Ask HN: How was this ad targeted to me?
Yesterday morning at home I Googled the instrument, the name of which I didn't actually know but Google came to the rescue. I browsed Google Shopping [2] but didn't purchase one.
Later I went into work where Facebook displayed an ad for the instrument in its "sponsored" section and an inline "suggested post" for a manufacturer.
My home and work computers and networks are completely different. I typically use incognito mode and "do not track" in Firefox or Chrome. I sign out of all social media and Gmail. Yesterday I was working in a large building with tens of people all using wifi used by hundreds of people across several buildings.
I assume no outright nefarious activity, such as an illicit pipe of potential customer IDs between Fb and Google.
The best I can theorise is that I had an open Fb window at home, and one of the instrument manufacturers' websites had an embedded Facebook like button or similar tracker, and they are running targeted ads on Fb. But is this direct-to-an-individual targetting even possible on Fb? Perhaps the obscurity of the instrument meant that I was very likely to see an ad, and very likely to notice it.
I typically close Fb when I'm not using it, so this doesn't immediately feel like what happened. I'll be doubly-sure to close and log-out Fb now.
I can't think of other ways that my Google activity could get to Fb. Browser fingerprinting, cellphone location etc would allow Fb to understand my location, but I can't see how they'd match this against Google activity.
I'd be very interested to read how this is, or could be, achieved.
[1] https://news.ycombinator.com/item?id=14094083
[2] https://www.google.com/shopping
92 comments
[ 4.1 ms ] story [ 151 ms ] threadI can't believe this is not a medium post.
You can use javascript to put users into a segment and re-target that segement; it's really easy. If you use the biggest ad-exchange (AppNexus) you can be sure to reach just about anyone anywhere.
Manufacturers website contains an iframe to the ad networks website. They signed up for this by placing JS snippet from the ad network on their site that created the iframe. This allows ad network to know that you've visited by placing cookie. Next time you visit site that shows ads from this network they can inspect cookie and show you the retargeted ads.
Could have been FB in this case. Their ad platform definitely allows for retargeting.
Case closed.
1. You visit website xyz.com
2. You signed up at xyz.com and you dropped during checkout funnel
3. You're email address is being added a FaceBook retargeting campaign and Adwords campaign
Its a 3 billion French company whose sole job is to show ads for products abandoned in the cart or something you bought 6 months ago or something that their personalization algorithm suggests
[0] https://www.adroll.com/
[1] http://exponential.com/
I feel with the advent of internet of shit, this will start becoming more of commonplace
They are the one DDoSing you with ads.
One could add the "burn" code every time the "segment" code is detected. On some networks that may even result in an affiliate payout.
Which employers would you recommend avoiding?
https://www.glassdoor.com/Reviews/OVH-Reviews-E523060.htm
OVH is only a hosting company. Low margin business. They have no software side, they don't make billion of dollars, they don't run thousands of projects.
Why not? If the FB like-button sends the cookie for your FB session, then it can make the connection between your account and the product.
Besides, it is also possible that you talked with a friend about the product, and this friend searched for the product in e.g. Facebook, and by being friends with this person on Facebook, they now show the ad to you as well.
If you have ever signed into FB from home, they know that machine / ip / whatever fingerprint is you. Even after you sign out, its still out. Even if you are in ingocnito mode, its still probably you. Then you sign in to FB at work, and now the same thing happens. They may not know the specific computer, but they know the network you are connected to IP wise.
This happens across many different ad networks, and they are all connected to sell ads targeting the people something wants. If you leave a potential purchase not bough, and sometimes even when you do buy it, ads are going to make it back to 'you'. They may not know 100% that it is you, but they can cast a net to try and find you. And for something like a missed sale, its worth the cost.
Note it may not be targeting you specifically. It may just be closer to: Someone in this VERY specific demographic looked for this instrument, oh hey here is someone else that meets that same demographic on this other ad network. Lets try them.
The amount of tracking on the internet nowadays is absolutely crazy. Visit practically any website, and all the major players are going to know about it and add it to their profile of you.
I get targeted ads from google all the time when logged out, even on machines where I have never logged in.
There seems to be correlation between targeting on multiple devices until I nuke all the cookies, etc.
Maybe you mean you only tie my profile to my real name and employer() while I am logged in? Or maybe there are N profiles tied to each machine, and one is "logged out but probably owned by a similar / the same person as these other machines".
