Wow that's creepy. It lists apps where a) I didn't use FB login/signup and b) used a different email address to sign up. How do they cross-reference that to me? Hand how can I prevent that outside of their tools (which I assume still violate my privacy)?
I use uBlock Origin and Privacy Badger on my desktop and phone, as well as Blokada, and yet Facebook still had a bunch of app activity even though I never ever sign in to stuff using FB (or even gave the apps my email or any other piece of personal data).
I literally just opened the app, granted no permissions, used it a bit, and Facebook associated it with my account. What the fuck.
They could be associating you server-side using persistent identifiers on your phone. For example, if an app has the Facebook SDK, it could send your IMEI to Facebook. Then, if you have a first-party Facebook app like Messenger, that too can send your IMEI to Facebook and link it back to your Facebook account.
I'm pretty sure that 95% from the activity that is listed for me comes from the Facebook tracking pixel, that every website has to embed if they want to (effectively) advertise on Facebook.
I don't think that'd really be true, since they'd just have it stored in the background without you having a FB account (and wouldn't have the ability to see how bad it is)
does that stop facebook from collecting data about you? I didn't think it did, and because you don't have an account it's not, or at least wasn't possible to control any privacy settings.
Technically, no. Legally, it means you haven't accepted their terms of service, so if/when (I hope) the political privacy landscape changes, it'll be more likely that you can sue, report a violation, request deletion, (or maybe they'd even preemptively delete it to cover their tracks / come into compliance with new laws).
That's an interesting thought. I've removed (deleted?) my Facebook account several months ago. Maybe I should have kept it around in order to manage it.
which I did a couple of years ago.
Now I have no idea what they know about me. I use adblock and friends, but I wonder how much data about me they still manage to gather
Also, if you are creeped out by this, just imagine the amount of data Google has on you. I'm convinced they have way more, just by virtue of every website having Google Analytics installed.
Even before firefox containers, I used a dedicated profile for facebook only as well as using privacy badger and ublock origin. Facebook still collected data about me from external sites. I think mainly through my phone, possibly through linking phone number or email addresses.
I found a mere four items in my activity list, all from several months ago, probably when I mistakenly used the wrong container or had uBlock turned off. It's nice to see all my anti-tracking software is working!
I use Firefox Containers to limit and logged in FB activity to that & never log in using FB other than FB website itself. I have no FB apps (including WhatsApp).
I've been running uMatrix for a few months.
My firefox tracking-prevention (similar to EFF's one, but probably not as good) is always using maximum privacy settings.
I still have a few sites appear... AND for websites I've never even visited (that I'm aware of, & I'm the only user of this machine)
There seems to be some serious fingerprinting going on, more than simple cookies.
Agreed, even with all of the above I had about 15 or so sites in that Facebook list. I suspect it's because I was logged in to Facebook on my phone's browser for a while. Not sure why I even did that...
Those are good, but they don't work for what the GP is talking about. I'm seeing games/apps associated with my FB account even though I never logged in to FB with them or gave them any info. I literally just opened the app and that activity was associated with my FB account.
I have no idea how they're doing this, since they didn't even request storage access (or I didn't give it). Can any Android developer here chime in on how an app can figure out my Facebook ID even though I don't even have Facebook installed on my phone and didn't give any sort of credential or access to the app?
Once you've logged into facebook from the device, they likely created a device fingerprint for your device: https://en.wikipedia.org/wiki/Device_fingerprint . This would allow them to identify you even without a cookie or ad id to correlate against.
Fingerprinting across devices is possible too, using things like behavioral analytics, network traffic, timing, third-party data sources etc.
The third party data sources is the easy one. Log into service A on your computer and service A on your phone. Service A fingerprints both and sells the data to service B. Now service B knows how to correlate your behavior between devices even though you never logged in.
I’m sure you’ve logged in something on both your phone and computer. It doesn’t have to be Facebook.
Try to opt out of Advertising ID (Settings -> Google -> ads) and see if apps continue to be associated with your facebook account. I suspect Swipe sent both your account ad advertising id during login.
I thought Google Analytics had a decent privacy policy that would prevent Google from doing anything with GA data. But I remember some fuzzy wording like "your data" which could simply mean that Google considers GA data to be their data.
Has anyone done a good deep dive on what Google actually does with GA data?
As an EU "customer" I'm rather surprised by this. There are services that I've signed up to since GDPR came into effect which I didn't get explicitly consent to do this. For example my business bank. Why would I give them permission to share data with my personal Facebook account? I will be digging into this more.
By far the worst thing are android phone applications (not only FB official app). They have their spyware bundled and can slurp from you the data which are normally unaccessible by web browser, from phone number, imei, mail addresses to all your contacts and there is almost nothing you can do except installing vpn based firewall (like NetGuard) and block all access and add permissions one by one for each url. This should just be illegal.
From your friends :) Or you will allow it. To use it. On the other side you can at least control that the common advertisers wont get it (like fb). For everything else get root and xposed + xprivacy. But for most users that is too much. I just gave the easiest advice. I am running microg lineage, xprivacy lua and netguard. But I wonder was this as advice worth the letters used? ;) Will someone go trough the trouble to use it? To replace the rom, install everything, run everything in block mode and allow only what is really needed, like connection to my own mail server? My own ssh tunnel? Probably not. And then comes the master villan, google. How many will remove that one from the phone? Waste of words, right?
Anyway even netguard is far better than nothing, most apps dont need their own servers. And the largest data slurpers are known. For fb just block all fb domains.
Some chat apps (like Viber and others) have Facebook SDK integrated in them, without any direct Facebook functionality people would use. Discovered after using NetgGuard, and seeing who is calling home, and not only home. (Why viber is making requests to graph.facebook.com anyway?)
Duolingo is a nice app for learning new languages, yet it might be using the same sdk, since it likes to call facebook.com domain.
Netflix is a good streaming service, but it has some option somewhere, which allows them to share data with others, and enabled by default. And yes, it's present in fb activity.
The list can go on...
There are developers who integrate dozens of SDKs, without any specific purpose for users, and not knowing what is happening. We need something like PrivacyBadger/ublockorigin for phones/laptops/routers/homes/cars. It's getting more than creepy.
And why would Facebook allow third-parties/businesses upload into FB info they have on their customers...
Same here. I suspect most of the commenters on this post that are confused about how their data got acquired have the FB app and/or Messenger installed on their phones.
I also suspect that soon Whatsapp will be doing the same sinister activity tracking once they go ahead with their plan to introduce ads later this year.
Doing retargeting for when (a) someone downloads their app but doesn't signup and (b) someone is a customer but has low engagement i.e. is likely to churn.
That may be true, but I still think it's a low-effort way for them to do it, and I expect better from Monzo than this. Plus it tracks people regardless of if they fit in a) or b) - neither of which is the case for me.
You might (justifiably) not like it, and it might inspire you to boycott the business or plead for regulatory relief, but it's not an "incident" from their perspective to be intentionally doing what they do to run their business.
