Aside from the mountain of irrelevant notifications, here's what I've observed in this report that's concerning.
1. Albeit some data has been correlated properly (banking applications which is scary on its own part it's sending data to Facebook, Imgur, Xbox, my telco provider, and a few misc blogs I've visited a handful of times per year), it's correlated a significant amount of data that may not belong to me (good thing, I suppose?)
2. Why the heck are banking applications sending data to Facebook as "CUSTOM", with no context? For example, RBC bank in Canada sends "CUSTOM" data (haven't been with them for over two years, but all interacts labelled CUSTOM) and Facebook will not give any more context on the exact data it received. Little scummy, Facebook.
Well, time to sweep this up and resist tracking more. Let's see how it works this time round.
I'll share my strategy.
Banking: Vivaldi Browser w/ Privacy Badger and uBlock Origin
Email and Commerce: Chrome Browser w/ Privacy Badger and uBlock Origin
News and other BS (like Hacker News): Firefox browser, always in private mode w/ Privacy Badger and uBlock Origin
LinkedIn (in the rare case I use it): Internet Explorer
Reddit: Naked Browser
News and other BS: DuckDuckGo Browser
EDIT: I also do not use my credit card on my phone unless in extremely rare events. Absolutely no banking on my phone. No fancy apps (I use the web version where possible) beyond the generic stuff like email and maps. I use Signal for texting.
My strategy (Desktop & Mobile):
Firefox + Facebook Container & uBlock Origin & Privacy Badger & DDG as search.
I use Firefox + FB container + uBlock Origin + Privacy Badger and recently started to use CanvasBlocker as well. I have Firefox configured to delete all cookies on closing (except for a few sites to avoid the need to enter the 2FA code every time I log in).
I've also set Firefox Enhanced Tracking Protection to "Custom mode" with "cross-site and social media trackers" blocked and to use block list "level 2".
I also have the "Do Not Track" option switched on.
I don't have a proper smartphone (never owned one), just a KaiOS-powered dumb-phone on which I use Facebook mobile (i.e. their web site) all the time.
Also no Pi-Hole or similar stuff.
I use a throwaway email account for Facebook.
Just now I've found out that there seems to be a new option, to disable "all cookies from unvisited sites", which I'm going to try as it looks even better.
I feel like this might be key, I use a random burner number and this seems to confuse the tracking.
So how were they able to track so much about you? Do you have the Facebook or Whatsapp app on your phone? Or is this just the difference that they track much more in the US than in Europe?
There are similar setups on iOS, I am just not very familiar with the app names.
- Fingerprinting resistance in Firefox (privacy.resistFingerprinting = true)
- First-party isolation in Firefox (privacy.firstparty.isolate = true)
- Blocking third-party cookies in Firefox (network.cookie.cookieBehavior = 1)
- Firefox container when I need to login to ad/tracking companies (Facebook, Google)
- uBlock Origin
- Cookie AutoDelete
- PiHole on my home network
Having done this in a previous life, they do this because they fight against scraping their search results.
It's just like with Google history you can "delete".
They have the data stored for the authorities anyway.
They are required to do it by law (Patriot Act etc.)
This is true:
>We receive more details and activity than what appears in your off-Facebook activity. For technical and accuracy reasons, we don’t show all the activity we’ve received. This includes things like information we’ve received when you’re not logged into Facebook, or when we can’t confirm that you’ve previously used Facebook on that device. We also don’t show details like the item you’ve added to your shopping cart.
I wish they would show the ghost profiles as well, but since it's not linked with 100% confidence they are probably not allowing it because it could be a privacy violation if it turns out that the link was incorrect (i.e. they showed a ghost profile to the wrong user).
BTW, how does PiHole help in regards to anonymity?
By blocking many advertisers' tracking cookies (by blocking all access to those hosts by pointing the DNS result elsewhere) it reduces how far your information immediately spreads.
Far from massively effective because it does nothing to stop 1st party tracking and those 1st parties sharing further, or 3rd party cookies for new hosts not in the blocklists yet, but it can still help.
My use of PiHole isn't really an anonymity/tracking avoidance thing, my priorities in using it are avoiding ad network related annoyances like drive-by install attempts from less reputable (and/or hacked) networks, auto-playing audio, pop-ups/-unders, bandwidth waste (particularly from auto-playing video clips), occasional attempts to access microphone and/or camera, etc.
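Added example (not part of the thread, and not Pi-hole's own code): a simplified model of a DNS sinkhole that shows the coverage and the gaps described above. The hostnames, upstream answers and the parent-domain matching rule are assumptions of this sketch.

```python
# Constructed hosts-format blocklist; every hostname here is a made-up example.
BLOCKLIST_TEXT = """\
# ad and tracker hosts
0.0.0.0 tracker.adnetwork.example
0.0.0.0 pixel.social.example   # inline comment
127.0.0.1 localhost
"""

# Constructed upstream answers (documentation addresses) standing in for real DNS.
UPSTREAM = {
    "www.bank.example": "192.0.2.10",
    "metrics.bank.example": "192.0.2.11",
    "new-tracker.adnetwork.example": "198.51.100.20",
    "cdn.tracker.adnetwork.example": "198.51.100.21",
    "tracker.adnetwork.example": "198.51.100.22",
}

SINKHOLE = "0.0.0.0"


def load_blocklist(text):
    """Parse hosts-format lines into a set of blocked hostnames."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        host = line.split()[-1].lower().rstrip(".")
        if host != "localhost":               # hosts files often carry this entry
            blocked.add(host)
    return blocked


def resolve(qname, blocked, upstream=UPSTREAM):
    """Answer a query: sinkhole listed names (and their subdomains), else ask upstream."""
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    # Assumption of this model: a listed name also covers its subdomains.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return SINKHOLE
    return upstream.get(name)


if __name__ == "__main__":
    blocked = load_blocklist(BLOCKLIST_TEXT)
    for q in [
        "tracker.adnetwork.example",       # listed third party: sinkholed
        "CDN.Tracker.AdNetwork.example.",  # subdomain of a listed host: sinkholed
        "www.bank.example",                # first party: resolves normally
        "metrics.bank.example",            # first-party tracking host: resolves
        "new-tracker.adnetwork.example",   # third party not yet on the list: resolves
    ]:
        print(f"{q:35} -> {resolve(q, blocked)}")
```

The last three queries resolve normally, which is the limit the comment points out: the resolver only sees hostnames, so first-party collection and hosts missing from the list pass through.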
Honestly, I think that health-related searches that are directly tied to a specific individual (especially without informed consent - I didn’t log in or receive any notice this was being done) should be covered by HIPAA just like any other personally identifiable health record.
The other weird one was the huge amount of data my bank was sending. 20+ requests per session. I have no idea why they would do that.
I wonder what Google is doing with all those health related searches I'm making...
Unauthorized copying or use of this information could be simple copyright infringement, which is apparently criminal enough to involve the FBI if you are a movie studio with enough money to spend on political donations.
1) Install https://www.eff.org/privacybadger to prevent trackers from being loaded
2) Install https://addons.mozilla.org/en-US/firefox/addon/cookie-autode... to delete any cookies you might have accepted after a week's time or so, which prevents the infinite gobbling-up of your data after innocently accepting a cookie once
3) Install the Google, Facebook, Twitter and Amazon containers to "separate" your browsing with these sites from the rest of your browsing. Links: https://addons.mozilla.org/en-US/firefox/addon/facebook-cont... https://addons.mozilla.org/en-US/firefox/addon/twitter-conta... https://addons.mozilla.org/en-US/firefox/addon/google-contai... https://addons.mozilla.org/en-US/firefox/addon/amazon-contai...
Also, if you are creeped out by this, just imagine the amount of data Google has on you. I'm convinced they have way more, just by virtue of every website having Google Analytics installed.
I have no idea how they're doing this, since they didn't even request storage access (or I didn't give it). Can any Android developer here chime in on how an app can figure out my Facebook ID even though I don't even have Facebook installed on my phone and didn't give any sort of credential or access to the app?
The third party data sources is the easy one. Log into service A on your computer and service A on your phone. Service A fingerprints both and sells the data to service B. Now service B knows how to correlate your behavior between devices even though you never logged in.
I’m sure you’ve logged in something on both your phone and computer. It doesn’t have to be Facebook.
Edit: This report puts the blame mostly on Google ads ID.
I've been running uMatrix for a few months.
My Firefox tracking-prevention (similar to EFF's one, but probably not as good) is always using maximum privacy settings.
I still have a few sites appear... AND for websites I've never even visited (that I'm aware of, & I'm the only user of this machine)
There seems to be some serious fingerprinting going on, more than simple cookies.
Has anyone done a good deep dive on what Google actually does with GA data?
> except installing vpn based firewall
So they can send the data instead?
Anyway even NetGuard is far better than nothing, most apps don't need their own servers. And the largest data slurpers are known. For FB just block all FB domains.
- use Facebook pixel tracking on the site.
- hand over all of their user's email addresses to use for audience building.
Or most likely both. Creepy stuff indeed.
I literally just opened the app, granted no permissions, used it a bit, and Facebook associated it with my account. What the fuck.
690 App/Sites for me! Not overly surprising really
Duolingo is a nice app for learning new languages, yet it might be using the same SDK, since it likes to call the facebook.com domain.
Netflix is a good streaming service, but it has some option somewhere, which allows them to share data with others, and enabled by default. And yes, it's present in fb activity.
The list can go on...
There are developers who integrate dozens of SDKs, without any specific purpose for users, and not knowing what is happening. We need something like PrivacyBadger/ublockorigin for phones/laptops/routers/homes/cars. It's getting more than creepy.
And why would Facebook allow third-parties/businesses to upload into FB info they have on their customers...
PS: analysis of how a simple menstrual tracking app is leaking data about the owner https://media.ccc.de/v/36c3-10693-no_body_s_business_but_min...
I’m on iPhone, and see apps listed where:
- I’ve never logged in on the web
- I’ve never clicked to open a link in a browser on-device
- Used a phone number to sign up that’s not associated with my fb account
- Didn’t use email at all
not saying that's worth having an account though.
Here is my secret: I deleted my facebook account several years ago. (before it was cool)
I love how links like this are (successfully?) attempting to pull people back in.
I just tried to change my email address on Facebook and discovered that they canonicalize plus and dot variations in gmail.com addresses, and thus claim that the new email address is already associated with an account. Ended up having to create a completely new email alias on my own domain.
While it's easy to point at Facebook and say "they are so creepy" - this sounds like the type of challenge every marketing department faces. "What is the attribution of X,Y,Z ad campaigns?"
Connecting purchase + email + 'where the ad happened' via social solves that.
That can still be creepy. (If you're meaning that the accusation of "creepy" should be directed at modern marketing in general and not just Facebook, yes, I'd agree with that, though a good part of how we got here is large centralized aggregators like Facebook.)
I think there are plenty of non-advertising contexts where "using people's data to influence their behavior more effectively" can easily cross from normal to creepy as you start collecting more data. If you give your SO a certain flower because you remember a conversation the two of you had a while ago about that flower, that's normal and even thoughtful. If you give your SO a certain flower because you hired people to follow them before you even started dating and you got a report that they always stopped to admire a certain flower on their walk to work, that's creepy.
1. Is that ok that we accept this sort of Pavlovian training from anyone, much less for-profit companies?
2. Is it ok now that the entities are so easily able to completely track the effectiveness of their advertising and thus empowered to amplify whatever works to increase their success rather than some metric like human happiness?
There are new data privacy regulations at the state and federal level going into effect which is why FB made these changes, but they don't explicitly prevent this kind of data sharing from an outside company using first-party trackers to send data to Facebook's marketing platform.
This sounds like they are going to continue using my purchase data but without anonymization? Not a native speaker so perhaps I'm just misunderstanding the sentence.
Credit transaction fees actually make lots of sense and are grounded in the actual cost of the financial product. As a merchant, you can choose to accept only debit cards to avoid the cost
Is this right? It's been my experience (in Canada) that losing a fraud case or chargeback the store takes the hit.
Giving someone money and then feeling all giddy when you get a "reward" later means you've been gamed.
* I get literal cash through their rewards program which just slowly accumulates without me having to think about it.
* I get all the nice protections and can do chargebacks.
* The money I spend every month stays in my bank account until just after the bank calculates and cuts my interest check. Like it's super negligible but hey, if I'm getting an interest free loan anyway.
2% cash back from the card + 0.25% interest from the bank ain't nothing.
Once upon a time, it was beneficial for a merchant to accept credit cards, it lowered their costs for handling cash, which meant they saved money and the 2% cost for each transaction was reasonable.
In a world where everyone is using credit cards for every purchase, that 2% is essentially a tax instead.
Like there’s no point to trying to punch a river as a lowly software dev completely unrelated to finance and politics.
But, you have to realize that it's not beneficial to you. You don't earn anything, you merely, barely, move the needle back up to break-even. You're not gaining. You're not winning. You're not sticking anything to any man. If the entire credit card industry got rid of rewards, and lowered their merchant fees, it would be a net benefit to you.
So feeling happy or grateful for cash-back means that they got you, they tricked you into feeling grateful for the privilege of giving away your money.
Likewise, except for small businesses whose owners don't actually price in the cost of their own time and labor, it's not entirely obvious to me that the cost of accepting credit card payments actually is any more expensive than the cost of handling cash, which is probably why cash discounts are rare. The main exception to that seems to be gas stations (which usually have a lower price for debit cards and not straight cash), except even in that case, I get an even bigger discount by using Costco's gas station, which doesn't have any such discount. You do address this point...
> Once upon a time, it was beneficial for a merchant to accept credit cards, it lowered their costs for handling cash, which meant they saved money and the 2% cost for each transaction was reasonable. In a world where everyone is using credit cards for every purchase, that 2% is essentially a tax instead.
That makes no sense. If the cost of receiving credit card transactions is 2%, that doesn't imply that the cost of receiving any other kind of transaction is 0%. If there's no cash discount, the difference in cost to the consumer is zero anyway. But the difference in cost to the merchant isn't 2% either, because if they accepted a different form of payment, the difference in cost would be 2% minus the cost of accepting that different form of payment. (And if they didn't accept any form of payment at all, the cost would effectively be 100% because there would be no sales). In a world where credit card sales are ubiquitous, if anything, credit cards become a better deal for merchants because there's less economy of scale for cash-handling services.
All in all, I would even suspect there are instances where credit card rewards end up providing a net positive to a sufficiently devoted cardholder simply because most people are not going to expend the time and effort necessary to maximize their credit card rewards. It's just like Vegas in that sense--while it's true that "the house always wins", casinos will also comp you rooms and drinks, and there are documented instances in which you would expect to be better off playing video poker or blackjack for long enough to get a free room (assuming perfect play, which means memorizing a small decision tree). Why is this possible? Because the vast majority of people don't play perfect blackjack or video poker. Businesses plan for average-case expected customer behavior and not best-case (or worst-case from their perspective).
The actual cost of handling card payments is very, very low these days, but merchants are stuck paying the higher price, because there's effectively no competition in the space. To avoid having obscene profits, the cc companies give back a lot of the extra money to the consumers in the form of cashbacks and rewards, and then consumers stupidly feel grateful for being fleeced.
In an ideal world, merchants would pay only the actual cost for handling card payments, only pay for the tech itself, and the fraud risk. Naturally, such a pricing would be a fixed per-transaction-fee, because the actual cost is the same for each transaction.
In the same ideal world, the credit risk of credit cards has to be managed through the interest rate and credit worthiness management. It's completely outrageous that credit card processing fees should in any way, shape or form cover the risk side or the fraud side of the business. That's not the merchant's problem.
That would be fair. That wouldn't be gameable. Some countries did exactly this: https://en.wikipedia.org/wiki/Dankort
In other words, the cost of processing credit cards is low enough that it successfully competes with every alternative form of payment. In which case I don't see what you're outraged about. Invent a more cost-effective payment mechanism if you think there's an opportunity for it.
There's no dog and pony show involved, and I have not been gamed.
It doesn't really feel that way as you're flying to Hawaii for free.
What you're doing is the equivalent of always paying with bills, and dropping your spare change in a jar. And when the jar is full, you buy a ticket to Hawaii with the money in it. Except with a credit card, they keep the jar, take half the quarters, give you back the rest, and make you feel grateful for the entire experience.
There is no free lunch.
The lunch is not free. You're buying it for us.
So if you have the choice between using a girocard or a credit/debit card to buy a product, the credit/debit card is significantly more likely to sell all your data.
Also, the opt-out of each number is only honored for FIVE years after which you need to opt-out again.
But it's still worth opting-out of your Apple Card's virtual number.
The number is in the wallet app, ... > Card Information
It's possible that this is an implementation detail and some banks do it without a unique card number...
Can't sell cash transactions yet!
interesting.. they could use that to predict earnings..
And unless you rotate your financial passwords on a frequent basis, that access continues pretty much indefinitely.
Not true for 100% of cases, but a general rule of thumb that's applicable to the majority of institutions they log into with your credentials.
A few years ago when Chipotle had its little food scare, Foursquare used its data to predict how much the restaurant chain's revenues would decline. IIRC, it was accurate to within 1%.
I just tell them that I don't have one. On the very rare occasions anyone has balked I tell them I just moved and haven't set up my internet yet.
But then I went from creeped out to oh shit as sites I run were on the list. The way Facebook puts it, these businesses are actively sharing data with Facebook for the businesses' benefit. But as a developer who has been asked to put a pixel on a site many times, I have to rethink the data exchange here. Obviously the sites are not getting the benefit that Facebook is receiving from everyone piping in data – often unknowingly.
How is that obvious?
Surely sites would eventually stop going through the extra effort to maintain trackers if they didn't get a benefit?
The biggest impact, for me, is that the dominance of Google and Facebook based on having access to this data for the general population has led to worse advertising revenue for the news industry and some of my favorite websites. That has caused some of them to rely on memberships and paywalls.
I also don't appreciate that the money that they've accrued due to their dominance as a result of data like this has led to undue political influence. That comes at the expense, I believe, of voters (and I'm one of them). I don't think that power is healthy for a democracy, generally. I believe this about non-tech companies, too, so I wouldn't suggest anybody just pick on this industry.
This isn't to say that I'm not concerned about privacy. It's only to say that IF YOU AREN'T, then there are other reasons to root for people to have transparency around how their data gets passed around.
Edit: I have now deleted the DNS records so the website will be down until I have time to fix this properly.
I’d look into static site generators but the problems with them is that I will always be tempted to tinker with it which is why I went with a hosted solution.
I will look into Substack as I’ve seen it used quite a bit around here recently. If not, I’ll see what Squarespace has to offer.
I actually tried emailing the owner of Svbtle (the platform I used) about removing GA but haven’t had a reply.
So at the end of the day, it means I don't get to enjoy as much quality content from the publications that I love.
In my view, I end up with the best content when advertisers aren't going to one or two central places for their ad buys online. I'm actually an advertiser, myself (as just one part of my job). And I certainly know how my own buying practices have shifted over the past 14 years to now be 100% focused on FB/Google. Some of the Google money trickles down to other publications, and certainly this makes my job easier, but I don't think it's a good thing as somebody who also loves reading online.
I don't have a problem with bad content out there, so long as there's a ton of really good content. For the great publications I read, I want them to be successful businesses so they can expand. A better ad market, or even a return to how it was before the dominance of FB/Google, would enable them to do that in a way that relying mostly on subscriptions hasn't.
Any sensible way of stopping this?
Instructions on changing DNS settings https://joyofandroid.com/how-to-change-dns-on-android/
> Is it even possible to do this on an iOS device that's on [...] someone else's wifi
Yes, since you can do it on your device, and do not have to do it on the router. Drawback is you have to do it for each Wifi network anew.
> Do iOS devices have the same "leak"
Yes, there is nothing that prevents apps from phoning home (or phoning every one of a dozen data collection "partners")
If it is a DNS server change on 4G/LTE, it can be done by using FOSS apps like DNSCloak on iOS. 
So you can ask https://www.radb.net/ for the IP addresses that are associated with this AS and, after a quick manual sanity check, insert it into the firewall of your choice. For example:
whois -h whois.radb.net '!gAS32934'| tr ' ' "\n" | sed 's/^/saddr /'| sed 's/$/ DROP;/'
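Added example (not part of the original comment): one way to automate the "quick manual sanity check" before the prefixes reach a firewall. The sample reply is constructed, its framing lines are an assumption about the reply format, and `MIN_PREFIXLEN` and the `protected` list are hypothetical parameters.

```python
import ipaddress

# Constructed sample in the shape of an IRR "!g" reply: a header line, one line of
# space-separated prefixes, and a closing status line. Prefixes are documentation
# ranges plus deliberately bad entries; they are not real routes of any AS.
SAMPLE_REPLY = (
    "A96\n"
    "192.0.2.0/24 198.51.100.0/25 198.51.100.128/25 "
    "203.0.113.7/24 10.1.0.0/16 0.0.0.0/0 bogus\n"
    "C\n"
)

MIN_PREFIXLEN = 8  # assumption: anything broader than a /8 is treated as an error


def parse_reply(reply, protected=()):
    """Return (networks, rejected); rejected is a list of (token, reason)."""
    keep = [ipaddress.IPv4Network(p) for p in protected]
    accepted, rejected = [], []
    for line in reply.splitlines():
        line = line.strip()
        if not line or line[0].isalpha():
            continue  # framing/status line, not prefix data
        for token in line.split():
            try:
                # strict=True rejects entries with host bits set, e.g. 203.0.113.7/24
                net = ipaddress.IPv4Network(token, strict=True)
            except ValueError:
                rejected.append((token, "not a valid IPv4 prefix"))
                continue
            if net.prefixlen < MIN_PREFIXLEN:
                rejected.append((token, "too broad"))
            elif any(net.overlaps(p) for p in keep):
                # never emit a DROP rule that covers ranges you depend on
                rejected.append((token, "overlaps a protected range"))
            else:
                accepted.append(net)
    # Merge adjacent and duplicate prefixes so the rule set stays small.
    return list(ipaddress.collapse_addresses(accepted)), rejected


def to_rules(networks):
    """Format networks as the 'saddr <prefix> DROP;' lines the sed pipeline emits."""
    return [f"saddr {net} DROP;" for net in networks]


if __name__ == "__main__":
    nets, rejected = parse_reply(SAMPLE_REPLY, protected=["10.0.0.0/8"])
    print("\n".join(to_rules(nets)))
    for token, reason in rejected:
        print(f"# skipped {token}: {reason}")
```

Fed a reply framed like the sample, the `tr`/`sed` pipeline would also wrap the header and closing lines in `saddr ... DROP;`, which is one of the things this filter drops.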
> "Privacy International has tested both opt-outs and found that they had no discernible impact on the data sharing that we have described in this report."
So there's that. I wonder if any opt-out really helps. I think the best approach is still to use a good blocker such as uBlock Origin.
Both of these identifiers can be reset at any time via os features, making you appear as a new user (at least until fingerprinted or a new association with PII is made)
I know it sounds preachy and it's not a conclusion most people will like. But, like fasting, going without something you like but don't really need does help you focus on what you really do need.
I think the process of honestly asking the question is more useful than the actual answer. Life & society is full of compromises.
One of their employees says this is in error so hopefully it will be fixed.
I guess signing in with email is pretty much equivalent to contacting Facebook if this is possible to do.
Besides that there are physical retailers that send data to Facebook even though I don't recall giving them any idea identifying info. I feel powerless since I rely on Messenger for communication with friends, who I've tried and failed to convince to switch elsewhere.
Could you elaborate on why this is an issue? Plex doesn't really have network effects and is usually only managed by 1 person.
Maybe you give your friends access to your instance? In which case it seems like they are in no position to complain.
I'm also not the only one in my group maintaining a Plex server, so they'd incur a transitioning cost as well.
If so, that could be how they matched you. Facebook lets businesses create custom retargeting audiences from existing customers, and you can (obviously) include interaction data in order to segment e.g. frequent customers from occasional customers.
Funny, I now remember reading a post from someone claiming that if they ordered an online grocery shop off a company that was not their usual, like magic a voucher would appear from their original company. I assumed this was coincidence, but this is the exact mechanism that such a thing could happen.
Of course this could also just be a manifestation of the trend of companies desiring data for data's sake, and a load of deliveroo managers are sitting in a meeting somewhere looking at a graph showing an intersection of people who are into retro computing and also like burritos and trying to brainstorm some strategy off such trivia.
That's not really the idea - they're just trying to serve you ads wherever they think you might see them. Retargeting (whether it's through Facebook ads or AdWords or what have you) is one more engagement lever alongside push notifications, emails, etc.
I installed their app once, figured it doesn't properly do the only thing I needed it for (show battery charge level), and I went to uninstall it. How did it find itself on Facebook?
The app wasn't given any permissions and I did not enter any personal information. The TOS did require giving consent to sending app and watch usage data but I didn't tick allowing that for marketing purposes nor was personal information mentioned, just identification data from the phone itself, operating system etc.
The app must have obtained my phone number or email from the phone's personal data. Apparently that's possible even if I declined all explicit permissions. They might be able to find my Google email by using Android's AccountManager APIs. Phone number might be possible but slightly tricky and I think I disconnected my phone number from Facebook way before installing their app.
Interesting stuff - looks like everything should run in an anonymous container by default on phones, too. I hope we'll get there soon. Still, a lot of this is based on trust rather than technical countermeasures. Will you trust the vendor or not?
Here's an example to what extents they will go in order to not give you what you're entitled to by law: https://ruben.verborgh.org/facebook/
In fact, if they were GDPR compliant, they wouldn't be collecting this data in the first place.
EDIT: the link doesn't seem to work, so you can click on "Manage Future Activity" => "Manage Future Activity" in the popup => Disable "Future Off-Facebook Activity"
My off-Facebook activity had zero entries and I want to keep it that way. If they ever associate something with me I want to be alerted to the fact.
> We will still receive future activities from companies and organisations you visit. These might be used for analytics and to improve our advertising systems, but will not be connected to your account.
(Translated from Dutch because for some reason Facebook figured I'd want this particular message in Dutch.)
I have not connected my Facebook account for over 90% of these sites/apps but they still sent my data to Facebook.
But some are essential. Transferwise is not connected to my FB account but is sending data to Facebook.
I'm assuming Facebook keeps a history of my email addresses that it can still associate it to my account.
Another option is to change all my email addresses at these sites.
This is true: if you download your Facebook information file, you'll see it stores all the previous emails as well as all the previous IPs used.
How can I block it? Some apps are on my iPhone, but I don't have the Facebook app on it (I do have Messenger), and only used the apps on the phone. Aren't they isolated in some way?
However, the data only shows the source, timestamp and activity ID. The actual event data is not included.
But in the end I still would have deleted it. Facebook clearly can't be trusted with my data. Idc what connections it gives me. They have shown time and time again that they will exploit the tiniest things to predict and manipulate your behavior.
And apparently companies desperate for even slight upticks in conversion rates will upload everything they know about you.
No wonder Cambridge Analytica, AggregateIQ, and Robert Mercer had such an easy time compiling psychological profiles and categories of Americans and Brits.
In the end, it's real simple. The human brain adjusts based on the environment and events around it. I'd rather not have Zuckerberg, Dorsey, or anyone else they deem worthy, intentionally or otherwise playing around in my head.
Try logging in. You might have to reset your password, but the bastards haven't really deleted it.
I'm near 100% sure they're still trying to track & sell me, but without an account I can't even see it.
They sent me all the warnings that they were deleting anything.
Do I believe them at all? Not really?