issues.


As far as I can tell almost every bank with an app is sending your email/advertising id/name/etc. to Facebook (+ other surveillance companies).


I have a couple of other bank accounts and none of the others seem to be sending data to Facebook.


I saw HSBC


I didn't see HSBC, but I did see Monzo - which I was surprised and disappointed by. I see no legitimate reason for them to be connecting me to my (disused aside from messenger because of friends' network effects) facebook account. Not impressed.


Apparently my website is complicit in this... I'm disgusted with and ashamed of myself.

https://i.imgur.com/Wz7O8HU.png

Edit: typo complacenet to complicit, thanks Zarel.


You mean you didn't know this would happen by adding something (script, tracker, pixel, etc.) to your site, or you don't have a root cause as to why your own site is sending data to FB?


I didn't assume that Facebook would explicitly connect this information with the visitors in this way. I don't remember WHY I added the pixel but I did add it. I need to get rid of these things, and Disqus.

I was probably trying to do some research on visitor demographics, which presumably failed.


> I need to get rid of these things, and Disqus

There're open source track free comments:

https://www.discourse.org/

https://commento.io/

https://www.talkyard.io/blog-comments

All of them are equally ads and tracking free, and have optional paid hosting services (if you don't want to self host). I'm developing the last one, Talkyard.


Gotcha. Thanks for clarifying. I'm working on a site rn, and hope to make it "ad-ethical" (if such a thing is possible any more).


(I think you wanted to use "complicit")

Please update us as to how this happened!


I think I have a pixel on there for some reason? I don't recall why I put it there.

It really does hurt when you see how awful your own behaviour is, i.e. by spying on users. I'm sorry everyone!


Apparently Blind made the list. So much for 'anonymous'


Anyone else thrown off that “Download Activity Details” (which seems to be the only way you can find out what interaction was sent) leads to the main Download Your Information page, and not to anything specific to that app or that interaction?


Revolut is sending data to them, too. 202 interactions for my account.


And the last date they received information about me according to Facebook is the last date I used the app. Revolut mentions "Analytics providers" in their privacy policy as companies they are sharing my data with.


For me it seems there is a 3-day difference between the last time I've used the app (today) and the last time they shared data with facebook.


>The summary doesn't contain your most recent activity. It may take a few days for your activity to show in your off-Facebook activity. The dates in your activity summary are when we received the activity.

https://www.facebook.com/help/2207256696182627


That one surprised me as well.


Why is it surprising?


Because Revolut is the only fintech/banking app that is actually on the list. I do have other 3 banking applications installed on my phone that I regularly use + N26 (another fintech) -- none of these are in the data sharing list.


If Google and Facebook are ready to "show" these data, I wonder what and how much data they are hiding.


Good point. I also wonder what the motivation behind this tool is.

Furthermore, I don't understand how any of this is GDPR-compliant.


> Good point. I also wonder what the motivation behind this tool is.

Probably to tell regulators and politicians that "transparency is in our dna" we design tools to help users know who is interacting with their data


IANAL but will guess it is to make facebook GDPR-compliant. They show the data they have about us, but don't know if the apps that send the data to fb have used opt-in to enable sending data to fb. Maybe time to start writing emails to the companies who have uploaded our information without consent?


There's a little note saying that the list may not be complete. If you click that, they pop up an explanation, one of the bullet points in which says this:

> We receive more details and activity than what appears here. For technical and accuracy reasons, this list doesn't show all of the activity that we've received. Activity that is not shown includes information that we've received when you're not logged in to Facebook, or when we can't confirm that you've previously used Facebook on that device. It also includes details such as the item that you added to your shopping basket.

It seems to me that this gives them carte blanche to omit anything they feel like omitting.


Real nice that there is no bulk turn-off feature. Giant pain to click through a few hundred sites to block future activity. But I suppose that's the point, right? To make it as difficult as possible for users to block this kind of oh-shit creepy behavior.


There is no turn-off at all. If you read carefully you will see that they will still collect the data, just that they "promise" they won't assign it to you. Yeah right :)


Blind app sends interactions to Facebook. This defies the whole point of the Blind app. This is so wrong on so many levels.


