394 comments

[ 2.9 ms ] story [ 305 ms ] thread
Wow that's creepy. It lists apps where a) I didn't use FB login/signup and b) used a different email address to sign up. How do they cross-reference that to me? Hand how can I prevent that outside of their tools (which I assume still violate my privacy)?
I think they either:

- use Facebook pixel tracking on the site.

- hand over all of their user's email addresses to use for audience building.

Or most likely both. Creepy stuff indeed.

Yep - all of above....

690 App/Sites for me! Not overly surprising really

I use uBlock Origin and Privacy Badger on my desktop and phone, as well as Blokada, and yet Facebook still had a bunch of app activity even though I never ever sign in to stuff using FB (or even gave the apps my email or any other piece of personal data).

I literally just opened the app, granted no permissions, used it a bit, and Facebook associated it with my account. What the fuck.

They could be associating you server-side using persistent identifiers on your phone. For example, if an app has the Facebook SDK, it could send your IMEI to Facebook. Then, if you have a first-party Facebook app like Messenger, that too can send your IMEI to Facebook and link it back to your Facebook account.
I'm pretty sure that 95% from the activity that is listed for me comes from the Facebook tracking pixel, that every website has to embed if they want to (effectively) advertise on Facebook.
For starters you can delete your facebook account .
I don't think that'd really be true, since they'd just have it stored in the background without you having a FB account (and wouldn't have the ability to see how bad it is)

not saying that's worth having an account though.

does that stop facebook from collecting data about you? I didn't think it did, and because you don't have an account it's not, or at least wasn't possible to control any privacy settings.
Technically, no. Legally, it means you haven't accepted their terms of service, so if/when (I hope) the political privacy landscape changes, it'll be more likely that you can sue, report a violation, request deletion, (or maybe they'd even preemptively delete it to cover their tracks / come into compliance with new laws).
That's an interesting thought. I've removed (deleted?) my Facebook account several months ago. Maybe I should have kept it around in order to manage it.
which I did a couple of years ago. Now I have no idea what they know about me. I use adblock and friends, but I wonder how much data about me they still manage to gather
When I view this link, I can see no activity.

Here is my secret: I deleted my facebook account several years ago. (before it was cool)

I love how links like this are (successfully?) attempting to pull people back in.

What you can do to prevent this is:

1) Install https://www.eff.org/privacybadger to prevent trackers from being loaded

2) Install https://addons.mozilla.org/en-US/firefox/addon/cookie-autode... to delete any cookies you might have accepted after a week time or so, which prevents the infinite gobbling-up of your data after innocently accepting a cookie once

3) Install the Google, Facebook, Twitter and Amazon containers to "separate" your browsing with these sites from the rest of your browsing. Links: https://addons.mozilla.org/en-US/firefox/addon/facebook-cont... https://addons.mozilla.org/en-US/firefox/addon/twitter-conta... https://addons.mozilla.org/en-US/firefox/addon/google-contai... https://addons.mozilla.org/en-US/firefox/addon/amazon-contai...

Also, if you are creeped out by this, just imagine the amount of data Google has on you. I'm convinced they have way more, just by virtue of every website having Google Analytics installed.

Even before firefox containers, I used a dedicated profile for facebook only as well as using privacy badger and ublock origin. Facebook still collected data about me from external sites. I think mainly through my phone, possibly through linking phone number or email addresses.
I found a mere four items in my activity list, all from several months ago, probably when I mistakenly used the wrong container or had uBlock turned off. It's nice to see all my anti-tracking software is working!
I use Firefox Containers to limit and logged in FB activity to that & never log in using FB other than FB website itself. I have no FB apps (including WhatsApp).

I've been running uMatrix for a few months.

My firefox tracking-prevention (similar to EFF's one, but probably not as good) is always using maximum privacy settings.

I still have a few sites appear... AND for websites I've never even visited (that I'm aware of, & I'm the only user of this machine)

There seems to be some serious fingerprinting going on, more than simple cookies.

Agreed, even with all of the above I had about 15 or so sites in that Facebook list. I suspect it's because I was logged in to Facebook on my phone's browser for a while. Not sure why I even did that...
(comment deleted)
Those are good, but they don't work for what the GP is talking about. I'm seeing games/apps associated with my FB account even though I never logged in to FB with them or gave them any info. I literally just opened the app and that activity was associated with my FB account.

I have no idea how they're doing this, since they didn't even request storage access (or I didn't give it). Can any Android developer here chime in on how an app can figure out my Facebook ID even though I don't even have Facebook installed on my phone and didn't give any sort of credential or access to the app?

I think they cross-reference Android Advertising ID in their SDK. Have you ever logged to Facebook from your phone?

https://developers.facebook.com/docs/app-ads/targeting/mobil...

I have, either in the browser or in Swipe (a third-party app). I've never logged in to or installed the Facebook app or Messenger.
Then FB left behind tracking data, and there's your link. Sigh.
How? It was running in a browser.
Once you've logged into facebook from the device, they likely created a device fingerprint for your device: https://en.wikipedia.org/wiki/Device_fingerprint . This would allow them to identify you even without a cookie or ad id to correlate against.
I don't think the browser fingerprint and native app fingerprint are the same, what you say sounds unlikely to me.
Fingerprinting across devices is possible too, using things like behavioral analytics, network traffic, timing, third-party data sources etc.

The third party data sources is the easy one. Log into service A on your computer and service A on your phone. Service A fingerprints both and sells the data to service B. Now service B knows how to correlate your behavior between devices even though you never logged in.

I’m sure you’ve logged in something on both your phone and computer. It doesn’t have to be Facebook.

