Clearly I need to step it up. I was (unsurprisingly) surprised at what I've observed they've managed to correlate. I run standard pi-hole, resist fingerprinting, and normally go through a VPN (mainly because I'm on public wifi half the time when travelling). I haven't logged into facebook in about four years, just did it for the first time today to see what's been correlated.
Aside the mountain of irrelevant notifications, here's what I've observed in this report that's concerning.
1. Albeit some data has been correlated properly (banking applications which is scary on it's own part it's sending data to facebook, imgur, Xbox, my telco provider, and a few misc blogs I've visited a handful of times per year), it's correlated a significant amount of data that may not belong to me (good thing, I suppose?)
2. Why the heck are banking applications sending data to Facebook as "CUSTOM", with no context? For example, RBC bank in Canada sends "CUSTOM" data (haven't been with them for over two years, but all interacts labelled CUSTOM) and Facebook will not give any more context on the exact data it received. Little scummy, Facebook.
Well, time to sweep this up and resist tracking more. Let's see how it works this time round.
They only had two small websites for me. Great success!
I'll share my strategy.
On desktop:
Banking: Vivaldi Browser w/ privacy badger and ublock origin
Email and Commerce: Chrome Browser w/ privacy badger and ublock origin
News and other BS (like Hacker News): Firefox browser, always in private mode w/ privacy badger and ublock origin
LinkedIn (in the rare case I use it): Internet Explorer
Mobile:
Facebook: Opera
Commerce: Chrome
Reddit: Naked Browser
News and other BS: DuckDuckGo Browser
EDIT: I also do not use my credit card on my phone unless in extreme rare events. Absolutely no banking on my phone. No fancy apps (I use the web version where possible) beyond the generic stuff like email and maps. I use Signal for texting.
I use Firefox + FB container + uBlock Origin + Privacy Badger and recently started to use CanvasBlocker as well. I have Firefox configured to delete all cookies on closing (except for few sites to avoid the need to enter the 2FA code every time I log in).
I've also set Firefox Enhanced Tracking Protection to "Custom mode" with "cross-site and social media trackers" blocked [1] and to use block list "level 2".
I also have the "Do Not Track" option switched on.
I don't have a proper smartphone (never owned one), just KaiOS-powered dumb-phone on which I use Facebook mobile (i.e. their web site) all the time.
Also no Pi-Hole or similar stuff.
I use a throwaway email account for Facebook.
______
[1] Just now I've found out that there seems to be a new option, to disable "all cookies from unvisited sites", which I'm going to try as it looks even better.
Hmm, I don't use pi-hole, just uBlock Origin and Firefox containers, and they've only tracked three minor things, probably when I had some problems with my phone and uBlock wasn't working right.
So how were they able to track so much about you? Do you have the Facebook or Whatsapp app on your phone? Or is this just the difference that they track much more in the US than in Europe?
My activity was largely from apps on my phone. I just uninstalled and reviewed every one of those that was unnecessary. Unfortunately I need to find a new financial aggregator, because mine was sharing data with FB. I've seen a few self hosted ones listed on hn.
I use Facebook container and most of the sites reporting should've never even seen my Facebook account. However, many of these sites have my email address. I highly suspect they're correlating data without knowing my Facebook account itself.
if you're using android you can get add-ons for firefox. Also, you can use a firewall app like Netguard [1] to prevent apps from calling FB (graph.facebook.com)... I see most apps attempting to do this, and it's often the first thing they do.
There's similar setups on iOS, I am just not very familiar with the app names.
At the risk of a bit of inconvenience, you could use Firefox Focus. Browse (it's only one tab), erase at the end of browsing and repeat. It also has built-in blockers of different kinds.
I think GP is saying that Google itself is presenting the captchas, not the Google results they click. I've had it happen a couple of times when using VPNs before.
I might not have been clear; sometimes when using a VPN, you can't even load Google search results until you submit a captcha. If you go to "google.com", it will make you enter a captcha before you can search anything.
Out of all activities you listed, just 3rd party Cookie blocking and using any "login with Facebook" buttons would give the same result for Web. I don't think any of the activities you listed would prevent the data collected through apps though.
If you have a domain, you can give every service it’s own email address, ${service}@${domain}. They can try reporting that to Facebook, but unless someone understands that the entire domain is one account they won’t be able to correlate them.
> I don't think they will tell you the whole truth.
This is true:
>We receive more details and activity than what appears in your off-Facebook activity. For technical and accuracy reasons, we don’t show all the activity we’ve received. This includes things like information we’ve received when you’re not logged into Facebook, or when we can’t confirm that you’ve previously used Facebook on that device. We also don’t show details like the item you’ve added to your shopping cart.
Thanks for that link. Looks like the infamous "ghost profiles" are officially confirmed now.
I wish they would show the ghost profiles as well, but since it's not linked with 100% confidence they are probably not allowing it because it could be a privacy violation if it turns out that the link was incorrect (i.e. they showed a ghost profile to the wrong user).
By blocking many advertisers tracking cookies (by blocking all access to those hosts via point the DNS result elsewhere) it reduces how far your information immediately spreads.
Far from massively effective because it does nothing to stop 1st party tracking and those 1st parties sharing further, or 3rd party cookies for new hosts not in the blocklists yet, but it can still help.
