That's a nice quote, but I don't think it applies here in that way. I don't think any Congressman's salary actually depends on not understanding Facebook's business model.
IMO the NY Times simply isn't good enough or original enough to be worth paying for though, so I choose not to subscribe to it.
Also, I'm not very interested in being informed about the endless news cycle of daily events. It distracts focus and in the long run is mainly noise. Its main purpose seems to be to create jobs in the media for the oversupply of liberal arts graduates.
journalism is actually extremely cheap, and is probably why the NYT finds itself in the unenviable position of playing second fiddle to new medias these days
that's definitely true, i just think that even the "reputable" newspapers have fallen in line and while they do still execute detailed investigate journalism, they are also pumping out clickbait. the recent WaPo article on the child who died in CBP custody was quite disappointing.
Sounds like you've never paid for a subscription to the New York Times! The Ads don't go away. And eventually when you realize they're just another ad-serving, user-tracking, biased, hypocritical corporation and go to cancel the service the same way you signed up (online)... Surprise! You can't. You have to call them up and drudge through an hour of their sales bullshit trying to prevent you from cancelling. NYT is full of dark patterns.
In fairness, maybe that's because journalism isn't cheap?
I don't know? I'd need data from inside of NYTimes, or AFP, or Al Jazeera, or whatever to know for sure. But I suspect stuff like that costs a great deal of money. Subscriptions that would fully fund something like NYTimes, or WSJ, or Le Monde, or what have you would likely be unaffordable for the majority of information consumers. (Again, that's just my guess. I don't know?)
I disagree with the premise. The accusation only holds if your definition of "selling data" includes any transaction
where data is leaked as part of a transaction. Importantly, in the ad model the information leakage is an unintended (but unavoidable) side effect. If Facebook could sell ad slots without revealing information about you they would. In fact over the years they've tightened their constraints around targetting to ensure that individuals cannot be targetted and data about individuals can't be derived by targetting hacks.
If you asked an average person what "selling data" means, they would describe a much more straightforward exchange: you pay me, and I tell you the names of woman interested in skiing.
Consider a real world comparison. You run a ski class for woman. I pay you $100 to distribute vouchers for a range of ski equipment at my store. If a customer shows up with a voucher then I know that they're taking your lessons. I can infer their skill level and that they can afford to pay for private lessons. Was that an instance of you selling your customer's data?
Facebook has a large network of adtech partners who integrate with Facebooks advertising APIs. This used to be FBX, then they replaced it custom audiences.
I used to work at one of these firms and AFAIK, I worked in sales, Facebook didn't exchange any data with us.
I believe with FBX was implemented using tokens but this changed with custom audiences.
What we could do was match email addresses from our clients, think newsletter list, and get custom audience segment to advertise towards on Facebook.
I seem to recall that we needed at least 1000 emails and we could see how many of them matched a Facebook user.
A possible covert channel of confidentiality breach could be that you feed it 999 bogus emails and one target email to find out if a particular email matched a Facebook user.
But then I don't think you would've been able to target ads to that small of an audience.
If there is a possibility to get data, my guess is that it would be through inference using this kind of covert channel.
Except that I'm not sure I do, now that computers are involved and can pick up every scrap of maybe-data and correlate sets of maybes into probable identities. Twenty years ago walking into a shop with a voucher wasn't an identifying action, now it may be. Twenty years ago what the shop owner got from the voucher distributor wasn't a list of names, now it may be.
If the shop owner gets a list of names at the end of the day, then arguably that list is what Facebook sold. Maybe Facebook sold it with plausible deniability, maybe Facebook would prefer not to sell it, but the shop owner paid money and got something in return.
Companies exist solely to gather and de-anonimize this data to the fullest extent possible. As an example of what you can do, in Google Adwords, you can download multiple aggregated click/cost reports across many dimensions (age range, zip code etc), set up and solve a mixed integer linear programming problem, and get detailed information about every click. Not sure if Google ever caught on or cared enough to fuzz the data.
You can’t get a list of names from Facebook unless each customer individually allows the company to access it. Happy to upload the modal when that happens.
