As anyone who is, or has, worked in ad-tech would tell you, this is pretty _tame_ in terms of the "offline conversion problem."
When there are $billions$ of dollars at stake for this type of information, you can guarantee there will be many companies attacking this problem.
Therefore, not to be a pessimist, but if you think that 1) using a fake cell number on Facebook is going to help or that 2) there aren't services like Google doing this already, potentially with just as good match rates as Facebook, or 3) that using Firefox + adblock is all you need, then you're going to be constantly plugging holes in a leaking boat.
> you're going to be constantly plugging holes in a leaking boat.
True, but the ad industry isn't like a boat. They don't want to track everything or build a complete profile about everyone. They just want to track most things and build a fairly complete profile about most people.
That means every privacy step you make has some incremental gains. Just because a private detective could use the collected data to build a complete profile of you, doesn't mean the ad company will - they'll collect data from the easiest sources, and if you make it too hard for them to get data about you, they'll simply collect data about other people.
> and if you make it too hard for them to get data about you, they'll simply collect data about other people.
I strongly disagree, and with all respect, this is a naive view.
This might be true when you're looking at the mapping of individual company to individual person (ex: "You to Facebook" or "You to Google.")
But the ecosystem approach to building a profile on you is more comprehensive than you think.
Example: you might get very very good at removing your phone and TV/Movie interests from Facebook, or never having it on there to begin with. But then Media Conglomerate X owns a cell/wireless provider, internet provider, and hell maybe even a cable company. There's a high probability that you pay for >= 1 service from this company, that can be matched back to your Google profile and/or Facebook profile - via a DMP (data management platform) or something similar.
Oh and remember when you used your real phone number to make a reservation at a restaurant? AND they needed a credit card on file, just in case you don't show up? Well those are uploaded and grouped in the same data pools.
And then when enough stores / restaurants / ecommerce sites pool this information, they can build a pretty reasonable shopping profile for you, make (very good) estimates on your demographics, etc. Almost like it's crowd-sourced!
Therefore the "you" that is supposedly a "small, statistically irrelevant piece" is actually part of a group that has an ecosystem of companies and DMPs pooling data to make that group smaller and smaller.
> you might get very very good at removing your phone and TV/Movie interests from Facebook
Also, your Smart TV may simply be spying on you and sending that data back to the manufacturer[1] either by sending a hash of portions of your screen, or in Samsung's case, straight-up sending screenshots.
And then, they throw away all that information and give you targeted ads that are so bad that you couldn't make a worse job if your life depended on it.
They use all of that info to target you, limit the number of times you’ve seen an ad, and stop sending you ads after you buy the product. Obviously it’s a really hard problem though, because the above list doesn’t always work as intended.
This is because of the vastly different amounts of work involved on either end.
Knowing you browsed a product is as simple as firing a tracking image on the product page from the adtech platform. Knowing you actually bought it means having a connection from the ecommerce system back to your email then back to the id that used used in the adtech and then setup as an exclusion filter in all of the campaigns.
It's also usually not worth it since conversions are low and ads are cheap so better to keep advertising and get net new sales then worry about the people who already bought seeing the same ad.
it would be good for them to work that out because showing me the same ads for lawn mowers for months straight is a waste of their advertising space and their clients' dollars.
I also do things like look up something on Google for someone else, then see ads about it for months. While I understand the simple way of this technology works, they might want to rethink the idea that I need to see ads endlessly for everything I did one search for.
I explained it's not worth it in the last sentence. It's year of work and millions in cost, and now regulation prevents tying PII from your purchase to the anonymous IDs used in adtech. You're going to get new ads anyway, retargeting campaigns rarely last beyond a few weeks from the last product page visit.
Yeah that happens often. I ran these campaigns for two years - you effectively get 200 dials, knobs, and levers to pull all making minor changes to an incredibly complicated adtech ecosystem. My first year I ran 80 of these campaigns, and could spend <20 minutes a week on each.
Missing something like “exclude recent purchasers” was easy to forget, but easier to not even have time to set up. (It might take 10-30 minutes to set that up)
I've noticed a lot of Instagram ads where the advertisers seemed to ignore a regional target, or Instagram does. I get ads for restaurants all over the country, which makes no sense for the advertiser. I'm not about to go eat at some Mexican restaurant 2000 miles away from me in a suburb.
Okay, I've generally wavered on this between "assume the online advertising sector is nefarious and evil and perfectly competent" to "assume the standard level of bureaucratic incompetence". Your comments here are moving the needle back towards the former.
So what in your opinion can people do, that are reasonable, actionable steps to take, to avoid being an unwilling part of this ecosystem?
You have to be a part of the ecosystem. If you need any connectivity (internet or phone), you really have no choice. Unless you buy prepay cell phones with cash, change the number every few months, only use public WiFi, wipe your computer, change browsing habits, etc.
Even if you Adblock and never give away personal info, like op said, your cable, bank, insurance, dmv, internet, and phone provider will still collect and sell your data.
Your comment and the sibling comment are both saying this is an all-or-nothing situation with no degrees of variation at all. That flies in the face of pretty much all other data science, so I find it hard to believe.
I mean you can have some impact, but at the end of the day the variables you control are relatively minor in the grand scheme. For example, uBlock will prevent your browsing habits from being used.. but browsing habits aren't really a great signal anymore. I only ever used audiences that are based on strong signals like purchases, location visits, verified demographics, etc.
> You have to be a part of the ecosystem. If you need any connectivity (internet or phone), you really have no choice.
Which is why we need really tough legislation to put a stop to this abuse. The GDPR and CCPA are good starts, but both of those are much too weak. Here's hoping that such legislation will get better, and more pervasive, over time.
This is completely unreasonable. There is no network for uploading and matching customer phone numbers across businesses. Who owns this company, in your mind? They must have tens of thousands of customers and be making billions in revenue to have the kind of scale and reach you're describing.
It generally takes years for a big company to completely ingest the data of a company that they acquire, and even then everything is siloed in 20 different ways. People only wish that company X buying company Y meant that the two merged all of their databases synergistically. The world definitely does not work this way
You literally upload any offline data (phone numbers, names, address, whatever you have) and they match it to online profiles. They take the data you give them and use it in their cross-device graph, which is the exact thing you said doesn’t exist. Any business can go license or use that cross device graph in a variety of ways. $RAMP, 2.2B market cap.
Same service is provided by oracle with their cdp and dmp, and a few other companies. If you want to do more research the terms to look for are identity graph, cross device graph, offline matching, and other variants of those. Fb, google, LinkedIn, etc all offer some version of this in their walled garden. In the blog post they talk more about offline conversions, but it’s the same idea.
There are a lot of companies in the cross-device graph space. As I said, they do not have nearly the level of integration described in the great-grand parent comment.
If I'm wrong, sign up with Liveramp and use my phone number to tell me what restaurants I've booked reservations at in the last month. Is that how it works?
So yeah the restaurant or restaurant group doesn't have that great of a profile, it is built by companies like liveramp who get data from tens of thousands of sources and pool it into their own graph + audience data. Then they license it back out to those same companies. FB/Google and Oracle (crosswise) probably have the best identity graphs and are on par with what the original comment was describing. (I used to work at oracle on their audience products)
Liveramp is b2b and definitely won't support anything you want to do with them, but there are some comically bad tools (haven't been updated and are purposefully inaccurate) that let you check what data pools you're currently in.
Liveramp has been particularly irritating me of late, because they seem to be trying to position themselves as if they were defenders of customer privacy -- when they are, in fact, doing the opposite of that.
If you're going to be bad, at least don't try to pretend that you're good.
Yes, but they're lying when they do so. What's required legally, and the industry-wide standards that are currently in place are both insufficient. Adhering to them is great, but companies doing so cannot reasonably be characterized as being defenders of privacy if that's all they're doing.
From your perspective, yes they are definitely lying. From their perspective they've implemented a pro-privacy feature and advertise it and their company as doing so. I'm not saying either side is 100% correct, but there are two sides. The industry groups call something like the below pro-privacy and adtech/pubs do the same.
> From their perspective they've implemented a pro-privacy feature and advertise it and their company as doing so.
If that were the specific claim they made, I wouldn't call them lying. But I was talking about Liveramp specifically, and they're making claims well beyond that -- they're claiming that they're actually defenders of privacy. That's a straight-up lie.
I keep a close eye on the adtech/martech world ("know your enemy"), and it's clear that on the whole they've managed to reframe the issue in their own minds in a way that is favorable to them (mostly by doing what Facebook is doing: considering themselves as "pro-privacy" by defending the data they collect against outside attackers and abuse rather than considering their own collection and data use).