My use of PiHole isn't really an anonymity/tracking avoidance thing, my priorities in using it are avoiding ad network related annoyances like drive-by install attempts from less reputable (and/or hacked) networks, auto-playing audio, pop-ups/-unders, bandwidth waste (particularly from auto-playing video clips), occasional attempts to access microphone and/or camera, etc.
Block requests to all of FB's domains in the hope that it can't load FB's scripts or buttons or "like" buttons; literally anything from FB as far as humanly possible.
It allows you to block the domains of known third-party tracking companies. However, this measure is going to become less effective over time with the increasing usage of first-party tracking.
To me the thing that bothered me most was that a mental health site (Psychologytoday.com) that I used to find a therapist was passing the information on my searches to Facebook, presumably to aid in targeted advertising.
Honestly, I think that health-related searches that are directly tied to a specific individual (especially without informed consent - I didn’t log in or receive any notice this was being done) should be covered by HIPPA just like any other personally identifiable health record.
The other weird one was the huge amount of data my bank was sending. 20+ requests per session. I have no idea why they would do that.
I think a solution would be for people to own their own personally identifiable information, in much the same way that a celebrity can own their “likeness”.
Unauthorized copying or use of this information could be simple copyright infringement, which is apparently criminal enough to involve the FBI if you are a movie studio with enough money spend on political donations.
Thanks to this comment I noticed mine has a hospital:
bannerhealth.com (8)
The portal where I access my records is on a third-party vendor's domain and this is likely just from Like buttons on their public site. But I wouldn't be surprised to see the name of the specialist I saw (just to look up their phone number) or a condition they treated (the portal links to articles there) in those 8 entries. Haven't bothered to download my entire history just to see...yet.
Wow that's creepy. It lists apps where a) I didn't use FB login/signup and b) used a different email address to sign up. How do they cross-reference that to me? Hand how can I prevent that outside of their tools (which I assume still violate my privacy)?
Also, if you are creeped out by this, just imagine the amount of data Google has on you. I'm convinced they have way more, just by virtue of every website having Google Analytics installed.
Those are good, but they don't work for what the GP is talking about. I'm seeing games/apps associated with my FB account even though I never logged in to FB with them or gave them any info. I literally just opened the app and that activity was associated with my FB account.
I have no idea how they're doing this, since they didn't even request storage access (or I didn't give it). Can any Android developer here chime in on how an app can figure out my Facebook ID even though I don't even have Facebook installed on my phone and didn't give any sort of credential or access to the app?
Try to opt out of Advertising ID (Settings -> Google -> ads) and see if apps continue to be associated with your facebook account. I suspect Swipe sent both your account ad advertising id during login.
Once you've logged into facebook from the device, they likely created a device fingerprint for your device: https://en.wikipedia.org/wiki/Device_fingerprint . This would allow them to identify you even without a cookie or ad id to correlate against.
Fingerprinting across devices is possible too, using things like behavioral analytics, network traffic, timing, third-party data sources etc.
The third party data sources is the easy one. Log into service A on your computer and service A on your phone. Service A fingerprints both and sells the data to service B. Now service B knows how to correlate your behavior between devices even though you never logged in.
I’m sure you’ve logged in something on both your phone and computer. It doesn’t have to be Facebook.
I found a mere four items in my activity list, all from several months ago, probably when I mistakenly used the wrong container or had uBlock turned off. It's nice to see all my anti-tracking software is working!
I use Firefox Containers to limit and logged in FB activity to that & never log in using FB other than FB website itself. I have no FB apps (including WhatsApp).
I've been running uMatrix for a few months.
My firefox tracking-prevention (similar to EFF's one, but probably not as good) is always using maximum privacy settings.
I still have a few sites appear... AND for websites I've never even visited (that I'm aware of, & I'm the only user of this machine)
There seems to be some serious fingerprinting going on, more than simple cookies.
Agreed, even with all of the above I had about 15 or so sites in that Facebook list. I suspect it's because I was logged in to Facebook on my phone's browser for a while. Not sure why I even did that...
I thought Google Analytics had a decent privacy policy that would prevent Google from doing anything with GA data. But I remember some fuzzy wording like "your data" which could simply mean that Google considers GA data to be their data.
Has anyone done a good deep dive on what Google actually does with GA data?
Even before firefox containers, I used a dedicated profile for facebook only as well as using privacy badger and ublock origin. Facebook still collected data about me from external sites. I think mainly through my phone, possibly through linking phone number or email addresses.
By far the worst thing are android phone applications (not only FB official app). They have their spyware bundled and can slurp from you the data which are normally unaccessible by web browser, from phone number, imei, mail addresses to all your contacts and there is almost nothing you can do except installing vpn based firewall (like NetGuard) and block all access and add permissions one by one for each url. This should just be illegal.
From your friends :) Or you will allow it. To use it. On the other side you can at least control that the common advertisers wont get it (like fb). For everything else get root and xposed + xprivacy. But for most users that is too much. I just gave the easiest advice. I am running microg lineage, xprivacy lua and netguard. But I wonder was this as advice worth the letters used? ;) Will someone go trough the trouble to use it? To replace the rom, install everything, run everything in block mode and allow only what is really needed, like connection to my own mail server? My own ssh tunnel? Probably not. And then comes the master villan, google. How many will remove that one from the phone? Waste of words, right?
