126 comments

[ 2.8 ms ] story [ 193 ms ] thread
Is that so surprising? You're asking him to talk about the one thing that makes Facebook a viable revenue generator. I also feel like the use of "admit" in the headline is disingenuous.

I have zero expertise in this field but my intuition is that Facebook runs on an incredibly sensitive business model. Like an animal specialised to a specific biome. Adjust the conditions a bit and it might perish in a few generations. Meaningful legislative change to data collection or advertising laws might out them at risk.

Well, yes that is surprising. I can't think of any other CEO who would have even the slightest problem talking about their revenue generation capabilities.
> I also feel like the use of "admit" in the headline is disingenuous.

Yet you seem to be saying that Zuckerberg is trying to hide his business model to protect it from legislators. Doesn't that make the word "admit" appropriate? What other word would you use for something someone doesn't want to say during a hearing?

Admit implies wrongdoing. I'm not. I think it can be perfectly fair to want to be guarded about your secret sauce if that's what you believe it to be.
Admit doesn't imply wrongdoing, except insofar as hiding the truth is wrongdoing. The phrase "admit you like him" is in common enough use to have 101,000 results in a Google search, similar to "admit you were wrong" or "admit you did it". Having a crush isn't wrongdoing.

If admit is the wrong word to use here, what do you think the right word should be?

Exactly. What real time advertising network markets have done, is effectively incentivized Facebook, and anybody else selling internet ad space to create a Big Brother database in order to maximise revenue from any source that's prepared to pay.

Whilst I suspect this probably wasn't exactly what Marx meant when he said that Capitalism inevitably sews the seeds of its own destruction... combine it with a political system funded predominantly by private money, and I guess the only thing saving the US at the moment is that the oil price is so low.

"My reality was post-apocalyptic and it wasn't this fucked up" Penny Adiyodi, The Magicians.

I think the questions were also horrible. Watching two days of testimony it seemed only Congresswoman Dingell from Michigan had any grasp of how tracking technology works.

My big takeaway is that we need more engineers in congress.

Or maybe more engineers becoming aides or staff to these politicians?
Or maybe just spend more time with aides trying to grasp the technical issues?

I'm going to send some letters to my Senators and Representative asking them to work closely with the EFF, EPIC, etc. to formulate any regulation on this, rather than Facebook itself.

Or maybe just smarter politicians. Politicians aren't elected based on their ability to understand a wide range of technical issues. A lot of people in Congress campaigned on not understanding basic facts about reality.
Well yeah, engineers should participate; not only as senators.
I suspect the problem runs deeper than this. There is no shortage of clueful people willing to advise senators for free (I have personally offered to do so, for example). Also I spent 1/2 day in the company of a staffer for one of our senators last year. Based on that experience they are not really short of technology savvy. Somehow their business model depends on appearing to not understand technology.
One of my biggest issues with the current political system is that - with few exceptions - only lawyers go into politics.

This means that you have people who have never taken Econ 101 setting fiscal policy, who don't understand technology trying to regulate tech companies, etc.

I'm not sure what the solution here is, but I think we're asking for trouble when our elected representatives lack a basic comprehension of the domains in which they legislate.

>We’ve arranged a society based on science and technology, in which nobody understands anything about science and technology. And this combustible mixture of ignorance and power, sooner or later, is going to blow up in our faces. Who is running the science and technology in a democracy if the people don’t know anything about it?

Carl Sagan

This is a good point. At the same time, some of the attorneys I've worked with in tech are wicked smart. It would definitely be good for a more representative set of people to represent citizens in congress (imagine that!), but I think the existing people are smart enough to learn what they need to about the areas that they legislate. The question is whether they take the time to learn, which it looks like they don't.

EDIT: I should clarify that I mean the attorneys I've worked with are smart enough and motivated enough to learn about technical / engineering issues, despite not being engineers.

> I'm not sure what the solution here is

The solution is obvious, stop tracking and building profiles on internet users who don't agree with FB terms or are not actively accessing the FB site.

> Zuckerberg claimed not to know what "shadow profiles" are

Did he really claim outright to not know what they are? Anyone have that quote from the testimony?