I don't think they're lying when they do this, I think they've managed to delude themselves in the way that salespeople often do: by convincing themselves that the lie is actually true. It's not lying, after all, if you believe it.
But Liveramp has elevated this to a level that I believe is intentionally deceptive.
In the sense that they will only put in a finite amount of effort (compatible with profitability), and take everything they can get. Over years, the amount of effort or technological means might increase, but it’s not like they operate with the singular focus of collecting everything about everyone.
This is only really true of marketing campaigns, and even then only in some instances. In certain kinds of marketing (e.g. direct campaigns), there may be downside risks to casting too wide a net beyond just cost vs profit.
It's also important to understand that these data aren't just used for shotgun marketing campaigns, they're also used in highly targeted applications. For example, if you give a company a small amount of information about yourself, for example through a insurance or financial services "estimate" page, that company has very good reasons for wanting as much (and as accurate) data about you as possible. The two biggest reasons are:
1. If they're smart, they're running models to associate those and other things with purchasing behavior. Notwithstanding the fact that they need to stay on top of the model's accuracy, having information about you that is too incomplete or too inaccurate can really fuck up their shit.
2. In domains where customers are extremely profitable (again, e.g. insurance and financial services), it can likewise be extremely expensive to acquire the data needed for robust modeling, even dirty data.
In both of these cases, they do very much care "about having data about 'you' in particular".
At the moment, from various advertising agency surveys, it seems that small/local businesses are still "dipping their toes" into digital ads and not really trying to track their audience at all beyond simple geographic segmentation.
The bigger agencies are building their own databases, but they haven't been able to link ad spend and customer purchases effectively, so that's the main focus at present. In particular they need to know ROI to effectively budget ad spend. Obviously, they have estimates of these numbers, but not an accurate per-ad-buy prediction. Google/Facebook are full of clickbots and there seems to be minimal incentive on their part to remove the bots. They've made some efforts with pay-per-conversion but it seems like marketing theater rather than a business model shift.
So until the fraud problem is solved, I don't think they care about microtargeting too much, except for its anti-fraud properties (attractive ad profiles are hard to fake).
False flags and information is the only way to deal with this stuff...
If FB thinks you're a 72 yr old retired dentist from OK, and you buy nothing but feminine hygiene products and 3 wheel wheel barrels, you're pretty worthless as a consumer.
The future of ad block is disinformation. Makes the entire ecosystem worthless
Vernor Vinge's "Rainbows End" novel has the Friends of Privacy who spew falsehoods into the Network so as to disrupt attempts to track everybody all the time. My first "Agent" contribution when I worked as a researcher was just code which listened in to other conversations and then lied about stuff. If another agent said "X = 4" my agent would state "X is not 4" just to disrupt things.
I suspect it's much harder to do this successfully in real life than it is in a novel where it's just an excuse as to why otherwise resourceful intelligence agencies don't know who the central character Rabbit is (Vinge says he's not sure either, to me it seems obvious Rabbit is an AI, surely the whole point of all Vinge novels is that there's a Singularitarian Apocalypse, and in Rainbows End the humans think they've averted that apocalypse but actually the thing that just saved them is the Apocalypse and they ought to be terrified)
Thanks for sharing this. Looks very interesting but with the fraud filtering in place for most ads, I wonder how effective this can be in the long run. Seems as if it'd be filtered out but maybe, that's the point???
i think that's exactly it - hopefully you'd get put on some adnauseum users list where your traffic is just dropped. OTOH maybe google et al just uses that list for working on fraud denial/defeat so you're probably feeding the beast no matter what.
There is a very cool book on the topic. If anyone is interested in finding out some potential mitigations (some implemented, some theoretical), I'd recommend giving it a read: https://mitpress.mit.edu/books/obfuscation
That relies on the majority of people putting in constant vigilance to be implausibly decoded as as 72-yrs old buying feminine hygiene products. Your specific profile may be worthless as a consumer, but unless you can convince 100 of your close friends to similarly feed the system disinformation, you've made it ever so slightly less effective. The metric used evolves (CPC) and the pay rates for them, but until more people actually care to disinform, I don't see that advertising will die any time soon. (Hopefully I'm wrong!)
You are so right. People forget that the cell companies know who you are and where you are 100% of the time. They also know every site you visit on their network. Things like this remind me of people using TOR and then signing into Instagram or Facebook. You just destroyed your anonymity. These sites would need to allow for anonymous login structures that almost none do.
"You are so right. People forget that the cell companies know who you are and where you are 100% of the time."
My mobile phone company has no idea who I am. It was trivially easy to purchase an iphone, at the Apple store, with cash and then purchase a Verizon MVNO SIM from US Mobile (which I prefer over StraightTalk because they allow tethering).
Neither Apple nor my MVNO nor Verizon knows who I am.
I, personally, am not a customer of any mobile provider.
Certainly my mobile provider could find out if they dug deeply enough - specifically, they could (somehow) check the Visa card I use for payment and see the corporation that that Visa card was issued to and then look up the corporate records and then ... they would know that somebody at X Corp is their customer. Possibly me.
Remember: neither Visa nor Mastercard verifies purchaser name. Only AMEX does this. You can purchase online with your personal or corp Visa/MC and put in "Mickey Mouse" as the name - it will always work unless they are a very, very rare merchant (usually European) that has put the "Verified by Visa" component into their workflow.
1. sample the HSS (HLR in old-money) every night to find which phones are camping in which location areas (LAC)s;
2. this given them a phone → area location for every phone in the country, where area is about 200 cells (a few km²);
3. then they could draw out the call detail_record (CDR) of very outgoing call, SMS, and even data session to get the cell identity;
4. this gets the phone → area mapping down to a few hundred m²;
5. then if they are motivated, they will use the location services in the Mobile Application Part (MAP) to silently move every unknown phone into dedicated mode and repeatedly determine its location to within 10m - 50m;
6. if the phone has control plane, GPS, they just ask it that. Many, many phones do;
7. this information is collected all the time and passed to in-house and 'external' GIS teams to cross-reference against all sorts of wonderful data;
8. they know who you are.
The good news is they don't care. They just want you to spend more. ARPU is everything.
All points well taken - and that I have a firm grasp on.
My threat model is "telco or ISP employee decides to see if John is a customer and, if so, just what John does with his phone". They will not find me in their customer database and they'd have to dig fairly deeply, and possibly involve banks and/or LEAs which are not my threat model.
Also, just as a coincidence, and not by design, my place of residence has zero bars of mobile service ... I lose it about two miles from where I live ...
When I was playing the game we cross licensed with banks, credit agencies, and etc. I couldn't evade my own nets because I have a drivers license, property, and bank accounts.
They generally know your location via tower triangulation. They know the sites you visiting via DNS or IP > reverse DNS. Combined with other data sources, they can get pretty close, probably exact. If you are not in a high rise apartment, they can guess your address and/or your work address based on normal 9-5 work patterns. They can map business to LinkedIn for employees of that company. I'm just trying to say that we leak a LOT of personal data to a LOT of people practically all the time. It is very very hard to stay anonymous today.
Also, I wouldn't be surprised if in the near future, KYC is required to buy any SIM that connects to the network. It isn't here yet but is coming.
"They generally know your location via tower triangulation."
Correct, but to clarify - they know your SIM cards location. In my case this correlates to a corp name and no actual personal name (mine or otherwise).
"Also, I wouldn't be surprised if in the near future, KYC is required to buy any SIM that connects to the network."
I suspect you are correct and I think this is already de facto practice for a consumer purchasing mobile phone service in the United States. I suspect, however, that an EIN and a corp name will continue to allow SIM provisioning without associated PII.
Something to consider: we are promised many, many more 5G SIM cards on the network than there are people on the planet. Most of those SIMs will be provisioned by corporate entities and, therefore, the ability to procure and deploy SIMs with no PII will persist ...
This is naive. Via triangulation they know your approximate location, and there are likely cameras with facial recognition and/or license plate readers in the area that can be used to correlate with arrival/departure to get your identity. Unless every single thing you use is in somebody else's name and you wear some kind of disguise everywhere it is already possible to bypass anonymity in most urban areas. If someone isn't doing it already someone will be soon, there's a lot of money at stake.
No it won't. Anonymous SIMs were already wiped out in large areas of the world. The way KYC works is you need to know the "beneficial owner" i.e. ultimate owner of an asset. The bazillions of 5G sims we're promised will all be tied to a strongly verified corporate identity and to get on a network will require you to present ID if an individual, or do corp KYC if a firm (which will in turn require the heads of the company to do personal KYC to establish beneficial ownership information).
> My mobile phone company has no idea who I am. It was trivially easy to purchase an iphone, at the Apple store, with cash and then purchase a Verizon MVNO SIM from US Mobile (which I prefer over StraightTalk because they allow tethering).