Anyway even netguard is far better than nothing, most apps dont need their own servers. And the largest data slurpers are known. For fb just block all fb domains.
I use uBlock Origin and Privacy Badger on my desktop and phone, as well as Blokada, and yet Facebook still had a bunch of app activity even though I never ever sign in to stuff using FB (or even gave the apps my email or any other piece of personal data).
I literally just opened the app, granted no permissions, used it a bit, and Facebook associated it with my account. What the fuck.
They could be associating you server-side using persistent identifiers on your phone. For example, if an app has the Facebook SDK, it could send your IMEI to Facebook. Then, if you have a first-party Facebook app like Messenger, that too can send your IMEI to Facebook and link it back to your Facebook account.
I'm pretty sure that 95% from the activity that is listed for me comes from the Facebook tracking pixel, that every website has to embed if they want to (effectively) advertise on Facebook.
Some chat apps (like Viber and others) have Facebook SDK integrated in them, without any direct Facebook functionality people would use. Discovered after using NetgGuard, and seeing who is calling home, and not only home. (Why viber is making requests to graph.facebook.com anyway?)
Duolingo is a nice app for learning new languages, yet it might be using the same sdk, since it likes to call facebook.com domain.
Netflix is a good streaming service, but it has some option somewhere, which allows them to share data with others, and enabled by default. And yes, it's present in fb activity.
The list can go on...
There are developers who integrate dozens of SDKs, without any specific purpose for users, and not knowing what is happening. We need something like PrivacyBadger/ublockorigin for phones/laptops/routers/homes/cars. It's getting more than creepy.
And why would Facebook allow third-parties/businesses upload into FB info they have on their customers...
As an EU "customer" I'm rather surprised by this. There are services that I've signed up to since GDPR came into effect which I didn't get explicitly consent to do this. For example my business bank. Why would I give them permission to share data with my personal Facebook account? I will be digging into this more.
I don't think that'd really be true, since they'd just have it stored in the background without you having a FB account (and wouldn't have the ability to see how bad it is)
does that stop facebook from collecting data about you? I didn't think it did, and because you don't have an account it's not, or at least wasn't possible to control any privacy settings.
Technically, no. Legally, it means you haven't accepted their terms of service, so if/when (I hope) the political privacy landscape changes, it'll be more likely that you can sue, report a violation, request deletion, (or maybe they'd even preemptively delete it to cover their tracks / come into compliance with new laws).
That's an interesting thought. I've removed (deleted?) my Facebook account several months ago. Maybe I should have kept it around in order to manage it.
which I did a couple of years ago.
Now I have no idea what they know about me. I use adblock and friends, but I wonder how much data about me they still manage to gather
In my profile, they managed to obtain a `PURCHASE` event from Macy's -- for an in-person purchase at a physical store. Macy's has my email address and certainly linked it to my credit card number, but this is nonetheless seriously creepy.
I just tried to change my email address on Facebook and discovered that they canonicalize plus and dot variations in gmail.com addresses, and thus claim that the new email address is already associated with an account. Ended up having to create a completely new email alias on my own domain.
It’s not a situation where FB “managed to obtain”. It’s Macy’s directly uploading transactions in order to attribute purchases to their online ad campaigns. It uses email and name etc to match.
While its easy to point at Facebook and say "they are so creepy" - this sounds like the type of challenge every marketing department faces. "What is the attribution of X,Y,Z ad campaigns?"
Connecting purchase + email + 'where the ad happened' via social solves that.
> While its easy to point at Facebook and say "they are so creepy" - this sounds like the type of challenge every marketing department faces. "What is the attribution of X,Y,Z ad campaigns?"
That can still be creepy. (If you're meaning that the accusation of "creepy" should be directed at modern marketing in general and not just Facebook, yes, I'd agree with that, though a good part of how we got here is large centralized aggregators like Facebook.)
I think there are plenty of non-advertising contexts where "using people's data to influence their behavior more effectively" can easily cross from normal to creepy as you start collecting more data. If you give your SO a certain flower because you remember a conversation the two of you had a while ago about that flower, that's normal and even thoughtful. If you give your SO a certain flower because you hired people to follow them before you even started dating and you got a report that they always stopped to admire a certain flower on their walk to work, that's creepy.
Absolutely, but I think it's time to start asking:
1. Is that ok that we accept this sort of Pavlovian training from anyone, much less for-profit companies?
2. Is it ok now that the entities are so easily able to completely track the effectiveness of their advertising and thus empowered to amplify whatever works to increase their success rather than some metric like human happiness?
Imagine all of our phones' lockscreens being unlockable only by face unlock and not fingerprint... you know, our face which is all over the internet and trackable across websites and in-store and public cameras.
The right of privacy. The right of dominion of ones own affairs. There right to not be harassed by soulless individuals and companies who are 'merely' seeking to gratify their greed.
If rights were violated then this would all be illegal. Clearly it isn't. In the US, there is no constitutional right to privacy, and any legal precedents are mostly about government surveillance.
There's new data privacy regulations at the state and federal level going into effect which is why FB made these changes, but they don't explicitly prevent this kind of data sharing from an outside company using first-party trackers to send data to Facebook's marketing platform.