This was the most shocking for me. How is Blind getting my FB info from the app? Is there a way to prevent this on Android?


I don't use Facebook, but I do use Messenger as I have a couple of close family members who refuse to use anything else. I've just logged into Facebook (which has no history as I've purged it[1]), and still there are 5 apps sharing my activity with Facebook. These 5 apps are all on my phone, so I guess Messenger is also sharing back to FB. :( ---

[1] Shameless plug: https://github.com/Jaruzel/DeleteFacebookActivity

[Cross-posted from the other thread]


That's so funny that they come up with this page these days.

"We receive Jane's off-Facebook activity and we save it with her Facebook account. The activity is saved as "visited the Clothes and Shoes website" and "made a purchase"."

I downloaded my data before, and never have I seen what exactly the listed companies sent to FB.

I have a list of just a few companies (mainly by using a different email address for FB only) but still, I have no idea what these companies sent to FB about me.

Edit: I found the data now - it's now available for export.


NETFLIX. The regular "payment" records don't concern me but the "custom" records (as recent as last night) do. Is that viewing data or what is this? I've also got "custom" records from HULU, but the last one was in December.

This isn't necessarily sinister... but it certainly raises some questions on what these streaming video companies are telling Facebook on a regular basis.


Be sure to find both settings: the one to clear activity up to now, and the separate one to ensure that future activity is not tracked either.


... wow.

You know, you hear about tracking cookies but it's a whole other thing to see it staring you in the face. What's the most shocking is how small so many of these entries are. Like, there's a local children's day-camp and sports facility that I send my kids to on P.A. days on the list. And a local politician's page.


There is nothing on this page I was not aware of and intentionally linked (e.g. Strava).

So does this mean I am successfully stopping them from tracking websites I visit via tracking pixels / IP mapping / whatever other nefarious shit they do, or are they just not showing this information here?


One thing I'm not clear on - when I click on Coinbase (just one example) I see the following under 'What you can do';

- View coinbase.com

- Turn off future activity from coinbase.com

- Give feedback about this activity

Does 'turn off' mean they won't share this information again, or that I won't be told about it again?


I believe the vague wording is intentional, so they can just stop displaying it to you, while continuing to collect the data. It's like how "delete account" works.


It's not that vague, if you do click to disable you are taken to page that words it quite directly.


OK, maybe "misleading" is more suitable.. :)


>We receive more details and activity than what appears here. For technical and accuracy reasons, this list doesn't show all the activity that we've received. Activity that is not shown includes information we've received when you're not logged into Facebook, or when we can't confirm that you've previously used Facebook on that device.

So, basically all the information they have on me? I don't log in to facebook all that often. By not helping them surveil me, they'll coyly pretend like they have less surveillance data tied to my account in their database than they do. I doubt they're going to purge those surveillance records for "technical and accuracy" reasons.


"just must log in to read this"

Can someone please share it?


It's a page for people with an account at FB that lists the 3rd party websites that have given information to FB.

> Off-Facebook activity includes information that businesses and organisations share with us about your interactions with them, such as visiting their apps or websites.

It's creepy.

> We receive more details and activity than what appears here. For technical and accuracy reasons, this list doesn't show all of the activity that we've received. Activity that is not shown includes information that we've received when you're not logged in to Facebook, or when we can't confirm that you've previously used Facebook on that device. It also includes details such as the item that you added to your shopping basket.


I can't believe that this stuff is acceptable, or even legal. The fact that you're tracked off-Facebook (for instance), even if you're not logged in or on Facebook is not just creepy, but borderline abusive.


Congratulations, of all the people who have responded with outrage on this thread, you are the only person I've found that has a website listed that DOESN'T run Google Analytics or some other third party analytics platform.


Thanks, but what value does your appeal to people's hypocrisy bring to this discussion?



Point is, though, someone being hypocritical doesn't make their argument wrong - claiming that it does is a fallacy [0].

[0]: https://en.wikipedia.org/wiki/Tu_quoque


Now we need a one click delete all data in account button, without 'deleting' the account, because 'deleting' your facebook account doesn't delete any of the data inside of it.