You may be able to do this in the US for the time being. However, in many countries already – a list that is steadily increasing – you cannot purchase a SIM card without showing ID, a copy of which is made and forwarded to state authorities. In other countries – I know of at least Chile – you may have to register the IMEI of the phone as well.
Hold up. GPS coordinates - yes, but not the sites visited. HTTPS traffic hides the URLs. This is the reason why I can't block anything with HTTPS in it from my Netgear router. By the time the packets hit the router, it's all encoded.
You can hide content, except where the sender is mirroring it. You can hide your DNS lookup by using a DNS aggregator (are you?), unless you are using 1.1.1.1 or something, where the business model is harvesting. But unless you route everything through a foreign VPN, the phone company knows what site you asked for a connection to.
And who owns that VPN, and what is their real business model? The bigger they are, the more their customer list is worth.
Unavoidably if you aren't using Tor the network can see the IP address, which would pin down that this is say, Facebook or Wikimedia, or Porn Hub. On its own you can't be sure this is Wiktionary not Wikipedia, or which type of porn.
In almost all cases the HTTPS traffic uses SNI (Server Name Indication) which deliberately carries the name of the server (the news.ycombinator.com in the URL you're looking at right now) in plain text. This enables Virtual Hosting - otherwise how would a bulk hosting company give you the certificate for bumsex.tinyblog.example rather than cats-in-boxes.example which are run by entirely different customers but hosted on the same cheap Apache server in a rack in Ohio? So that's enough to know it's the English language Wikipedia not Wiktionary or whatever.
But yes, it's only the site and so they won't know (at least just from this) if you looked up Bowel Cancer or Elizabeth Warren; if you are watching a Youtube video about Minecraft or Venezuela; and so on.
Medium term the plan is to deploy two technologies that mean the site's name isn't available, improving privacy. DPRIVE (encrypted DNS, often via DNS over HTTPS) and eSNI (Encrypted Server Name Indication) but while DPRIVE is complete and being rolled out (controversially as you may have seen right here on HN) eSNI isn't finished and is tricky to get right, it may be some years before you get much benefit. We need both for (hopefully) obvious reasons although DPRIVE already makes a lot of cheap censorship options impossible, and making censorship expensive makes it de facto unpopular in democratic countries where voters don't want to pay lots of money for something that seems mostly to inconvenience them. See also: popularity of the American TSA.
Even after all that work is done though, if the mere IP address you're connecting to is enough to be a problem you must use Tor today, and then, and likely forever.
Interestingly the Network described in Stephenson's "The Diamond Age" actually works exactly like Tor all the time, with (apparently) no way to directly send things to an address whatsoever. But this will always be more expensive to do with technologies we know about today, and so it is unlikely that we're destined to replace the Internet with a network that always behaves like Tor.
Working in ad-tech I know these problems are ubiquitous but apart from trying to patch these issues when we notice them in whatever in significant ways we can what else can you do?
Spinning it in a way that doing it becomes a threat to business continuity?
If they’re deducted $0.15 from income, paid to you, on spot each time they query that information, or if it adds 0.015% to probability of their stock crashing in that quarter quantifiably, then I’d expect it’ll be gone forever before any of their C-class stands up for some coffee next time. The reality is roughly reverse of that.
Revenue sharing is not my point. Some platforms do and makes no difference.
What I am describing is a destructive change to revenue streams for ad companies. That is as nonsense as reversing direction of couple major rivers and I know obvious open question will be how in the world.
Paying facebook’s users for facebook’s spy network isn’t quite the right [dis]incentive though. I don’t use Facebook but they still pay others to spy on me. Those others should have to pay me for the spying they do on me.
If you have location history enabled in Google Maps, they tie it to ad impressions and offline credit card transactions they buy from Visa and friends.
It helps some, but not enough. Some of these social networks (such as Facebook) will develop a profile on you whether or not you have an account with them.
Just checked mine. Literally hundreds of entries. 700+
Crikey. Just downloaded all the data and having a browse. 22k line location file (about 3k locations) stored too. I don't have the app installed on any device i own. I presumed the mobile page wouldn't have permission. Checking the data it does seem to stop when I changed phone (samsung preinstall fb app)
$ date -d @1495296127
Sat 20 May 17:02:07 BST 2017
$ date -d @1573424412
Sun 10 Nov 22:20:12 GMT 2019
What are they doing with ancient location data?
Also have every deliveroo purchase I've made in there
they have an entry for every deliveroo purchase i've made
Same here, I have the Facebook Apps but I dont use my Facebook Login for anything, turns out other Apps still get my Facebook login Account info and send my Data to Facebook.
Basically these Apps are betraying me and sending Data to Facebook without my consent.
Majority of the apps with user signup, phone verification etc use the Facebook SDK. So even if you haven’t installed their app, they are probably getting info via those SDKs.
I just got mine too. Under advertisers who uploaded a contact list are pages and pages of US-based businesses I've never dealt with. I assume this is based on the same guy who keeps giving companies my email address by mistake because he doesn't know his own.
Deleting Facebook doesn't mean they won't stop stalking you. In this case it isn't about Facebook collecting data about you, it's about other companies willingly sending data to Facebook. Deleting your Facebook account won't stop those companies from sending data to them. The solution is to stop doing business with all the companies that did share data with Facebook, whenever possible.
> Suppose I go to a restaurant, and I booked using my name and phone number. The restaurant sends that data to Facebook to say "Terence Eden ate at this restaurant on this day."
Do I read this correctly that a restaurant will just dump its complete visitor log to FB and then let FB "sort it out".
Meaning that FB gets to vacuum the info on everyone including those without FB accounts?
Why are all these companies giving data to FB? What are they getting in return? I've looked at this page and they don't mention benefits to businesses at all.
>"see your results in Events Manager and Facebook ads reporting."
businesses want to see if their ads are working. by uploading their visitor records, they can get reports of how many people who saw their ads visited the restaurant.
Better placement in search and greater reach with posts, I'm sure. That's pretty much all FB can use to trade without displaying a currency sign anywhere.
OpenTable sounds like it would be open-source, but it appears that it isn't
I think the parent comment to yours made a sarcastic take using a variation of the popular ambiguity Free as in Beer [1] that usually differentiates between free as 0 cost and free as freedom as a reaction to the OpenTable software being free to use rather than open-source
You go into a bar, you order the IPA you liked someplace else, you see they've got a heap of cans... the bartender reaches under the bar and hands you... an open can.
No right? You don't want that one. Why the hell is it open?
Really what is happening here is that companies that advertise on Facebook push conversions to Facebook to “close the loop”.
Unless a company is advertising a service on Facebook, there is nothing to push to them for this purpose. Are there Yelp and OpenTable ads on Facebook targeting users booking reservations? Have you pulled your results and see those?
So one of the comments on the post got my pressure up before coffee had a chance to kick in:
"It's just offline conversion events being uploaded so you'd stop getting these ads, or so they can market to you again in the future. You purchased this product, gave them a phone number.. Not sure where the issue lies? You agreed to the terms on Spreadshirt which is probably where you opted for marketing."
This is the basic approach. You give it to us. You agree to whatever we put in legalese and now we can do whatever we want. What?
It is disheartening, but I agree with the rest of the posts on HN that it is not at all surprising.
Devil's advocate for a moment: why can't the business do whatever they want with the data? It's not clear to me that I own the data in any single transaction with a business. I could see us both owning it, either shared or independently.
For VISA to sell transaction data, that's one thing. But a business that uses it to run their marketing, using transactions with their business? That seems less clear.
To further muddy the waters, if I can tell the business how they can use transaction data, shouldn't they also be able to tell me how I can/cannot use it? That seems like it would infringe upon bad reviews/etc., but it feels more consistent.
> But a business that uses it to run their marketing, using transactions with their business?
It's about informed consent. The businesses should at least warn their customers that they're doing this, and who they're ratting us out to. That way we can each make an informed decision about whether or not to use that business.
What would be even better is if not only would they have to tell you this, but that you could say, "No. I don't agree to this nonsense" and they would have to refrain. They wouldn't even be able to deny you service based on that. They would, of course, be able to use the data if they needed to fulfill the contract with the customer, or if they had some legitimate reason for using it, or if there was some legal requirement for using it. Otherwise they would have to get consent.
It would be a kind of General Data Protection Regulation. All joking aside, and as much as I've grumbled about implementing it at the company where I work, I really wish this was a thing world wide.
It is a good question to ask. I still am kinda struggling with deciding where exactly I stand on this.