Try to opt out of Advertising ID (Settings -> Google -> ads) and see if apps continue to be associated with your facebook account. I suspect Swipe sent both your account ad advertising id during login.
I opted out of Google advertising a long time ago, I think in the end it was Instagram/WhatsApp that did the dirtywork.
Are you using Instagram or WhatsApp?
Ahh, there we go, I forgot about those... That must be it, thanks.
The whole point of them buying WhatsApp was to have a backdoor into people's contacts (among other things).
I thought Google Analytics had a decent privacy policy that would prevent Google from doing anything with GA data. But I remember some fuzzy wording like "your data" which could simply mean that Google considers GA data to be their data.

Has anyone done a good deep dive on what Google actually does with GA data?

As an EU "customer" I'm rather surprised by this. There are services that I've signed up to since GDPR came into effect which I didn't get explicitly consent to do this. For example my business bank. Why would I give them permission to share data with my personal Facebook account? I will be digging into this more.
Sounds like the activities view could be some good evidence to give to a data protection commissioner.
By far the worst thing are android phone applications (not only FB official app). They have their spyware bundled and can slurp from you the data which are normally unaccessible by web browser, from phone number, imei, mail addresses to all your contacts and there is almost nothing you can do except installing vpn based firewall (like NetGuard) and block all access and add permissions one by one for each url. This should just be illegal.
How can phone apps with no permissions get my phone number?

> except installing vpn based firewall

So they can send the data instead?

From your friends :) Or you will allow it. To use it. On the other side you can at least control that the common advertisers wont get it (like fb). For everything else get root and xposed + xprivacy. But for most users that is too much. I just gave the easiest advice. I am running microg lineage, xprivacy lua and netguard. But I wonder was this as advice worth the letters used? ;) Will someone go trough the trouble to use it? To replace the rom, install everything, run everything in block mode and allow only what is really needed, like connection to my own mail server? My own ssh tunnel? Probably not. And then comes the master villan, google. How many will remove that one from the phone? Waste of words, right?

Anyway even netguard is far better than nothing, most apps dont need their own servers. And the largest data slurpers are known. For fb just block all fb domains.

Other commenters seem to have missed what you’re really saying here.

I’m on iPhone, and see apps listed where:

- I’ve never logged in on the web

- I’ve never clicked to open a link in a browser on-device

- Used a phone number to sign up that’s not associated with my fb account - Didn’t use email at all

Some chat apps (like Viber and others) have Facebook SDK integrated in them, without any direct Facebook functionality people would use. Discovered after using NetgGuard, and seeing who is calling home, and not only home. (Why viber is making requests to graph.facebook.com anyway?)

Duolingo is a nice app for learning new languages, yet it might be using the same sdk, since it likes to call facebook.com domain.

Netflix is a good streaming service, but it has some option somewhere, which allows them to share data with others, and enabled by default. And yes, it's present in fb activity.

The list can go on...

There are developers who integrate dozens of SDKs, without any specific purpose for users, and not knowing what is happening. We need something like PrivacyBadger/ublockorigin for phones/laptops/routers/homes/cars. It's getting more than creepy.

And why would Facebook allow third-parties/businesses upload into FB info they have on their customers...

PS: analysis of how a simple menstrual tracking app is leaking data about the owner https://media.ccc.de/v/36c3-10693-no_body_s_business_but_min...

(comment deleted)
A bit weird that my Monzo seems to be sending data to Facebook?
Could you say more or provide a screenshot? I’m very curious and concerned about this.
It just says <number> interactions were received from Monzo.
For Revolut, I have many many entries like:

ID 894103617218109 Event CUSTOM Received on 13 November 2019 at 09:51

The only event is "CUSTOM".

I use Revolut but my page is empty. I imagine it's because I don't have the Facebook nor Messenger apps installed on my phone.
Same here. I suspect most of the commenters on this post that are confused about how their data got acquired have the FB app and/or Messenger installed on their phones.

I also suspect that soon Whatsapp will be doing the same sinister activity tracking once they go ahead with their plan to introduce ads later this year.

As far as I can tell almost every bank with an app is sending your email/advertising id/name/etc. to Facebook(+ other surveillance companies).
I have a couple of other bank accounts and none of the others seem to be sending data to Facebook.
Not really.

They have the Facebook Pixel installed likely to do retargeting advertising when a person visits their website.

It's one of the most effective methods so it's very common to see it everywhere.

This is related to their app not their website.
Same applies to their app.

Doing retargeting for when (a) someone downloads their app but doesn't signup and (b) someone is a customer but has low engagement i.e. is likely to churn.

That may be true, but I still think it's a low-effort way for them to do it, and I expect better from Monzo than this. Plus it tracks people regardless of if they fit in a) or b) - neither of which is the case for me.
Hmm, that feels incident worthy.

My bank should send precisely zero things to advertising / marketing companies.

Have you raised it with their Help team? You should.

Unfortunately I cannot as I do not have a facebook account so cannot determine whether or not facebook hold data on me without creating an account.

You might (justifiably) not like it, and it might inspire you to boycott the business or plead for regulatory relief, but it's not an "incident" from their perspective to be intentionally doing what they do to run their business.
This is a bank, and they are regulated. Depending on the information shared, this may be a breach of that regulatory code.

I do not have access to see what the data is, but would certainly in their shoes investigate with high priority, and Would raise a security incident to do so. If it turns out to be empty and of no concern, then great. But ignoring such things is seldom wise.

I saw HSBC
I didn't see HSBC, but I did see Monzo - which I was surprised and disappointed by. I see no legitimate reason for them to be connecting me to my (disused aside from messenger because of friends' network effects) facebook account. Not impressed.
I have Monzo in my list too and downloaded the actual data. The only things listed are `ACTIVATE_APP` events. It doesn't seem to send any details to Facebook aside, from that you "activated" (opened) the app.

Still not ideal, but not completely terrible.

When I used to have https://lua.xprivacy.eu/ it used to prompt me a lot, saying "This app is calling this API, do you want to allow or deny? (or allow/deny for 1 minute or 10 minutes). The Facebook app would query what packages/apps are installed on the Android phone.