This is a bank, and they are regulated. Depending on the information shared, this may be a breach of that regulatory code.
I do not have access to see what the data is, but would certainly in their shoes investigate with high priority, and Would raise a security incident to do so. If it turns out to be empty and of no concern, then great. But ignoring such things is seldom wise.
I didn't see HSBC, but I did see Monzo - which I was surprised and disappointed by. I see no legitimate reason for them to be connecting me to my (disused aside from messenger because of friends' network effects) facebook account. Not impressed.
I have Monzo in my list too and downloaded the actual data. The only things listed are `ACTIVATE_APP` events. It doesn't seem to send any details to Facebook aside, from that you "activated" (opened) the app.
When I used to have https://lua.xprivacy.eu/ it used to prompt me a lot, saying "This app is calling this API, do you want to allow or deny? (or allow/deny for 1 minute or 10 minutes). The Facebook app would query what packages/apps are installed on the Android phone.
Yeah, Android devs, why is that an accessible API call?
For one thing this is how FB could figure out how popular their competitors like WhatsApp, Instagram or Snapchat were, and why they bought them, or tried to.
It's part of the Intent system in Android. It's a really nice system where you can say "someone open the file with this URL and mime type" and the system asks the user which app they want to use to open it (or use their default if they set one.
It all works really well and lets app be loosely coupled to each other. It's also super flexible so you can use it for lots of different use cases. The API itself hasn't changed much since the first release of Android.
The issue is that you can query the Intent system to see if there is an app installed that can open your Intent. On the face of it, this makes a lot of sense. You could then display an error message to the user asking them to install and app that can handle it. The problem is that you can create an Intent that you know can only be handled by a single app (using the package name) and then you'll know if it's installed or not.
For what it's worth, iOS used to have exactly the same issue. You could query the phone could handle a specific "custom protocol scheme" (used for deep linking). You could then just query a scheme which you know is for a specific app and tell if the user had it installed. Apple fixed this by requireing you to include a predefined list of schemes which you can query for in your Info.plist (manifest file) and limiting the number you can have (30 I believe).
All APIs with good intentions, but very easy to abuse. Apple is just more comfortable breaking backward compatibility to fix these sorts of issues.
EDIT: the link doesn't seem to work, so you can click on "Manage Future Activity" => "Manage Future Activity" in the popup => Disable "Future Off-Facebook Activity"
> We will still receive future activities from companies and organisations you visit. These might be used for analytics and to improve our advertising systems, but will not be connected to your account.
(Translated from Dutch because for some reason Facebook figured I'd want this particular message in Dutch.)
Extrapolation: "Account" here means the Facebook account created by you and visible to you; probably distinct from "Profile" in their lingo, which is all the data they have on you, of which most is invisible to you. If this is true, that's not an opt-out for data collection, just a choice to keep that info from showing in your account while merrily continuing to build your profile.
I mean, they’ve already been shown to keep every tiny nugget of data, this feels more like “we won’t give anyone else tools to see that it’s you” instead of “we’ll anonymize it sufficiently”
Before you disable it, the site warns you that "This will also prevent you from logging into apps and websites with Facebook because your activity will be disconnected from your account." This annoys me, because Facebook login is actually quite convenient, and they've gone and bundled it with lots of random third-party tracking. Nothing technically required them to do this -- they could surely offer it as a separate feature.
In my profile, they managed to obtain a `PURCHASE` event from Macy's -- for an in-person purchase at a physical store. Macy's has my email address and certainly linked it to my credit card number, but this is nonetheless seriously creepy.
I just tried to change my email address on Facebook and discovered that they canonicalize plus and dot variations in gmail.com addresses, and thus claim that the new email address is already associated with an account. Ended up having to create a completely new email alias on my own domain.
Unless you are carrying your cell phone at the time—not sure anyone is doing this yet, but I have heard of at least one chain that tracks customers' cell phone locations via triangulation.
How accurate does it need to be? If you shop in a market stall, or a bodega, then you could be tied to a neighboring store. But if you're in a regular-sized (American) store, it's certainly good enough.
It used to be common to track the mac address of customers that pinged the in-store wifi. Not sure how much this happens now that some phones randomize mac addresses.
With VISA and MasterCard yes, but e.g. the German girocard network on its own doesn’t sell anything, and there it depends on your bank (and most banks don’t sell that data either).
So if you have the choice between using a girocard or a credit/debit card to buy a product, the credit/debit card is significantly more likely to sell all your data.
They don't charge 3%, they charge about a tenth of a percent (0.11%). What you think of as fees is actually a basket of charges going to different parties. almost 2% goes to your (the purchaser) credit card company to cover the risk of you not paying them, about a percent goes to the store's bank to cover the case when they have to give the money back (either because it was a fraudulent online transaction, or the store cheated the customer and the customer went to their card issuer, etc.) and that tiny little bit that's left goes to Visa/MasterCard.
Credit transaction fees actually make lots of sense and are grounded in the actual cost of the financial product. As a merchant, you can choose to accept only debit cards to avoid the cost
I get that this is how it works in the real world, but the argument that transaction fees are necessary for the credit company to cover the risk of the cardholder not paying is a bit feeble, because to my non-banker mind: that's what the interest rates are for. If someone is risky, simply don't approve their application, or raise their rate. Am I missing something?
The 2% that goes back to the credit card company is what ends up paying for all the rewards points and cash back discounts—which work as mechanisms for you to get that money back so long as you actually pay your credit card bills.
A "savvy" customer has a card that doesn't make them perform a dog and pony show like you describe. A savvy customer's card charges the lowest reasonable rate in order to provide the service.
Giving someone money and then feeling all giddy when you get a "reward" later means you've been gamed.
In this particular case all of the people without premium cards who pay with cash or debit cards with no rewards are paying for our free lunch and flight to Hawaii. It's a tax on basically every transaction, paid to those participating in the rewards scheme
You're not flying to Hawaii for free. Every single purchase you made with the card was more expensive than it had to be, because the merchants needed to cover their credit card fees.
What you're doing is the equivalent of always paying with bills, and dropping your spare change in a jar. And when the jar is full, you buy a ticket to Hawaii with the money in it. Except with a credit card, they keep the jar, take half the quarters, give you back the rest, and make you feel grateful for the entire experience.
The rate a card charges differs from applicant to applicant. Without knowing your credit score, credit history, and other financial information I cannot recommend a card for you.
The rate a card charges is immaterial since if you pay the entire balance each month, you pay zero interest. (And if you don't, you're making a big mistake.)
I pay $89/year for my card, which I use for every purchase. I get hundreds if not thousands of dollars in rewards each year, and have never paid a penny in interest.
There's no dog and pony show involved, and I have not been gamed.
The merchant pays the interchange rate regardless if you get a reward or not. If you have a no annual fee card with no rewards, you are simply leaving money on the table (which your card issuer pockets), since you can get 1-1.5% cash back, also with no annual fee.