I do recall hearing live that he said he wasn't familiar with the term "shadow profiles." This may have been honest, I hadn't heard it before this hearing either, but then again I'm not the CEO of Facebook, so his answer is certainly troubling
Given that employees are told they can no longer use the word "shadow profile" to describe them, I suspect he knew what they meant.
> Given that employees are told they can no longer use the word "shadow profile"

What's the source of this information?

(comment deleted)
(comment deleted)
It may be called "preliminary profile" or similar internally. That would allow him to be "unfamiliar".
>In 2011, Schrems created Europe versus Facebook, which published the documents Facebook had sent him and flagged up where they didn't comply with EU law. He got in touch with the Office of the Irish Data Protection Commissioner (IDPC) -- Facebook Ireland is the "data controller" for its European users -- and sent 22 detailed complaints showing how Facebook wasn't compliant, five relating to it allegedly not deleting data. He also complained about "shadow profiles", where Facebook collects contact information relating to non-users when users sync their contacts from other services.

https://www.wired.co.uk/article/privacy-versus-facebook

Does he just have some cognitive dissonance, is he covering up, or does he really not understand how his business operates?

I used to say to our audiences: "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"

-Upton Sinclair

> Does he just have some cognitive dissonance, is he covering up, or does he really not understand how his business operates?

He's covering up. He has an history of doing that.

It would seem pretty nigh-on inconceivable that someone could build a business as successful as Facebook in hoovering up ad budgets, but to have no idea how they did it.
Here's how Zuckerberg's testimony works:

1. When he says he doesn't know, he actually knows.

2. When he says he knows, and that the answer is "more AI," he doesn't actually know.

> When he says he doesn't know, he actually knows

I don't think we have reason to believe the CEO is deeply familiar with all the strategies FB uses for session unification and user tracking. It's a fast-moving field with a lot of technical detail that a CEO doesn't actually need to keep day-to-day tabs on.

Except this CEO has an engineering/development background, and I'd expect him to be deeply familiar with the criticisms on his company.
You forgot:

3) Run down the 4 minute clock each representative had to ask questions by talking as much as possible so as to avoid a meaningful exchange.

Representative Marsha Blackburn was the only one that actually called him out on this BS:

BLACKBURN: And where does privacy rank as a corporate value for Facebook?

ZUCKERBERG: Congresswoman, giving people control of their information and how they want to set their privacy is foundational to the whole service. It's not just a — kind of an add-on feature, something we have to...

BLACKBURN: Okay.

ZUCKERBERG: ... comply with.

BLACKBURN: Well...

ZUCKERBERG: The reality is, if you have a photo — if you just think about this in your day-to-day life...

BLACKBURN: No, I can't let you filibuster right now.

[1] https://www.washingtonpost.com/news/the-switch/wp/2018/04/11...

(comment deleted)
I think the biggest thing is the HUGE disconnect with what people think Facebook is doing, and what Facebook is actually doing.

I think the whole point of this is to raise awareness about of the scope of Facebook's data collection-- It's unfathomably enormous.

If more average people had a better understanding of what Facebook was tracking, they'd be outraged. Zuckerberg's goal in this was to keep the wool pulled over their eyes. That's why he kept conflating post-visibility settings with privacy / tracking settings.

> That's why he kept conflating post-visibility settings with privacy / tracking settings.

Interesting. That's pretty clever, which gives me confidence that's exactly what he was doing.

And what's worse is that privacy controls explicitly don't control ad targeting. Years ago I had a long term relationship end. We hid our relationship status and only ended the status a year later. Immediately after changing a status marked "only me" in privacy settings I got bombarded with dating ads. I complained that this was a huge privacy violation and they said "we didn't share your relationship status with them. We matched you to them because of the relationship status"
> "we didn't share your relationship status with them. We matched you to them because of the relationship status"

Which I'm sure is acurate, that's how advertising targeting normally works.