In my case, it always seems to be some sort of invisible line that I can't quite articulate. For lack of a better term, it feels like transgression. For example, I give the business my credit card information, but I don't give them permission to use that card on anything other than that one transaction ( or more if recurring ). If I give them my phone, it is for the express purpose of handling my business. That phone is not there to be sold to the highest bidder.
For the record, I am agreeing with you. The waters are definitely muddy, but we need some sort of enforceable and enforced ground rules.
You are struggling to articulate why it's not okay for a company to quietly hand all of your purchases over to facebook without ever telling you about it or asking you if that is okay?
Neither. I am not certain where the line should be drawn. I am not a zealot. I evaluate both positions and see if there is a way to balance both interests. If there is none, I err on the side of the customer ( ie. me ).
And I am saying all this, because there is a reason for business to gather this information. I am willing to entertain an argument for keeping some of that data for efficient processing of my business. I am less charitable with hoarding data for no other reason than selling me more stuff and or outright selling that information to 3rd party to that in some other way.
So yeah. Neither. But there is a line. I just don't know where it should be.
It reminds me of a landlord who charged me $300 for returning my girlfriend's key late since she was out of town. I talked to him before and he said oh sure, no problem just bring it by the office... Then charged $50 a day. Of course, anyone decent would have warned me or not charged me. His defense for this was that "the contract allows me to do that".
In UK law some terms in a residential lease are considered Unfair and so you (a person) can't agree to them. The lease is read as though those terms weren't there. Landlords responded to this by adding a paragraph of legalese that says you (the signatory) know the terms are unfair but you agree to them anyway.
Judges went "I see exactly what you're doing here, No" and just struck the offending paragraphs and unfair terms.
Of course just because you'd easily win in court doesn't mean they'll stop bullshitting you outside court but some things a landlord might want to do (e.g. kicking you out) already require a figleaf of court approval, and the court ain't going to approve when the contract is clearly Unfair.
When I was younger and rented I ran into plenty of scumbag agencies who tried to screw me over. One of the most popular ideas back then was to charge a high fee for the "service" of photocopying your lease and writing new dates in. The Housing Act says if your residential lease reaches its end date but you're still paying and nobody sent you paperwork requiring you leave then that lease hasn't ended until they do. So no thanks, I don't want to pay £100 for photocopying. If you want this lease to run for another whole year you can do the photocopying and I'll consider signing but I'm not paying you for that.
The government eventually just forbade fees for residential tenants all together. If big agencies want £100 to make a photocopy they are welcome to try charging that fee to the person or company that owns the building instead of the tenant. As you'd expect despite dire warnings from the industry in the end it just stopped charging fees and took a small dent in profits.
Yes, in the state I was living in landlords often include clauses in the lease that are specifically banned by state law. for instance, we had a landlord to say that we had to give them 30 days to move out, but they could ask us to move out with only one day notice. It's not legal and not enforceable, regardless of what we signed.
However, the market is so tilted towards landlords that basically if you want to live somewhere, you sign it. However in court, these clauses would not be enforceable and might be enough to strike down the entire agreement, in which case the tenancy terms become default tenant law.
regardless of the contract, it's very difficult to say that this was reasonable and that he's not taking advantage of us.
I had actually already turned over my key, done a walk-through, and the house was completely empty. It's hard to argue that he needed to charge me $300 to returning a key late. If he had informed me of this, I would have been more than happy to replace the deadbolt for $20 and give him the new keys.
I actually did not see anything like this on the contract. It's also not clear if it's legal in my state. If it's in the contract and not legal, I believe the entire contract is void. In any event, this is a small fraction of the nearly $1,000 that he withheld from us. It was apparent that taking him to court was not going to be effective.
Perhaps ironically, I'm frankly astounded at the apparent naïveté still held about Facebook, Google, et al.
> I have never used FaceBook [sic] login for anything
> Facebook doesn't even have my phone number, only my name and my business email address.
People, if any company has A-N-Y-thing that can be associated with you, online or offline, you have no privacy. None. It is gone forever.
There is billions of dollars at stake for companies to build as complete a picture as possible of you and every detail of your life. And billions more remains on the table. That is plenty motivation to fuel a highly-lucrative market for accurate, meaningful profiling for years.
Sure, there's a long list of actions you could take to begin minimizing your exposure, the practicality of each varying widely. But frankly, most of them would only serve to make going about daily life inconvenient. (And the correlation between effectiveness and convenience isn't 1:1...)
The best case scenario is your data becoming stale, such that its values diminishes to a degree that makes it effectively background noise.
There is simply no means of unembedding yourself. But also, more discouragingly, for most people there is no practical means to avoid being ingested.
You entirely missed the point of my comment when I said
> I have never used FaceBook [sic] login for anything
That was in response to someone saying you could avoid this by not using Facebook login. Maybe before calling out others' naïveté you should work on your reading comprehension.
Fair enough, I misinterpreted the context of your comment. But I wasn’t calling anyone out and my point is still valid regardless. (And besides which, my “point” was just expressing surprise, which doesn’t need validation or qualification.)
> There is billions of dollars at stake for companies to build as complete a picture as possible of you and every detail of your life
Do you mean that purely in the sense of marketing and advertising? i.e. they want to market to me as effectively as possible, so that's why they're going to these great lengths?
Yes. Google and Facebook revenues, for example, are almost entirely from advertising and their ad business models hinge on being able to sell their ability to target very precisely.
Every data point gathered builds towards a more comprehensive knowledge they have on you. It hardly matters if you never log in to a third-party site using credentials from Facebook/Google/etc., that's just icing on the icing on the icing for them. They'll know if you logged in regardless, as long as their widgets or services are in place on a site.
While cookies are certainly the most common means of following you around the internet, there's other means of fingerprinting that, while perhaps not as laser precise, certainly provide more data than most people realize.
Why do you think ISPs are so ardently against people's ability to use them as dumb pipes? And why has the smart TV platform landscape grown like gangbusters (spoiler alert: Roku's CEO has outright said why https://www.theverge.com/2018/7/20/17595384/roku-ceo-anthony...)?
Thanks. Sorry if my question seemed like I was challenging you, I was genuinely curious to know if that was the reason why. Makes perfect sense and your explanation is very helpful.
I like to think none of it applies to me because I don't consume, but that's another story :)
> It goes to show, Facebook's level of transparency of data isn't good enough.
I'm actually quite (pleasantly) surprised that Facebook provides this information, and somewhat curious why the author is angry at them rather than "Lan Tim 2".
The problem is, they don't give me any meaningful data other than a code name and an incorrect date. If they'd said "This is from Company X on or around date Y regarding action Z" that would be more transparent, and more useful.
Fair, but they might not always have that data. As the other examples show, they do provide human-facing company names; perhaps in this case there was none and/or "Lan Tim 2" are the ones that handle all this without Facebook knowing what's going on behind them.
Maybe because Facebook doesn't tell you anything past "Lan Tim 2" so how do you know who to be angry with? Who is "Lan Tim 2"? What business or what transaction is behind that entry?
If Facebook doesn't know this, then things are far worse with Facebook than I thought. At a minimum, they should know who is feeding them data just as much as they should know who they're giving data to.
Home Depot lets you sign up to have your receipts emailed to you. Turns out if you do this they will send what you purchase to Facebook with your email, which was connected to my account.
I use Firefox to avoid being tracked by Facebook, and never login with Facebook. But it looks like I slipped up in signing up for email receipts!
Even if I didn't have a Facebook account, Facebook would still be building a profile on me using my email address /phone number in anticipation of the day I made an account.
"I bought a donut and they gave me a receipt for the donut. I don't need a receipt for the donut. I give you money and you give me the donut, end of transaction. We don't need to bring ink and paper into this. I can't imagine a scenario that I would have to prove that I bought a donut."
--Mitch Hedberg
Mitch Hedberg is great, but I've expensed Dunkin Donuts while traveling for work many-a-time. And HR/Accounts Payable definitely want to see a receipt... even for a donut.
My accountant gets upset if I don't expense stuff like that. If you go on a business trip and don't buy the kinds of stuff the government expects you to buy, then they start to question whether or not you actually went on the business trip. It's not so difficult to book a room somewhere and then change the booking or get a refund. But if you are saying that you went to SomeCity and you buy Dunkin Doughnuts in SomeCity, it keeps the auditors happy. I'm always getting in trouble for that (especially for things like local train tickets, bus tickets, etc, etc).
In an isolated instance, sure. But for those who live on the road, 5 bucks a day (minimum) would add up quickly enough. Those people are usually going to be doing the paperwork for other expenses anyway, so just tag it on.