But this is such a weird way to think about it. Credit cards don't cost anything. In some vague grandiose sense prices are slightly higher since credit cards exists and merchants want to cover their fees but my perspective as a customer spending via a credit card is basically free money. There's no dog and pony show except buying things like I normally would.
* I get literal cash through their rewards program which just slowly accumulates without me having to think about it.
* I get all the nice protections and can do chargebacks.
* The money I spend every month stays in my bank account until just after the bank calculates and cuts my interest check. Like it's super negligible but hey, if I'm getting an interest free loan anyway.
2% cash back from the card + 0.25% interest from the bank ain't nothing.
The point is that everything you buy with the card is at least 2% more expensive, because the merchants are just passing on their credit card fees to the consumer. You are not saving money in any way, shape or form.
Once upon a time, it was beneficial for a merchant to accept credit cards, it lowered their costs for handling cash, which meant they saved money and the 2% cost for each transaction was reasonable.
In a world where everyone is using credit cards for every purchase, that 2% is essentially a tax instead.
Yes, you absolutely should use a credit card in the US and get your cashback or rewards or whatever. You have to play the game, because everyone is playing the game.
But, you have to realize that it's not beneficial to you. You don't earn anything, you merely, barely, move the needle back up to break-even. You're not gaining. You're not winning. You're not sticking anything to any man. If the entire credit card industry got rid of rewards, and lowered their merchant fees, it would be a net benefit to you.
So feeling happy or grateful for cash-back means that they got you, they tricked you into feeling grateful for the privilege of giving away your money.
If you paid cash, in virtually every case you'd pay exactly the same price because most merchants don't provide cash discounts. If your merchant does provide a cash discount, I would suggest taking advantage of it. But if they don't provide a cash discount, you're still paying that 2% margin anyway without receiving any benefit from it.
Likewise, except for small businesses whose owners don't actually price in the cost of their own time and labor, it's not entirely obvious to me that the cost of accepting credit card payments actually is any more expensive than the cost of handling cash, which is probably why cash discounts are rare. The main exception to that seems to be gas stations (which usually have a lower price for debit cards and not straight cash), except even in that case, I get an even bigger discount by using Costco's gas station, which doesn't have any such discount. You do address this point...
> > Once upon a time, it was beneficial for a merchant to accept credit cards, it lowered their costs for handling cash, which meant they saved money and the 2% cost for each transaction was reasonable. In a world where everyone is using credit cards for every purchase, that 2% is essentially a tax instead.
That makes no sense. If the cost of receiving credit card transactions is 2%, that doesn't imply that the cost of receiving any other kind of transaction is 0%. If there's no cash discount, the difference in cost to the consumer is zero anyway. But the difference in cost to the merchant isn't 2% either, because if they accepted a different form of payment, the difference in cost would be 2% minus the cost of accepting that different form of payment. (And if they didn't accept any form of payment at all, the cost would effectively be 100% because there would be no sales). In a world where credit card sales are ubiquitous, if anything, credit cards become a better deal for merchants because there's less economy of scale for cash-handling services.
All in all, I would even suspect there are instances where credit card rewards end up providing a net positive to a sufficiently devoted cardholder simply because most people are not going to expend the time and effort necessary to maximize their credit card rewards. It's just like Vegas in that sense--while it's true that "the house always wins", casinos will also comp you rooms and drinks, and there are documented instances in which you would expect to be better off playing video poker or blackjack for long enough to get a free room (assuming perfect play, which means memorizing a small decision tree). Why is this possible? Because the vast majority of people don't play perfect blackjack or video poker. Businesses plan for average-case expected customer behavior and not best-case (or worst-case from their perspective).
The cost for a merchant to handle credit cards is whatever the credit card companies can get away with.
The actual cost of handling card payments is very, very low these days, but merchants are stuck paying the higher price, because there's effectively no competition in the space. To avoid having obscene profits, the cc companies give back a lot of the extra money to the consumers in the form of cashbacks and rewards, and then consumers stupidly feel grateful for being fleeced.
In an ideal world, merchants would pay only the actual cost for handling card payments, only pay for the tech itself, and the fraud risk. Naturally, such a pricing would be a fixed per-transaction-fee, because the actual cost is the same for each transaction.
In the same ideal world, the credit risk of credit cards have to be managed through the interest rate and credit worthiness management. It's completely outrageous that credit card processing fees should in any way, shape or form cover the risk side or the fraud side of the business. That's not the merchant's problem.
> The actual cost of handling card payments is very, very low these days, but merchants are stuck paying the higher price, because there's effectively no competition in the space.
In other words, the cost of processing credit cards is low enough that it successfully competes with every alternative form of payment. In which case I don't see what you're outraged about. Invent a more cost-effective payment mechanism if you think there's an opportunity for it.
It's also worth mentioning that cash isn't necessarily any less expensive for merchants to accept. It is if you're talking about a small local business or something, but if you're paying for the actual labor of counting cash, delivering and depositing it to the bank, as well as the increased security risks and costs of holding large sums of cash, it starts to add up.
A "savvy" customer pays their entire credit card bill every month, so the actual interest paid is zero. At that point, the rewards are the only meaningful difference in return from one card to another.
> about a percent goes to the store's bank to cover the case when they have to give the money back (either because it was a fraudulent online transaction, or the store cheated the customer and the customer went to their card issuer, etc.)
Is this right? It's been my experience (in Canada) that losing a fraud case or chargeback the store takes the hit.
I'm not sure that the "Device Account Number" matters. As I recall from the presentation, that number changes with each purchase. And Goldman has promised (ha!) not to sell your information for marketing purposes.
But it's still worth opting-out of your Apple Card's virtual number.
The number is in the wallet app, ... > Card Information
Your Mastercard URL got truncated somehow. It's a pretty easy search, though. Just the same, thanks for linking because I had no idea this was even an option:
> To opt-out from our anonymization of your personal information to perform data analyses, please provide your Mastercard or Maestro payment card number below.
This sounds like they are going to continue using my purchase data but without anonymization? Not a native speaker so perhaps I'm just misunderstanding the sentence.
I think they tried to formulate it so it will sound less damning for them, like they want to make it explicit that what they performed their data analysis on is your anonymized personal information.
interesting.. they could use that to predict earnings..
A few years ago when Chipolte had its little food scare, Foursquare used its data to predict how much the restaurant chain's revenues would decline. IIRC, it was accurate to within 1%.
You don't even necessarily have to predict earnings. If you've ever connected to your financial account via a service like Plaid or it's ilk, that service has an API endpoint[1] they can call to neatly package up your income information. Sometimes it seems innocuous and unassuming for a one time use like identity verification, or to set up automated payments, or a one off transfer/disbursement. Other times it's for stuff like getting a consolidated view of your personal finance (i.e. a transaction aggregator such as Mint). But if you authenticate for anything, that service has access to everything.
And unless you rotate your financial passwords on a frequent basis, that access continues pretty much indefinitely[2].