Some years ago I read an essay about how the words we have limit the kind of phenomena we think about. I think the example at the time was about piracy and "stealing". Before computers existed it was impossible to make exact copies of something at zero cost. Therefore, stealing was morally wrong because if you take one of something, the person you took it from will have one less of that something. With computers the situation is less obvious. If you make a copy of something (say a movie) A) you're not really taking one copy of a movie from them; instead you created a copy of a movie for yourself, B) it's not clear that you're damaging their revenues either, as not all people who make copies of movies would've bought the movies in the absense of the possibility of making copies. Probably a more acurate picture is something in the middle, but the point here was that anti-piracy lobbies knowingly conflated "making copies" with "stealing". We entered the computer era without a morally charged word to describe an activity that used to be impossible, and instead they used one that misrepresents the new situation of things.

I think when it comes to privacy we're in a similar situation. Pre-computers, "privacy" meant that (phrase A) "people won't know attributes of you", and that is absolutely equivalent to (phrase B) "people (in this case advertisers) aren't able to take actions that depend on attributes of you". Post-computers the two phrases are not equivalent: Facebook didn't tell advertisers attributes of you, but it gave them the possibility to make decisions which depend on attributes of you. Conveniently, Facebook understands privacy to mean the former. I suspect the reason for why Facebook got away with it for so long is that we don't have two words that differenciate between the two phrases. We need to once and for all decide if we want the word "privacy" to mean phrase A, phrase B, or phrase A AND phrase B.

To be absolutely clear, I'm not saying "advertisers can only target you, they aren't being given your data, and therefore all is good". The only thing I'm saying is that the word "privacy" is lacking in a post-computers world.

> "Before computers existed it was impossible to make exact copies of something at zero cost. Therefore, stealing was morally wrong because if you take one of something, the person you took it from will have one less of that something."

I know this wasn't your main point, but I think it's worth rethinking the basis of your (or possibly, just this essay's) view on copyright.

A "copyright" is so named because it is precisely the right to prevent other people from making copies. When it originated (in the 1700s), its goal was to prevent the copying of books, even though copying--then and now--did not deprive the owner of their own access to the work.

What has changed is not the invention of a new fundamental concept (making a thing like another thing), but the ease with which this can be done by the unscrupulous. If you really liked a poem in 1720, wanted to be able to read it, but didn't want to buy a copy, you could get it by copying it word-for-word from someone else's version. The effect on the author was no different from copying a friend's MP3 file. The only difference is it feels like "a smaller act," so it can't be "a big deal."

Ok, so it's not that we went from non-zero cost to zero cost, but instead that cost of copy is a continuum and the lower we went the more prevalent it became.
Well, but ad targeting (if it's done in-house) can be done without violating privacy.

I mean, if FB would sell a service "show an ad to 10000 people born on 13th April 1998", and then doing so is perfectly compatible with keeping birthdays private as long as they don't tell the advertiser which people got shown that ad. A setting marked "only me" can be reasonably used to affect content that's shown only to you, e.g. targeted ads - assuming that you know your birthdate and relationship status, nothing that's shown to you is a privacy issue as long as no information is given to others. Such ad-targeting may be unwanted and intrusive, but that's not disclosing any private information. The upcoming EU GDPR law would likely require your consent for such usage of private data, though.

I understand the point that you and Facebook each made. That is a different point than the one I did.

I felt violated. I don't care what tools Facebook used to make sure my PII wasn't given to a third party, that was personal data. It was data I explicitly marked as "nobody's business" but they used it invasively. Their long-form response was summarized "so what? We probably knew you broke up without telling us anyway"

Can we once and for all accept that what you give to a website can be used by that website? Don't give your relationship status to Facebook if you don't want them to have it. It's a simple solution isn't it?

I think for so long people ignored the impact of what they did with their data. Facebook isn't your doctor or your lawyer. Facebook make cash out of targeted ads, it's their business models, they WILL use the data you gave them to target you with ads.

If it was only for you, why tell FB at all?
Actually "average people" in my experience very likely wildly over estimate how much information Facebook has about them. The default assumption I've seen non-technical people make is "they know everything". They understand at an intuitive level that when a company provides services for free and is worth so much, it probably uses a lot of their data. When these "average people" are business managers, this leads them to expect miracles out of Facebook ad targeting:-)

Technical people on the other hand who get into details and try to work out what and how FB is collecting data consistently under estimate FB and so get outraged.