Yeah, Android devs, why is that an accessible API call?

For one thing this is how FB could figure out how popular their competitors like WhatsApp, Instagram or Snapchat were, and why they bought them, or tried to.

It's part of the Intent system in Android. It's a really nice system where you can say "someone open the file with this URL and mime type" and the system asks the user which app they want to use to open it (or use their default if they set one.

It all works really well and lets app be loosely coupled to each other. It's also super flexible so you can use it for lots of different use cases. The API itself hasn't changed much since the first release of Android.

The issue is that you can query the Intent system to see if there is an app installed that can open your Intent. On the face of it, this makes a lot of sense. You could then display an error message to the user asking them to install and app that can handle it. The problem is that you can create an Intent that you know can only be handled by a single app (using the package name) and then you'll know if it's installed or not.

For what it's worth, iOS used to have exactly the same issue. You could query the phone could handle a specific "custom protocol scheme" (used for deep linking). You could then just query a scheme which you know is for a specific app and tell if the user had it installed. Apple fixed this by requireing you to include a predefined list of schemes which you can query for in your Info.plist (manifest file) and limiting the number you can have (30 I believe).

All APIs with good intentions, but very easy to abuse. Apple is just more comfortable breaking backward compatibility to fix these sorts of issues.

If you want to disable facebook tracking out of facebook in the future, it's possible on this link: https://www.facebook.com/off_facebook_activity/future_activi...

EDIT: the link doesn't seem to work, so you can click on "Manage Future Activity" => "Manage Future Activity" in the popup => Disable "Future Off-Facebook Activity"

You might not want to disable this completely, because it can be a useful tool to identify data leaks (similar to Troy Hunt's haveibeenpwned.com).

My off-Facebook activity had zero entries and I want to keep it that way. If they ever associate something with me I want to be alerted to the fact.

Mine had exactly one entry. And I won’t be doing business with that company anymore. No way am I disabling this. It’s too useful.
One warning it gives me:

> We will still receive future activities from companies and organisations you visit. These might be used for analytics and to improve our advertising systems, but will not be connected to your account.

(Translated from Dutch because for some reason Facebook figured I'd want this particular message in Dutch.)

Extrapolation: "Account" here means the Facebook account created by you and visible to you; probably distinct from "Profile" in their lingo, which is all the data they have on you, of which most is invisible to you. If this is true, that's not an opt-out for data collection, just a choice to keep that info from showing in your account while merrily continuing to build your profile.
I mean, they’ve already been shown to keep every tiny nugget of data, this feels more like “we won’t give anyone else tools to see that it’s you” instead of “we’ll anonymize it sufficiently”
Before you disable it, the site warns you that "This will also prevent you from logging into apps and websites with Facebook because your activity will be disconnected from your account." This annoys me, because Facebook login is actually quite convenient, and they've gone and bundled it with lots of random third-party tracking. Nothing technically required them to do this -- they could surely offer it as a separate feature.
In my profile, they managed to obtain a `PURCHASE` event from Macy's -- for an in-person purchase at a physical store. Macy's has my email address and certainly linked it to my credit card number, but this is nonetheless seriously creepy.

I just tried to change my email address on Facebook and discovered that they canonicalize plus and dot variations in gmail.com addresses, and thus claim that the new email address is already associated with an account. Ended up having to create a completely new email alias on my own domain.

This is likely based on an Offline Conversion which advertisers can bulk upload to FB
(comment deleted)
Google has long bought credit card transactions and so probably have dozens of others. The root cause is that they are allowed to be sold
are credit cards different from debit cards in this regard? Do some credit cards not sell your transactions?
No, if it's data they can collect it's data they can sell.

Can't sell cash transactions yet!

Unless you use a loyalty card at the same time ;)
Unless you are carrying your cell phone at the time—not sure anyone is doing this yet, but I have heard of at least one chain that tracks customers' cell phone locations via triangulation.
The accuracy by Bluetooth is horrendous.
How accurate does it need to be? If you shop in a market stall, or a bodega, then you could be tied to a neighboring store. But if you're in a regular-sized (American) store, it's certainly good enough.
What about wifi? My understanding is this chain uses their in-store access point mesh for this.
It used to be common to track the mac address of customers that pinged the in-store wifi. Not sure how much this happens now that some phones randomize mac addresses.
It's the card network (MasterCard, Visa, AE) that sells your data. They each have their own op out:

* https://marketingreportoptout.visa.com/OPTOUT/request.do

* https://www.mastercard.us/en-us/about-mastercard/what-we-do/....

Are these datas for sale in Europe as well?
With VISA and MasterCard yes, but e.g. the German girocard network on its own doesn’t sell anything, and there it depends on your bank (and most banks don’t sell that data either).

So if you have the choice between using a girocard or a credit/debit card to buy a product, the credit/debit card is significantly more likely to sell all your data.

It’s crazy that they do this yet still charge nearly 3%.
They don't charge 3%, they charge about a tenth of a percent (0.11%). What you think of as fees is actually a basket of charges going to different parties. almost 2% goes to your (the purchaser) credit card company to cover the risk of you not paying them, about a percent goes to the store's bank to cover the case when they have to give the money back (either because it was a fraudulent online transaction, or the store cheated the customer and the customer went to their card issuer, etc.) and that tiny little bit that's left goes to Visa/MasterCard.

Credit transaction fees actually make lots of sense and are grounded in the actual cost of the financial product. As a merchant, you can choose to accept only debit cards to avoid the cost

I get that this is how it works in the real world, but the argument that transaction fees are necessary for the credit company to cover the risk of the cardholder not paying is a bit feeble, because to my non-banker mind: that's what the interest rates are for. If someone is risky, simply don't approve their application, or raise their rate. Am I missing something?
The 2% that goes back to the credit card company is what ends up paying for all the rewards points and cash back discounts—which work as mechanisms for you to get that money back so long as you actually pay your credit card bills.
And if you’re a savvy customer you get “cash back rewards” from your credit card, meaning some of the fees just end up coming back to you.
A "savvy" customer has a card that doesn't make them perform a dog and pony show like you describe. A savvy customer's card charges the lowest reasonable rate in order to provide the service.