By “they” I assumed the GP was talking about Facebook being able to predict Macy’s earnings before they were publicly announced. That would be pretty interesting to see :)
It’s not a situation where FB “managed to obtain”. It’s Macy’s directly uploading transactions in order to attribute purchases to their online ad campaigns. It uses email and name etc to match.
While its easy to point at Facebook and say "they are so creepy" - this sounds like the type of challenge every marketing department faces. "What is the attribution of X,Y,Z ad campaigns?"
Connecting purchase + email + 'where the ad happened' via social solves that.
"Attribution" in this sense is always going to be the enemy of privacy, because it boils down to the question of "what was on your screen when you decided to make this purchase".
> While its easy to point at Facebook and say "they are so creepy" - this sounds like the type of challenge every marketing department faces. "What is the attribution of X,Y,Z ad campaigns?"
That can still be creepy. (If you're meaning that the accusation of "creepy" should be directed at modern marketing in general and not just Facebook, yes, I'd agree with that, though a good part of how we got here is large centralized aggregators like Facebook.)
I think there are plenty of non-advertising contexts where "using people's data to influence their behavior more effectively" can easily cross from normal to creepy as you start collecting more data. If you give your SO a certain flower because you remember a conversation the two of you had a while ago about that flower, that's normal and even thoughtful. If you give your SO a certain flower because you hired people to follow them before you even started dating and you got a report that they always stopped to admire a certain flower on their walk to work, that's creepy.
The right of privacy. The right of dominion of ones own affairs. There right to not be harassed by soulless individuals and companies who are 'merely' seeking to gratify their greed.
If rights were violated then this would all be illegal. Clearly it isn't. In the US, there is no constitutional right to privacy, and any legal precedents are mostly about government surveillance.
There's new data privacy regulations at the state and federal level going into effect which is why FB made these changes, but they don't explicitly prevent this kind of data sharing from an outside company using first-party trackers to send data to Facebook's marketing platform.
You are right, of course. It just goes to prove that we are little more than slaves to the system of governments who dictate what is lawful, who usurp their position in order to bestow rights back to us that used to be intrinsically ours to begin with. It doesn't make it right however.
Absolutely, but I think it's time to start asking:
1. Is that ok that we accept this sort of Pavlovian training from anyone, much less for-profit companies?
2. Is it ok now that the entities are so easily able to completely track the effectiveness of their advertising and thus empowered to amplify whatever works to increase their success rather than some metric like human happiness?
Imagine all of our phones' lockscreens being unlockable only by face unlock and not fingerprint... you know, our face which is all over the internet and trackable across websites and in-store and public cameras.
Remember all of those times Facebook was telling us it doesn't "sell" our data to other companies?
Technically true, it was merely "bartering" our data (exchanging its users' data to data from other data brokers, large companies like Macy's, and many of the phone manufacturers that pre-install the Facebook app).
In other words, a distinction without a difference.
That last part makes sense. If you want a different identity, you need to choose a different ID. Better to make you be more explicit about what you are trying to do (multiple accounts), then accidentally split accounts of people who aren't trying to do that.
Because Revolut is the only fintech/banking app that is actually on the list. I do have other 3 banking applications installed on my phone that I regularly use + N26 (another fintech) -- none of these are in the data sharing list.
And the last date they received information about me according to Facebook is the last date I used the app. Revolut mentions "Analytics providers" in their privacy policy as companies they are sharing my data with.
>The summary doesn't contain your most recent activity. It may take a few days for your activity to show in your off-Facebook activity. The dates in your activity summary are when we received the activity.
> I don't think they will tell you the whole truth.
This is true:
>We receive more details and activity than what appears in your off-Facebook activity. For technical and accuracy reasons, we don’t show all the activity we’ve received. This includes things like information we’ve received when you’re not logged into Facebook, or when we can’t confirm that you’ve previously used Facebook on that device. We also don’t show details like the item you’ve added to your shopping cart.
Thanks for that link. Looks like the infamous "ghost profiles" are officially confirmed now.
I wish they would show the ghost profiles as well, but since it's not linked with 100% confidence they are probably not allowing it because it could be a privacy violation if it turns out that the link was incorrect (i.e. they showed a ghost profile to the wrong user).
By blocking many advertisers tracking cookies (by blocking all access to those hosts via point the DNS result elsewhere) it reduces how far your information immediately spreads.
Far from massively effective because it does nothing to stop 1st party tracking and those 1st parties sharing further, or 3rd party cookies for new hosts not in the blocklists yet, but it can still help.
My use of PiHole isn't really an anonymity/tracking avoidance thing, my priorities in using it are avoiding ad network related annoyances like drive-by install attempts from less reputable (and/or hacked) networks, auto-playing audio, pop-ups/-unders, bandwidth waste (particularly from auto-playing video clips), occasional attempts to access microphone and/or camera, etc.
Block requests to all of FB's domains in the hope that it can't load FB's scripts or buttons or "like" buttons; literally anything from FB as far as humanly possible.
It allows you to block the domains of known third-party tracking companies. However, this measure is going to become less effective over time with the increasing usage of first-party tracking.
I think GP is saying that Google itself is presenting the captchas, not the Google results they click. I've had it happen a couple of times when using VPNs before.
I might not have been clear; sometimes when using a VPN, you can't even load Google search results until you submit a captcha. If you go to "google.com", it will make you enter a captcha before you can search anything.
I had exactly one item, and it's a store I never shop at, so assuming they are actually showing all the information they "have" on me, I also feel encouraged that my opsec is sufficient.
I guess the only thing better would be 50 stores I never shop at. I might experiment in the future with finding ways to deliberately poison companies' data wells with incorrect information...
Out of all activities you listed, just 3rd party Cookie blocking and using any "login with Facebook" buttons would give the same result for Web. I don't think any of the activities you listed would prevent the data collected through apps though.
If you have a domain, you can give every service it’s own email address, ${service}@${domain}. They can try reporting that to Facebook, but unless someone understands that the entire domain is one account they won’t be able to correlate them.
It's a page for people with an account at FB that lists the 3rd party websites that have given information to FB.
> Off-Facebook activity includes information that businesses and organisations share with us about your interactions with them, such as visiting their apps or websites.
It's creepy.
> We receive more details and activity than what appears here. For technical and accuracy reasons, this list doesn't show all of the activity that we've received. Activity that is not shown includes information that we've received when you're not logged in to Facebook, or when we can't confirm that you've previously used Facebook on that device. It also includes details such as the item that you added to your shopping basket.
Seems like most of my data they got from apps on my Android phone, there was even an app that I just installed, opened and uninstalled in less then a minute without even logging in or anything.
set the "limit ad tracking" feature on your phone at the os level and the advertising id will become unavailable to everything. On Android this is Settings > Privacy > Advanced > Opt out
INAL but will guess it is to make facebook GDPR-compliant. They show the data they have about us, but don't know if the apps that send the data to fb have used opt-in to enable sending data to fb. Maybe time to start writing emails to the companies who have uploaded our information without consent?