Your experience "actually" doesn't trump the experience of others, or facts.
I liked your second paragraph.

But from my experience interacting with non-technical people, your first paragraph is completely wrong. At least from my experience, most people DON'T think "facebook knows everything".

Most consumers don't know what data Facebook has or what can be done with it. They do often have a helpless, fatalistic response though: "The Internet already has all of my data, so there's nothing I can do." They don't realize that the statement is false.
Yeah, this. I mean, "technical debt" doesn't begin to cover it.

As the overlap in the Venn diagram of "people who give a crap" and "people who understand what FB actually is" inevitably gets larger I have no doubt that we'll reach a pitchforks-and-torches tipping point.

By getting up in front of Congress and stonewalling (or outright lying) he's jammed his public perception over towards the "Martin Shkreli" zone.

>"hat's why he kept conflating post-visibility settings with privacy / tracking settings."

Indeed and if Congress had bothered to bring in some subject matter experts they would have been able to him out on these disingenuous answers and deceitful statements.

I'm sure Zuckerberg believes he may have won here but I think he lost in the court of public opinion. I think his testimony did him a lot of damage as it shows just how disingenuous and dishonest he really is.

I hope a lot of FB employees were able to tune in to these hearing so they could see their leader for who and what he really is. His scripted and willfully misleading testimony was fundamentally no different than the big banking or big pharmaceutical CEOs that get called to Washington during a crisis.

> I'm sure Zuckerberg believes he may have won here but I think he lost in the court of public opinion. I think his testimony did him a lot of damage as it shows just how disingenuous and dishonest he really is.

I highly doubt this. If the court of public opinion is an average of general public sentiment, my hunch is the probability a vast majority of the public paid any attention at all—and understood enough to see through the cleverly scripted and misleading answers—is far closer to 0 than 1.

I can point to three articles in three major daily news outlets(NY Times, Washington Post and Bloomberg) in the last 48 hours that question the sincerity and accuracy of his congressional testimony. There's plenty more but these are off the top of my head.
That doesn’t reflect the court of public opinion (at least not yet). That’s merely a measure of journalist opinion at 3 outlets.
>"That’s merely a measure of journalist opinion at 3 outlets."

No as per my actual comment - those are but three off the top of my head. The same sentiments have been echoed in many many more outlets since Wednesday.

Not just Facebook but also Google. They do the same thing and they monopolized the internet.
""" Zuckerberg reluctantly acknowledged that Facebook gathers information on people who aren't signed up for Facebook for what he said were "security purposes." """

That's a pretty disingenuous way to phrase Zuckerberg's response to a question of whether Facebook uses cookie tracking for logged-out users. Which of course it does, and it's of course used for security purposes; one has to be able to unify sessions from people with multiple accounts to do the most basic of bad-actor tracking against the most basic of attack scenarios.

No. There is no need to be able to do this.
Please elaborate.
A competent adversary won't carry cookies between sessions, so there is no security afforded by it. These cookies are solely to track the general population.
I agree, but I also note you may be underestimating the number of competent adversaries in the world and the cost / benefit analysis of doing something like this to eliminate a large-percentage case of bad behavior.
The cost is immense (tracking of non-users) the benefit is low (being able to detect multi accounts).
Incognito mode makes cookie avoidance easy, even for average users.
Or using another browser. And yes your average user is able to do that.
Average users are able to do a lot of simple things to afford themselves basic protection from some of these practices. The problem is that the vast majority of them don't know what those things are and don't know that they should be doing them.

Even among the few who do take steps, the majority misunderstand what they're even achieving, in a "I use incognito mode so the NSA can't track me" kind of way.

The even bigger problem, is that they shouldn't have to do anything to begin with, because these practices shouldn't be allowed in the first place. Governmental and societal complacency has allowed massive corporations to turn the internet into a largely adversarial entity for users. Use of the internet has become just easy enough to allow unsophisticated users to become a danger to themselves due to lack of understanding of what the simplified high level actions they take are actually doing underneath it all.