Giving someone money and then feeling all giddy when you get a "reward" later means you've been gamed.

> feeling all giddy when you get a "reward" later means you've been gamed.

It doesn't really feel that way as you're flying to Hawaii for free.

It doesn't really feel that way as you're flying to Hawaii for free.

There is no free lunch.

In this particular case all of the people without premium cards who pay with cash or debit cards with no rewards are paying for our free lunch and flight to Hawaii. It's a tax on basically every transaction, paid to those participating in the rewards scheme

The lunch is not free. You're buying it for us.

You're not flying to Hawaii for free. Every single purchase you made with the card was more expensive than it had to be, because the merchants needed to cover their credit card fees.

What you're doing is the equivalent of always paying with bills, and dropping your spare change in a jar. And when the jar is full, you buy a ticket to Hawaii with the money in it. Except with a credit card, they keep the jar, take half the quarters, give you back the rest, and make you feel grateful for the entire experience.

(comment deleted)
So you must have a recommendation for a card that charges lowest reasonable rate?
The rate a card charges differs from applicant to applicant. Without knowing your credit score, credit history, and other financial information I cannot recommend a card for you.
If you're just talking about interest rate, the trick is to not even have to care about that.
The rate a card charges is immaterial since if you pay the entire balance each month, you pay zero interest. (And if you don't, you're making a big mistake.)
I pay $89/year for my card, which I use for every purchase. I get hundreds if not thousands of dollars in rewards each year, and have never paid a penny in interest.

There's no dog and pony show involved, and I have not been gamed.

The merchant pays the interchange rate regardless if you get a reward or not. If you have a no annual fee card with no rewards, you are simply leaving money on the table (which your card issuer pockets), since you can get 1-1.5% cash back, also with no annual fee.
But this is such a weird way to think about it. Credit cards don't cost anything. In some vague grandiose sense prices are slightly higher since credit cards exists and merchants want to cover their fees but my perspective as a customer spending via a credit card is basically free money. There's no dog and pony show except buying things like I normally would.

* I get literal cash through their rewards program which just slowly accumulates without me having to think about it.

* I get all the nice protections and can do chargebacks.

* The money I spend every month stays in my bank account until just after the bank calculates and cuts my interest check. Like it's super negligible but hey, if I'm getting an interest free loan anyway.

2% cash back from the card + 0.25% interest from the bank ain't nothing.

The point is that everything you buy with the card is at least 2% more expensive, because the merchants are just passing on their credit card fees to the consumer. You are not saving money in any way, shape or form.

Once upon a time, it was beneficial for a merchant to accept credit cards, it lowered their costs for handling cash, which meant they saved money and the 2% cost for each transaction was reasonable.

In a world where everyone is using credit cards for every purchase, that 2% is essentially a tax instead.

Which is all fine and good but my options are pay 2+% more for everything and get nothing or pay 2+% more and get something.

Like there’s no point to trying to punch a river as a lowly software dev completely unrelated to finance and politics.

Yes, you absolutely should use a credit card in the US and get your cashback or rewards or whatever. You have to play the game, because everyone is playing the game.

But, you have to realize that it's not beneficial to you. You don't earn anything, you merely, barely, move the needle back up to break-even. You're not gaining. You're not winning. You're not sticking anything to any man. If the entire credit card industry got rid of rewards, and lowered their merchant fees, it would be a net benefit to you.

So feeling happy or grateful for cash-back means that they got you, they tricked you into feeling grateful for the privilege of giving away your money.

If you paid cash, in virtually every case you'd pay exactly the same price because most merchants don't provide cash discounts. If your merchant does provide a cash discount, I would suggest taking advantage of it. But if they don't provide a cash discount, you're still paying that 2% margin anyway without receiving any benefit from it.

Likewise, except for small businesses whose owners don't actually price in the cost of their own time and labor, it's not entirely obvious to me that the cost of accepting credit card payments actually is any more expensive than the cost of handling cash, which is probably why cash discounts are rare. The main exception to that seems to be gas stations (which usually have a lower price for debit cards and not straight cash), except even in that case, I get an even bigger discount by using Costco's gas station, which doesn't have any such discount. You do address this point...

> > Once upon a time, it was beneficial for a merchant to accept credit cards, it lowered their costs for handling cash, which meant they saved money and the 2% cost for each transaction was reasonable. In a world where everyone is using credit cards for every purchase, that 2% is essentially a tax instead.

That makes no sense. If the cost of receiving credit card transactions is 2%, that doesn't imply that the cost of receiving any other kind of transaction is 0%. If there's no cash discount, the difference in cost to the consumer is zero anyway. But the difference in cost to the merchant isn't 2% either, because if they accepted a different form of payment, the difference in cost would be 2% minus the cost of accepting that different form of payment. (And if they didn't accept any form of payment at all, the cost would effectively be 100% because there would be no sales). In a world where credit card sales are ubiquitous, if anything, credit cards become a better deal for merchants because there's less economy of scale for cash-handling services.

All in all, I would even suspect there are instances where credit card rewards end up providing a net positive to a sufficiently devoted cardholder simply because most people are not going to expend the time and effort necessary to maximize their credit card rewards. It's just like Vegas in that sense--while it's true that "the house always wins", casinos will also comp you rooms and drinks, and there are documented instances in which you would expect to be better off playing video poker or blackjack for long enough to get a free room (assuming perfect play, which means memorizing a small decision tree). Why is this possible? Because the vast majority of people don't play perfect blackjack or video poker. Businesses plan for average-case expected customer behavior and not best-case (or worst-case from their perspective).