Hmm. I have no website activity listed - but seemingly every single Android game and a few other apps is sending "activity" to FB, despite me never using any feature to associate the two. This sounds like: https://privacyinternational.org/report/2647/how-apps-androi...
Realise that you don't really need those android apps, or the google or facebook account. The utility and entertainment you get is half of surveillance capitalism ecosystem, and the other half is that they compile all this information about you.
I know it sounds preachy and it's not a conclusion most people will like. But, like fasting, going without something you like but don't really need does help you focus on what you really do need.
I don't actually care all that much and I like my luxuries. Do I "need" the Google account? No. Do I want to tell every person and business currently using it that I've changed email? Also no, that's a huge amount of work. Likewise for facebook, which is now down to once-a-day-ish use for coordination with a specific group of people whom I do not want to do the work of moving all of them off Facebook too.
Yeah, I make similar trade-offs. The sunk cost of a few TV shows purchses keep me from closing my Google account. But I won't let it anywhere near my phone.
I think the process of honestly asking the question is more useful than the actual answer. Life & society is full of compromises.
Blocking the entire Facebook ASN at the firewall/network level stops this. Google is a bit more tricky as they also have GCP so you can’t block their ASN without also blocking innocent services.
Specifically, how do you do it on a normal Android device? Is it even possible to do this on an iOS device that's on 4G or someone else's wifi? Do iOS devices have the same "leak"?
You either need to control the mobile side of things and never connect to unrestricted Wi-Fi or use Apple Configurator to create a profile for an always-on VPN to a place you control where you can apply the restrictions.
I am unable to verify this right now for the obvious reason, but facebook operates on ASN gAS32934[0]
So you can ask https://www.radb.net/ for the IP addresses that are associated with this AS and, after a quick manual sanity check, insert it into the firewall of your choice. For example:
whois -h whois.radb.net '!gAS32934'| tr ' ' "\n" | sed 's/^/saddr /'| sed 's/$/ DROP;/'
This is assuming that all data sharing to Facebook is done from the client which is obviously not true. If your desired service wants to share data with Facebook they can and will do so and there's nothing you can do about it except not use the service.
> "Privacy International has tested both opt-outs and found that they had no discernible impact on the data sharing that we have described in this report."
So there's that. I wonder if any opt-out really helps. I think the best approach is still to use a good blocker such as uBlock Origin.
the Android advertising_id property and the ios IDFA (identifier for advertisers) are available to every app, and once an association against the id and your Facebook account is made further interactions can be attributed to your identity.
Both of these identifiers can be reset at any time via os features, making you appear as a new user (at least until fingerprinted or a new association with PII is made)
Deliveroo has evidently been sending them all my orders. Or at least, there are as many 'interactions' as I have made orders. I don't log in via my Facebook so that is an unwelcome surprise.
Same here. I had to recollect if I even signed up with Facebook. After checking my Deliveroo settings, it seems that my FB account isn't even connected. This is insane...
Do you use the same e-mail address for both Deliveroo and Facebook?
If so, that could be how they matched you. Facebook lets businesses create custom retargeting audiences[1] from existing customers, and you can (obviously) include interaction data in order to segment e.g. frequent customers from occasional customers.
I suppose that would explain it. I can't see what Deliveroo get out of it though, and how they might expect Facebook to have a better handle on what sort of food I would order and how often as opposed to Deliveroo themselves, who know. I wonder if they have plans for service expansion into "Deliveroo but for X" and want to see what their customers are into. Or perhaps they want to see if I am two-timing them with Just Eat!
Funny, I now remember reading a post from someone claiming that if they ordered an online grocery shop off a company that was not their usual, like magic a voucher would appear from their original company. I assumed this was coincidence, but this is the exact mechanism that such a thing could happen.
Of course this could also just be a manifestation of the trend of companies desiring data for data's sake, and a load of deliveroo managers are sitting in a meeting somewhere looking at a graph showing an intersection of people who are into retro computing and also like burritos and trying to brainstorm some strategy off such trivia.
> how they might expect Facebook to have a better handle on what sort of food I would order and how often as opposed to Deliveroo themselves
That's not really the idea - they're just trying to serve you ads wherever they think you might see them. Retargeting (whether it's through Facebook ads or AdWords or what have you) is one more engagement lever alongside push notifications, emails, etc.
You don't need anything on your frontend to share data with Facebook. Facebook doesn't acquire information like what shirt you bought by putting a like button a page. Your clothing retailer is willfully sharing that information for marketing benefits.
What are the best ways to protect against this kind of tracking? I would argue it's probably better to keep a Facebook account so you can see what they're tracking and work to prevent it.
In my browser I'm running uBlock Origin, HTTPS Everywhere, and Privacy Badger. I'm guessing those will help quite a lot. However on an iPhone what can I do (as that's where a lot of this data seems to be coming from)?
There is nothing on this page I was not aware of and intentionally linked (e.g. Strava).
So does this mean I am successfully stopping them from tracking websites I visit via tracking pixels / IP mapping / whatever other nefarious shit they do, or are they just not showing this information here?
Is it just me, or is there no way to download activity details? I click on an activity, then there's a few examples and a link to download, but this leads to a generic "Download your information" page and I cannot see an entry for the app or off-facebook specifically...
How can I block it? some apps are on my iPhone, but I don't have the Facebook app on it (I do have messenger), and only used the apps on the phone. Aren't they isolated in some way?
For downloading the data there is an option to download "Ads and Businesses" under "Information About You". I just downloaded it, and it includes all data that was shared.
However, the data only shows the source, timestamp and activity ID. The actual event data is not included..
I believe the vague wording is intentional, so they can just stop displaying it to you, while continuing to collect the data. It's like how "delete account" works.
You can disable to storage of this data on the linked page.
But I'd recommend going to the source: Read the privacy policy of each party delivering data and check if they mention it. I already sent a mail to the DPO of an app provider which shows up in this list and doesn't mentions Facebook in their privacy policy.
I'm not anyone's lawyer. These are questions, not answers: GDPR is about collecting data from you, right? If Site X is sending data about you to Facebook, perhaps that's an issue with Site X's GDPR compliance, not Facebook's?
I apparently have no records of off-Facebook activity. This is probably because of blocking all 3rd-party cookies and enabling the blocking of social media trackers in both uBlock as well as that built into Firefox.
I don't use Facebook, but I do use Messenger as I have a couple of close family members who refuse to use anything else. I've just logged into Facebook (which has no history as I've purged it[1]), and still there are 5 apps sharing my activity with Facebook. These 5 apps are all on my phone, so I guess Messenger is also sharing back to FB. :(
---
I can't believe that this stuff is acceptible, or even legal. The fact that you're tracked off-Facebook (for instance), even if you're not logged in or on Facebook is not just creepy, but borderline abusive.
Congratulations, of all the people who have responded with outrage on this thread, you are the only person I've found that has a website listed that DOESN'T run Google Analytics or some other third party analytics platform.