Interestingly, none of the other "big brother" companies show up on my activity feed, even though I do use them. No Apple. No Amazon. No Google. No Netflix. Not even Microsoft.

Anyone else??

Wow, this is beyond creepy.


Clearly they’ve come to the realization that they either do this voluntarily or future regulation will force them to do it. The beginning of the end of hyper-targeted online advertising has started.


Nowhere to hide.

Just a few days ago I wanted to research some nasty disease and I used brave on TOR to watch some stuff about it on YT.

First thing after I opened FB was a clinical laboratory tests adv.


The fact that they have information about apps that I specifically chose to not link to facebook for variety of reasons...

Including one specific app that they have 356 interactions from that I really do not want associated with my facebook account.

Looks like I am going to be spending the next couple of days digging through the report I just generated.

When this is all server side, is the only option to make an email that is only for facebook and hope they can't link data any other way?


The fault is half on Facebook but also half on the providers & services sending the data to Facebook. The Facebook SDK or tracking pixel doesn't magically embed itself into apps or websites, it's still up to the developer to include this.

I suggest stopping doing business with that vendor and letting them know why.


It would be good to name and shame every vendor that shares data with Facebook and have them in a searchable list, so people can check before engaging with them.


What are the best ways to protect against this kind of tracking? I would argue it's probably better to keep a Facebook account so you can see what they're tracking and work to prevent it.

In my browser I'm running uBlock Origin, HTTPS Everywhere, and Privacy Badger. I'm guessing those will help quite a lot. However on an iPhone what can I do (as that's where a lot of this data seems to be coming from)?


Keep in mind that Facebook probably has a few unique identifiers from you apart from browser cookies:

- Email address

- Cell phone number (even if you only used it for 2FA)

- Credit card number (if you ever made a donation via Facebook or bought digital currency in a Facebook game)

- Advertising ID of your mobile device (can be reset in Android as well as iOS)

In order to avoid tracking, you have to make sure that none of these are known to Facebook and to other companies.


I removed my Facebook info from my browser and phone, changed the info I had on there to be basically anonymized (except to people who know me), and then logged in with a different browser on both desktop and phone dedicated to just Facebook. Now they can't tell what websites I'm going to and don't have direct access to my photos and files etc.


Kinda surprised how many interactions I've had tracked from my visits to Home Depot, I've only recently started stopping by there in the past year or so. What data could they have possibly even used? Sell me more cardboard moving boxes? Plant supplies?



I imagine they use the information of what you bought in the store to target ads for things you might want.

If you went there to buy moving boxes, they might show you ads for paint or other things someone who just moved might want.


... html/js allowing requests to domains other than the one in my URL bar was a mistake.


Weirdly, FB thinks I've had dealings with Home Depot, which I've never visited (virtually or IRL). Nothing else, but then I use Ublock Origin, Privacy Badger, disconnect.me etc. as well as FB Purity. I also don't have a smartphone.


> You must log in to continue.

Nah, I will pass.


I couldn't open the link either. I have only the URL to go on, but the irony is... glaring.


Four days before the UK general election, Facebook apparently "received activity" relating to me from an anonymous, icon-less organisation with a cryptic name, who appear to be completely un-googleable.

Well, that's reassuring.


Nice FUD there.

> icon-less organisation with a cryptic name

Oh my god what if they're foreign? Isn't it terrifying to think about foreigners? Better take that fear into the voting booth with you.


Er, what? Where did I mention anything about them being foreign?


I honestly can't tell what you're trying to insinuate. What exactly is this nefarious activity log doing that relates to the general election?


"You have no available activity to show at this time."

Qubes OS with disposable VMs helps!


I apparently have no records of off-Facebook activity. This is probably because of blocking all 3rd-party cookies and enabling the blocking of social media trackers in both uBlock as well as that built into Firefox.


Seems like most of my data they got from apps on my Android phone, there was even an app that I just installed, opened and uninstalled in less than a minute without even logging in or anything.

How can I block them in the future?


Set the "limit ad tracking" feature on your phone at the OS level and the advertising id will become unavailable to everything. On Android this is Settings > Privacy > Advanced > Opt out.