Prefer a per diem rule. This can be a problem if you're my friend who services CT scanners around the globe because cost of living varies so much (the same price of overnight stay in two cities is the difference between a nightmare hostel and 5 star luxury) but if you mostly do the same trips especially in country a rule that says here's say $20 per day for food is easier than collecting and uploading receipts for every burger and coke.
It's easier for you, and instead of fighting expenses abuse and having a bunch of workers to check the expenses paperwork the business just has an understandable cost when it sends people to do their jobs.
This is seriously just a purchase event for a t-shirt that OP got. There is no mysterious Lan Tim 2 its just a random app for a random merchant that uses FB Ads and uses offline conversion / uploads.
Quite simply so that "lan tim 2" can track their customer acquisition, they give the data to FB, FB correlate it with "did the customer see ads on our network, which ones, how often, etc." and give that back to the supplier.
Which means they are sharing their entire customer activity, everyone, including personal data you never forfeited for this purpose (like the phone number / address used for shipping).
"Some chat apps (like Viber and others) have Facebook SDK integrated in them, without any direct Facebook functionality people would use. Discovered after using NetgGuard, and seeing who is calling home, and not only home. (Why viber is making requests to graph.facebook.com anyway?)
Duolingo is a nice app for learning new languages, yet it might be using the same sdk, since it likes to call facebook.com domain.
Netflix is a good streaming service, but it has some option somewhere, which allows them to share data with others, and enabled by default. And yes, it's present in fb activity.
The list can go on...
There are developers who integrate dozens of SDKs, without any specific purpose for users, and not knowing what is happening. We need something like PrivacyBadger/ublockorigin for phones/laptops/routers/homes/cars. It's getting more than creepy.
And why would Facebook allow third-parties/businesses upload into FB info they have on their customers...
You can't really blame developers for this. Most aren't integrating SDKs for no reason at all -- they're integrating them because users are asking for a feature the SDK provides.
For one app I worked on, we made a decision not to include Facebook or Google login and only support email/password login, specifically to avoid leaking information.
A subset of users was not pleased at all -- and they sure let us know about it. Maybe around a third of our support requests were asking for third-party sign-in. People often made privacy arguments in support of it: they'd say "why do I have to give you my email address to create an account?" (though usually much less politely). And they kind of had a point. You may trust yourself more than you trust Facebook, but most people are going to trust Facebook more than they trust [random developer].
Anyway, it takes a lot of effort to deal with these support requests, it sucks getting yelled at (even in text). Some of these users probably went on to give the app a 1-star rating, and just a small percentage of those will really drag down your overall score. Dealing with this was not fun. It would have been much easier to just add FB or Google login.
Sure I can. And I do. Developers are making these choices, after all. I understand the economic drive behind them, but that doesn't get the devs off the hook.
My point is that some users want Facebook or Google login and get mad if you don't have it. Other users don't want them and get mad if you do. Because you have to decide whether to include the SDK when you build the app, it's impossible to make both groups happy at the same time.
Honestly, I don't think that there's a general expectation in the digital or brick-and-mortar world that when you buy something from a merchant the information related to that transaction is "your data" and they cannot use it. Certainly there are businesses that promise discretion, but that's normally a selling point for a particular reason. On the other hand, there is a reason to expect privacy when you are using Facebook for personal communications, photo sharing, etc. This scheme, then, is the more privacy safe way to do it. The T-Shirt company isn't saying "hey, Facebook, can you tell me some interesting personal info about my customers so I can target ads better?" and Facebook isn't responding with "here's all the stuff they're into based on their Facebook activity." Instead, they say "here are my transaction records" and Facebook says "OK, we'll use this to show your ads to people who are likely to want your T-Shirts." So, yes, to some extent Facebook has data on lots of stuff you do in the world because the businesses you interact with opt-in to share the data. This doesn't really bother me, just like my credit card company knowing all of my purchases doesn't bother me. If it bothers you, though, it does really work to a) periodically reset your IDFA/AdID on your mobile device, and b) delete cookies on your browsers.
> Honestly, I don't think that there's a general expectation in the digital or brick-and-mortar world that when you buy something from a merchant the information related to that transaction is "your data" and they cannot use it.
It would be nice if it were, or that they promised that they wouldn't just hand it out to everyone.
> If it bothers you, though, it does really work to a) periodically reset your IDFA/AdID on your mobile device, and b) delete cookies on your browsers.
> I don't think that there's a general expectation in the digital or brick-and-mortar world that when you buy something from a merchant the information related to that transaction is "your data" and they cannot use it.
True, but that's not the expectation in play here. I think there is a general expectation that when you're doing business in a brick-and-mortar store, that store is not going to be reporting your business to the likes of Facebook, Google, etc.
To fix this by the way, just install the Facebook Container in Firefox. Somebody else (presumably a Mozilla employee?) does the extensive curation needed to get this to work and stay working. You are logged into Facebook inside the Container, but everything else is pristine, on the outside of the Container you can log into whatever and it's not connected back to Facebook.
Firefox's Container system is a powerful solution to this general problem, but normally you need to do curation work proportional to the effort being taken to track you. Their Facebook Container though comes with that curation done.
If you use Login with Facebook (you want Privacy, but you choose to Login with Facebook? Maybe reconsider your life choices) the Container puts everything you logged into this way inside the Container too, so that dissolves your privacy but you chose to have it happen.
They even have a better version, the Multi Container plugin. You can separate multiple contexts (fb, goog, banking, memes..), and each lives in a separate container. Takes a little time to get used to, and if used with privacy badger, ublock origin, FF built-in anti-tracking, might give good results in reducing your exposure to online tracking.
> Suppose I go to a restaurant, and I booked using my name and phone number. The restaurant sends that data to Facebook to say "Terence Eden ate at this restaurant on this day." Facebook can then tell if I saw an advert which led me to make a purchase.
That's just great. So I guess the gift that marketing agencies have given us is that we can't trust anybody. The only thing left to do is go entirely cash-only and never give any personal details to any business whatsoever.
The marketing industry has become so toxic that it is now poisoning everything.
The marketing industry is just an extension of human greed, which has a long history of ruining everything. Things don’t change. They just take on different forms.
Marketing can be legitimate. Marketing includes putting up information about your products and services on your own website that people need to proactively go to to be exposed to. The problematic industry is push advertising, which is pushing information onto people that they didn't seek. That's basically never legitimate.
Not in my area. But if that trend goes so far that I can no longer simply avoid using shops that do that, I can always use a one-off card for them, much like I do when buying things online.
Not sure how you got to that conclusion. A simple ad blocker and not using fb would solve this issue entirely. Transaction data like restaurant purchases is only useful in this scenario if it’s linkable to other online tracking data on you.
That's BS. Even if you don't have an FB account, they can link all the offline places you've been to and purchases you've made through all this data uploaded by merchants.
This data can be sold or leaked. And is readily accessible to governments.
>Browser ad blocker can't protect you from the actions of restaurant staff
Then use a restaurant details blocker? Celebrities have been doing this since the beginning of time. Use an alias. The notion that physical places of business are collecting our data for their own purpose is not really a new one.
Yeah that's not actually true. Celebrities call and give their real names because being famous means there's always a table available even if when there isn't one for regular people. Source: In a past life I worked at a destination restaurant in the front of the house.
Yes I know a guy who looks like a C-list celebrity, he has called ahead and gets a table with bottle service. A little bit of research would show the real celebrity is in another city at the moment but they never do that.
I don't recall that ever happening. I suppose you could although I think most people would be too embarrassed to do so. Seems like a Seinfeld kind of a situation(John Voight's car.)
> A simple ad blocker and not using fb would solve this issue entirely.
No, it doesn't. This issue is unrelated to using the web or Facebook.
> Transaction data like restaurant purchases is only useful in this scenario if it’s linkable to other online tracking data on you.
It's also useful if it's linkable to to other offline tracking. But that's beside the point -- the point is that I don't want this data to be sent to these companies without my consent. Whether or not it's actually useful to those companies is a completely separate issue.
I'm not sure how you are drawing that conclusion based on what this post presented:
>"Suppose I go to a restaurant, and I booked using my name and phone number. The restaurant sends that data to Facebook to say "Terence Eden ate at this restaurant on this day." Facebook can then tell if I saw an advert which led me to make a purchase."
An ad blocker and not having FB isn't going to stop a restaurant from participating in this FB program. And if you follow the short URL of the Twitter user the author quotes, it links to a Privacy International report that states:
Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools. App developers share data with Facebook through the Facebook Software Development Kit (SDK)"[1]
So the combination of some random app on someones phone built with FB's SDK and a brick and mortar retail establishment using Facebook Business Tools seems like it is enough to thwart even a fairly ardent privacy advocate. I'm not seeing how an ad blocker would help against the combination of these two things. It's also well known that FB maintains shadow profiles and buys offline data.