394 comments
[ 2.9 ms ] story [ 305 ms ] thread- use Facebook pixel tracking on the site.
- hand over all of their user's email addresses to use for audience building.
Or most likely both. Creepy stuff indeed.
690 App/Sites for me! Not overly surprising really
I literally just opened the app, granted no permissions, used it a bit, and Facebook associated it with my account. What the fuck.
not saying that's worth having an account though.
Here is my secret: I deleted my facebook account several years ago. (before it was cool)
I love how links like this are (successfully?) attempting to pull people back in.
1) Install https://www.eff.org/privacybadger to prevent trackers from being loaded
2) Install https://addons.mozilla.org/en-US/firefox/addon/cookie-autode... to delete any cookies you might have accepted after a week time or so, which prevents the infinite gobbling-up of your data after innocently accepting a cookie once
3) Install the Google, Facebook, Twitter and Amazon containers to "separate" your browsing with these sites from the rest of your browsing. Links: https://addons.mozilla.org/en-US/firefox/addon/facebook-cont... https://addons.mozilla.org/en-US/firefox/addon/twitter-conta... https://addons.mozilla.org/en-US/firefox/addon/google-contai... https://addons.mozilla.org/en-US/firefox/addon/amazon-contai...
Also, if you are creeped out by this, just imagine the amount of data Google has on you. I'm convinced they have way more, just by virtue of every website having Google Analytics installed.
I've been running uMatrix for a few months.
My firefox tracking-prevention (similar to EFF's one, but probably not as good) is always using maximum privacy settings.
I still have a few sites appear... AND for websites I've never even visited (that I'm aware of, & I'm the only user of this machine)
There seems to be some serious fingerprinting going on, more than simple cookies.
I have no idea how they're doing this, since they didn't even request storage access (or I didn't give it). Can any Android developer here chime in on how an app can figure out my Facebook ID even though I don't even have Facebook installed on my phone and didn't give any sort of credential or access to the app?
https://developers.facebook.com/docs/app-ads/targeting/mobil...
The third party data sources is the easy one. Log into service A on your computer and service A on your phone. Service A fingerprints both and sells the data to service B. Now service B knows how to correlate your behavior between devices even though you never logged in.
I’m sure you’ve logged in something on both your phone and computer. It doesn’t have to be Facebook.
Edit: This report[1] puts the blame mostly on Google ads ID.
[1] https://privacyinternational.org/report/2647/how-apps-androi...
Has anyone done a good deep dive on what Google actually does with GA data?
> except installing vpn based firewall
So they can send the data instead?
Anyway even netguard is far better than nothing, most apps dont need their own servers. And the largest data slurpers are known. For fb just block all fb domains.
I’m on iPhone, and see apps listed where:
- I’ve never logged in on the web
- I’ve never clicked to open a link in a browser on-device
- Used a phone number to sign up that’s not associated with my fb account - Didn’t use email at all
Duolingo is a nice app for learning new languages, yet it might be using the same sdk, since it likes to call facebook.com domain.
Netflix is a good streaming service, but it has some option somewhere, which allows them to share data with others, and enabled by default. And yes, it's present in fb activity.
The list can go on...
There are developers who integrate dozens of SDKs, without any specific purpose for users, and not knowing what is happening. We need something like PrivacyBadger/ublockorigin for phones/laptops/routers/homes/cars. It's getting more than creepy.
And why would Facebook allow third-parties/businesses upload into FB info they have on their customers...
PS: analysis of how a simple menstrual tracking app is leaking data about the owner https://media.ccc.de/v/36c3-10693-no_body_s_business_but_min...
ID 894103617218109 Event CUSTOM Received on 13 November 2019 at 09:51
The only event is "CUSTOM".
I also suspect that soon Whatsapp will be doing the same sinister activity tracking once they go ahead with their plan to introduce ads later this year.
They have the Facebook Pixel installed likely to do retargeting advertising when a person visits their website.
It's one of the most effective methods so it's very common to see it everywhere.
Doing retargeting for when (a) someone downloads their app but doesn't signup and (b) someone is a customer but has low engagement i.e. is likely to churn.
My bank should send precisely zero things to advertising / marketing companies.
Have you raised it with their Help team? You should.
Unfortunately I cannot as I do not have a facebook account so cannot determine whether or not facebook hold data on me without creating an account.
I do not have access to see what the data is, but would certainly in their shoes investigate with high priority, and Would raise a security incident to do so. If it turns out to be empty and of no concern, then great. But ignoring such things is seldom wise.
https://monzo.com/help/legal-stuff/information-facebook
Still not ideal, but not completely terrible.
Yeah, Android devs, why is that an accessible API call?
For one thing this is how FB could figure out how popular their competitors like WhatsApp, Instagram or Snapchat were, and why they bought them, or tried to.
It all works really well and lets app be loosely coupled to each other. It's also super flexible so you can use it for lots of different use cases. The API itself hasn't changed much since the first release of Android.
The issue is that you can query the Intent system to see if there is an app installed that can open your Intent. On the face of it, this makes a lot of sense. You could then display an error message to the user asking them to install and app that can handle it. The problem is that you can create an Intent that you know can only be handled by a single app (using the package name) and then you'll know if it's installed or not.
For what it's worth, iOS used to have exactly the same issue. You could query the phone could handle a specific "custom protocol scheme" (used for deep linking). You could then just query a scheme which you know is for a specific app and tell if the user had it installed. Apple fixed this by requireing you to include a predefined list of schemes which you can query for in your Info.plist (manifest file) and limiting the number you can have (30 I believe).
All APIs with good intentions, but very easy to abuse. Apple is just more comfortable breaking backward compatibility to fix these sorts of issues.
EDIT: the link doesn't seem to work, so you can click on "Manage Future Activity" => "Manage Future Activity" in the popup => Disable "Future Off-Facebook Activity"
My off-Facebook activity had zero entries and I want to keep it that way. If they ever associate something with me I want to be alerted to the fact.
> We will still receive future activities from companies and organisations you visit. These might be used for analytics and to improve our advertising systems, but will not be connected to your account.
(Translated from Dutch because for some reason Facebook figured I'd want this particular message in Dutch.)
I just tried to change my email address on Facebook and discovered that they canonicalize plus and dot variations in gmail.com addresses, and thus claim that the new email address is already associated with an account. Ended up having to create a completely new email alias on my own domain.
Can't sell cash transactions yet!
* https://marketingreportoptout.visa.com/OPTOUT/request.do
* https://www.mastercard.us/en-us/about-mastercard/what-we-do/....
So if you have the choice between using a girocard or a credit/debit card to buy a product, the credit/debit card is significantly more likely to sell all your data.
Credit transaction fees actually make lots of sense and are grounded in the actual cost of the financial product. As a merchant, you can choose to accept only debit cards to avoid the cost
Giving someone money and then feeling all giddy when you get a "reward" later means you've been gamed.
It doesn't really feel that way as you're flying to Hawaii for free.
There is no free lunch.
The lunch is not free. You're buying it for us.