The cost for a merchant to handle credit cards is whatever the credit card companies can get away with.

The actual cost of handling card payments is very, very low these days, but merchants are stuck paying the higher price, because there's effectively no competition in the space. To avoid having obscene profits, the cc companies give back a lot of the extra money to the consumers in the form of cashbacks and rewards, and then consumers stupidly feel grateful for being fleeced.

In an ideal world, merchants would pay only the actual cost for handling card payments, only pay for the tech itself, and the fraud risk. Naturally, such a pricing would be a fixed per-transaction-fee, because the actual cost is the same for each transaction.

In the same ideal world, the credit risk of credit cards have to be managed through the interest rate and credit worthiness management. It's completely outrageous that credit card processing fees should in any way, shape or form cover the risk side or the fraud side of the business. That's not the merchant's problem.

That would be fair. That wouldn't be gameable. Some countries did exactly this: https://en.wikipedia.org/wiki/Dankort

> The actual cost of handling card payments is very, very low these days, but merchants are stuck paying the higher price, because there's effectively no competition in the space.

In other words, the cost of processing credit cards is low enough that it successfully competes with every alternative form of payment. In which case I don't see what you're outraged about. Invent a more cost-effective payment mechanism if you think there's an opportunity for it.

It's also worth mentioning that cash isn't necessarily any less expensive for merchants to accept. It is if you're talking about a small local business or something, but if you're paying for the actual labor of counting cash, delivering and depositing it to the bank, as well as the increased security risks and costs of holding large sums of cash, it starts to add up.
A "savvy" customer pays their entire credit card bill every month, so the actual interest paid is zero. At that point, the rewards are the only meaningful difference in return from one card to another.
> about a percent goes to the store's bank to cover the case when they have to give the money back (either because it was a fraudulent online transaction, or the store cheated the customer and the customer went to their card issuer, etc.)

Is this right? It's been my experience (in Canada) that losing a fraud case or chargeback the store takes the hit.

With the new "elite" cards that have higher transaction costs that you can't disallow as a merchant, it's becoming more like a tax.
They force merchants to accept the 3% as a function of their oligopoly power. Merchants don’t negotiate anything inside the basket.
Anyone who wants to do this: Make sure that you also opt out your virtual card numbers (such as Apple Pay or Android Pay).

Also, the opt-out of each number is only honored for FIVE years after which you need to opt-out again.

How can I opt out a virtual card number through Apple Pay? It doesn't seem that you can get the full "Device Account Number".
I'm not sure that the "Device Account Number" matters. As I recall from the presentation, that number changes with each purchase. And Goldman has promised (ha!) not to sell your information for marketing purposes.

But it's still worth opting-out of your Apple Card's virtual number.

The number is in the wallet app, ... > Card Information

I don't see the number exposed in Apple's UI, but I can definitely see it on my bank's website.

It's possible that this is an implementation detail and some banks do it without a unique card number...

Your Mastercard URL got truncated somehow. It's a pretty easy search, though. Just the same, thanks for linking because I had no idea this was even an option:

https://www.mastercard.us/en-us/about-mastercard/what-we-do/...

> To opt-out from our anonymization of your personal information to perform data analyses, please provide your Mastercard or Maestro payment card number below.

This sounds like they are going to continue using my purchase data but without anonymization? Not a native speaker so perhaps I'm just misunderstanding the sentence.

You're right. I don't think that's the intention, but that is certainly what the language implies. It's rather vaguely worded.
I think they tried to formulate it so it will sound less damning for them, like they want to make it explicit that what they performed their data analysis on is your anonymized personal information.
Do they have access to purchase line items or only the overall transaction metadata?
How does Capital One give back 2% on all purchases? They must be monetizing purchase data as well, right?
I'd argue that the root cause is that they have any value whatsoever.
It’s better to not use the same email address everywhere. I use SimpleLogin to create email alias and it works great so far.
I just don't give my e-mail address to anyone. Anyone. Doctors, vets, especially retail stores.

I just tell them that I don't have one. On the very rate occasions anyone has balked I tell them I just moved and haven't set up my internet yet.

>, they managed to obtain a `PURCHASE` event from Macy's

interesting.. they could use that to predict earnings..

A lot of hedge funds purchase credit card data to do exactly that.
Predict? Facebook buys earnings data directly from payroll companies.
interesting.. they could use that to predict earnings..

A few years ago when Chipolte had its little food scare, Foursquare used its data to predict how much the restaurant chain's revenues would decline. IIRC, it was accurate to within 1%.

You don't even necessarily have to predict earnings. If you've ever connected to your financial account via a service like Plaid or it's ilk, that service has an API endpoint[1] they can call to neatly package up your income information. Sometimes it seems innocuous and unassuming for a one time use like identity verification, or to set up automated payments, or a one off transfer/disbursement. Other times it's for stuff like getting a consolidated view of your personal finance (i.e. a transaction aggregator such as Mint). But if you authenticate for anything, that service has access to everything.

And unless you rotate your financial passwords on a frequent basis, that access continues pretty much indefinitely[2].

[1] https://plaid.com/products/income/

[2] Not true for 100% of cases, but a general rule of thumb that's applicable to the majority of institutions they log into with your credentials.

By “they” I assumed the GP was talking about Facebook being able to predict Macy’s earnings before they were publicly announced. That would be pretty interesting to see :)
I saw the same for Gap inc for a list of in-store purchases at Old Navy. Incredibly on the nose about how screwed privacy is going to be soon.
old navy is owned by gap - not sure if this counts..
It’s not a situation where FB “managed to obtain”. It’s Macy’s directly uploading transactions in order to attribute purchases to their online ad campaigns. It uses email and name etc to match.
I agree.

While its easy to point at Facebook and say "they are so creepy" - this sounds like the type of challenge every marketing department faces. "What is the attribution of X,Y,Z ad campaigns?"