Thank you for the details, but I must still be missing something. FB shadow profiles aren't valuable to anyone unless they also know who you are, which is my point. Say the restaurant sells your transaction data to FB and they add it to your shadow profile... now what? If you're using an ad blocker, FB won't be able to link any other online activity to your profile and ad targeting won't work because you're blocking them.
The next step someone would probably say is that other sites you transact on might also be selling your info to FB, but again how is that valuable if they can't know who you are until you either login or enter your payment details? Generally speaking, your profile info is only valuable for advertising (people want to get you to their property to buy things - once you're already there your profile value is a lot lower). If you effectively shut down the advertising funnel entirely what's the issue here. Yes, it's bad from a general privacy standpoint, but what else?
>"Thank you for the details, but I must still be missing something. FB shadow profiles aren't valuable to anyone unless they also know who you are, which is my point."
Shadow profiles are valuable to FB as it provides data on the interests of a FB user's real life friends. I don't doubt there's categories along the lines of "has 2 or more friends who regularly frequent wine bars in West London" or something similar.
You've made the mistake of assuming that any significant fraction of the population even cares.
Whether or not anyone has this information is totally irrelevant to me, and I'd imagine this is true of upwards of 95% of the population. And hey, if it leads to restaurants bringing in more people, it'll lead to more restaurants I like staying open instead of going under...
I only had half a dozen, all from the last month. This is pretty surprising. I use Instagram regularly, though I only sign into Facebook occasionally.
All of the activity I had was from games that I casually installed and then deleted in the past month. These are games that I signed into with Google Play, which displayed advertisements primarily for Facebook.
Speaking of which, some of Facebook's advertisements are absurd.
"This is a summary of the 285 apps and websites that have shared your activity." hmmm, that's more than I expected. A lot of them are from sites which probably had a Facebook pixel on them.
I have LAN TIM 2 on my facebook account and I have never bought anything from spreadshirt.
Moreover my facebook account is just a dummy one which only has the bare minimum of information to own my business page, which I don't even post to (I have dedicated social media people who do that).
Facebook doesn't even have my phone number, only my name and my business email address.
> I have LAN TIM 2 on my facebook account and I have never bought anything from spreadshirt.
Lan Tim 2 is likely a contract manufacturer. Spreadshirt outsources the production of their t-shirts to Lan Tim 2. Likely, many companies do this as well. Lan Tim 2 probably does more than just t-shirts.
It's like with most craft beer sold in cans. The individual breweries cannot supply the demand for their product, so they have another company that specializes in mass production do it according to their recipe.
The contract manufacturer is likely the one giving data to FB, not the spreadshirt.
I design Ad Tech systems, currently work as an architect for a DSP, and I deleted my Facebook accounts years ago. People who think they are privacy conscious and use Facebook are a living oxymoron.
I moved to B2B, doing ads for companies targeting employees of other companies. Convincing you to buy a bad database is not harmful compared to convincing you buy unhealthy food or feel anxious about not having the latest in fashion.
Have any of the systems you've designed ever been used for something they weren't originally meant for? Will they ever? Do you have any guarantees of that?
You can say that the systems that you're building are not being used in a dystopic fashion, but in doing so you're ignoring the fact that you're still building scaffolding for the rest of the industry.
I agree that sounds less harmful, but why not do something that's not harmful at all? Or maybe even beneficial? Getting a software job is so easy right now. If you don't feel like you're helping the world at all, why do it?
Does B2B advertising still rely on stalking and collecting personal data? Personally my problem isn't as much as what the ads are about and more about the data they collect, essentially creating an ever growing liability for me up until the entire thing blows up when the data finally leaks.
We don’t use fingerprinting besides cookies and don’t rely on third party identity graphs; we have over a decade of experience doing B2B and understand what works. Also, anticipating the death of the cookie, we are moving towards contextual technologies over individual identifiers.
Understanding a company’s buying intent is a whole different ball game, takes a lot of data that doesn’t belong to any single individual. It is intrusive to individuals because we infer your employer, but we don’t care about anything else; we operate at a macro level and that keeps us ahead.
We don’t collect PII, emails, scrap profiles, etc. We are not in a situation in which someone could perform a few joins and know who was reading what, that’s not how we designed it. If anything, we use a lot of financial and CRM data.
Er... maybe you're not being clear in what you do, but when I think of "financial data", I think of information that the general public would prefer nobody outside of their bank would have access to. Am I missing something?
I swear I'm not trying to be overly confrontational, but... what you're saying makes me think that you're just a bad guy who uses naive mental gymnastics to rationalize their dystopic contributions to the world. Please prove me wrong. I want to give you the benefit of the doubt, but... you're not making it easy.
Think industry financial firmo graphics type data. Not your CC transactions.
Also, I am not a moral compass. I have just done enough to feel proud of what I do while still making bank.
Edit: If you're not a moral compass (ie, you haven't put any thought about whether you're actively causing harm in the world), then you should at least try to say that on the onset.
What constitutes financial and CRM data, how is it obtained and how is it tied to a user just browsing and running the JavaScript of one of your ads?
(Not looking for any special techniques or trade secrets, just trying to understand where the data comes from and how is it tied to a pseudonymous browser fingerprint so I can make an opinion on whether I think it’s ethical and how can I defend against it.)
You know better than anyone that deleting your fb account doesn’t really accomplish anything though. All you did was change some flag in their device graph.
If you stopped using facebook it would have an effect, but I don't think deleting your profile does. Your still tagged as the same user, every fb pixel still sends data back about you, and all your transaction are still linked to you.
I cannot possibly believe that deleting your fb account removes all the info about you in their identity graph. It would just convert your active profile to a shadow one.
If I delete my account I stop using it, hence I stop giving tracking data to them and their partners.
Why do you think that cutting that heartbeat signal, even a single login once a month, has no impact? Over time all of the relationships weaken in the data graph. Think of it as bad credit history. After a while, they only use the last set of info; using stale information biases the models and is just expensive.
Also deleting profiles excludes them from tons of data model recalculations since they cannot deliver impressions, it is a waste. Sorry I thought that was clear.
My point was that they don't actually delete your account and so don't lose any data with the exception of your on-facebook behavior. I would assume that your profile still exists and is treated the exact same way as before you deleted it, just with a flag that it was "deleted".
So they still can tie back impressions to your account in the exact same way.
They cannot tie back impressions as they only deliver those on their platforms, they dont’t have an exchange like Google. If you are talking about third party identifier online syncs, any decent ad blocker will stop those. Offline syncs break after time. Data policies don’t allow you to keep anything older than 13 months.
I see the distinction you are making, and it is a very fine one. One hand you have "deleting and not using Facebook" and on the other hand "not using Facebook" - I would say they are almost equivalent to Facebook (since they don't really worry about the Delete flag).
But, once you delete your Facebook profile, you will not revert to logging in occassionally, so psychologically, it does make a difference to you (but not to Facebook).
Exactly ! I don't know why folks want to have it both ways - you cannot separate the good Facebook features from its bad privacy violating features - folks need to choose what shade of gray they are ok with.
Facebook started off as a very white shade of gray and has slowly turned to the dark side, getting darker and darker shades of gray until the present day, when they are nearly black, gamma channel 1/255.
I don't understand your point. In one sentence, you say that we should collectively be more okay with gray areas, but in the next you point out the triviality of going from gray to black. OP is still contributing to a massive surveillance system. I'm not sure why you'd think that leans on the lighter side of gray. Could you explain your point a bit more please?
When the game is at this stage it's better to just not play.
When an advertising platform has to pay fartsniffers to follow you around to offer marginally better ctr than email spam, maybe just don't run ads?
Work manually on growing networks of users, actually walk up to them and chat, talk in relevant business forums and you won't spend thousands of dollars you don't have casting a net in hopes of finding people who more likely than not just don't want to be associated with your practices.
That is very true. Also the Google Page Rank has evolved strongly towards that direction. If you have meaningful content, praised by your peers, you get better organic traffic.
Am I the only one who thinks it would be pretty cool to hook this up as SaaS product that sends me an alert when I get a new offline conversion? Kind of like how my credit card sends me a push notification when I get charged for something. I like the level of transparency it provides.
Then you could also do something on a case by case basis where you can click to say “I don’t want Facebook to have this offline conversion.”
I just checked, and have "LAN TIM 2" and "DiepTrinh" on my list.
The data from "LAN TIM 2" was sent to Facebook on the 5th of March 2020, yesterday that is.
The only stores I've shopped at lately were ALDI and EDEKA, and yesterday I bought a Webhosting offer directly at the hoster's site, no third party involved.
I have never bought a custom shirt.