You are right, of course. It just goes to prove that we are little more than slaves to the system of governments who dictate what is lawful, who usurp their position in order to bestow rights back to us that used to be intrinsically ours to begin with. It doesn't make it right however.
"Attribution" in this sense is always going to be the enemy of privacy, because it boils down to the question of "what was on your screen when you decided to make this purchase".
Your Mastercard URL got truncated somehow. It's a pretty easy search, though. Just the same, thanks for linking because I had no idea this was even an option:
> To opt-out from our anonymization of your personal information to perform data analyses, please provide your Mastercard or Maestro payment card number below.
This sounds like they are going to continue using my purchase data but without anonymization? Not a native speaker so perhaps I'm just misunderstanding the sentence.
I think they tried to formulate it so it will sound less damning for them, like they want to make it explicit that what they performed their data analysis on is your anonymized personal information.
They don't charge 3%, they charge about a tenth of a percent (0.11%). What you think of as fees is actually a basket of charges going to different parties. almost 2% goes to your (the purchaser) credit card company to cover the risk of you not paying them, about a percent goes to the store's bank to cover the case when they have to give the money back (either because it was a fraudulent online transaction, or the store cheated the customer and the customer went to their card issuer, etc.) and that tiny little bit that's left goes to Visa/MasterCard.
Credit transaction fees actually make lots of sense and are grounded in the actual cost of the financial product. As a merchant, you can choose to accept only debit cards to avoid the cost
I get that this is how it works in the real world, but the argument that transaction fees are necessary for the credit company to cover the risk of the cardholder not paying is a bit feeble, because to my non-banker mind: that's what the interest rates are for. If someone is risky, simply don't approve their application, or raise their rate. Am I missing something?
The 2% that goes back to the credit card company is what ends up paying for all the rewards points and cash back discounts—which work as mechanisms for you to get that money back so long as you actually pay your credit card bills.
> about a percent goes to the store's bank to cover the case when they have to give the money back (either because it was a fraudulent online transaction, or the store cheated the customer and the customer went to their card issuer, etc.)
Is this right? It's been my experience (in Canada) that losing a fraud case or chargeback the store takes the hit.
A "savvy" customer has a card that doesn't make them perform a dog and pony show like you describe. A savvy customer's card charges the lowest reasonable rate in order to provide the service.
Giving someone money and then feeling all giddy when you get a "reward" later means you've been gamed.
But this is such a weird way to think about it. Credit cards don't cost anything. In some vague grandiose sense prices are slightly higher since credit cards exists and merchants want to cover their fees but my perspective as a customer spending via a credit card is basically free money. There's no dog and pony show except buying things like I normally would.
* I get literal cash through their rewards program which just slowly accumulates without me having to think about it.
* I get all the nice protections and can do chargebacks.
* The money I spend every month stays in my bank account until just after the bank calculates and cuts my interest check. Like it's super negligible but hey, if I'm getting an interest free loan anyway.
2% cash back from the card + 0.25% interest from the bank ain't nothing.
The point is that everything you buy with the card is at least 2% more expensive, because the merchants are just passing on their credit card fees to the consumer. You are not saving money in any way, shape or form.
Once upon a time, it was beneficial for a merchant to accept credit cards, it lowered their costs for handling cash, which meant they saved money and the 2% cost for each transaction was reasonable.
In a world where everyone is using credit cards for every purchase, that 2% is essentially a tax instead.
Yes, you absolutely should use a credit card in the US and get your cashback or rewards or whatever. You have to play the game, because everyone is playing the game.
But, you have to realize that it's not beneficial to you. You don't earn anything, you merely, barely, move the needle back up to break-even. You're not gaining. You're not winning. You're not sticking anything to any man. If the entire credit card industry got rid of rewards, and lowered their merchant fees, it would be a net benefit to you.
So feeling happy or grateful for cash-back means that they got you, they tricked you into feeling grateful for the privilege of giving away your money.
If you paid cash, in virtually every case you'd pay exactly the same price because most merchants don't provide cash discounts. If your merchant does provide a cash discount, I would suggest taking advantage of it. But if they don't provide a cash discount, you're still paying that 2% margin anyway without receiving any benefit from it.
Likewise, except for small businesses whose owners don't actually price in the cost of their own time and labor, it's not entirely obvious to me that the cost of accepting credit card payments actually is any more expensive than the cost of handling cash, which is probably why cash discounts are rare. The main exception to that seems to be gas stations (which usually have a lower price for debit cards and not straight cash), except even in that case, I get an even bigger discount by using Costco's gas station, which doesn't have any such discount. You do address this point...
> > Once upon a time, it was beneficial for a merchant to accept credit cards, it lowered their costs for handling cash, which meant they saved money and the 2% cost for each transaction was reasonable. In a world where everyone is using credit cards for every purchase, that 2% is essentially a tax instead.
That makes no sense. If the cost of receiving credit card transactions is 2%, that doesn't imply that the cost of receiving any other kind of transaction is 0%. If there's no cash discount, the difference in cost to the consumer is zero anyway. But the difference in cost to the merchant isn't 2% either, because if they accepted a different form of payment, the difference in cost would be 2% minus the cost of accepting that different form of payment. (And if they didn't accept any form of payment at all, the cost would effectively be 100% because there would be no sales). In a world where credit card sales are ubiquitous, if anything, credit cards become a better deal for merchants because there's less economy of scale for cash-handling services.