Connecting purchase + email + 'where the ad happened' via social solves that.

"Attribution" in this sense is always going to be the enemy of privacy, because it boils down to the question of "what was on your screen when you decided to make this purchase".
> While its easy to point at Facebook and say "they are so creepy" - this sounds like the type of challenge every marketing department faces. "What is the attribution of X,Y,Z ad campaigns?"

That can still be creepy. (If you're meaning that the accusation of "creepy" should be directed at modern marketing in general and not just Facebook, yes, I'd agree with that, though a good part of how we got here is large centralized aggregators like Facebook.)

I think there are plenty of non-advertising contexts where "using people's data to influence their behavior more effectively" can easily cross from normal to creepy as you start collecting more data. If you give your SO a certain flower because you remember a conversation the two of you had a while ago about that flower, that's normal and even thoughtful. If you give your SO a certain flower because you hired people to follow them before you even started dating and you got a report that they always stopped to admire a certain flower on their walk to work, that's creepy.

Every profession has challenges. Most of them don’t resort to violating the rights of others to solve those challenges.
What rights are being violated here?
The right of privacy. The right of dominion of ones own affairs. There right to not be harassed by soulless individuals and companies who are 'merely' seeking to gratify their greed.
If rights were violated then this would all be illegal. Clearly it isn't. In the US, there is no constitutional right to privacy, and any legal precedents are mostly about government surveillance.

There's new data privacy regulations at the state and federal level going into effect which is why FB made these changes, but they don't explicitly prevent this kind of data sharing from an outside company using first-party trackers to send data to Facebook's marketing platform.

You are right, of course. It just goes to prove that we are little more than slaves to the system of governments who dictate what is lawful, who usurp their position in order to bestow rights back to us that used to be intrinsically ours to begin with. It doesn't make it right however.
Absolutely, but I think it's time to start asking:

1. Is that ok that we accept this sort of Pavlovian training from anyone, much less for-profit companies?

2. Is it ok now that the entities are so easily able to completely track the effectiveness of their advertising and thus empowered to amplify whatever works to increase their success rather than some metric like human happiness?

Imagine all of our phones' lockscreens being unlockable only by face unlock and not fingerprint... you know, our face which is all over the internet and trackable across websites and in-store and public cameras.
The fact that there is a commercial motivation doesn't make it less creepy.
Match backs? Or offline conversions? Looks like Zapier offers a match back service too.
Remember all of those times Facebook was telling us it doesn't "sell" our data to other companies?

Technically true, it was merely "bartering" our data (exchanging its users' data to data from other data brokers, large companies like Macy's, and many of the phone manufacturers that pre-install the Facebook app).

In other words, a distinction without a difference.

That last part makes sense. If you want a different identity, you need to choose a different ID. Better to make you be more explicit about what you are trying to do (multiple accounts), then accidentally split accounts of people who aren't trying to do that.
Dot variations in Gmail all belong to you by default. That's a Gmail thing not a Facebook thing.
Revolut is sending data to them, too. 202 interactions for my account.
That one surprised me as well.
Why is it surprising?
Because Revolut is the only fintech/banking app that is actually on the list. I do have other 3 banking applications installed on my phone that I regularly use + N26 (another fintech) -- none of these are in the data sharing list.
And the last date they received information about me according to Facebook is the last date I used the app. Revolut mentions "Analytics providers" in their privacy policy as companies they are sharing my data with.
For me it seems there is a 3-day difference between the last time I've used the app (today) and the last time they shared data with facebook.
(comment deleted)
My off-facebook activity was empty. That's encouraging, because it looks like my countermeasures have been working:

- Fingerprinting resistance in Firefox (privacy.resistFingerprinting = true)

- First-party isolation in Firefox (privacy.firstparty.isolate = true)

- Blocking third-party cookies in Firefox (network.cookie.cookieBehavior = 1)

- Firefox container when I need to login to ad/tracking companies (Facebook, Google)

- uBlock Origin

- Cookie AutoDelete

- PiHole on my home network

I don't think they will tell you the whole truth.

It's just like with Google history you can "delete".

They have the data stored for the authorities anyway.

They are required to do it by law (Patriot Act etc.)

> I don't think they will tell you the whole truth.

This is true:

>We receive more details and activity than what appears in your off-Facebook activity. For technical and accuracy reasons, we don’t show all the activity we’ve received. This includes things like information we’ve received when you’re not logged into Facebook, or when we can’t confirm that you’ve previously used Facebook on that device. We also don’t show details like the item you’ve added to your shopping cart.

https://www.facebook.com/help/2207256696182627

Thanks for that link. Looks like the infamous "ghost profiles" are officially confirmed now.

I wish they would show the ghost profiles as well, but since it's not linked with 100% confidence they are probably not allowing it because it could be a privacy violation if it turns out that the link was incorrect (i.e. they showed a ghost profile to the wrong user).

I'm not sure how ghost profiles are legal within the EU.
They can’t be I think. No way to opt in. Or even to inform the person.
Thanks for sharing

BTW, how does PiHole help in regards to anonymity?

> how does PiHole help in regards to anonymity?

By blocking many advertisers tracking cookies (by blocking all access to those hosts via point the DNS result elsewhere) it reduces how far your information immediately spreads.

Far from massively effective because it does nothing to stop 1st party tracking and those 1st parties sharing further, or 3rd party cookies for new hosts not in the blocklists yet, but it can still help.

My use of PiHole isn't really an anonymity/tracking avoidance thing, my priorities in using it are avoiding ad network related annoyances like drive-by install attempts from less reputable (and/or hacked) networks, auto-playing audio, pop-ups/-unders, bandwidth waste (particularly from auto-playing video clips), occasional attempts to access microphone and/or camera, etc.