I am in Europe, so by law (GDPR) I have the right to make them delete all of this data.

How do I do so?

Also, I never consented to this being collected. How can their practice of collecting this type of data be GDPR compliant?


You can disable the storage of this data on the linked page.

But I'd recommend going to the source: Read the privacy policy of each party delivering data and check if they mention it. I already sent a mail to the DPO of an app provider which shows up in this list and doesn't mention Facebook in their privacy policy.


Even if the app had it in their privacy policy, that would not mean it is legal to send your data to Facebook.

GDPR requires the user's consent to do so. Having a statement in a privacy policy is imho not enough to qualify as consent.


I'm not anyone's lawyer. These are questions, not answers: GDPR is about collecting data from you, right? If Site X is sending data about you to Facebook, perhaps that's an issue with Site X's GDPR compliance, not Facebook's?


In case of Facebook, one has to wonder, is this a move towards consumer privacy, or a way for Facebook to clear cache so they could build a more up to date profile of you?


These apps are from my phone which does not have the facebook app installed. They must be harvesting stuff on me from the Instagram and/or WhatsApp permissions.


Literally the first result in the list of companies that shared data about me with FB is my pharmacy. My pharmacy! That's just... wrong.


When is Facebook's next investor call? The number of newly active users (who showed up for this) is going through the roof!


I clicked the link and was told I needed to log into Facebook to continue.

Is it necessary to have a FB account in order to read TFA?


It's not an article, it's a link to an overview of all the "off-facebook activity" data that facebook has gathered on your (the logged in) profile


What is this? I only get a login prompt. I don't have a fb account.

Would s/o mind explaining what this is all about.


Emirates NBD Bank app and CAREEM app are sharing info with Facebook.

It was very surprising to see ENBD in the list.


never installed facebook app on a phone, but multiple 3rd party apps on the phone report to facebook. For some reported apps i've never been logged in.

looks like facebook knows my phone's "hardware id" from somewhere

edit: good to know that uBlock blocked all web activity


Now imagine what google has on you.


Ah, so disappointing that I need a Facebook account to read this. The joy of missing out.


My payroll and accounting systems are talking to Facebook about me. Why? I have no idea.


Is it FreeAgent by any chance? I use it (but can't check as I don't have a Facebook account) and if it is that one then I will definitely be looking to switch away as this is unacceptable.


Is there a way to tell how Facebook is tracking you if you deleted your account?


Can someone post a screenshot for those of us without Facebook accounts?



Did they take this down? It just goes to my Facebook home page


Can someone tell us non-Facebook users what this looks like?


From what I can gather (I'm in the same boat), it seems Facebook launched a portal for users to see what third-party services/activities they know about. One user here mentions an offline, in-store Macy's transaction appearing in that data; others mention streaming service data (Netflix, Hulu); one even mentions a reference to Blind, but not much detail on what type of data.

Surely, Facebook must be collecting this on non-users as well who obviously have not agreed to their terms.


390 connected apps. And I never use facebook login


Is there an equivalent Off-Facebook for Google?


There is, and it's equally creepy: https://myactivity.google.com/myactivity


This is only information related to Google services or approved third-party apps, no? I was hoping there was a service showing what apps communicated with my Google account without any explicit notification or permission.


Here's what Google says. Ask your lawyer if you want to know what it means.

https://support.google.com/websearch/answer/54068?p=web_app_...

When Web & App Activity is on, you can include additional activity like:

* Sites and apps that partner with Google to show ads

* Sites and apps that use Google services, including data that apps share with Google

* Your Chrome browsing history


fuing unbelievable that my photo to scan app on the phone is sending activity to Facebook!


Also check https://www.facebook.com/ads/preferences/?entry_product=info... to see who has uploaded lists including your email or phone number to facebook. Wonder what GDPR says about uploading this type of lists


So is there any way to find out what information FB has on you if you don't have an account?


I don't understand.

It says I completed a registration for a company I never signed up to.

I did visit that company's restaurant that day, but I did not purchase anything.

Are some companies auto-registering you?