What you're doing is the equivalent of always paying with bills, and dropping your spare change in a jar. And when the jar is full, you buy a ticket to Hawaii with the money in it. Except with a credit card, they keep the jar, take half the quarters, give you back the rest, and make you feel grateful for the entire experience.
There's no dog and pony show involved, and I have not been gamed.
* I get literal cash through their rewards program which just slowly accumulates without me having to think about it.
* I get all the nice protections and can do chargebacks.
* The money I spend every month stays in my bank account until just after the bank calculates and cuts my interest check. Like it's super negligible but hey, if I'm getting an interest free loan anyway.
2% cash back from the card + 0.25% interest from the bank ain't nothing.
Once upon a time, it was beneficial for a merchant to accept credit cards, it lowered their costs for handling cash, which meant they saved money and the 2% cost for each transaction was reasonable.
In a world where everyone is using credit cards for every purchase, that 2% is essentially a tax instead.
Like there’s no point to trying to punch a river as a lowly software dev completely unrelated to finance and politics.
But, you have to realize that it's not beneficial to you. You don't earn anything, you merely, barely, move the needle back up to break-even. You're not gaining. You're not winning. You're not sticking anything to any man. If the entire credit card industry got rid of rewards, and lowered their merchant fees, it would be a net benefit to you.
So feeling happy or grateful for cash-back means that they got you, they tricked you into feeling grateful for the privilege of giving away your money.
Likewise, except for small businesses whose owners don't actually price in the cost of their own time and labor, it's not entirely obvious to me that the cost of accepting credit card payments actually is any more expensive than the cost of handling cash, which is probably why cash discounts are rare. The main exception to that seems to be gas stations (which usually have a lower price for debit cards and not straight cash), except even in that case, I get an even bigger discount by using Costco's gas station, which doesn't have any such discount. You do address this point...
> > Once upon a time, it was beneficial for a merchant to accept credit cards, it lowered their costs for handling cash, which meant they saved money and the 2% cost for each transaction was reasonable. In a world where everyone is using credit cards for every purchase, that 2% is essentially a tax instead.
That makes no sense. If the cost of receiving credit card transactions is 2%, that doesn't imply that the cost of receiving any other kind of transaction is 0%. If there's no cash discount, the difference in cost to the consumer is zero anyway. But the difference in cost to the merchant isn't 2% either, because if they accepted a different form of payment, the difference in cost would be 2% minus the cost of accepting that different form of payment. (And if they didn't accept any form of payment at all, the cost would effectively be 100% because there would be no sales). In a world where credit card sales are ubiquitous, if anything, credit cards become a better deal for merchants because there's less economy of scale for cash-handling services.
All in all, I would even suspect there are instances where credit card rewards end up providing a net positive to a sufficiently devoted cardholder simply because most people are not going to expend the time and effort necessary to maximize their credit card rewards. It's just like Vegas in that sense--while it's true that "the house always wins", casinos will also comp you rooms and drinks, and there are documented instances in which you would expect to be better off playing video poker or blackjack for long enough to get a free room (assuming perfect play, which means memorizing a small decision tree). Why is this possible? Because the vast majority of people don't play perfect blackjack or video poker. Businesses plan for average-case expected customer behavior and not best-case (or worst-case from their perspective).
The actual cost of handling card payments is very, very low these days, but merchants are stuck paying the higher price, because there's effectively no competition in the space. To avoid having obscene profits, the cc companies give back a lot of the extra money to the consumers in the form of cashbacks and rewards, and then consumers stupidly feel grateful for being fleeced.
In an ideal world, merchants would pay only the actual cost for handling card payments, only pay for the tech itself, and the fraud risk. Naturally, such a pricing would be a fixed per-transaction-fee, because the actual cost is the same for each transaction.
In the same ideal world, the credit risk of credit cards have to be managed through the interest rate and credit worthiness management. It's completely outrageous that credit card processing fees should in any way, shape or form cover the risk side or the fraud side of the business. That's not the merchant's problem.
That would be fair. That wouldn't be gameable. Some countries did exactly this: https://en.wikipedia.org/wiki/Dankort
In other words, the cost of processing credit cards is low enough that it successfully competes with every alternative form of payment. In which case I don't see what you're outraged about. Invent a more cost-effective payment mechanism if you think there's an opportunity for it.
Is this right? It's been my experience (in Canada) that losing a fraud case or chargeback the store takes the hit.
Also, the opt-out of each number is only honored for FIVE years after which you need to opt-out again.
But it's still worth opting-out of your Apple Card's virtual number.
The number is in the wallet app, ... > Card Information
It's possible that this is an implementation detail and some banks do it without a unique card number...
https://www.mastercard.us/en-us/about-mastercard/what-we-do/...
This sounds like they are going to continue using my purchase data but without anonymization? Not a native speaker so perhaps I'm just misunderstanding the sentence.
I just tell them that I don't have one. On the very rate occasions anyone has balked I tell them I just moved and haven't set up my internet yet.
interesting.. they could use that to predict earnings..
A few years ago when Chipolte had its little food scare, Foursquare used its data to predict how much the restaurant chain's revenues would decline. IIRC, it was accurate to within 1%.
And unless you rotate your financial passwords on a frequent basis, that access continues pretty much indefinitely[2].
[1] https://plaid.com/products/income/
[2] Not true for 100% of cases, but a general rule of thumb that's applicable to the majority of institutions they log into with your credentials.
While its easy to point at Facebook and say "they are so creepy" - this sounds like the type of challenge every marketing department faces. "What is the attribution of X,Y,Z ad campaigns?"
Connecting purchase + email + 'where the ad happened' via social solves that.
That can still be creepy. (If you're meaning that the accusation of "creepy" should be directed at modern marketing in general and not just Facebook, yes, I'd agree with that, though a good part of how we got here is large centralized aggregators like Facebook.)
I think there are plenty of non-advertising contexts where "using people's data to influence their behavior more effectively" can easily cross from normal to creepy as you start collecting more data. If you give your SO a certain flower because you remember a conversation the two of you had a while ago about that flower, that's normal and even thoughtful. If you give your SO a certain flower because you hired people to follow them before you even started dating and you got a report that they always stopped to admire a certain flower on their walk to work, that's creepy.
There's new data privacy regulations at the state and federal level going into effect which is why FB made these changes, but they don't explicitly prevent this kind of data sharing from an outside company using first-party trackers to send data to Facebook's marketing platform.
1. Is that ok that we accept this sort of Pavlovian training from anyone, much less for-profit companies?
2. Is it ok now that the entities are so easily able to completely track the effectiveness of their advertising and thus empowered to amplify whatever works to increase their success rather than some metric like human happiness?
Technically true, it was merely "bartering" our data (exchanging its users' data to data from other data brokers, large companies like Macy's, and many of the phone manufacturers that pre-install the Facebook app).