Block requests to all of FB's domains in the hope that it can't load FB's scripts or buttons or "like" buttons; literally anything from FB as far as humanly possible.
It allows you to block the domains of known third-party tracking companies. However, this measure is going to become less effective over time with the increasing usage of first-party tracking.
How do you cope with constant reCAPTCHA prompts? I get prompted by Google when using search, because it thinks I'm a bot if I'm anonymous enough.
Have you tried using another search engine like DuckDuckGo?
There should be an extension to automatically filter the reCAPTCHA-using sites out of the results of the search engines.
I think GP is saying that Google itself is presenting the captchas, not the Google results they click. I've had it happen a couple of times when using VPNs before.
reCAPTCHA is a Google product, but the owner site needs to actually integrate it, so it's a conscientious decision
I might not have been clear; sometimes when using a VPN, you can't even load Google search results until you submit a captcha. If you go to "google.com", it will make you enter a captcha before you can search anything.
Ah that's fair, Google captchas VPN users, but I don't think it's recaptcha, it doesn't look exactly the same.

Having done this in a previous life, they do this because they fight against scrapping their search results.

You learn to derive some satisfaction from feeding it inaccurate labels.
I had exactly one item, and it's a store I never shop at, so assuming they are actually showing all the information they "have" on me, I also feel encouraged that my opsec is sufficient.

I guess the only thing better would be 50 stores I never shop at. I might experiment in the future with finding ways to deliberately poison companies' data wells with incorrect information...

Out of all activities you listed, just 3rd party Cookie blocking and using any "login with Facebook" buttons would give the same result for Web. I don't think any of the activities you listed would prevent the data collected through apps though.
If you have a domain, you can give every service it’s own email address, ${service}@${domain}. They can try reporting that to Facebook, but unless someone understands that the entire domain is one account they won’t be able to correlate them.
Apparently Blind made the list. So much for 'anonymous'
"just must log in to read this"

Can someone please share it?

It's a page for people with an account at FB that lists the 3rd party websites that have given information to FB.

> Off-Facebook activity includes information that businesses and organisations share with us about your interactions with them, such as visiting their apps or websites.

It's creepy.

> We receive more details and activity than what appears here. For technical and accuracy reasons, this list doesn't show all of the activity that we've received. Activity that is not shown includes information that we've received when you're not logged in to Facebook, or when we can't confirm that you've previously used Facebook on that device. It also includes details such as the item that you added to your shopping basket.

Seems like most of my data they got from apps on my Android phone, there was even an app that I just installed, opened and uninstalled in less then a minute without even logging in or anything.

How can I block them in the future?

set the "limit ad tracking" feature on your phone at the os level and the advertising id will become unavailable to everything. On Android this is Settings > Privacy > Advanced > Opt out
If Google and Facebook is ready to "show" these data, I wonder what and how much data they are hiding.
Good point. I also wonder what the motivation behind this tool is.

Furthermore, I don't understand how any of this is GDPR-compliant.

> Good point. I also wonder what the motivation behind this tool is.

Probably to tell regulators and politicians that "transparency is in our dna" we design tools to help users know who is interacting with their data

INAL but will guess it is to make facebook GDPR-compliant. They show the data they have about us, but don't know if the apps that send the data to fb have used opt-in to enable sending data to fb. Maybe time to start writing emails to the companies who have uploaded our information without consent?
Hmm. I have no website activity listed - but seemingly every single Android game and a few other apps is sending "activity" to FB, despite me never using any feature to associate the two. This sounds like: https://privacyinternational.org/report/2647/how-apps-androi...

Any sensible way of stopping this?

Realise that you don't really need those android apps, or the google or facebook account. The utility and entertainment you get is half of surveillance capitalism ecosystem, and the other half is that they compile all this information about you.

I know it sounds preachy and it's not a conclusion most people will like. But, like fasting, going without something you like but don't really need does help you focus on what you really do need.

I don't actually care all that much and I like my luxuries. Do I "need" the Google account? No. Do I want to tell every person and business currently using it that I've changed email? Also no, that's a huge amount of work. Likewise for facebook, which is now down to once-a-day-ish use for coordination with a specific group of people whom I do not want to do the work of moving all of them off Facebook too.
Yeah, I make similar trade-offs. The sunk cost of a few TV shows purchses keep me from closing my Google account. But I won't let it anywhere near my phone.

I think the process of honestly asking the question is more useful than the actual answer. Life & society is full of compromises.

Blocking the entire Facebook ASN at the firewall/network level stops this. Google is a bit more tricky as they also have GCP so you can’t block their ASN without also blocking innocent services.
How does one do this?
Specifically, how do you do it on a normal Android device? Is it even possible to do this on an iOS device that's on 4G or someone else's wifi? Do iOS devices have the same "leak"?
You either need to control the mobile side of things and never connect to unrestricted Wi-Fi or use Apple Configurator to create a profile for an always-on VPN to a place you control where you can apply the restrictions.
> Is it even possible to do this on an iOS device that's on 4G

No.

> Is it even possible to do this on an iOS device that's on [...] someone else's wifi

Yes, since you can do it on your device, and do not have to do it on the router. Drawback is you have to do it for each Wifi network anew.

> Do iOS devices have the same "leak"

Yes, there is nothing that prevents apps from phoning home (or phoning every one of a dozen data collection "partners")

>> Is it even possible to do this on an iOS device that's on 4G

> No.

If it is a DNS server change on 4G/LTE, it can be done by using FOSS apps like DNSCloak on iOS. [1]

[1]: http://github.com/s-s/dnscloak

I'm blocking Facebook DNS requests using DNS66. I'd also be interested in how to block their entire ASN, though.
I am unable to verify this right now for the obvious reason, but facebook operates on ASN gAS32934[0]

So you can ask https://www.radb.net/ for the IP addresses that are associated with this AS and, after a quick manual sanity check, insert it into the firewall of your choice. For example:

  whois -h whois.radb.net '!gAS32934'|  tr ' ' "\n" | sed 's/^/saddr /'| sed 's/$/ DROP;/'
[0] https://www.facebook.com/peering/
This is assuming that all data sharing to Facebook is done from the client which is obviously not true. If your desired service wants to share data with Facebook they can and will do so and there's nothing you can do about it except not use the service.
From your link:

> "Privacy International has tested both opt-outs and found that they had no discernible impact on the data sharing that we have described in this report."