Much of the time, these people are running apps which they don't understand to be connecting to the internet at all. The average grandparent isn't going to understand that the "free" solitaire game they installed is slurping down their contact list and call/SMS history.

Well they installed the apps, so they are presented with the permissions. And sometimes even before first access to SMS/Call with another option dialog to tell them that.
This is not a security feature you should rely on solely. Anyone who wants to stuff with multiple accounts, can circumvent this easily. So this is not a security issue. It is for tracking people, first and foremost.
Or as facebook is doing just people tracking.
How can one protect himself against this?
To a first approximation: you can install browser extensions (or modify your /etc/hosts file or a router up-the-chain from your device) to re-route requests to Facebook URLs / IP addresses to a black hole.

To a larger approximation: if a third-party chooses to share their information on your browsing habits with Facebook, that's not something you can control. But it's probably a much rarer, much smaller attack surface.

This isn't just basic cookie tracking. They have an actual profile on you, without your consent, with the people who have you in their address book and even potentially your purchasing habits, from the data they purchase from data brokers like Datalogix. They maintain this profile on you separately from other users, and they make immediate use of it if you create an account.

That's why it's called a shadow profile.

How does such a practice differ morally from consumer credit reporting agencies?
You sign up for those when you get a credit card. You don't sign up for Facebook, they just start tracking you. You don't even have to go online for it to happen. They'll do it from your friend's profiles. It's quite different.
Ah, quite correct. I meant to say "Consumer reporting agencies" and let "credit" slip in there as a side-effect of my personal experience. :)

https://files.consumerfinance.gov/f/201604_cfpb_list-of-cons...

... but I think you answered the relevant question, which is that you consider opt-in to having your behavior tracked (even when that behavior interacts with third parties, e.g. visiting someone's website or buying a product from someone's company) morally key. I think the CFPB document I linked above indicates that this is not a universally-accepted principle.

> You sign up for those when you get a credit card

That is incorrect. Credit agencies create shadow profiles too, they call them 'thin files'. I have had to code around those situations.

Like Facebook they suck-up every scrap of data they can get from their sources. They absolutely do not throw away any of it just because you don't have a credit card ( else they'd omit half of Europe ).

It doesn't really - we need to get to a point where all of these surveillance companies are out of business.

Using data about a user with their consent seems perfectly fine. The fiction where this consent can be granted in perpetuity is not.

> Using data about a user with their consent seems perfectly fine. The fiction where this consent can be granted in perpetuity is not.

Not only that, but I think there is considerable trouble in interpreting consent when users cannot demonstrate or articulate a thorough understanding of exactly what such consent and data usage entails.

Unfortunately, as long as consumers can't be uniformly and universally trusted, there's but a market and a compelling, morally-acceptable use case for consumer tracking and reporting in that regard. So if what Facebook doesn't differ from consumer reporting in some other way, I don't see a compelling argument to toss it for the same reason I don't see a compelling argument to toss, say, return fraud tracking.
(comment deleted)
Is there any real evidence of "shadow profiles" or are people just speculating due to confirmation bias? If you give millions of mutual friend recommendations there's bound to be a few that hit.
I have on my phone Facebook app and Facebook Lite, on Lite I have a fake account that I intended to use to like other things (see beyond my bubble) short story -never used account. I receive push notification from Lite app to connect to new friends. People suggested are from my real account friend list and between the 2 accounts we don't have mutual accounts. I've visited my parents and suggestion to be friend with them pop up.
Though it seems like it would be ok to say "ONE of the reasons we do this is security" because it really does seem like they can get some decent security stuff out of doing some of the things they do. It's probably not the primary purpose though, more like a happy accident?

Though I'd guess for people who don't follow any of this close (like the vast majority of people) hearing "this will make you safe" probably works quite well, and that's why he's told to say these things.

Zuckerberg is the one being disingenuous. By acknowledging cookie tracking or scraper tracking, he answers the question that indeed FB tracks offline usage, but only mentions the innocuous cases and fails to acknowledge the Shadow Profiles[1] they clearly have

1. https://www.dailydot.com/news/facebook-shadow-profiles-priva...