All in all, I would even suspect there are instances where credit card rewards end up providing a net positive to a sufficiently devoted cardholder simply because most people are not going to expend the time and effort necessary to maximize their credit card rewards. It's just like Vegas in that sense--while it's true that "the house always wins", casinos will also comp you rooms and drinks, and there are documented instances in which you would expect to be better off playing video poker or blackjack for long enough to get a free room (assuming perfect play, which means memorizing a small decision tree). Why is this possible? Because the vast majority of people don't play perfect blackjack or video poker. Businesses plan for average-case expected customer behavior and not best-case (or worst-case from their perspective).
The cost for a merchant to handle credit cards is whatever the credit card companies can get away with.
The actual cost of handling card payments is very, very low these days, but merchants are stuck paying the higher price, because there's effectively no competition in the space. To avoid having obscene profits, the cc companies give back a lot of the extra money to the consumers in the form of cashbacks and rewards, and then consumers stupidly feel grateful for being fleeced.
In an ideal world, merchants would pay only the actual cost for handling card payments, only pay for the tech itself, and the fraud risk. Naturally, such a pricing would be a fixed per-transaction-fee, because the actual cost is the same for each transaction.
In the same ideal world, the credit risk of credit cards have to be managed through the interest rate and credit worthiness management. It's completely outrageous that credit card processing fees should in any way, shape or form cover the risk side or the fraud side of the business. That's not the merchant's problem.
> The actual cost of handling card payments is very, very low these days, but merchants are stuck paying the higher price, because there's effectively no competition in the space.
In other words, the cost of processing credit cards is low enough that it successfully competes with every alternative form of payment. In which case I don't see what you're outraged about. Invent a more cost-effective payment mechanism if you think there's an opportunity for it.
It's also worth mentioning that cash isn't necessarily any less expensive for merchants to accept. It is if you're talking about a small local business or something, but if you're paying for the actual labor of counting cash, delivering and depositing it to the bank, as well as the increased security risks and costs of holding large sums of cash, it starts to add up.
I pay $89/year for my card, which I use for every purchase. I get hundreds if not thousands of dollars in rewards each year, and have never paid a penny in interest.
There's no dog and pony show involved, and I have not been gamed.
The merchant pays the interchange rate regardless if you get a reward or not. If you have a no annual fee card with no rewards, you are simply leaving money on the table (which your card issuer pockets), since you can get 1-1.5% cash back, also with no annual fee.
A "savvy" customer pays their entire credit card bill every month, so the actual interest paid is zero. At that point, the rewards are the only meaningful difference in return from one card to another.
The rate a card charges differs from applicant to applicant. Without knowing your credit score, credit history, and other financial information I cannot recommend a card for you.
The rate a card charges is immaterial since if you pay the entire balance each month, you pay zero interest. (And if you don't, you're making a big mistake.)
You're not flying to Hawaii for free. Every single purchase you made with the card was more expensive than it had to be, because the merchants needed to cover their credit card fees.
What you're doing is the equivalent of always paying with bills, and dropping your spare change in a jar. And when the jar is full, you buy a ticket to Hawaii with the money in it. Except with a credit card, they keep the jar, take half the quarters, give you back the rest, and make you feel grateful for the entire experience.
In this particular case all of the people without premium cards who pay with cash or debit cards with no rewards are paying for our free lunch and flight to Hawaii. It's a tax on basically every transaction, paid to those participating in the rewards scheme
With VISA and MasterCard yes, but e.g. the German girocard network on its own doesn’t sell anything, and there it depends on your bank (and most banks don’t sell that data either).
So if you have the choice between using a girocard or a credit/debit card to buy a product, the credit/debit card is significantly more likely to sell all your data.
I'm not sure that the "Device Account Number" matters. As I recall from the presentation, that number changes with each purchase. And Goldman has promised (ha!) not to sell your information for marketing purposes.
But it's still worth opting-out of your Apple Card's virtual number.
The number is in the wallet app, ... > Card Information
Unless you are carrying your cell phone at the time—not sure anyone is doing this yet, but I have heard of at least one chain that tracks customers' cell phone locations via triangulation.
It used to be common to track the mac address of customers that pinged the in-store wifi. Not sure how much this happens now that some phones randomize mac addresses.
How accurate does it need to be? If you shop in a market stall, or a bodega, then you could be tied to a neighboring store. But if you're in a regular-sized (American) store, it's certainly good enough.
You don't even necessarily have to predict earnings. If you've ever connected to your financial account via a service like Plaid or it's ilk, that service has an API endpoint[1] they can call to neatly package up your income information. Sometimes it seems innocuous and unassuming for a one time use like identity verification, or to set up automated payments, or a one off transfer/disbursement. Other times it's for stuff like getting a consolidated view of your personal finance (i.e. a transaction aggregator such as Mint). But if you authenticate for anything, that service has access to everything.
And unless you rotate your financial passwords on a frequent basis, that access continues pretty much indefinitely[2].
By “they” I assumed the GP was talking about Facebook being able to predict Macy’s earnings before they were publicly announced. That would be pretty interesting to see :)
interesting.. they could use that to predict earnings..