What I do have is a Motorola G7 Plus, which is filled with uninstallable background services from Facebook. Two days ago I upgraded it to Android 10 and now all those background services, like "Facebook App Manager" or "Facebook Installer", "Facebook Services", all names which truly frighten me, are activated again. I had deactivated them months ago on Android 9 as soon as I got this phone. I really am wondering about the data this phone is pushing to Facebook without my consent.
I really wonder what caused those two entries, I never give any consent to any company to share my data.
God I hate Facebook, they are the cancer of the internet.
From the article, it sounds like Spreadshirt outsources its manufacturing. (Just guessing, but they may even do drop shipping.)
There's no specific reason to believe this isn't the real name of the manufacturer. I tried to find more information about Lan Tim to see if that's likely the case, but I couldn't, but that's not very conclusive.
I don’t have an account, not have i ever had one, but assume they are tracking me in various ways. It would be very nice to see what that is without having to provide more PII.
That’s a bit of a flawed argument. Facebook isn’t the only place online or offline where humans can socialise. Making the argument that staying with Facebook just for one potential (and flawed) avenue for socialising is to ignore myriad other ways to socialise.
Except that it's where the people that I would choose to socialize are. My twitter social graph is has nearly no overlap with my FB graph. For me twitter is mostly writers/literary types, FB is mostly people I know in real life (although most of my interaction on FB has been with interest-based communities for which no analogue exists outside of FB).
That said, I'm doing a social media fast for Lent. It's entirely possible that when Easter comes I might not go back to either Twitter or Facebook.
I deleted my Facebook account some years ago. Even when I had one, most of my friends used it as a micro blog, image host, or free ad platform (e.g. "network marketing"), and the amount of meaningful socializing was slim to none.
Most of my socializing has been and continues to be done in person, over text, or over email. I do miss out on updates from distant family and friends, but the interaction on Facebook was always shallow anyway, so I don't feel like I'm missing much.
Comparing not using FB to complete social and sexual abstinence is quite absurd indeed; like an alcoholic who knows its bad for them but doesn't want to stop going to bars and clubs because they think that's the only way they can socialize and find sexual partners.
I have friends around the world I still IM. Maybe I could get some of them onto Signal or do international texts (Which get expensive) but many of them I can only communicate with via Messenger.
What? Each slack workspace is entirely different. You can't just add someone on Slack!
"Hey friend, I'm getting off Facebook, What's a Slack workspace you're in? I'll send you messages that way .."
...you delete your facebook and never talk to this friend ever again.
It's not that there aren't alternatives. It's that people don't use them. It's not like back when everyone had AIM, Yahoo and MSN and you could add people on all three and group them together in Audium/Pidgin/Trillian. Facebook has literally bought most of the competitors (Instagram, WhatsApp, etc.)
> It's not that there aren't alternatives. It's that people don't use them.
They do if they value the relationship. I left Facebook almost 10 years ago, and the people on Facebook that I had actual, valuable relationships with had no problem continuing to communicate with me though alternate means.
Based on some of the network analysis I did on my phone, I think this is related to Facebook's analytics engine. Most apps I've seen communicate with graph.facebook.com to send telemetry (when which screen was opened etc.).
It wouldn't be beyond Facebook to immediately connect that telemetry to your user profile, making these apps show up in your profile.
Why would Google send anything to Facebook from its Home app ( the one used to control Chromecasts )? It's beyond short sighted to feed data to a competitor.
They have the same customers and customers have a finite advertising budgets. When Facebook gets more Google data it benefits the "result" of the ads on facebook which in turn over time gets more $$ shifted there.
1. Who knows what data Google is giving back in return?
2. Neither want a monopoly. A duopoly is far more resistant to regulation.
3. Many business will advertise on multiple channels. So long as they edge out the others it's fine by them. They know they are the two premium outlets.
Root your phone and use a community made ROM? Vendor bloatware that comes with your phone is and always has been garbage. The only reason phone vendors have to develop and ship apps on their phones is to sell you out, to improve their unit economics.
This seems like a decent level of effort to build out especially if it’s to become an effective thing. What’s driving it, is it to show that facebook ads are delivering a total value in excess of the online conversions? Is this being done because there’s questions over Facebook ads value return? Are we sure that Facebook ads even do deliver good value prop, like is this program showing successful linkage / is that linkage ad-related or organic?
A bit off-topic, but does any one know how to get to the Off-Facebook Activity page by clicking through the interface? I've only seen links to it in articles, but I'd like to be able to show it to people who are logged in to Facebook.
If you have given the FB website permission to use your browser's location, then it could track you. If you haven't, the best it can do is IP location.
For example, if you try to login from an unknown computer, you'll get an email asking if it was you - that usually contains a rough location based on IP.
This reminds me of a meme, "My wife asked why I spoke so softly in house, I said I was afraid Mack Zuckerberg was listening! She laughed, I laughed, Siri laughed, Alexa laughed"
A while ago, I switched to per-site email addresses and a burner phone number I give to anything that isn't a financial institution or healthcare provider.
Even if Twilio did leak the fact that the author signed up to Facebook it is still a lot better than leaking every single merchant to where the user has been.
I am aware of this. I just don't understand what Twilio will gain from sending every single phone number you provision through them to Facebook or another advertising partner. It would actually pollute the data if they were to send these events from a high-volume customer that resells Twilio numbers to their own customers (who aren't doing business directly with Twilio and most likely aren't aware of it at all).
This is in blatant violation of GDPR. At what moment did you as a user authorize Spreadshirt to communicate your private information to its partner "Lan Tim 2", and how does "Lan Tim 2" assume it can transfer your data to Facebook?
Lan Tim 2 was a subcontractor for the merchandise, and probably shipped it themselves. I'm no expert on the GDPR but I'm sure it has some kind of carve out for this kind of (very traditional, very routine) business arrangement.
The sharing with Facebook seems presumptively illegal. But I'm guessing the author isn't in Europe.
Nope, GDPR (and similar legislation before it) is explicit, you (even an individual "Sole Trader" in the course of business) need to explicitly get permission to store or process people's personal information and you need to explain what will get done with it. You can't say "Eh, you know, stuff" and you aren't allowed to change your mind without requesting fresh permission (which obviously most users won't grant). You also need to make it possible for anybody to see what you've stored about them, and ensure you fix any mistakes promptly.
You might get away with being somewhat vague about who needs it, e.g. maybe you can say "Our delivery contractors need to know your address" and not spell out which companies you've contracted with for delivery. But it's on you, the outfit the user gave their personal information to, to enforce that e.g. "This phone number is for calling our recipient about the delivery, you can't keep it after the delivery is successful and you can't give it to anybody else" through contractual arrangements or whatever other reasonable legal steps.
I am in Europe (though it's England, so eventually no longer subject to EU regulations sadly but it does have a Data Protection law anyway) and I see this "Lan Tim 2" crap in my Facebook as well. If I have bought anything from Spreadshirt it was months (maybe years?) before the supposed "Off-Facebook interaction" listed by Lan Tim 2.
I actually wouldn't be astonished if this comes down to:
* There's an incentive (maybe not by Facebook) to create tremendous numbers of "Interactions".
* It is possible to create fake Interactions by generating garbage, e.g. lists of randomly chosen phone numbers or email addresses and sending them to Facebook.
* So somebody creates accounts maybe initially with real business names "South China Air Freight Inc." and then they get lazy "So Lee" ... "Lan Tim" ... "Lan Tim 2" and they upload random garbage to harvest the incentive.
* This publicity drives Facebook to eliminate the incentive or make it too hard to upload garbage so that the incentive isn't worth it, and the "problem" goes away.
Ah! This might explain some of the weirder "wow, how could Facebook have known about this short of using the microphone" moments that I've had recently... well, short of either (a) using the microphone or (b) grovelling through vast piles of much more easily accessible external-to-Facebook data. Interesting.
This is a good reason to use a service like Burner ( https://www.burnerapp.com/ ), and also probably to cycle your GSM handset number at your carrier multiple times per year, as TFA notes. (Switch to TOTP or U2F for two factor.)
I already use anonymous single-use email addresses for a lot of services (anonaddy.com is good for this), and I think in the future I'm going to just decline to use anything that demands a phone number of me. Far, far too much of it is being sold to third parties as soon as it's obtained by these companies.
Ironic that the service that's supposed to protect my privacy redirects me to a tracker (adjust.io) when trying to download their app. I'm also willing to bet good money the app itself will have creepy tracking built-in.
OKCupid is making a lot of noise these days about requiring a phone number, right after Facebook themselves had a massive breach (267+ million numbers):
Either it's a bizdev scam that they're all trying to get in on, or they're clueless. I lean toward the latter but expect it to be the former. Surely they can raise ad rates with the extra PII, I'm guessing?