He actually mentions both in the original quote (if Bloomberg was sourcing to the section of the hearing I assume they're sourcing from).
He acknowledged that they made shadow profiles and collected information not necessary for security from people who did not possess facebook accounts?
That's not what the question was. The man asking the question wasn't technically sophisticated enough to ask about using cookies, and if he were, he would not have asked that question anyway.

The question was, does Facebook collect data on non-users?

What that means is, if I have not signed up for facebook, are you tracking my behavior anyway through the like button and other methods?

That, I suppose, would have been a useful question for the Senator to ask. It wasn't the question asked.
Yes, the Congressman's question actually was "Facebook has detailed profiles on people who have never signed up for Facebook. Yes or no?"
Do you mean the like button simply being present on pages or actual clicking of the like button? My understanding is clicking on the like button is pointless unless you're actually signed in to facebook.
The like button actually being present means that your client makes a request to FB to fetch the relevant image resources and JS to display the button.

When that occurs, FB has some limited ability to get information on your browsing habits based on what that like-button JS is allowed to see of your current session (which given browser fingerprinting techniques, can be enough to unify your behavior with high probability across multiple disparate "blips" of signal).

The loading of the Like button will give Facebook information about your user agent - it's like a tracking pixel. It's been shown that user agent information together with IP pretty much uniquely identify a user. You dont have to click anything
>"That's a pretty disingenuous way to phrase Zuckerberg's response to a question of whether Facebook uses cookie tracking for logged-out users."

Except it wasn't a response to a "to a question of whether Facebook uses cookie tracking for logged-out users." It was a response to the question of:

"Facebook has detailed profiles on people who have never signed up for facebook, yes or no?"

See the video here:

https://mashable.com/2018/04/11/zuckerberg-testimony-shadow-...

So why should anyone trust him? People should use open source social networks that can be audited.
The most fascinating thing about human behavior is that in spite of what people know, they still trust Facebook.

Hell, I've been a Facebook app developer. I'm deeply familiar with the breadth and depth of information Facebook allowed an app to harvest ca. 2008 or so.

I still use FB multiple times a day because I don't care about my privacy vis-a-vis the things I post there and that my friends post there.

I do care, that's why I don't use FB. Problem in using it is the network effect itself multiplied by the untrustworthy, closed and centralized foundation. I.e. you don't just harm yourself by using it, you are harming others by proliferating its use, because by using it, you are encouraging others to use it too.
That's if you're already approaching it from the point of view that it's a bad thing. I believe that question is unsettled.
It's pretty much settled that exploiting lack of privacy is a bad thing. Potential of such practice misuse was clearly demonstrated in the recent history.
Can you give us the specific case in history that you are referring to? You can get back to met later if you don't have that information with you right now.
Brexit / Trump's campaign designers pretty much admitted manipulating the masses using Facebook feedback loop paired with big data analysis. Putting it more bluntly, it's a massive scale brainwashing. It's hard not to see the potential of pretty shady usage of such power.
I've never used it. For some reason this makes some people extremely curious as to my reasons and then very angry with me after I state them.
Why angry? In my experience most understand the problem well, but feel too dependent on FB to ditch it for good.
There are lots of things people"should" do. But in general, the more indispensable a thing becomes, the more governments try to help people decide better or even try to decide for people, as people will do whatever is convenient to them.
> (Zuckerberg reluctantly acknowledged that Facebook gathers information on people who aren't signed up for Facebook for what he said were "security purposes.")

This sort of information gathering is necessary for DDoS/Spam/Fraud prevention and so on. I'm not saying I trust Zuckerberg wasn't hiding something else, but also I understand why he didn't want to publicly comment on the heuristics they use to combat attackers.

Although at this point I don't know why Zuckerberg would be obfuscating if they really have detailed advertising profiles on logged-out users. (What would said advertising profiles be used for? Selling them to other advertisers?)

"I'll have my team get back to you on that" sounds so much nicer than "I plead the fifth" doesn't it though?
>Make the most of every campaign with these four strategies. Unlike display ads which target people based on cookies, Facebook lets you define and reach the exact target audience you want. You'll get the right eyes on your ads, while maximizing your time, budget and growth potential.