A few years ago when Chipolte had its little food scare, Foursquare used its data to predict how much the restaurant chain's revenues would decline. IIRC, it was accurate to within 1%.
That last part makes sense. If you want a different identity, you need to choose a different ID. Better to make you be more explicit about what you are trying to do (multiple accounts), then accidentally split accounts of people who aren't trying to do that.
My first reaction to this was to be creeped out. Even being in the industry how did all of these sites (560) have data about me that they were willingly sending to Facebook without my permission. And while I have a Facebook account, I am not a Facebook user – as in I've logged in twice in the last year to see a neighborhood post or the like.
But then I went from creeped out to oh shit as sites I run were on the list. The way Facebook puts it, these businesses are actively sharing data with Facebook for the businesses benefit. But as a developer who has been asked to put a pixel on a site many times, I have to rethink the data exchange here. Obviously the sites are not getting the benefit that Facebook is receiving from everyone piping in data – often unknowingly.
I realize this is an unpopular opinion around here... but can anyone explain how they have actually been harmed by this? Like for real not in abstract notions of "creepiness" or whatever. I, for one with Facebook actually figured how to do something useful with that data and not be that raw sewage stream that basically led to stop logging in.
The harm is that Facebook gains control over prediction markets that they then sell to the rich and powerful to nudge enough of the population to their points of view. These points of view are often not in the general public interest.
Agree here; Given the insane hours that people spend in FB, the feed becomes part of their reality and better nudges affect their outlook on the world, their spending decisions and their political directions.
My particular issues are different from most people here.
The biggest impact, for me, is that the dominance of Google and Facebook based on having access to this data for the general population has led to worse advertising revenue for the news industry and some of my favorite websites. That has caused some of them to rely on memberships and paywalls.
I also don't appreciate that the money that they've accrued due to their dominance as a result of data like this has led to undue political influence. That comes at the expense, I believe, of voters (and I'm one of them). I don't think that power is healthy for a democracy, generally. I believe this about non-tech companies, too, so I wouldn't suggest anybody just pick on this industry.
This isn't to say that I'm not concerned about privacy. It's only to say that IF YOU AREN'T, then there are other reasons to root for people to have transparency around how their data gets passed around.
Most news websites load trackers regardless on paying so you can be both the customer and the product. This is also why I will never subscribe to a news website. I'd rather let them try their luck with tracking rather than just hand them in all my personal & payment info on a platter.
Yes that is something I plan to address by switching to another blogging platform. If you look at the GA ID you'll notice it's not mine and it belongs to my blogging platform (which apparently enables GA with their own ID even if you don't provide a custom one instead of just disabling the feature).
Edit: I have now deleted the DNS records so the website will be down until I have time to fix this properly.
Do you have another platform (ideally self-hosted) in mind? I used to run a WordPress instance for my personal site but took it down after it got annoying to stay on top of the frequent updates and security fixes.
I have the same problems regarding Wordpress so it definitely won’t be that.
I’d look into static site generators but the problems with them is that I will always be tempted to tinker with it which is why I went with a hosted solution.
I will look into Substack as I’ve seen it used quite a bit around here recently. If not, I’ll see what Squarespace has to offer.
I actually tried emailing the owner of Svbtle (the platform I used) about removing GA but haven’t had a reply.
My issue isn't that I don't want to pay the paywall -- it's that because people broadly don't prefer paywalls that relying on them rather than a thriving online ad business means they can't hire more reporters, video people, data folks, etc.
So at the end of the day, it means I don't get to enjoy as much quality content from the publications that I love.
In my view, I end up with the best content when advertisers aren't going to one or two central places for their ad buys online. I'm actually an advertiser, myself (as just one part of my job). And I certainly know how my own buying practices have shifted over the past 14 years to now be 100% focused on FB/Google. Some of the Google money trickles down to other publications, and certainly this makes my job easier, but I don't think it's a good thing as somebody who also loves reading online.
Online advertising is pretty much always going to be a race to the bottom because everything a website does is just a dog and pony show to get people to watch ads. Why bother putting together quality content when churning out clickbait and low-effort crap generates far more clicks with far less work?
Yeah I agree advertisers would rather have their ads next to quality content. Publishers don't always have the same incentives while it's easy to fill lots of inventory with at lower prices but make up for it in volume. A fine dining restaurant might make more money per diner than a McDonald's, but your average McDonald's probably makes way more money.
If something benefits McDonalds AND the fine dining places I enjoy, that's fine with me.
I don't have a problem with bad content out there, so long as there's a ton of really good content. For the great publications I read, I want them to be successful businesses so they can expand. A better ad market, or even a return to how it was before the dominance of FB/Google, would enable them to do that in a way that relying mostly on subscriptions hasn't.
Hmm. I have no website activity listed - but seemingly every single Android game and a few other apps is sending "activity" to FB, despite me never using any feature to associate the two. This sounds like: https://privacyinternational.org/report/2647/how-apps-androi...
Blocking the entire Facebook ASN at the firewall/network level stops this. Google is a bit more tricky as they also have GCP so you can’t block their ASN without also blocking innocent services.
This is assuming that all data sharing to Facebook is done from the client which is obviously not true. If your desired service wants to share data with Facebook they can and will do so and there's nothing you can do about it except not use the service.