Would you say that then gives you the right to get the fingerprints off of the voucher and examine it for traces of other molecules, such as perfumes, cigarette brands, or sexual activity? There are certain lines that people assume others won't cross. What we're finding is that people do cross those lines. Your example honors those lines. The problem, however, lies in what the companies that don't honor those lines are willing to do.
In the case of tech, most people have no idea how to even articulate what crossing those lines would mean in terms of the data they give up. If someone has a medical procedure, most of us assume that sharing that information is a line that shouldn't be crossed. We have laws that even prevent directly sharing the directly acquired information, and those laws make sense to people.
But when you say that the same information can be obtained in other, more roundabout ways, it's hard for them to conceptualize the risk. Companies can't back down because they have no compelling reason to argue against making that next dollar other than "it feels immoral."
That's why we need strong regulations. Strong regulations actually protect the honorable businesses by giving compelling reasons to not cross those lines.
I'm not sure how you are going to get strong regulations passed (or even written) in an environment where "most people have no idea how to even articulate what crossing those lines would mean." The reason theft, libel and feeding poison directly to restaurant-goers are not options for companies are because the effects are immediate and everyone understands why they are bad. Slowly polluting the water supply, unlike feeding fast-acting poison directly to everyone, is not off-limits in practice because it is slow-acting and not everyone understands what is happening.
Agreed. Eventually, hopefully, people become educated. Unfortunately it seems to take knowing someone who knows someone who suffers directly to change these minds. But in the early stages it's freaking impossible. Even when someone on the 'inside' suggests changing things, such as Warren Buffet saying we need to increase taxes on the rich, it is very hard to convince people that there's a real problem.
> I disagree with the premise. The accusation only holds if your definition of "selling data" includes any transaction where data is leaked as part of a transaction.
This seems equivalent to arguing that poachers don't actually "kill" elephants, it's just an unintended side effect of shooting them and ripping their tusks out.
> The accusation only holds if your definition of "selling data" includes any transaction where data is leaked as part of a transaction. Importantly, in the ad model the information leakage is an unintended (but unavoidable) side effect.
So, if leaking data isn't their primary intent, it's cool if it happens — even if Facebook knows there's a causal relationship between their advertising model and data leakage? Why should a company not be liable for known externalities of their business?
Should a clothing store be held liable because some people wear its clothes as gang signs? It’s simply not a workable standard to demand that companies make it impossible in principle for third parties to do shady things with their stuff.
I agree, and I think your point can be even more generalized -- businesses can collect information about their customers, there's nothing wrong with it.
The key difference is that, while a website may know from your ad click that you were targeted by a campaign looking for college-aged men or whatever, it doesn't necessarily know who you are. That's the difference between personally identifiable information and simply targeted information.
There needs to be safeguards to avoid abuse. For example, if the targeting dimensions of an ad campaign are so narrow that the few people fall into it, it shouldn't be targeted (a good example would be geographic targeting of devices that are inside of your house -- too granular).
But, I don't care if a website knows that I am likely male or my coarse age or whatever, because i don't have to tell the website who I am in the real world if I don't want to. "Selling your data" is commonly understood by the public to mean something like this -- people suspect that facebook just gives lists of their users to third parties and asks them who they want to send ads to, which is the accusation that Facebook is denying.
If I end up making a purchase w/ a website, then sure, they'll know some things about me from the FB ad click referral and the underlying ad campaign they ran. I feel fine with that, I'm entering a relationship with the business where they know quite a bit about me anyway -- like my name, my address, what I'm buying, etc. I don't buy things from places if I can't trust them.
I've become convinced that people were already looking for a concrete reason to dislike Facebook. They resent the presence of social media in their lives and the influence it has, not to mention the annoyance and over-saturation.
But they see some usefulness too and/or don't want to be out of the loop, so they're not ready to totally walk away. So they remain in a situation they don't like, and there's been a lot of simmering frustration.
Then this data collection thing came along, and it became a way of venting some of that frustration. So it became a myth that a lot of people believe in. A myth because, while Facebook definitely isn't perfect, people believe it is doing certain bad things it really isn't.