In other words, a distinction without a difference.
https://www.facebook.com/help/2207256696182627
- Fingerprinting resistance in Firefox (privacy.resistFingerprinting = true)
- First-party isolation in Firefox (privacy.firstparty.isolate = true)
- Blocking third-party cookies in Firefox (network.cookie.cookieBehavior = 1)
- Firefox container when I need to login to ad/tracking companies (Facebook, Google)
- uBlock Origin
- Cookie AutoDelete
- PiHole on my home network
It's just like with Google history you can "delete".
They have the data stored for the authorities anyway.
They are required to do it by law (Patriot Act etc.)
This is true:
>We receive more details and activity than what appears in your off-Facebook activity. For technical and accuracy reasons, we don’t show all the activity we’ve received. This includes things like information we’ve received when you’re not logged into Facebook, or when we can’t confirm that you’ve previously used Facebook on that device. We also don’t show details like the item you’ve added to your shopping cart.
https://www.facebook.com/help/2207256696182627
I wish they would show the ghost profiles as well, but since it's not linked with 100% confidence they are probably not allowing it because it could be a privacy violation if it turns out that the link was incorrect (i.e. they showed a ghost profile to the wrong user).
BTW, how does PiHole help in regards to anonymity?
By blocking many advertisers tracking cookies (by blocking all access to those hosts via point the DNS result elsewhere) it reduces how far your information immediately spreads.
Far from massively effective because it does nothing to stop 1st party tracking and those 1st parties sharing further, or 3rd party cookies for new hosts not in the blocklists yet, but it can still help.
My use of PiHole isn't really an anonymity/tracking avoidance thing, my priorities in using it are avoiding ad network related annoyances like drive-by install attempts from less reputable (and/or hacked) networks, auto-playing audio, pop-ups/-unders, bandwidth waste (particularly from auto-playing video clips), occasional attempts to access microphone and/or camera, etc.
Having done this in a previous life, they do this because they fight against scrapping their search results.
I guess the only thing better would be 50 stores I never shop at. I might experiment in the future with finding ways to deliberately poison companies' data wells with incorrect information...
Can someone please share it?
> Off-Facebook activity includes information that businesses and organisations share with us about your interactions with them, such as visiting their apps or websites.
It's creepy.
> We receive more details and activity than what appears here. For technical and accuracy reasons, this list doesn't show all of the activity that we've received. Activity that is not shown includes information that we've received when you're not logged in to Facebook, or when we can't confirm that you've previously used Facebook on that device. It also includes details such as the item that you added to your shopping basket.
How can I block them in the future?
Furthermore, I don't understand how any of this is GDPR-compliant.
Probably to tell regulators and politicians that "transparency is in our dna" we design tools to help users know who is interacting with their data
Any sensible way of stopping this?
I know it sounds preachy and it's not a conclusion most people will like. But, like fasting, going without something you like but don't really need does help you focus on what you really do need.
I think the process of honestly asking the question is more useful than the actual answer. Life & society is full of compromises.
No.
> Is it even possible to do this on an iOS device that's on [...] someone else's wifi
Yes, since you can do it on your device, and do not have to do it on the router. Drawback is you have to do it for each Wifi network anew.
> Do iOS devices have the same "leak"
Yes, there is nothing that prevents apps from phoning home (or phoning every one of a dozen data collection "partners")
> No.
If it is a DNS server change on 4G/LTE, it can be done by using FOSS apps like DNSCloak on iOS. [1]
[1]: http://github.com/s-s/dnscloak
Instructions on changing DNS settings https://joyofandroid.com/how-to-change-dns-on-android/
So you can ask https://www.radb.net/ for the IP addresses that are associated with this AS and, after a quick manual sanity check, insert it into the firewall of your choice. For example:
[0] https://www.facebook.com/peering/> "Privacy International has tested both opt-outs and found that they had no discernible impact on the data sharing that we have described in this report."
So there's that. I wonder if any opt-out really helps. I think the best approach is still to use a good blocker such as uBlock Origin.
Both of these identifiers can be reset at any time via os features, making you appear as a new user (at least until fingerprinted or a new association with PII is made)
If so, that could be how they matched you. Facebook lets businesses create custom retargeting audiences[1] from existing customers, and you can (obviously) include interaction data in order to segment e.g. frequent customers from occasional customers.
1. https://www.facebook.com/business/help/1472206006327390
Funny, I now remember reading a post from someone claiming that if they ordered an online grocery shop off a company that was not their usual, like magic a voucher would appear from their original company. I assumed this was coincidence, but this is the exact mechanism that such a thing could happen.
Of course this could also just be a manifestation of the trend of companies desiring data for data's sake, and a load of deliveroo managers are sitting in a meeting somewhere looking at a graph showing an intersection of people who are into retro computing and also like burritos and trying to brainstorm some strategy off such trivia.
That's not really the idea - they're just trying to serve you ads wherever they think you might see them. Retargeting (whether it's through Facebook ads or AdWords or what have you) is one more engagement lever alongside push notifications, emails, etc.
I have not connected my Facebook account for over 90% of these sites/apps but they still sent my data to Facebook.
I'm assuming Facebook keeps a history of my email addresses that it can still associate it to my account.
Another option is to change all my email address at these sites.
This is true: if you download your Facebook information file, you'll see it stores all the previous emails as well as all the previous IPs used.
But some are essential. Transferwise is not connected to my FB account but is sending data to Facebook.
In my browser I'm running uBlock Origin, HTTPS Everywhere, and Privacy Badger. I'm guessing those will help quite a lot. However on an iPhone what can I do (as that's where a lot of this data seems to be coming from)?
- Email address
- Cell phone number (even if you only used it for 2FA)
- Credit card number (if you ever made a donation via Facebook or bought digital currency in a Facebook game)
- Advertising ID of your mobile device (can be reset in Android as well as iOS)
In order to avoid tracking, you have to make sure that none of these are known to Facebook and to other companies.
So does this mean I am successfully stopping them from tracking websites I visit via tracking pixels / IP mapping / whatever other nefarious shit they do, or are they just not showing this information here?
How can I block it? some apps are on my iPhone, but I don't have the Facebook app on it (I do have messenger), and only used the apps on the phone. Aren't they isolated in some way?
However, the data only shows the source, timestamp and activity ID. The actual event data is not included..
- View coinbase.com
- Turn off future activity from coinbase.com
- Give feedback about this activity
Does 'turn off' mean they won't share this information again, or that I won't be told about it again?
How do I do so?
Also, I never consented to this being collected. How can their practice of collecting this type of data be GDPR compliant?
But I'd recommend going to the source: Read the privacy policy of each party delivering data and check if they mention it. I already sent a mail to the DPO of an app provider which shows up in this list and doesn't mentions Facebook in their privacy policy.
GDPR requires the users consent to do so. Having a statement in a privacy policy is imho not enough to qualify as consent.
Nah, I will pass.
[1] Shameless plug: https://github.com/Jaruzel/DeleteFacebookActivity
[Cross-posted from the other thread]
[0]: https://en.wikipedia.org/wiki/Tu_quoque