Zuckerberg is going to lose his shit when he sees what his Digital Ads team has done behind his back. Facebook is brazen about being a grossly invasive advertising company, just not when they're talking to their users. [1]

[1] https://www.facebook.com/business/a/performance-marketing-st...

Is lying in front of congress a crime?

If I was a senator, I would have asked these two questions:

When I look at a product in an onlineshop like Amazon, afterwards I see adverts for this product on Facebook. How does this work?

When I visit a physical store, afterwards I see adverts for this store on Facebook. Even on my desktop computer. Even though I don't have any facebook apps on my phone. How does this work?

If he lies and says he don't know, from then on he would be at the mercy of many employees at FB whith whom he has talked about this type of data collection and sharing.

1. Since Amazon uses Facebook for advertising, they can feed their data to both Google and Facebook ads. It's easy to do with cookies.

2. If you don't have Facebook app on your phone or if you did not open your Facebook app when you are in store, you won't see ads for that store. Unless you have a loyalty program with the store or the store decides to target advertise you based on your payment info, etc. In any case, it is the physical store that shares those information.

1: How is that easy? If I had a cookie on Amazons domain, how would that enable Amazon to show me personalized ads on FB? I don't keep cookies though. So the targeting must use other types of user identification.

2: I don't have a FB app nor do I use FB on my phone. But I see ads related to the places I went to. So the flow of information must be via other channels. One part is probably Google (I use Android).

They can also use Local Storage if necessary. I know quite a few Ad tech companies were using local storage to get around no 3rd party cookies in Safari.
Given how things are taken out of context in today's media, giving a resounding Yes to an answer which requires a detailed answer is a bade idea. Congress/Senate hearings are not exactly CS101 class. So, it is better to be keeping answers short and maybe it comes off vague.

Politician clue-ness on the issue also doesn't help.

Zuckerburg is in the unenviable position of having to defend the entire ad-tech industry.

If he describes in granular detail how user profiling and ad serving works on Facebook, then Facebook is going to take the hit on practices that are basically industry standards. If he obfuscates, and focuses on FB controls then he seems like a liar.

If he explained how ad-tech works across the internet then it would look like whataboutism and him invoking the bandwagon fallacy.

At the end of the day it seems like someone/some company is eventually going to take the fall for the whole ad-tech industry and cause major reform - is Facebook the one who's going to take the arrow?

Good. The whole ad-tech "industry" should be burned to the ground; the sooner the better.
The internet will be very different if the whole ad tech industry disappears. It will be driven largely by subscription, but I believe that is the model that Apple is encouraging.
Facebook has to infer intent, unlike, say Google Search, which can get it directly from your keywords. FB has built a data halo around its users to try and infer that intent. Hard to imagine them ever giving you control over that additional data they collect around you, since it's their competitive advantage. But also proving to be a double edged sword because it's creeping out their users and other actors are starting to exploit it for political ends.
Okay, I guess I'm the contrarian here, but I'm not sure why any of this is surprising, or even a problem.

Facebook users signed up for a free service that allows them to communicate with other people in an enjoyable manner. Facebook even went so far as to make it so enjoyable it's addictive. Free online crack. Facebook users, you're having your fun.

What would you expect Facebook to do to finance all this? They're selling the shit out of you. They sell you sideways to Sunday, then sell your Mom, too.

Why would you be upset, or even surprised? Facebook should be able to do whatever they want with your data if you're gullible enough to use their free service.

Yeah, I can't figure it out either ... what could possibly be wrong with giving drugs to an addict? They agreed to becoming an addict, so why shouldn't I profit from their inability to protect themselves?
You're clearly satisfied with yourself for not being a Facebook user, but your comment has no bearing on the article. Do you have an opinion on Zuckerberg refusing to admit any of this?
So while your point was apt at the beginning of Faceboot's existence, at this point in time most everybody has been "gullible enough to use their free service". So the only current applicability of your point that anything Faceboot does is fine based on the idea that their users have consented in perpetuity.

Your point also does nothing to address the surveillance that Faceboot performs on people without accounts, or data they glean from sources other than explicit Faceboot usage.