To me this suggests that, like a couple who has a big argument over some trivial non-issue, there is probably some other real issue that needs to be sorted out.
As a culture, we all signed up to participate in a business model funded by collecting our data and selling it. The natural outcome is that people with money would use that money to influence public opinion. We walked straight into this trap.
You probably could use this type of granular targeting described, and infer personal data from Facebook users using UTM codes on your campaigns.
But it doesn't tell you who this information is about. You'd have to trick the user to reveal their identity on the attacker website.
I guess this could happen if the victim had previously visited the attacker website and identified themselves using say their email. Store a cookie of this user. Then when the click the information leaking ad they identify themselves on the attacking website with this cookie. Now you can link the information leaking targeting with the user and potentially leak data.
It's misleading to say that Facebook is selling data to advertisers. Rather they might leak personal data through covert channels.
Real question: Should opinion editors be judged by the practice of the journal that publishes them?
The NYTimes does admittedly worst than Facebook on that front (the key aspects for me: I can’t see the targeting for their ads before clicking on it, refuse some ads on their website, I can’t access, edit or delete what their partners know about me; I can do all that on Facebook). That makes the claims of that editor seem very disingenuous.
Should we judge him based on that? Or is he a user of NYTimes and a victim of their disputable privacy practice, like he is a user of Facebook and an avowed victim of the Mark & Boz’s decisions?
I agree with this article, thanks for sharing. With the advent of big data and capabilities to draw conclusions from what seems like an anonymous information Mr. Zuck sill goes for the simplified explanation "but we're not giving it directly..." The violence case in Myanmar showed that Facebook has much broader consequences without directly doing anything. The same goes for third party involvement, they can deny it and it makes me question do they themselves understand the scope of the problem and manipulation.
Its not only advertisers buying your data. I had a boss who paid a subscription to a service that monitors as much of your internet activity as possible. He got alerts everytime i and other colleages did anything public. He bought it cause he was paranoid, or a voyer. Stuff that you do that is public, is more than just a facebook post, it is slso a google+, steam, wordpress, gravatar, linkedin, discuss, readdit, and loads more. The more you can link up a particular person, the more you can track across domains, the more its worth, even to the person being tracked. Think credit scoring companies who sell there tracking back to you and also to banks. Your governments pay billions to security contractors to collect your data.
Newsagencies that suggest your data is only valuable to adveriserz are engaging in distraction.
One of the many benefits of a full-time job doing open source development: it has absolutely flooded out everything else about me on the Internet. My Dad used to have a service like this alerting him about anything I did. He turned it off because he got sick of all the notifications about my work. If you Google my name now, it takes until like page 10 before you find anything remotely personal.
Yes, i had a similar perspective, ive also posted a lot of open source and i thought if you are still inclined to be following me with your draw dropped in awe, then youd need to be getting yourself a life. Surely im not that important. But actually, my data and activity genrates enough money amongst those who sell security to the government, that it would contribute a significant part to my weekly wage. If only we knew how much our data was really worth.
Just because a person ends up on an advertiser's site after clicking on an add targeted to [whatever] doesn't mean the advertiser has the data. It doesn't know the identity of the person that clicked on the ad.
Of course it does. That is the whole point of the article. By clicking on a targeted ad, the info used to target you can be and also is very much transferred. Just imagine a string attached to the ad URL containing the characteristics of the targeted group:
"Likely" is a strong word there. For most organizations, I'd go with "might have." But yes, that's true.
Still, "Facebook tells you which ad someone clicked on, and that can give you some demographic information, and if you can at some later point determine that person's identity you can connect the two" is a very different thing from "Facebook sells your data."
It might be different from a technical perspective, but from a privacy perspective information about the user has been transferred to the advertiser, who paid Facebook for the privilege. And "at some later point" may not be that far-fetched, if the adtech company operating the fingerprinting code happens to sell their data to other companies, etc.
How is ad matching performed exactly? Is a users data profile basically matched against some set of ad network defined properties and then served to the end user?
A lot of comments are missing the fact that there are data sources other than Facebook that can turn a click into an identity, or near enough. Facebook can't claim ignorance of all of those.