() We use google's office suite instead of microsoft at work, leading to hilarious privacy snafus.
There seems to be correlation between targeting on multiple devices until I nuke all the cookies, etc.
Do you have a specific example? Was this on a Google property (search, youtube, gmail) or on a third party site? Are you sure that those ads came from Google?
Is it possible that we just identified both of your cookies as a user who is interested in topic X without linking them?
In other words, when you're signed out, ads can follow you around, but in the network it should seem like you are a different user from your signed-in version. This way, signing out has a consequence.
So, even if you're not connecting logged-out users, it seems to me that you might be connecting different logged-in users accounts.
I don't mind; I'd rather have targeted ads than not; though it does seem a bit creepy and often it's useless - I'm sick of seeing ads for stuff I already bought; you're losing cash there!
Even if you signed out, they probably still have a cookie tracking who you are, and when your browser fetches that Like button, it will still send that cookie to the Facebook server. It'd be interesting on a shared computer where 2 people (e.g. a brother and sister) log in to FB alternatively, but I guess they can still distinguish who is who (e.g. person visits gaming forum, person visits this product page, person visits page with pics of a female supermodel: presumably it's the brother visiting all 3 sites. It's a bit sexist but that's what the algorithm would guess.)
Indeed: https://www.nikcub.com/posts/logging-out-of-facebook-is-not-...
"Surprise Gifts" mode pretty much immediately became a euphemism for "I'm going to watch porn" here.
I'm a big fan of Noscript, but could you explain more about self-destructing cookies?
It stops the Visit Foo, Foo sets a cookie, You go visit Bar, then Fizz, Fizz has a tracker from Foo which gets the cookie problem (at least partially).
Where it gets interesting is when Foo, Bar, Fizz and Buzz all have trackers in some form or another and co-operate.
Privacy is pretty much dead at this point without extreme effort.
If you visited the manufacturer's site, you would have hit a re-targeting pixel for the network, that will track you around the internet to remind you. At work, on your phone, at school, and at home.
A few suggestions to help mitigate this:
- Use a browser dedicated to all your social media browsing and another browser for everything else. Say Firefox for Facebook and Twitter, and Chrome for everything else. That will restrict what they can capture. - Browser Facebook in your browser's incognito it private mode. - Minimize third-party links you follow from your Facebook timeline. And don't shop and Facebook in the same browser! - Don't interact with Facebook outside of their actual site. This includes likes and comments. - Don't use Facebook as your log-in credential. - Use an ad blocker! - Have your browsers delete all cookies on log out. This is both your day-to-day and social media browsers. Facebook is not the only media company tracking you.
(I've worked in ad tech in a previous life)
I don't understand how cookies could explain the scenario described in the question. Can you explain?
Where do Facebook or Google claim not to share advertising data with their partners?
- you opened a web page with a facebook's like button and facebook analyzed your browse history. If you browse for something in google shopping you might want to buy it, so facebook added it to your interests and showed an ad later to you. (Probably this was the cause)
- google and facebook knows your location because you have a google/facebook app in your mobile. It is easy to know where you work and where do you live. Even without GPS, as they can use the wifi public IP to know your location (among other things)
- your browse makes a fingerprint unique to you, even if you are not logged into any platform or you don't have an account on them they know you are you. So they can collect data. If you later login into facebook/google they match the fingerprint with your user. They can also use several fingerprint, because you use several devices. I think this is called supercookies. There are companies that just do this.
- you have two different devices with two different accounts, but you have the phone number of the other in your contact list and sometimes you have both devices with you. Facebook/google will suppose you both share same interests and show ads that match one of your devices to the other.
- "do not track" is a suggestion, some people ignore it because they really want to track you.
- google and facebook probably use other ad networks to sever ads, so facebook probably asked google (or another ad network) for an ad for you. You probably shared your phone number / email in both facebook and google.
- if you want to be fancy, machine learning could also help to target ads for you, but I think the other ways are so easy to do and work so well that you don't need complex things to show ads, just track the user.
How could facebook (or any website) access your browsing history? they know what link you access from their pages, but apart from that, can they get any info from the browser?
But there are ways to get information of you browse history:
with a facebook like button (other facebook library, or google analytics), which it is in almost all websites, you have the previous web.