Specifically, how do you do it on a normal Android device? Is it even possible to do this on an iOS device that's on 4G or someone else's wifi? Do iOS devices have the same "leak"?
You either need to control the mobile side of things and never connect to unrestricted Wi-Fi or use Apple Configurator to create a profile for an always-on VPN to a place you control where you can apply the restrictions.
I am unable to verify this right now for the obvious reason, but facebook operates on ASN gAS32934[0]
So you can ask https://www.radb.net/ for the IP addresses that are associated with this AS and, after a quick manual sanity check, insert it into the firewall of your choice. For example:
whois -h whois.radb.net '!gAS32934'| tr ' ' "\n" | sed 's/^/saddr /'| sed 's/$/ DROP;/'
> "Privacy International has tested both opt-outs and found that they had no discernible impact on the data sharing that we have described in this report."
So there's that. I wonder if any opt-out really helps. I think the best approach is still to use a good blocker such as uBlock Origin.
the Android advertising_id property and the ios IDFA (identifier for advertisers) are available to every app, and once an association against the id and your Facebook account is made further interactions can be attributed to your identity.
Both of these identifiers can be reset at any time via os features, making you appear as a new user (at least until fingerprinted or a new association with PII is made)
Realise that you don't really need those android apps, or the google or facebook account. The utility and entertainment you get is half of surveillance capitalism ecosystem, and the other half is that they compile all this information about you.
I know it sounds preachy and it's not a conclusion most people will like. But, like fasting, going without something you like but don't really need does help you focus on what you really do need.
I don't actually care all that much and I like my luxuries. Do I "need" the Google account? No. Do I want to tell every person and business currently using it that I've changed email? Also no, that's a huge amount of work. Likewise for facebook, which is now down to once-a-day-ish use for coordination with a specific group of people whom I do not want to do the work of moving all of them off Facebook too.
Yeah, I make similar trade-offs. The sunk cost of a few TV shows purchses keep me from closing my Google account. But I won't let it anywhere near my phone.
I think the process of honestly asking the question is more useful than the actual answer. Life & society is full of compromises.
I was surprised to see that Plex is sharing a bunch of interactions with Facebook despite me only signing in with email. They seem to just blindly correlate the email address with whatever Facebook account it points to. There is no mention of Facebook on their privacy page[1]. As a lifetime Plex Pass holder this has damaged my credibility with them.
One of their employees says this is in error[2] so hopefully it will be fixed.
I guess signing in with email is pretty much equivalent to contacting Facebook if this is possible to do.
Besides that there are physical retailers that send data to Facebook even though I don't recall giving them any idea identifying info. I feel powerless since I rely on Messenger for communication with friends, who I've tried and failed to convince to switch elsewhere.
Yeah, I was really surprised to see Plex in my friend's off-FB-activity list. I've been wanting to switch to Emby, but I already have a Plex lifetime membership, and it would be difficult to get friends to make the switch. I'm not liking Plex's direction with getting into the streaming business, along with this FB spyware mishap.
I don't think it's be email (or at least not ONLY email). The page shows a company is sharing my data with Facebook and my email address is different from the one I use with that company.
Deliveroo has evidently been sending them all my orders. Or at least, there are as many 'interactions' as I have made orders. I don't log in via my Facebook so that is an unwelcome surprise.
Same here. I had to recollect if I even signed up with Facebook. After checking my Deliveroo settings, it seems that my FB account isn't even connected. This is insane...
Do you use the same e-mail address for both Deliveroo and Facebook?
If so, that could be how they matched you. Facebook lets businesses create custom retargeting audiences[1] from existing customers, and you can (obviously) include interaction data in order to segment e.g. frequent customers from occasional customers.
I suppose that would explain it. I can't see what Deliveroo get out of it though, and how they might expect Facebook to have a better handle on what sort of food I would order and how often as opposed to Deliveroo themselves, who know. I wonder if they have plans for service expansion into "Deliveroo but for X" and want to see what their customers are into. Or perhaps they want to see if I am two-timing them with Just Eat!
Funny, I now remember reading a post from someone claiming that if they ordered an online grocery shop off a company that was not their usual, like magic a voucher would appear from their original company. I assumed this was coincidence, but this is the exact mechanism that such a thing could happen.
Of course this could also just be a manifestation of the trend of companies desiring data for data's sake, and a load of deliveroo managers are sitting in a meeting somewhere looking at a graph showing an intersection of people who are into retro computing and also like burritos and trying to brainstorm some strategy off such trivia.
> how they might expect Facebook to have a better handle on what sort of food I would order and how often as opposed to Deliveroo themselves
That's not really the idea - they're just trying to serve you ads wherever they think you might see them. Retargeting (whether it's through Facebook ads or AdWords or what have you) is one more engagement lever alongside push notifications, emails, etc.
I had a few - all of them from my Android apps and via Facebook business tools i.e. the vendors are actively pushing my data to Facebook. One utility app that I'm not surprised about, one that I'm a bit more surprised about but the interesting bit was G-Shock Connect (for the watch).
I installed their app once, figured it doesn't properly do the only thing I needed it for (show battery charge level), and I went to uninstall it. How did it find itself on Facebook?