There are databases with much higher accuracy. I once had a pizza delivery website I had never before used pre-populate the complete address for my location (on a desktop PC with no GPS). They don't do that anymore though, so I can't take a screenshot.
Retailers buy and sell customer data as part of "data cleanup" efforts, that data can be correlated with geo-IP and third-party cookies, etc.
I don't know why we pick on FB for this practice, just because they're better at it than existing marketing data out there that's been accumulating for the past 40 years on people. Companies like Axciom, Experian, etc. have been doing this far longer than FB...
This is tricky. I sort of agree with the author and sort of don't.
It boils down to: if you own an algorithm f: H->R^n and show m number of (k, v) pairings such
that f(k) = v, does it follow that you have revealed all or part of the algorithm? (Where user data is folded into f.)
This would necessarily have to do with how big m is and whether it is enough to infer a f with reasonable accuracy. Not sure what are good metrics for "reasonable accuracy" though.
57 comments
[ 3.1 ms ] story [ 112 ms ] threadInternet advertising fuels the Facebook problem.
The smaller we can make internet advertising, the smaller the Facebook problem becomes.
IMO the NY Times simply isn't good enough or original enough to be worth paying for though, so I choose not to subscribe to it.
Also, I'm not very interested in being informed about the endless news cycle of daily events. It distracts focus and in the long run is mainly noise. Its main purpose seems to be to create jobs in the media for the oversupply of liberal arts graduates.
In fairness, maybe that's because journalism isn't cheap?
I don't know? I'd need data from inside of NYTimes, or AFP, or Al Jazeera, or whatever to know for sure. But I suspect stuff like that costs a great deal of money. Subscriptions that would fully fund something like NYTimes, or WSJ, or Le Monde, or what have you would likely be unaffordable for the majority of information consumers. (Again, that's just my guess. I don't know?)
If you asked an average person what "selling data" means, they would describe a much more straightforward exchange: you pay me, and I tell you the names of woman interested in skiing.
Consider a real world comparison. You run a ski class for woman. I pay you $100 to distribute vouchers for a range of ski equipment at my store. If a customer shows up with a voucher then I know that they're taking your lessons. I can infer their skill level and that they can afford to pay for private lessons. Was that an instance of you selling your customer's data?
Can anyone clarify if there still exists a way for 3rd parties to get data out of Facebook for users that haven't clicked on the 3rd party ad?
I used to work at one of these firms and AFAIK, I worked in sales, Facebook didn't exchange any data with us.
I believe with FBX was implemented using tokens but this changed with custom audiences.
What we could do was match email addresses from our clients, think newsletter list, and get custom audience segment to advertise towards on Facebook.
I seem to recall that we needed at least 1000 emails and we could see how many of them matched a Facebook user.
A possible covert channel of confidentiality breach could be that you feed it 999 bogus emails and one target email to find out if a particular email matched a Facebook user.
But then I don't think you would've been able to target ads to that small of an audience.
If there is a possibility to get data, my guess is that it would be through inference using this kind of covert channel.
Except that I'm not sure I do, now that computers are involved and can pick up every scrap of maybe-data and correlate sets of maybes into probable identities. Twenty years ago walking into a shop with a voucher wasn't an identifying action, now it may be. Twenty years ago what the shop owner got from the voucher distributor wasn't a list of names, now it may be.
If the shop owner gets a list of names at the end of the day, then arguably that list is what Facebook sold. Maybe Facebook sold it with plausible deniability, maybe Facebook would prefer not to sell it, but the shop owner paid money and got something in return.
In the case of tech, most people have no idea how to even articulate what crossing those lines would mean in terms of the data they give up. If someone has a medical procedure, most of us assume that sharing that information is a line that shouldn't be crossed. We have laws that even prevent directly sharing the directly acquired information, and those laws make sense to people.
But when you say that the same information can be obtained in other, more roundabout ways, it's hard for them to conceptualize the risk. Companies can't back down because they have no compelling reason to argue against making that next dollar other than "it feels immoral."
That's why we need strong regulations. Strong regulations actually protect the honorable businesses by giving compelling reasons to not cross those lines.