There were bugs before in browsers that exposed the previous history (sorry I cannot find the link)
You could have an extension in your browser that analyzes the whole history.
You can also get information by opening an iframe and accessing other site cookies.
Doing history sniffing (although unlikely)
https://en.wikipedia.org/wiki/Web_beacon
I haven't delved into this in a while, so I can't say I've tested anytime in the last 5 years. I did a quick search and found this page that talks about how to disable the functionality in chrome:
https://www.technipages.com/google-chrome-prefetch
I'm always surprised that more people don't seem to know about this.
Many ecommerce sites use both google and facebook for their campaigns. So by you landing on the product page, a standard facebook event would be fired. The website or the advertiser doesn't really need to know who you are but facebook does know who you are once that event is fired. Facebook can then tie you to a campaign around that product for that same website (if they have an active campaign going).
You can think of this as a two step process. First, connecting your Facebook UID to structured data about a specific product in a product catalog. Second, connecting your FB UID to multiple devices/browsers without cookies.
I think the second part (cross-device matching) has been explained well by other commenters: tere are multiple techniques involving IPs, hardware footprints, browser footprints, browsing habits, etc.
I want to clarify a few things about how the first part most likely occurred. There's been a lot of emphasis in discussion on the FB "Like" button. It's true that this is a possible way for FB to observe you have visited a specific webpage. However, it's more likely that there was a Facebook "pixel" on a retailer's website (some commenters have been referring to this as "javascript" or "retargeting"). Most e-commerce sellers use these today. They're basically a FB web endpoint that the retailer can pass structured metadata to that lets the retailer communicate to FB that an event has occurred on their website. FB allows retailers to send all kinds of metadata about all sorts of events - page loads, add to carts, checkouts, purchases, in-app events, and custom events. The retailer can also send very detailed info about the content being interacted with on a webpage, down to sub-SKU granularity (e.g. not just a particular shoe, but a specific color/size/variant of that shoe).
Historically, the FB web endpoint would return a 1x1 transparent image so that a retailer could embed it on their website's HTML and a customer's browser is "tricked" into loading the image from a third-party domain. Thus the name "pixel". This is still frequently done, but nowadays the endpoint may just be a REST endpoint and/or may be called via AJAX (or via an SDK within a mobile app).
Facebook also allows retailers to upload their Product Catalogs to Facebook. These are basically a CSV of structured metadata about every product the retailer has for sale. Then, when the retailer sends a pixel event to say SKU 12345 has been interacted with by a user, Facebook can reference that SKU in the retailer's Product Catalog to learn all kinds of info about it.
A really interesting exercise is to install the FB Pixel Helper extension for Chrome (I'm sure there are equivalents for other browsers). It will show you all FB pixels loaded on a given page and what metadata was passed along. Keep an eye on it as you browse the web, especially the next time you browse an e-commerce website. Facebook basically sees everything that happens. They may as well be ingesting everyone's Apache/Nginx logs. :-P
https://chrome.google.com/webstore/detail/facebook-pixel-hel... (Note: I'm not affiliated with this extension in any way)
It was a Theremin, wasn't it?
The only thing that makes me feel better is that "my data" is being handled by a piece of software somewhere for the EXPRESS purpose of pushing advertising to me.
I don't believe it will feel like a privacy violation for most people UNTIL we start seeing high-profile incidents where actual human beings get caught looking up and acting upon individuals and their data as people and not programmatically as GUID's with bunch of metadata.
It makes me wonder if entities are buying their way into these adtech data streams for purposes OTHER than market research or directed advertising ?
That said, thanks for pointing out this functionality. While I might be suspicious of the degree of truth it offers, it's at least something (honestly).
"what are the odds this is a woman? a doctor? a person living in Louisville? Is this Jane Doe?"
each of the answers to those questions get a confidence score and a rank. then you're shown ads based on whichever verticals you rank the highest.
I think it just means their statistical approximations are getting good.
theories idk
However, I did some searches over the weekend on my iPhone, Safari in private mode, not logged in.
Back home, opened the macbook, did some search with an incognito browser window. And Google told me: You are in another city X, based on your browser history (!).
What?! Privacy is hard nowadays.
0: https://slack-files.com/T0317T6QB-F04FJ2YAC-88e35e6787
Edit: Using something like https://www.eff.org/privacybadger helps avoid this kind of tracking while not being too painful to use visiting web-sites.