The app wasn't given any permissions and I did not enter any personal information. The TOS did require giving consent to sending app and watch usage data but I didn't tick allowing that for marketing purposes nor was personal information mentioned, just identification data from the phone itself, operating system etc.
The app must have obtained my phone number or email from the phone's personal data. Apparently that's possible even if I declined all explicit permissions. They might be able to find my Google email by using Android's AccountManager apis. Phone number might be possible but slightly tricky and I think I disconnected my phone number from Facebook way before installing their app.
Interesting stuff - looks like everything should run in an anonymous container by default on phones, too. I hope we'll get there soon. Still, a lot of this is based on trust rather than technical countermeasures. Will you trust the vendor or not?
Allegedly, I ditched my Facebook account years ago. Not just deactivated but delete, though I don’t really believe it. Is there anyway to see what’s in this (or to see if my account really is gone) without accidentally re-upping?
I had followed a guide in ~2010 to delete my account (since the magic incantations to delete your account at that point were really obscure). I was told via email that my account would be deleted a certain amount of time (90 days IIRC); I got curious in 2015 and logged back in. I was not terribly surprised to find that I could log back into the account and all my old data was still there. They may actually delete accounts now, but this certainly hasn't always been true.
I had deactivated my account about a year ago. I tried logging in to view this page, and it reactivated everything immediately. Also, it has clearly been linking a vast quantity of off-facebook activity despite my account being deactivated.
Facebook provides two different options, one is deactivation and the other one is deleting. They are not the same thing. If you merely deactivated it, then your account never was deleted.
Facebook doesn't really comply with the GDPR. The data displayed on this new page wasn't part of their data export and I'm sure is still not part of it.
EDIT: the link doesn't seem to work, so you can click on "Manage Future Activity" => "Manage Future Activity" in the popup => Disable "Future Off-Facebook Activity"
> We will still receive future activities from companies and organisations you visit. These might be used for analytics and to improve our advertising systems, but will not be connected to your account.
(Translated from Dutch because for some reason Facebook figured I'd want this particular message in Dutch.)
Extrapolation: "Account" here means the Facebook account created by you and visible to you; probably distinct from "Profile" in their lingo, which is all the data they have on you, of which most is invisible to you. If this is true, that's not an opt-out for data collection, just a choice to keep that info from showing in your account while merrily continuing to build your profile.
I mean, they’ve already been shown to keep every tiny nugget of data, this feels more like “we won’t give anyone else tools to see that it’s you” instead of “we’ll anonymize it sufficiently”
Before you disable it, the site warns you that "This will also prevent you from logging into apps and websites with Facebook because your activity will be disconnected from your account." This annoys me, because Facebook login is actually quite convenient, and they've gone and bundled it with lots of random third-party tracking. Nothing technically required them to do this -- they could surely offer it as a separate feature.
You don't need anything on your frontend to share data with Facebook. Facebook doesn't acquire information like what shirt you bought by putting a like button a page. Your clothing retailer is willfully sharing that information for marketing benefits.
Is it just me, or is there no way to download activity details? I click on an activity, then there's a few examples and a link to download, but this leads to a generic "Download your information" page and I cannot see an entry for the app or off-facebook specifically...
How can I block it? some apps are on my iPhone, but I don't have the Facebook app on it (I do have messenger), and only used the apps on the phone. Aren't they isolated in some way?
For downloading the data there is an option to download "Ads and Businesses" under "Information About You". I just downloaded it, and it includes all data that was shared.
However, the data only shows the source, timestamp and activity ID. The actual event data is not included..
I deleted my Facebook a couple months ago. Now I wish I would have kept it just a little longer to see what they had on me.
But in the end I still would have deleted it. Facebook clearly can't be trusted with my data. Idc what connections it gives me. They have shown time and time again that they will exploit the tiniest things to predict and manipulate your behavior.
And apparently companies desperate for even slight up ticks in conversion rates will upload everything they know about you.
No wonder Cambridge Analytica, AggregateIQ, and Robert Mercer had such an easy time compiling psychological profiles and categories of Americans and Brits.
In the end, it's real simple. The human brain adjusts based on the environment and events around it. Id rather not have Zuckerberg, Dorsey, or anyone else they deem worthy, intentionally or otherwise playing around in my head.
Back when I got rid of my account there wasn't an option to immediately delete an account. It first had to be deactivated, and would supposedly be deleted after a two-week cool-down period.
I know people who have left Facebook and then much later come back, setting up a new account with new credentials and Facebook could still begin to suggest old friends and interests.
Isn't that because they can still match the friends side to the new data? They still have half of the matches and once you give them your half they will suggest the same stuff.
Aside the mountain of irrelevant notifications, here's what I've observed in this report that's concerning.
1. Albeit some data has been correlated properly (banking applications which is scary on it's own part it's sending data to facebook, imgur, Xbox, my telco provider, and a few misc blogs I've visited a handful of times per year), it's correlated a significant amount of data that may not belong to me (good thing, I suppose?)
2. Why the heck are banking applications sending data to Facebook as "CUSTOM", with no context? For example, RBC bank in Canada sends "CUSTOM" data (haven't been with them for over two years, but all interacts labelled CUSTOM) and Facebook will not give any more context on the exact data it received. Little scummy, Facebook.
Well, time to sweep this up and resist tracking more. Let's see how it works this time round.