What would a "Real Privacy Problems" website/blog, aimed at individuals/consumers, look like and need to do to be an effective site to a) inform, and b) empower people to hold companies and our governments more accountable for the regulatory and industry environment in which we operate, and c) empower those individuals to make the changes in their own tech and behavior to minimize their own exposure?
A few comments and op were trying to align dates listed in fb to dates they made purchases based on cc data and haven’t been successful. I don’t know if it’s the case here, but working with dates in facebook ads is a bit of headache. Those dates might be when the transaction was made, when it processed, when the product was shipped, when the user first saw an as, when they last saw an ad, etc.
You need something like Multi-account Containers in Firefox to fully isolate Facebook from anything else. Basically if you are signed into Facebook in the browser, they can track you across any sites that use their Like buttons, comments or just tracking pixels. Some of it is blocked by Privacy Badger, FF built-in tracking protection and the like, but not all. By using a container to isolate Facebook's session from other tabs, you can prevent that.
You have little control over businesses transmitting purchase data to Facebook or other data aggregators.
Best you can do is withhold information at time of purchase. Use cash, don't give your email, phone number, etc.
Some businesses are clever and dangle a carrot with the request for PII such as emailing you the receipt or texting you status updates. You will have to learn to be "that guy" and politely refuse, or give bogus information.
I made the mistake of using the same "throwaway" email address for Facebook as all my online orders. Of course many of the stores uploaded their data on me to Facebook...
The bitchy thing is, even an Android app like MX Player or Maps.ME was sending events to Facebook, but FB's JSON just said "custom event"...
I don't know the technical details, but the name itself looks like Vietnamese name, stripped from Vietnamese accent. The one with accent might be "Lan Tím 2".
Also since it is related to Spreadshirt, many Vietnamese are working in t-shirt making MMO, which make it even more suspicious to me.
It's really pretty simple. If you use Facebook to login to other services, they're connected. If you're concerned about it, don't use Facebook as your ticket to all the other services out there.
It's not just about facebook logins. Any website that you visit can send information to facebook and that's where most of these websites are sharing info with facebook.
I just checked my own off-facebook activity and I am blown away at just how much information is available on me. They have a fairly concise list of all the websites that I have visited in the past month, none of which I used facebook for logging in.
Facebook has your phone number even if you've never used Facebook, because all of your friends that have your name and phone number in their address book uploaded their complete address books to Facebook.
Then, when you use another service, and don't even create an account or log in, and simply provide that service with your phone number (e.g. OpenTable, Deliveroo, AirBnb, others), and then that service provides a complete log of all of their transactions to Facebook with phone numbers and email addresses, now Facebook can associate your purchase history with your name, email address, and phone number provided to them by your contacts. It's called a Shadow Profile.
It has nothing to do with "us[ing] Facebook as your ticket to all the other services". They track you even if you don't have a Facebook account at all, and don't create accounts on other sites, simply through your telephone number or email address. I wouldn't be surprised if they're also storing credit card numbers (or one-way hashes thereof) to cross-link purchases, too.
Not using Facebook to log into services does not exclude you from this. Almost all mobile games I've used (and only those) are listed on my FB activity despite not giving them my login or even having the Facebook or Messenger apps installed.
I think this may be by correlating the Android advertising ID?
Interesting … it occurs to me that Signal ties everything to phone numbers, and is presumably able to see which phone numbers are communicating with one another (since they route messages between accounts and don't use private information retrieval). I wonder if they resell any of that information.
Signal doesn't know who sent most messages between friends.
Signal users have a "profile" which is encrypted, and their device can give the keys to other people. By default it'll give keys to Contacts you message on Signal, and this encrypted profile has more keys and tokens inside it that people can use to send you stuff. So when you send a Signal message to your friend Alice, what Signal sees is that somebody sent this encrypted message, which comes with a token proving Alice authorised somebody to send her a message.
Alice's device decrypts the message, and in doing so it decrypts a MAC which it can then examine to prove that this is a message from zeveb (or Alice has faked a message to herself but like, why?). Signal never learns who you were in this process.
So, if you use Signal to communicate with strangers and they haven't overridden the defaults (you can say you love strangers and don't mind spam, in which case this Sealed Sender technology works for anybody sending you messages) they would if they wanted to be able to figure out this relationship, and then monetize it. They explicitly promise not to, but I guess if you want to you could believe that Signal is the problem and we shouldn't worry about Facebook.
I definitely have a bridge for sale you should enquire about, also that big iron tower in France? I can get you a good deal on the scrap.
> Signal doesn't know who sent most messages between friends.
Why not? They know which device sent the message (because Signal were sent it) and they know which device received it (because Signal sent it). I know that they have some really clever ways to forget the sender information and still route the messages, but we really don't know that they actually do forget it.
> They explicitly promise not to, but I guess if you want to you could believe that Signal is the problem and we shouldn't worry about Facebook.
I think Facebook is a far greater problem, but I also worry that Signal is a problem too. It's not either/or but both/and.
> They know which device sent the message (because Signal were sent it)
"Which device" here meaning they have an origin IP address for the traffic? Is that what you think most people mean by "sender" ?
Like, who sent this postcard "A pillar box in Westminster, London" ?
If your quibble was that this isn't technically completely anonymous I'm down with that. But the original claim was that Signal can tie this to a phone number, and "We could tell the IP address of the sending device" isn't that at all.
If you are worried about IP addresses then just as with literally everything else the only effective way to hide your IP is Tor. But then why bring Signal into this?
It's shown on my account too, it's the only thing shown. I use a Container to ensure Facebook doesn't connect my presence there to anything else, but evidently "Lan Tim 2" wasn't fooled and somehow connected... something to that account.
I also have access to an account for a fictitious member of an old web comedy group I was part of. They don't have anything from Lan Tim 2, but Lê Linh did register some "Off-Facebook Activity". Which is impressive for a person who doesn't even exist. Good quality data, obviously, from both Lan Tim 2 and Lê Linh.
I've never made a Facebook account because I haven't wanted to agree to their data collection practices, terms of service, privacy policy, etc. How can I see what they have on me without agreeing to those things? (At minimum they should have records of their attempts to recruit me as an employee, but I never initiated those and never proceeded beyond a polite "no thanks" email reply.)
I don't get the benefit of GDPR or CCPA since I live in Quebec, Canada rather than the EU or California. But, I wonder if there's a way for me to send a request based on Canadian or Quebec privacy law, since they do have an office and plenty of users here in Quebec? Or have they effectively firewalled that stuff off from whatever entity controls or processes the data?
> How can I see what they have on me without agreeing to those things?
You can't. It's part of the perversity that is Facebook -- in order to be able to see (and delete-ish) the data they have about you, you need to sign up for an account and give them more data about you.
Other situations where Facebook processes data sent by third parties to show relevant ads for said third party and not use the data to match for other ads is also legal under GDPR, since Facebook only acts as a data processor to act on behalf of said third party.
When ordering from Spreadshirt, you may be ordering from a partner that uses Facebook for Business and their privacy policy apply to you. This is also stated in Spreadshirt's privacy policy.
GDPR is not an umbrella protection for all type of tracking, even though it usually is brought up as such. It only makes sure you have insight in what is getting shared, a way to export, modify and delete said information. In shop/partner situations, you have to contact the partner to request deletion as the shop is not responsible after your approval.
I may be completely wrong, but this is my general understanding.
Just putting it in the privacy policy isn’t good enough. The general consensus is that unless you’re claiming another legal basis for your processing of data (which would be hard to argue here), consent needs to be informed, opt-in, and granular per usage. I don’t see evidence of that in this story.
the fact there is no "household" or "user targeting" to be found in this comment thread with currently 265 comments tell me there are only clueless pundits.
every single advertising company already sell advertisements by "household" where they clump together all accounts assumed to be from one user and their family/roommates, effectively going back to aggregate IP targeting, but not saying its using IPs because that tarnish things with GDPR et al.
also, even if not using household, they sell by "people targeting" vs the old "device targeting", which again breaks all account separation people here assume.
I strongly suggest people minimally interested in privacy or advertising to create an account with any advertising network, or at the very least look up youtube videos on how marketers create and target campaigns.
When there are $billions$ of dollars at stake for this type of information, you can guarantee there will be many companies attacking this problem.
Therefore, not to be a pessimist, but if you think that 1) using a fake cell number on Facebook is going to help or that 2) there aren't services like Google doing this already, potentially with just as good match rates as Facebook, or 3) that using Firefox + adblock is all you need, then you're going to be constantly plugging holes in a leaking boat.