Why is there a TikTok tracking pixel on UberEats what is this crap? (githubusercontent.com)
454 points by cmoog on March 6, 2022 | hide | past | favorite | 215 comments



As someone that has spent a sizable amount of my career in ad products, the outrage here is kind of (sadly) funny. A conversion pixel? Hah, if you only had an idea of what the Facebook data faucet looked like in 2007-2017, your hairs would stand.

Pretty sure they were breaking all kinds of PII laws.


> Hah, if you only had an idea of what the Facebook data faucet looked like in 2007-2017, your hairs would stand.

I really don’t understand the goal with vague statements like this that can’t even provide the slightest hint of specifics.

What specific data? Even a single example would make this anecdote useful. Instead it feels more like a brag. “I know something but I’m not telling” but in this case the commenter doesn’t claim to have worked at Facebook (just the industry in general) so I suspect it’s hearsay anyway.

> Pretty sure they were breaking all kinds of PII laws.

Given the way Facebook has been under the microscope and dragged in front of Congress, I’m going to assume that their corporate counsel was very careful to provide at least a best-effort attempt to comply with every law available at the time. It may not be popular, but I really doubt Facebook was violating laws for a decade straight as the largest player in the space.


The interpretations in 2018 from the Six4Three emails released through efforts by a British MP were the most damning on this point.

Key points: https://twitter.com/YBenkler/status/1070337233159372806?s=20...

Here was one thread of highlights which is still somewhat readable: https://web.archive.org/web/20181206132832/https://twitter.c...

Germany banned their cross-site data sharing/reciprocity, such as from menstrual cycle-tracking apps which had come to light (maybe separately), in 2019: https://twitter.com/YBenkler/status/1093495901342126080?s=20...


I think you’re giving Meta a break with best intention operation. I really think web tracking is much more nefarious than you are giving credit to.


> I really don’t understand the goal with vague statements like this that can’t even provide even the slightest hint of specifics. What specific data? Even a single example would make this anecdote useful.


A lot of people talk in broad strokes because if you use their marketing platforms you can see exactly what data is being mined. You can posit their ideological, political, and personal stances. Their friends, family, and pay more to reach people that are shown to influence them. You can choose their region, their income, their habits, hobbies, and kinks.

You can quickly create an account and look at their self-serve ads. There's no reason why anyone needs to try and "guess" what these tracking tools can do. You can just go to the endpoint of that collected data and just see what you can target.

It's better now but before you could do EVEN more. But better in the sense that someone who needs a limb amputating to stop gangrene setting in is better.


Additionally, there are different means to the same end, so being vague is keeping the discussion focused by keeping it about the general practice instead of offering details that could easily derail into unproductive commentary. The ad firms probably move things around all the time, but the gist of it is, if your browser requests a resource from a server with a little metadata, god knows what’s being done with that from there.

The ubiquity of user tracking is extremely useful yet culturally absurd. Now that’s ambiguous ;)


No one said anything about "best intentions" or "non-nefarious". They said "legal".


Nefarious is defined as wicked or criminal. My usage was specific to the latter definition and not the former. I said nefarious and chose the definition that implies “illegal”, but instead of having a conversation on the topic you chose to pick at specific word definitions.


Lawful evil.


Why do you give them the benefit of the doubt? There are countless examples of this kind of behavior in top companies.

The difference when it comes to other industries (e.g. food) is that the regulation has had time to develop, and most legislators understand the concepts. So it's harder to cheat.

Forgetting someone's opt-out preferences by mistake doesn't ring as severe as using light carcinogens in your food mix.


It’s pretty straightforward and no secret. All those “share on Facebook” widgets you used to see everywhere are also tracking users. Since they’re embedded into basically every site ever, and each hit to the widget goes to facebook.com (so your browser helpfully sends their cookie along with it), that means Facebook knows who you are and what sites you visit without your consent or intervention, and uses that to sell targeted ads. They even have a profile on you even if you don’t use Facebook.

It’s changed a bit recently with GDPR, the Cambridge Analytica scandal and some third party cookie privacy stuff so it’s a bit less insidious now, but it’s still pretty bad.


Reminds me last week I was looking at parts on a chip maker's website and wondering why page updates were taking so long. It's because at work facebook is blocked.

Frankly I do not know why corporations don't block facebook as a security risk. Seriously that stuff is bleeding info on what your employees are up to.


The amount of client-side JavaScript code that inconspicuous Like button loads is unnerving.


Doesn't matter much. Now it'll just happen server side where the server sends the same types of data directly to facebook. See the facebook CAPI. Basically a server side implementation of DataLayer and such...


I'm not particularly surprised. I always knew this day would come. In fact, I've been wondering why they haven't done this for a while. Maybe it's time to invest in a good VPN / Tor.


> if you only had an idea of what the Facebook data faucet looked like in 2007-2017, your hairs would stand.

I'm pretty sure everyone of technical aptitude knew Facebook's data faucet. But maybe I missed something.

As far as I know, Facebook:

a) Had all the freely provided data, PII/likes/social graph/etc.

b) On Facebook's site or mobile app, they were fingerprinting your device, examining your scrolling/mouse/clicking/other inputs to determine attention on a page

c) Could recreate most nonusers' social graphs just by seeing them as endpoints in registered people's contacts

c) On the web, had "like" buttons or ads and their code pretty much everywhere. Therefore they could track most people to most sites.

d.1) Sites could directly provide more information to allow retargeting

d.2) Sites could directly provide more information through a host of other services FB offered to the developers

e) On mobile, in the background, scraped your contacts, GPS, nearby devices (other phones, WiFi, Bluetooth, although tower information may or may not be included). Also, it was installed by default on a lot of phones

f) On mobile, provided libraries people could import into their apps, mostly but not exclusively for ads. This let them get similar insights into usage patterns as on the web. Also, if people didn't install the FB app, let them get (e)

g) Used your real identity to purchase information about you from the various realworld data merchants

Which did I miss?


This is an excellent summary.

I don't think you missed anything substantial... but I'll add two extensions:

(1) Social graphs change slowly. And they still own Instagram, so for many users they have a live social graph still.

(2) Facebook Pixel is dead. Long live Facebook Pixel!

The Facebook Pixel is now (or at least nearing) effectively dead on modern up-to-date devices running ad blockers. Of course that leaves plenty of desktop machines where people aren't running ad blockers.

But more importantly, Facebook has acknowledged the elephant in the room and moved from client side to server side with Conversions API (CAPI) (aka the new "Facebook Pixel"). And there's nothing ad blockers can do about server-side analytics...


I left out Facebook Login. That may be a help as well, although I don't think they get much from that they don't get from the other integrations in mobile apps/websites already.


> As someone that has spent a sizable amount of my career in ad products, the outrage here is kind of (sadly) funny

Imagine gloating and being proud of such a career.


I didn’t get the sense that he/she was gloating. Just citing their expertise.


Whenever someone claims expertise in a way that is so vague and unverifiable that basically anyone could have made the claim, really, it is not a citation and not a sign of expertise. But it is very sketchy.

In a completely different matter, I worked on high level space programs in the late 1970s and if you had any idea about the information that the government is hiding on extraterrestrial life TO THIS DAY, your hair would stand.


[flagged]


Ads themselves might be fine to you (I disagree). Breaking privacy laws, spying on users, and dark patterns to trick user into "consent" is not.


Alas, the modern ad industry


And one need have the other so I can't imagine what exactly it is you're talking about in the context of a reply to the statement "Ads are fine."


Ads targeted based on the content they are placed next to don't need to track anybody. While they might be annoying (i.e. take up space / time) they don't have any privacy concerns.


> they don't have any privacy concerns

Depending on how they're served to the end user.


>Ads are fine

You work for Google; of course you find them fine.


This comment adds little more than name calling. Can ads be annoying? Yes. So is paying money for the things you enjoy. Very few online businesses have been able to find a business model that does not amount to selling ads or selling links. Some people find ads more intrusive than others but personally I find paywalls to be much more of a nuisance than seeing a banner ad. If free as in beer comes at the cost of hearing a sales pitch then I am personally fine with that.


Ads aren't just annoying, they're often malicious and downright dangerous. Linking to apps with 0 click subscriptions, illegal porn or with recurring card payments and banking trojans. God forbid you're in the crypto space, every fucking ad is a scam or malicious, people lose their whole life savings to scams pushed through Google ads every day and there is no easy way to stop them. I run an ad blocker because Google is useless at stopping illegal scams and has been for a very long time. Google should have a policy to ban any crypto service's name from adwords unless the ad is verified as coming from the service the word is about. It's not rocket science, but it'd hit the bottom line so until then eat adblock.

I've been a victim of google's vastly inadequate ad vetting on at least three occasions and I'm pretty savvy.


That's a lot of words, and I'm sure the pain you feel and need for Google to maintain a registry of crypto ads you find acceptable is real. But, an excuse is an excuse.


I don't think that follows


I used to tell people if they know how ad tech worked it would be banned tomorrow.

I doubt it's on FB during that period though?

I would guess though that a bunch of health tech sent (perhaps accidentally just not understanding) a bunch of patient data though. Seems they are the responsible party.

There's been other examples beyond FB of 'auto track' too. devs just don't know or forget to turn it off.

Not to mention for some reason at that time putting a FB like button on all the porn. Who clicks that?!?!


> I would guess though that a bunch of health tech sent

I worked for a "healthtech" company in London at the beginning of the pandemic. They had the Facebook SDK malware embedded in the app that people were supposed to use for GP consultations.

I don't believe any explicit health data was sent (there was no intent to do so, and I’m not sure if that would even be possible), but merely the fact that I'm talking to a doctor (and the current time, location, device fingerprint, etc) is not something I'd like Facebook to know.

I know breaching the GDPR is basically the norm in any tech company but I thought that being involved in healthcare would make them super risk-averse and make an extra effort to comply.

They were not alone in this - PatientAccess and a bunch of other sites - that you can use to book GP consultations (including through the NHS - UK’s socialised healthcare system) had a shit ton of such trackers too, obviously loaded before any GDPR consent could even be obtained.


I don't know as much about the app SDK, but from the pixel it used to auto detect things like form fill ins, clicks, url params, urls etc. So there is potential it incidentally collected something bad!


"I don't know why you are upset that I'm stabbing you when I've been poisoning you all these years ha ha ha".


Not really accurate analogy. More like “you’re only finding out today that I’ve been poisoning you the entire time?”


pedantic


In other words, victim blaming.


No. Lol.


Well I am ready for my hairs to stand up. What did the data faucet contain?


Not OP, but somewhere around 2010 I tinkered with creating a game for Facebook. I signed up for a developer account, spent some time with the docs and built a toy app.

It was a straightforward call to get info about the user, including name, email, interests, etc. Their friends list. Info about all their friends, including all the same details. And so on.

There was a EULA where the developer had to promise to delete all the info when the user signed out of the game, and not to share the info. That was the only security.

The project fizzled, but when the Cambridge Analytica news broke, it confused me, because my recollection is EVERYBODY had all those lists of user info. Seriously, tens of thousands of different companies, with the only thing stopping them was a pinky promise.


This is all true, but to get that data you had to run an app on Facebook. To my recollection, you could not grab this level of data with a Facebook JavaScript tag on 3rd party websites. Facebook offered this data on-platform to convince organizations to drive their audiences to Facebook.com instead of their own site.


We used to have access to individual demographic data for breaking down your analytics and ad targeting, as well as being able to target users based on their specific email address or phone number. We could also target your friends.

From memory this has now all been rolled up into cohort demographics and 'look-a-like' audiences so you can no longer break your data down by specific users demographic attributes or target ads by say an email list unless they are already your users (and it's used for specific types of ads; retargeting).

From memory some of the more unsettling breakdown/targets were

  - Ethnicity
  - Life events
  - Politics
  - Pages (so other businesses) they had liked

I worked for a pure play furniture retailer where you used to be able to do things like buy email lists from price comparators of gas/electricity/home insurance with additional data like your postcode and then upload it to facebook and specifically target everyone with a FB account under that email/phone number with furniture ads. As the assumption is that if you're looking for gas/electricity/home insurance you're likely to be moving home or at least be a person who had some need for furniture.

Now they just use the facebook pixel to put you into look a like audiences because they can see you went to the home insurance website and the real estate website (they all have the pixel installed) and make the same broad assumptions we were previously making but on the cohort and not your specific unique identifier.


That's... not that interesting? At least not on the Facebook side of things.

Why shouldn't I be able to advertise to people who have recently marked themselves as married, or who liked the Yankees facebook page?


You should be able to advertise to people that are Yankee fans on facebook, but you shouldn't be able to get John Doe's email address from the Yankees fan club directory (not on facebook) and directly target them with ads if they have zero relationship to your business.

You also shouldn't be able to upload a list of email addresses, target your ads to them, and then use Facebook's analytics to see how many of those people have divorces or an investment property via the segmentation analysis. Depending on how small that list is, a lot of that data starts getting very specific to an individual.

Facebook obviously also thought you shouldn't be able to do this since now you can't. Everything is now cohort and look-alikes.

Additionally you're acting like Facebook is only putting you in the ‘recently married’ bucket if you marked yourself as married. Facebook is smarter than that, they are putting you in these buckets based on your messages, instagram activity, and browsing behaviour, not necessarily based on public information you expose in your profile.


>- Ethnicity - Life events - Politics - Pages (so other businesses) they had liked

The above is all frowned upon (for the record, I 100% agree). What is interesting is, our civilization has evolved to frown upon the above "categorizing" of people, but from that list only ethnicity is not choosable by the person.

I.e I can mostly choose when I get married and to whom and which party I support but I def cannot choose my race. Yet the above is all considered 'equally bad'.

Just something I noticed.


Any developer can still send almost any data they want into FB to track basically anything.

'offline conversion' still allows you to send in names, age, bday, gender, etc for matching, IP, UA.

Though now it's hashed before going to FB.

And you can pass almost whatever custom data you want in. So I can in my industry optimize for a long term political donor, or potentially an early vote. Or someone accidentally sends in 'this person bought hepatitis meds'

This still exists despite what someone below said, unless I'm totally missing or misunderstanding something.

However it is not as valuable, and the audience able to be delivered to is shrinking because of iOS restrictions. And likely with Chrome too eventually.

FB used to have more detailed interest/demographic buckets to target that they supplied. Used to be able to type in basically anything from what someone likes ___ very niche page to engages liberal political. There are still interests but there are fewer of those 'sensitive' ones. Still lots of stuff like works at ___. of course age, gender, geo.

But more fine grained interest targeting seems like going away pretty soon it's just going to be broad demographics.

The ROI is just not as good without iOS fine grained targeting; FB is having to do a bunch of tricks with AI/modeling to try and make it perform but it's not as good.

I'm for targeted advertising. I think what iOS is doing is uncompetitive and bad.

But I do think there should be some sensible regulation. Like no healthcare or sensitive topic data (LGBTQ, dating, etc).

** ADDITION sorry this is long but one additional thing: I think people are also confusing the ad product with the old FB api.

The old FB api was an absolute sieve; you could get basically any data a person has on their profile and also their friends' data. This is what happened with Cambridge Analytica.

All that has been shut down even login with fb they are way more strict about actually testing sites etc


> Though now it's hashed before going to FB.

It is however an easily-reversible hash, by design as that's how FB can correlate between the different datasets. When it comes to finite sets such as phone numbers or dates of birth it's also trivial to search the entire space by bruteforce.


IIRC it's sha256. Is that really reversible now?

For sure on a rainbow table for something like cell phone. but i don't know why that would matter? Anyone can generate all the possible phone numbers.

The whole point is that it is matchable. Like if they already have my email then they know if it's a match, but if they don't have my email they don't know what the missing email is.

Like what's my email from this (without knowing my email) below: 2c03e4a168bed89f5208250cdefbe97d4d87ba7812df896311676acc2ddfcdb4


Depends, for DOB and phone numbers the search space is finite and very small for a modern computer (especially so for a big tech adversary having access to near-infinite computing power) so you can just enumerate all the possibilities.

Names and emails can be bruteforced with various lists from existing data breaches or data brokers and you'll probably reverse 80% of them.

However reversing them is not even necessary - an adversary like Facebook can infer it based on other data, for example, let's say they know your phone number but not your email - now you buy/sign up to vendors providing both that phone number and email and they provide it to Facebook - now Facebook knows that you signed up to those vendors with your number (as they have the plain text value, can hash it on their side and compare), but they also see that there's a mysterious email hash - they don't know its plaintext value, but it perfectly matches the same vendors that have your phone number. They can infer that it's probably your email address, and while they still don't know what it is, they can use the hashed value to track you across other vendors without ever having to know the plaintext value.


Right. That's kind of the whole point of FBs value. Or at least used to be before iOS started killing that targeting and conversion tracking.


What happened in 2017?


I would guess that's when the Cambridge Analytica thing became well known, where they were using Facebook's network/data graphs to compile their own compiled and targeted data.


GDPR maybe


What does it say about TikTok's tracking pixels in UberEats?


Nothing. Because TikTok didn't put the tracking pixel there, UberEats did. It's from an advertising campaign that UberEats is running on TikTok. They need to relate "conversions" (ie: people ordering/buying shit) on their system with whichever ad they were given on the TikTok side.


The solution to this is simple though by no means easy: treat ones digital data as private property.


I don’t see why that would solve the issue. your browser is communicating with facebook’s servers, so if they log your communication it’s not exactly a violation of your private property rights


In principle, sending your data in a way that's decipherable to the backend isn't required. WhatsApp encrypts (or at least used to, not sure about now) messages.

And no doubt it's not compatible with their current business model. Which is the point, it's a model that exploits property that isn't theirs for unfair gain.


What PII laws are there in the US?


https://oag.ca.gov/privacy/privacy-laws # California State summary


But when was that enacted and put into force?


I'm no ads expert but my guess would be they run ads on TikTok and have the pixel on UberEats to figure out the conversion rate on those ads.


This is it and is how the online advertising industry has worked for over 25 years.

In its simplest form the pixel is used to attribute an ad view/click to a conversion event. At the beginning of the online ad industry that’s all it did, advertisers for the first time had the ability to directly, in real time, see the effectiveness of their ads. The economic value and GDP generated due to this innovation is immeasurable, the internet economy is literally built on it.

At the beginning there was no profile building, combining with PII and data gathered from social media or even your gmail emails (yes the content of your emails). And it was magical!

It’s the innovations since that have moved the entire industry through a grey area into the blank where the way they operate is questionable at best.

The point is, this tracking pixel on its own is incredible what it unlocks. It’s the way that data is then used that we have to call into question.

Personally the simplest form of attribution to me is fine. It works and I don’t believe it’s invasive if they aren’t then combining it with pii and profile data. Sadly that time has passed and all advertising networks now rely so heavily on ML/AI that it’s impossible to manage them, as an advertiser, in the way you used to. Hopefully regulation will push the industry back to where it was.


This is also why even Apple and Mozilla (companies with a vested interest in harming the ad ecosystem) are pushing for various privacy-preserving ad attribution technologies. Nobody objects to UberEats knowing that their Tiktok ads are working or not - they object to Tiktok cross-referencing the data from UberEats and everywhere else to build an interest profile on them.


That’s not really how it works though. Uber would never allow TikTok to take and sell Uber’s own data, that’s just bad business. Secondly the only data that TikTok would have access to in such a scenario would be whatever campaign data Uber send them in the conversion request, which again, is not licensed for reuse. All anyone cares about is knowing how many conversions occurred and which targeted “audience” those users were in. Oftentimes it’s the advertiser who is bringing those with them - say, a list of emails or phone numbers they want to target. Again, the ad platform is not just taking that data for themselves, because they would not have customers for very long if they did that.


> Uber would never allow TikTok to take and sell Uber’s own data, that’s just bad business. Secondly the only data that TikTok would have access to in such a scenario would be whatever campaign data Uber send them in the conversion request, which again, is not licensed for reuse.

Is this based on your knowledge or experience in the ad industry? Or just your intuition on how it should work? What I see in OP is UberEats loading a tracking pixel directly from TikTok servers, where the “pixel” is actually a full events.js analytics script that could send user data straight to TikTok.


As a user I have the complete opposite objections: I do not see why I would have Uber run JavaScript on my machine just for them to know how well their campaigns are working, while I totally want advertisement that is highly targeted to me.


They don't have to run some weird JS, it's often just a 1px img with some query params loaded at the confirmation screen. In itself nothing annoying, the problem is how that data is combined with other data and profiling users.


I haven’t seen any codebase with an actual tracking pixel in my entire career. (11 years at this point) It’s always some massive javascript file doing God-knows-what on the page.


If they know how their campaigns are doing -> they can target better and earn more money and in turn give you more discounts. So it’s just good karma to let them run the tiny js script which does no more harm than 100 other services running on your machine, which you never used either.


Aside from how well targeting works (it doesn't), it's a bit presumptuous to assume resources on a user's machine are free for the taking, much less justifying it with an assumption about "unused" services running on that machine. At the same time, and I imagine this might be the vantage point you're speaking from, it wouldn't be the first time advertisers played fast and loose with user resources and activity.


You don't feel like targeting works? I feel like I'm a moderately careful person (who hates ads), I use stricter browser settings and ublock origin, but I still get somewhat targeted ads when I do see them. My wife, who isn't as careful, frequently gets very targeted ads. Friends and family often remark that the phone seems to be listening with how targeted the ads are. Exposing your brand to those who are interested is very powerful.


I would rephrase what I said - this is one of the ways how tech companies make it affordable for us to order ‘food’ from the comfort of our home while someone is running on a bike in a snow storm to get our favorite pizza before it gets cold.

On the other hand, you always have a choice to not use UberEats(or most others) and order by phone/walk-in and save your resources.

And it would be a bit of exaggeration to say targeting doesn’t work - It’s obviously far from perfect but it generates billions everyday for a reason.


> they can target better

I don't want to be targeted.

> So it’s just good karma to let them run ...

No. It's my machine, not theirs, they don't get to use it to track me. Not one single cycle. It certainly isn't "good karma" to allow advertisers free rein like that, it's letting the fox loose in the hen-house.


As I replied in the other comment, if you don’t want to be targeted or a single cycle of your machine to be used by developers, don’t open their website. no more foxes in the house :)


Not sure I see a reply to another comment of mine!

>> Don't open their website

Sure, or just don't allow them to load these things.

Honestly I'm moving in the direction of not visiting. Instead of a useless do-not-track header, I'd much rather send a "will-not-render" header. I'd be quite happy to tell your server that under no circumstances will my browser be participating in tracking or even rendering your ads. If you'd rather not serve me the page at that point then cool, lets go our separate ways.

I imagine a company like uber eats, who I am actually trying to pay when I visit their site, might still like to serve me the page. Ad-supported content less so.


> This is also why even Apple and Mozilla (companies with a vested interest in harming the ad ecosystem) are pushing for various privacy-preserving ad attribution technologies.

Really? I thought Apple's newly-implemented ATT was exactly what made attribution impossible for things like app store purchases.


https://webkit.org/blog/8943/privacy-preserving-ad-click-att...

This is the specific thing I'm referring to.


My understanding is Apple imposed no additional technical restrictions, apart from merely a consent pop up. In-app attribution is still possible, if the user approves.


How does Mozilla have a vested interest in harming the ad ecosystem?


Just FYI, Mozilla's commitment to privacy is smoke and mirrors. You need to install uBlock Origin and opt-out of Mozilla's telemetry and similar BS to get any meaningful privacy in Firefox.


How does including telemetry for a product make a commitment to privacy from unrelated companies' tracking "smoke and mirrors"? There's a difference between the privacy I expect from a direct service provider and from various random agents seeking to build a profile on me.


Your argument is literally exactly the same argument Facebook uses to justify all its spying. It's not a solid ideological base to build upon. I don't want ANYONE spying on ANYTHING that I'm doing, even if they think it's for my own good and it's not crossing a line.

> How does including interest-based tracking for a product make a commitment to privacy from unrelated companies' tracking "smoke and mirrors"? There's a difference between the privacy I expect from a direct service provider and from various random agents seeking to build a profile on me.


There's a difference between Facebook collecting data when I'm on their site and collecting data from embedded trackers. Draw the line wherever you want, just don't conflate different things just because they're both disagreeable to you.


At my first ever job where I was actually hired as a programmer (December 2000) my first project was to build a web stats system. I knew little enough that I flailed for the first week or two, then independently invented the tracking pixel from first principles - backed by an unbelievably ugly perl CGI script - to enable data collection.

It collected only pages visited, browser versions and referer (sic) headers - it didn't occur to me to collect anything else - and yet provided vast amounts of business value to our customers as well as a vast amounts of experience at scaling for me (though, uh, given how badly the early versions of that code scaled, not necessarily at the same time).

> The point is, this tracking pixel on its own is incredible what it unlocks. It’s the way that data is then used that we have to call into question.

I entirely agree with this statement, and what's happened since saddens me.

I'm going to pour another drink and take a moment to feel old now.

(edited to add: 'tracking pixel' seems to mean that class of instrument to many other commenters, I'm specifically talking about an <img> tag that loaded a single pixel transparent gif ... I also made bar charts for the analytics users' UI using HTML tables with a pair of <td> tags per row, one with a coloured background, one clear, using percentages to provide relative data. 2001 was a different world)


> It’s the innovations since that ...

Nice illustration of how "innovation" != "progress"


Innovation is simply building something better. (Societal) progress is subjective, which is why you could probably run a survey and any respondents with marketing degrees would likely indeed call this "progress" towards a better-understood society.


> This is it and is how the online advertising industry has worked for over 25 years.

Rotten to the core.


If you have a better way to do it people will literally never stop throwing money at you.


I’m highly sceptical that they were calling it rotten to the core because they found it economically ineffective.



This is the answer. I am surprised it's not routed through another pixel manager though.


They’re loading GTM at the top, so it was possibly triggered through that.


This is it but only half the equation. Yes, the pixel lets advertisers track their return on ad spend (through tracking conversions), but it's also a targeting mechanism (ie you can tell ad platforms you will pay $X / conversion, versus paying per impression or per click).


If anyone cared about privacy, a solution would be to only include the pixel when a user was redirected from tiktok to Ubereats. No need to include the other 6 pixels, or include them for users that landed via the homepage.


This was my first thought.

How is this not everyone's first thought?


My first thought was that most people use TikTok on mobile, what's the point of this (if the ad takes them to play store/app store or to the Uber eats app). Then I realized that this is probably aimed at tracking for new signups, they probably send them to the app stores with a redirect to their site in the middle. TikTok probably doesn't forward them the user identifier hence the tiktok pixel on their page, so they can see the effectiveness of the ad on some TikTok ads dashboard.


Yes this is a pixel to track audiences and retarget them when they are browsing tik tok, same goes for google, facebook and any other ads exchange.


The amount of tracking on this page is astounding. Just from the screenshot, I count 9 trackers:

   Uber Eats' own analytics
   sc-static.net (Snapchat? whois doesn't reveal anything.)
   Google Tag Manager
   Facebook Connect
   Yahoo
   TikTok
   ispot.tv (Some sort of ad management solution.)
   Hotjar (Behavioural analytics.)
   Bing


This is honestly very few considering how many different places Uber Eats probably advertises on.

I work on helping new Shopify merchants get more early sales, and ads are super important for that to happen. Open up any small and growing e-commerce store and you'll see at least this many.

Without ads, you don't find these small businesses, and all consumers just go to Amazon, or other large established marketplaces.


Not on the main topic, but is there a way I can get in touch to discuss how you might be able to help us and our Shopify shop?


It's a hard topic. My team mostly does experiments, A/B tests on new merchants to see what nudges leads to better results overall. The reality is we have a lot of ideas and we're trying to get data to figure out those answers. But we don't truly know yet.

The hard part (as far as I can tell) is product market fit and finding your customer base. Once that's established, you have some momentum, leading to repeat customers and lower acquisition costs. IE: once an ad network has some existing customers to build a model on, it's cheaper to target ads on similar customers.

But that initial part is very hard. New privacy rules, like Apple's changes, are a good thing generally, but they make it more expensive for small businesses to acquire initial customers because ads are less effective, so you have to pay for more of them to find your customers. That gives Amazon (and other established competition) a massive advantage. They know everyone deeply and can target everywhere very precisely.

I've heard that the Shopify subreddits are well liked by merchants. Good info there.

There's also the Gurus that can provide some support for free, as well as you can hire an 'Expert' through Shopify to get even more help.

All this is to say the most groan-inducing phrase in business: you've got to spend more to make more. And there's no guarantee that you'll earn it back because business is hard.


Thanks - do you have any brief tips on the best apps for ad delivery or retargeting in Shopify? Any thoughts on the most cost effective ad networks for small shops (FB, Google, Pinterest, other?).


Honestly I only joined a few months ago so all of this is new to me too! The one consistent thing I've heard is that reddit is full of good advice.


From their profile it looks as if they work at Shopify, so probably just through the generic contact page would get you to at least the right department.


Same!


That's just 9 in this screenshot. I'm sure there are loads more if they scroll.


Yes sc-static.net is snapchat


Just in general look at those cookie consent dialogs at any site living on advertising or using it and really see the insanity of number of partners... That should show that we might actually need to burn it all down...


Just install uBlock on your friends and families browsers. Most people seem fine with being tracked if that means they get "offers" they don't want to miss. I however detest anything connected to advertisement to the level that I frequently hang up when our own sales people call me because I directly spot a salesperson, even before I recognize the voice... Quite embarrassing sometimes :-)

So I install uBlock, uMatrix and Pi-hole everywhere. Also help customers do the same with sane defaults so they get rid of most stuff without burning their whole browser.

And as an advertiser we don't have to pay for the people that didn't want to see our ads in the first place, win win lose :-)


Specifically, uBlock Origin


To add: the iPhone has no adblocker BUT nextdns gets rid of all ads on my non jailbroken iPhones. Except YouTube. So I don’t use the YT app.


iPhone has AdGuard which is decent. There's also Lockdown Privacy which acts as a local VPN server (that the device itself connects to) which can filter in-app spyware such as the Facebook SDK.


Can they block YT ads? It’s the only place I’m getting ads on my phone.


Not sure - I recommend just using Invidious for this. Host your own private instance on a small computer at home. Put it on a random domain/port and it's unlikely to be discovered so you don't even need auth.


Would you be willing to pay for the content you get for free from sites like YouTube, Reddit, and HackerNews?


If you pay, you still get tracked. PS: And now they have your name, address, email and CC on file.


Also an important data point: (1) you have disposable income and (2) you are willing to pay.


Youtube at least puts a price on this: $12/mo. $18 for a family of 5.


And then you can't use the incognito mode when you don't want to mess up your recommendations.


YouTube has a setting to pause watch/search history. I'm sure they still track these things behind the scenes, but I've found that removing videos from watch history is enough to keep similar things off my feed.


Yeah, that's something I don't trust at all: that they don't feed it into every single machine learning model available to them.

The ad industry as a whole is absolutely untrustworthy. Even if you pay you can't trust not to be tracked.


I'd be willing to pay the 5 cents a month or whatever it works out to be


If you're talking Facebook in the US, it will be ~40$, I would think it would be around the same for Youtube.

https://www.adexchanger.com/investment/google-reveals-youtub...


You assume that product must exist. It does not have to.


As many people have pointed out these are for tracking the performance of ad traffic. Savvy, "privacy minded" businesses may listen to this sort of outrage, and pull the pixels off their websites. But you are kidding yourself if you think you aren't being tracked because the frontend JS is all first party.

The same thing can, and is happening server side. Every platform out there now has an event/conversion API [1]. If you are logging in to Uber Eats with a email/phone number you have used elsewhere then you are going to be tracked full-stop.

1. Here is TikTok's for example https://ads.tiktok.com/help/article?aid=10003669


Protip: if user privacy is a concern to you, then not supporting these companies (by handing them your data) is a good place to start.


No. This needs to be criminalized. Not liking a good or service is one thing. Having things done to you or your information without consent for the purpose of spying on you is stalking with extra steps. Many of these companies still deprive you of your privacy even without using their services by developing shadow profiles on you.


This is an image that loads from a different host.

Neither of these companies will create a shell profile if you never visit them.

If they are criminal why would you use them?


> If they are criminal why would you use them?

People don’t give money to scammers because they know they’re scammers.

It’s the same with privacy issues, people who don’t know what’s happening can’t make informed choices.


>people who don’t know what’s happening can’t make informed choices.

it's really distasteful how privacy advocates always assume that everybody who doesn't feel the same way they do is uninformed. the average person has a basic understanding that companies keep track of them online. everybody who's spent more than five minutes online without an adblocker understands retargeting.

it's not that people don't understand, it's that they don't care. telling people they're not informed enough to make their own decisions isn't going to convince them to start caring about the issue you care about.


> everybody who's spent more than five minutes online without an adblocker understands retargeting.

I think you’re being absurdly generous here. I think there are way more people online who have no idea what this sentence even means than people who understand it. Like 99:1 ‘way more’. I can’t think of a single person I know who doesn’t work in the computer field who would understand that without being explicitly told. It simply isn’t something your average person ever even thinks about.

Even people like my parents - who have been using computers in some capacity since the late 90s but don’t work in anything related to computing - had no idea that Verizon was selling their browsing data despite being account holders who ‘agreed’ to the T&C and received e-mails warning them that it was going to start doing so.


Yes, everyone knows. That's why there are people in this thread and others like it, on a website catering to highly technical people, who are surprised at how deep the tracking goes and what it is used for.

Surely then, the average person is much more informed!


i encourage you to talk to an "average person" about this some time. check with your parents to see how much they assume they're being tracked online.

most people i've discussed the topic with misunderstand how much they're being tracked, but assume that they are being tracked more than they actually are, not less. and they're totally okay with that.


A common one is noticing that targeting works so well they see ads for things they've talked about and assume their phone is listening in on them. Though I wouldn't say they're okay with it.


I was with you until the last bit.

> and they're totally okay with that

No. In my experience they are very much not ok with it at all but have absolutely no idea what to do about it. I know what I'm doing with computers and I have difficulty figuring out all the different ways info can leak and how to plug those holes. In many cases you can't plug those holes without opting out of various services entirely. We badly need regulation preventing this stuff because in practice you can't vote with your feet or your wallet.


The fact that people suspect Facebook of outright listening to them (even when that's not the case) suggest people aren't fully aware of what data is collected, how it is used and how it can be misused.

"Facebook listening to people" wouldn't be noteworthy if people weren't creeped out by it.


Informed or not, they were not allowed to give consent. No problem with people consenting to be tracked.


Please, no more annoying popups asking me if i want to accept cookies or be tracked. I am in the ‘do not care’ camp and i just want to be able to visit sites without having to click accept every time.

These consent banners are a false sense of privacy. People who “dont know” are most likely just going to give consent anyway. It’s the same thing as TOS consent.


It would be nice if we could get standardized browser headers similar to DNT that sites could use to automatically fill those things out for us. A standardized set of bit flags like { third party, first party, none } versus { all, only necessary } versus { trackers, cookies, ... } that could go in a "data processing consent header" or some such.

Then you would only see those popups if either your browser or the website didn't support or wasn't sending those headers for whatever reason.


How is all/only necessary not the fucking DNT header already.

We have and had a standardized way of indicating consent. They just decided to ignore it.


> These consent banners are a false sense of privacy.

They are also a set of dark patterns. They annoy you so you just click OK, they make it sound like if you want to opt out you're the unreasonable one, and they hide the options as best they can. Sometimes they hide them entirely.

If they weren't intent on tracking and reselling that data, they wouldn't need to ask. They don't need to have these dialogues, that is their choice.


> They are also a set of dark patterns.

Which aren't compliant with the GDPR, the regulation they're pretending to comply with. The problem is enforcement has been severely lacking and the regulators are useless at handling complaints even when you do waste hours submitting one.


People give consent all the time when it is still bad for them. It is a moral question in the end, the same way, we can say people consent to selling their body for sex, but have made it illegal, or say people consent to gambling knowing the odds put them at a disadvantage every single bet, or how people consent to credit card debt at insane rates not knowing just how much they are being taken advantage of. Consent matters, but in the end it's what we all believe should be tolerated from an ethical standpoint. Personally I see many issues with data collection and data sharing, even if not malicious, but that give the opportunity to be abused by others with a grudge or agenda I might not support. Not just banking information, but location data, purchasing history, and more. I'm not saying every has enemies out there but if anyone wanted to cause harm with that information they could.


> it's really distasteful how privacy advocates always assume that everybody who doesn't feel the same way they do is uninformed

The problem with pervasive user tracking and surveillance capitalism is that it is impossible to be informed. No user has any idea what happens to their data once it gets collected by a 3rd party, and there is zero way for them to know who has it now, how accurate that data is, or how it will be leveraged against them.

Increasingly the data being taken from us in secret is used in far reaching ways. It's not just about what ad gets pushed at us, but it's how much we pay for things, how long you wait on hold, what a company will tell you their policies are, what jobs you are offered, etc.

While you might find it distasteful, I can tell you that you yourself don't understand what data has been collected about you, who has it now, or what impacts it will have on your life and your future. You can't make an informed choice about what services to use because you aren't even allowed to know what the costs are, or will be. Just like how nobody who uses ubereats had any idea that data was being secretly collected by TikTok or what it will be used for.


This is why user-tracking should be opt-in. And not opt-in by clicking a button, but opt-in by filling out a physical form and sending it by mail.


> Neither of these companies will create a shell profile if you never visit them.

Citation? I bet TikTok will create shadow profiles for anyone who browses the web (and sure, somewhere in the 89 zillion line small print for whatever tools they offer to small time webmasters will be a carefully phrased line about how it might occasionally send small amounts of visitor information to them) just like Google does.


>This is an image that loads from a different host.

False. It's a pixel. It's not visible to the user from whom its existence and purpose is being deliberately concealed.


The purpose isn't to spy on you. It's to track the performance of an ad shown to you on tiktok.


Which collects data on you and creates a profile. Whether it's currently used to increment an impression counter doesn't mean it can't be used for something more nefarious down the line.


Collecting data about what you did is not necessarily spying. If a game keeps tracks of my wins. That's not spying even though it's collecting data on what I did.


My point is that it's collecting way more data than the single bit it needs in order to tell "yes this ad has been seen, increment the counter".


It's not just about telling if an ad has been seen, but what a user does on your site after clicking on the ad. Do they immediately bounce? Do they buy something?

You want to be able to see that you are actually getting a positive return from the money you are spending on ads.


It’s still spying even if there’s a rational reason for it.


> This needs to be criminalized

Literally criminalised? As in you’ll throw people in jail for putting up a pixel? Made illegal, sure.


Yes. Make the law clear and lock up CEOs just as you would common stalkers.


Given the, uh, highly variable, quality of government legislation wrt the internet I am seriously skeptical they'd do more good than harm if they tried.

Then again we as an industry and/or community don't seem to be doing too well either.

Not a trivial problem or policy space, sadly.


Wouldn't be a bad idea to be honest

If they're acting so antagonistically against GDPR maybe, for some of the most egregious cases, throwing some people in jail will do the trick

I mean, whoever does the whole song and dance for rejecting cookies that shows a loading gif and takes a while does deserve it

And if you think I'm exaggerating, guess who has the best info now on the Ukraine war? Tiktok.


> If they're acting so antagonistically against GDPR maybe throwing some people in jail will do the trick

This is how you get a legal code like America's, where a cop and prosecutor can put almost anyone in jail with the flimsiest excuse.

I understand the impulse. But the solution to bad enforcement isn't ratcheting up penalties. It's increasing enforcement.


> This is how you get a legal code like America's, where a cop and prosecutor can put almost anyone in jail with the flimsiest excuse.

Then how come America, with its strict procedural safeguards, has that legal environment where people now feel unsafe even talking to cops, whereas many European countries with a more common-sense, less rules-lawyery approach (like the big fines handed out to a lot of privacy-violating tech companies lately) have a much friendlier culture with fewer obvious abuses?


You are correct.

Usually what I find is that the American companies/people usually try to follow the "bare" letter of the law, where Europeans need to follow the spirit, as this is how it is "usually" enforced.

And while the former might let you get away with "one weird trick" the latter usually leaves more margin to interpretation which can be both a blessing and a curse.


Considering this is already illegal, at least under the GDPR and plenty of companies still do so, maybe jail isn't that bad of an idea after all?


No, not jail. Make it a capital offence.


Good luck with that. The list of companies to avoid is pretty long.


All you need to do is unplug your modem and you're good to go.


Credit card companies sell your data, too. You basically have to use cash and not have a cell phone.


If only it was that easy. The supermarket near me has a "data collection" notice about some tracking BS and to ask an associate for details and to opt-out (yes, as if the minimum-wage teenager would know anything about it, and how would the opt-out even work).


The teenager making minimum wage would almost certainly summon a manager.


Don't drive into a mall parking lot, or use visa card, or ....


Your list of companies is too short. Throw out the market leaders who spend on brand and cheat somewhere else in the chain and look for a smaller company.


Why are smaller companies any better in this regard?


They haven't perfected extracting value and the lockin potential is lower as smaller companies don't have the moat.


Well in this case data is collected and sent to various third-parties even without you willingly entering any data on the website manually.


The best bypass for this process is to cut Ubereats entirely out of the picture and call the local restaurant directly to place your order. Ubereats in this case is a third party so what difference does it make? None of you start to think about it.


Because Uber Eats provides me some service that I value and I am happy for them to be part of the process as a result.

TikTok, Facebook, Google, etc following me around provides me no value on the other hand - in fact, I have no account with any and would not see their ads even if I wanted to, so it's technically in their best interest to not waste processing power on stalking me.


Not handing your data to companies will result in poor data and bad decisions on their end, which is bad for them and the customers.

What's super idiotic in all this is that the "data companies bad" is often spread by the very companies which would rather have data themselves than their competitors.


it allows uber eats to build custom audiences and track conversion rates . welcome to ad tech ca 1998


38.9 kB of JavaScript is a very generous interpretation of ‘pixel’.

Interestingly, it only loads after you agree to third party cookies by clicking “Got it”. So I guess they at least respect that.


Because they run ads on TikTok


I used to be extremely privacy focused. I was the stereotypical noscript, don't load email remote content, all services off on phone, etc kind of guy. But recently at a certain point, I just stopped caring. I use ad blockers, so what harm is there to Google knowing my information?

I don't really have any information worth hiding. Even the worst case catastrophic leak scenarios are really not a big deal for me. So I just decided to stop making my life harder; I got a smartphone, I turned on the convenience services that track me, I started looking at pictures in my emails. I still think privacy is important, but I stopped caring about mine.


People here talking about PII reminds me every day that we still haven't grasped what Personal Data is, and how incredibly different it is from PII. Ah, sad.


The answer to this is the same as to all similar questions: why are you not blocking third-party content by default? To which the reaction tends to be that this is too difficult/too much hassle/should not be necessary. No, it should not be necessary, just like locking your door should not be necessary. Unfortunately, it is.

By the way, in this specific case another answer is "UberEats? Learn To Cook™!"


Looks blocked to me.


Using a browser add on like Privacy Badger should block that.


Is it a good time and place to mention Tracker Control ?

https://trackercontrol.org/


I don't know why this doesn't get as much love as it deserves. It is a bit of a pain to use, however, using it becomes second nature after a while, just like uMatrix for the browser originally had a learning curve associated with it. Although no longer actively maintained by gorhill -- it is still a staple in my toolbox, as is TrackerControl for Android.


Even more concerning is Hotjar.


at least hotjar respects do-not-track settings


DNT is not the solution though.

DNT status is not readable by JS (by design), so DNT cannot be implemented in the client. So all tracking calls are still made over the network. It is then up to the server processing those calls to drop them if the DNT header is present. Thus, there is no way for a user to verify that DNT is actually honored.

Hotjar is probably the only one (claiming to be) honoring DNT consistently. Luckily Hotjar is a SaaS where the customer cannot influence this decision. But for all other tracking solutions, whenever marketeers are given the option, they will always choose to ignore DNT.


That's not true. There's Navigator.doNotTrack[0]. It works, but it's deprecated and I'm not sure what the replacement is.

[0]: https://developer.mozilla.org/en-US/docs/Web/API/Navigator/d...


It's deprecated because DNT is deprecated since barely anyone respects it


If DNT is sent when loading the initial page it is totally possible to serve HTML that doesn't include the tracking scripts. If you load your tracking scripts you've already gone against your objective since even the initial HTTP request that loads the tracking library leaks the user's IP address and browser fingerprint back to the tracker.

This is not a defense of DNT by the way - it has other problems such as the increased fingerprinting surface, etc.


You are right, didn't think of that


> DNT status is not readable by JS (by design), so DNT cannot be implemented in the client.

But the JS is served by a server, which can read the DNT header, so why can't it just write different JS based on the content of the header? It can be as simple as writing "let do_not_track = true;" if the header is present.
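Putting the last few comments together (serve HTML without the tracker when DNT is set, only include the pixel for visits that actually came from the ad, and only after consent), here is an added example of that gate in Node.js. It is not Uber Eats' or TikTok's code; the script URL, the `consent` cookie and the `click_id` query parameter are placeholders and assumptions of the example. The decision is made before the HTML leaves the server, which is the only point at which DNT can actually be honoured:

```javascript
// Added example, not Uber Eats' or TikTok's code: deciding server-side, before
// any HTML leaves the server, whether the ad-platform pixel script belongs in
// the page at all. The gate combines three signals from the thread: the DNT
// header, an explicit marketing-consent cookie, and whether this visit actually
// arrived from the ad (an assumed `click_id` query parameter or a tiktok.com
// Referer). Script URL and cookie name are placeholders.
const TRACKER_TAG = '<script src="https://ads.example/pixel.js"></script>';

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

function refererHost(referer) {
  try { return new URL(referer).hostname; } catch (e) { return ''; }
}

// Returns the individual signals so the caller can log *why* a tracker was
// or was not loaded; the decision itself is the conjunction.
function trackerDecision(req) {
  const headers = req.headers;
  const url = new URL(req.url, 'http://site.invalid');
  const host = refererHost(headers.referer);
  const signals = {
    dnt: headers.dnt === '1',
    consented: parseCookies(headers.cookie).consent === 'marketing',
    fromAd: url.searchParams.has('click_id') || host === 'tiktok.com' || host.endsWith('.tiktok.com'),
  };
  return { ...signals, load: !signals.dnt && signals.consented && signals.fromAd };
}

// The HTML is the only place a DNT decision can be enforced: once a tracker
// script tag is in the page, its first request has already leaked IP and
// fingerprint. The inline DO_NOT_TRACK flag is the "just write different JS"
// idea from the comment above, for any first-party script that wants it.
function renderLanding(req) {
  const d = trackerDecision(req);
  return [
    '<!doctype html><html><head><meta charset="utf-8"><title>Landing</title>',
    `<script>window.DO_NOT_TRACK = ${d.dnt};</script>`,
    d.load ? TRACKER_TAG : `<!-- ad tracker omitted: ${JSON.stringify(d)} -->`,
    '</head><body><h1>Landing</h1></body></html>',
  ].join('\n');
}

// Minimal server around it (port is an assumption).
function startServer(port = 8080) {
  const http = require('http');
  return http.createServer((req, res) => {
    res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
    res.end(renderLanding(req));
  }).listen(port);
}
```

Two caveats a practitioner would want: the user still cannot verify any of this from the client side, only that the script tag is absent from the response; and the gate is defeated if a tag manager is loaded unconditionally and injects the pixel itself, so the same decision has to be applied to the tag manager script, not just to the pixel.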


Somewhat unrelatedly, just "innocently" embedding a tweet on a site adds a TON of trackers from Twitter. It's really unfortunate



Stuff like this is why I try to use umatrix style filtering wherever possible


As one can see from comments on HN, it bothers some website developers when these basic tactics are openly discussed. The user gets no choice over whether her data is shared, or with whom it is shared. The expectation appears to be that no one will ever complain, whether for the first time or on a consistent basis. Perhaps there is a belief that if a certain amount of time passes without any complaints, this signifies a common "ad tech" practice is acceptable to the general population, and passes any sort of ethical, regulatory or legal analysis. A sort of "waiver". Silence equals acceptance.

"Everyone else was doing it, so therefore we in particular are not guilty of any wrongdoing." Perhaps some folks think that is a good defense.


> As one can see from comments on HN, it bothers some website developers when these basic tactics are openly discussed.

no in this case i think this post has everything to do with OP believing that this pixel tracking by a non-American/non-Western firm (in this case Chinese) is somehow less kosher compared to tracking by Silicon Valley social media platforms/firms (who, as others have pointed out, use exactly the same tools/strategies).


That may have been the case for the original poster, but the discussion has been about tracking generally.


Why is this title allowed?


OP is going to have a heart attack when they install ghostery.


Is Ghostery still worth installing these days?


At a quick glance it seems rather easy for tiktok to slip in whatever it wants in that source from time to time. Is this the status quo for third party cookies?


Yes. You link to a random 3rd party javascript, which they could change what it loads at any point.


UberEats uses Tiktok ads to promote their product, this is used to track conversions.

I missed the part where this is shocking.


I don't get this. Nothing about tiktok in the Network debugger, nor in uBlock or NoScript for that matter.


I bet it's loaded by Google Tag Manager which acts as a "dropper" to load further malware. If you block that (which I assume you do if you have uBlock Origin) you don't get to see the rest.


Ah yes I certainly do block that.


bing and yahoo.co.jp are interesting


The bigger picture is world technology can be used by china but china can refuse the world.

Dump TikTok and save the world.


Anything that tracking pixel does could also have been done server side, with users none-the-wiser.

Unless of course they list the (likely hundreds of) companies they're sharing data with in a dreaded GDPR "cookie banner".




Maybe OP just noticed this particular connection and was genuinely surprised