Google literally does this with adsense. It is definitely possible.
This is quite a spin! The leakage is unavoidable because it is an essential part of the sale.
>Was that an instance of you selling your customer's data?
Yes. The reason you distribute targeted vouchers is to use the data to help identify qualifying customers.
This seems equivalent to arguing that poachers don't actually "kill" elephants, it's just an unintended side effect of shooting them and ripping their tusks out.
So, if leaking data isn't their primary intent, it's cool if it happens — even if Facebook knows there's a causal relationship between their advertising model and data leakage? Why should a company not be liable for known externalities of their business?
The key difference is that, while a website may know from your ad click that you were targeted by a campaign looking for college-aged men or whatever, it doesn't necessarily know who you are. That's the difference between personally identifiable information and simply targeted information.
There needs to be safeguards to avoid abuse. For example, if the targeting dimensions of an ad campaign are so narrow that the few people fall into it, it shouldn't be targeted (a good example would be geographic targeting of devices that are inside of your house -- too granular).
But, I don't care if a website knows that I am likely male or my coarse age or whatever, because i don't have to tell the website who I am in the real world if I don't want to. "Selling your data" is commonly understood by the public to mean something like this -- people suspect that facebook just gives lists of their users to third parties and asks them who they want to send ads to, which is the accusation that Facebook is denying.
If I end up making a purchase w/ a website, then sure, they'll know some things about me from the FB ad click referral and the underlying ad campaign they ran. I feel fine with that, I'm entering a relationship with the business where they know quite a bit about me anyway -- like my name, my address, what I'm buying, etc. I don't buy things from places if I can't trust them.
But they see some usefulness too and/or don't want to be out of the loop, so they're not ready to totally walk away. So they remain in a situation they don't like, and there's been a lot of simmering frustration.
Then this data collection thing came along, and it became a way of venting some of that frustration. So it became a myth that a lot of people believe in. A myth because, while Facebook definitely isn't perfect, people believe it is doing certain bad things it really isn't.
To me this suggests that, like a couple who has a big argument over some trivial non-issue, there is probably some other real issue that needs to be sorted out.
But it doesn't tell you who this information is about. You'd have to trick the user to reveal their identity on the attacker website.
I guess this could happen if the victim had previously visited the attacker website and identified themselves using say their email. Store a cookie of this user. Then when the click the information leaking ad they identify themselves on the attacking website with this cookie. Now you can link the information leaking targeting with the user and potentially leak data.
It's misleading to say that Facebook is selling data to advertisers. Rather they might leak personal data through covert channels.
The NYTimes does admittedly worst than Facebook on that front (the key aspects for me: I can’t see the targeting for their ads before clicking on it, refuse some ads on their website, I can’t access, edit or delete what their partners know about me; I can do all that on Facebook). That makes the claims of that editor seem very disingenuous.
Should we judge him based on that? Or is he a user of NYTimes and a victim of their disputable privacy practice, like he is a user of Facebook and an avowed victim of the Mark & Boz’s decisions?
Just because a person ends up on an advertiser's site after clicking on an add targeted to [whatever] doesn't mean the advertiser has the data. It doesn't know the identity of the person that clicked on the ad.
Still, "Facebook tells you which ad someone clicked on, and that can give you some demographic information, and if you can at some later point determine that person's identity you can connect the two" is a very different thing from "Facebook sells your data."
See https://panopticlick.eff.org/ for one conceptual demo.
As an innocuous example, have you ever noticed that Maps seems to show the right neighborhood when you connect a non-GPS laptop to a friend's wifi?
Isn't that just matching the IP to the correct town? Using a database like maxmind's.
Retailers buy and sell customer data as part of "data cleanup" efforts, that data can be correlated with geo-IP and third-party cookies, etc.
It boils down to: if you own an algorithm f: H->R^n and show m number of (k, v) pairings such that f(k) = v, does it follow that you have revealed all or part of the algorithm? (Where user data is folded into f.)
This would necessarily have to do with how big m is and whether it is enough to infer a f with reasonable accuracy. Not sure what are good metrics for "reasonable accuracy" though.