So-called "shadow profiles" are built for people who are not even Facebook users.

I do not have a Facebook account, and yet my friends and family members have been prompted to tag photos of me with my name.

I did not sign up for a free service. I am not a Facebook user, I'm not "having my fun." And yet Facebook has collected enough of a profile on me to recognize my face in photos and know who my friends and family are.

Is it a crime to hire a PI to tail someone and log their every move?

Online tracking is basically the same thing.

Depending on the state, I believe it can be. Many states have "stalking" laws preventing just the sort of behavior Facebook engages in as part of their business plan.

In most (or all?) states, PIs are licensed and also have limitations on what they're allowed to do. There is currently no license for Facebook, nor any limits that they recognize.

Even Zuckerberg doesn't seem to know, he appears to have lost control of what's going on. Unfortunately, the hearing didn't dive into details to better demonstrate that he can't tell why somebody sees what they see, and who uses the data (inside and outside of Facebook). Also, the whole collecting data "for security purposes" is pretty unbelievable. Does that mean they share information with governments around the world? This can be interpreted as anything.
Well.. He did look uneasy when asked about Palantir.
If you're still using FB/IG/WA you're complicit.
This particular article from Bloomberg loads (for me this time, it likely varies from one pageload to another) javascript files from these (and more, I stopped after reaching m, alphabetically) domains, many of whom are likely tracking users across sites and Bloomberg is doing so despite having no affirmative consent from me whatsoever:

  a.quora.com
  action.media6degrees.com
  ad.crwdcntrl.net
  ads.pubmatic.com
  ak.sail-horizon.com
  amplify.outbrain.com
  amplifypixel.outbrain.com
  analytics.twitter.com
  assets.bwbx.io
  bat.bing.com
  bcp.crwdcntrl.net
  cdn.perfdrive.com
  cdn.taboola.com
  cdn.teads.tv
  cdn.tinypass.com
  connect.facebook.com
  consent.truste.com
  dt.adfaceprotected.com
  horizon.sailthru.com
  in.ml314.com
  insight.adsrvr.org
  js-sec.indexww.com
  ml314.com
  ...
It's important to blame the right party here - pubmatic doesn't have a relationship with you and taboola doesn't have a relationship with you - it's Bloomberg that is sending your usage data to them. The same is true when Facebook or Google pixels are loaded (I'm sure they are there) - they are not tracking you directly, the publishers that are loading those pixels are sharing your browsing information with them. The media companies, that are manufacturing lots of faux outrage of how the internet works, largely because they mistakenly believe that if not for large tech companies, they'd make more money, which is unlikely to be true, are not only complicit here, but they are far worse about their blatant misuse of user data.

So however you feel about Facebook or Google or whoever happens to be on the hot seat at the moment, this is just how the internet works today and says more about the advertising ecosystem at large. The data collection also includes offline entities that are selling or at least "sharing" purchase data, gym check-in data, and so on. It's also important to realize that trying to stop this through regulations likely kills smaller publishers that cannot directly monetize their inventory with advertisers (because they are too small and cannot prove their trustworthiness) while benefiting larger entities that advertisers can reach directly. Google and Facebook don't need to load all these third-party JS because they can sell directly to advertisers. Google also happens to be an ad-tech intermediary but they don't need to be.

So be careful what you wish for here - while some of these privacy regulations are, in spirit, the right path forward but the articles currently bashing Facebook largely come from writers whose salaries are paid for by selling user data without affirmative consent to anyone who's willing to pay. It's likely that the publishing world won't be able to support the same number of writers once of some of the ad-tech data pipelines are broken. It's also likely that lots of people here and elsewhere who are currently complaining about privacy are likely complicit in many ways. Salesforce? It's a tracking tool where a lot of this sensitive data ends up. Oracle? Same (through their marketing cloud). Verizon? It's also an ad-tech vendor. Random Fortune 500? They are probably both selling/sharing whatever user data while their marketing teams are busy acquiring data for their campaigns. Small technology consulting firm? If you deal with lots of data, at least some of the data you're dealing was harvested this way.