So there's that. I wonder if any opt-out really helps. I think the best approach is still to use a good blocker such as uBlock Origin.

the Android advertising_id property and the ios IDFA (identifier for advertisers) are available to every app, and once an association against the id and your Facebook account is made further interactions can be attributed to your identity.

Both of these identifiers can be reset at any time via os features, making you appear as a new user (at least until fingerprinted or a new association with PII is made)

Deliveroo has evidently been sending them all my orders. Or at least, there are as many 'interactions' as I have made orders. I don't log in via my Facebook so that is an unwelcome surprise.
Yeah that is insane especially for a paid product.
Same here. I had to recollect if I even signed up with Facebook. After checking my Deliveroo settings, it seems that my FB account isn't even connected. This is insane...
Do you use the same e-mail address for both Deliveroo and Facebook?

If so, that could be how they matched you. Facebook lets businesses create custom retargeting audiences[1] from existing customers, and you can (obviously) include interaction data in order to segment e.g. frequent customers from occasional customers.

1. https://www.facebook.com/business/help/1472206006327390

I suppose that would explain it. I can't see what Deliveroo get out of it though, and how they might expect Facebook to have a better handle on what sort of food I would order and how often as opposed to Deliveroo themselves, who know. I wonder if they have plans for service expansion into "Deliveroo but for X" and want to see what their customers are into. Or perhaps they want to see if I am two-timing them with Just Eat!

Funny, I now remember reading a post from someone claiming that if they ordered an online grocery shop off a company that was not their usual, like magic a voucher would appear from their original company. I assumed this was coincidence, but this is the exact mechanism that such a thing could happen.

Of course this could also just be a manifestation of the trend of companies desiring data for data's sake, and a load of deliveroo managers are sitting in a meeting somewhere looking at a graph showing an intersection of people who are into retro computing and also like burritos and trying to brainstorm some strategy off such trivia.

> how they might expect Facebook to have a better handle on what sort of food I would order and how often as opposed to Deliveroo themselves

That's not really the idea - they're just trying to serve you ads wherever they think you might see them. Retargeting (whether it's through Facebook ads or AdWords or what have you) is one more engagement lever alongside push notifications, emails, etc.

(comment deleted)
Man I feel hopeless.

I have not connected my Facebook account for over 90% of these sites/apps but they still sent my data to Facebook.

Same here. At least you can just turn it off on this page, and hopefully that will do something.
Is is too late to change my email address on Facebook?

I'm assuming Facebook keeps a history of my email addresses that it can still associate it to my account.

Another option is to change all my email address at these sites.

It's not even that (though it might be part of it), I use a different email address per site (sitename@mydomain.com).
I have an address unique to facebook, and they still managed to associate it with some stores.
>I'm assuming Facebook keeps a history of my email addresses that it can still associate it to my account.

This is true: if you download your Facebook information file, you'll see it stores all the previous emails as well as all the previous IPs used.

Do you have the option to stop using those sites or using those vendors? At least now you have more data on the externalities of using each service.
They probably just have a Like button on their website, which passes on data even if you don't click it. Use a request blocker like uBlock Origin.
You don't need anything on your frontend to share data with Facebook. Facebook doesn't acquire information like what shirt you bought by putting a like button a page. Your clothing retailer is willfully sharing that information for marketing benefits.
What are the best ways to protect against this kind of tracking? I would argue it's probably better to keep a Facebook account so you can see what they're tracking and work to prevent it.

In my browser I'm running uBlock Origin, HTTPS Everywhere, and Privacy Badger. I'm guessing those will help quite a lot. However on an iPhone what can I do (as that's where a lot of this data seems to be coming from)?

Keep in mind that Facebook probably has a few unique identifiers from you apart from browser cookies:

- Email address

- Cell phone number (even if you only used it for 2FA)

- Credit card number (if you ever made a donation via Facebook or bought digital currency in a Facebook game)

- Advertising ID of your mobile device (can be reset in Android as well as iOS)

In order to avoid tracking, you have to make sure that none of these are known to Facebook and to other companies.

There is nothing on this page I was not aware of and intentionally linked (e.g. Strava).

So does this mean I am successfully stopping them from tracking websites I visit via tracking pixels / IP mapping / whatever other nefarious shit they do, or are they just not showing this information here?

Is it just me, or is there no way to download activity details? I click on an activity, then there's a few examples and a link to download, but this leads to a generic "Download your information" page and I cannot see an entry for the app or off-facebook specifically...

How can I block it? some apps are on my iPhone, but I don't have the Facebook app on it (I do have messenger), and only used the apps on the phone. Aren't they isolated in some way?

For downloading the data there is an option to download "Ads and Businesses" under "Information About You". I just downloaded it, and it includes all data that was shared.

However, the data only shows the source, timestamp and activity ID. The actual event data is not included..

One thing I'm not clear on - when I click on Coinbase (just one example) I see the following under 'What you can do';

- View coinbase.com

- Turn off future activity from coinbase.com

- Give feedback about this activity

Does 'turn off' mean they won't share this information again, or that I won't be told about it again?

I believe the vague wording is intentional, so they can just stop displaying it to you, while continuing to collect the data. It's like how "delete account" works.
It's not that vague, if you do click to disable you are taken to page that words it quite directly.
OK, maybe "misleading" is more suitable.. :)
Literally the first result in the list of companies that shared data about me with FB is my pharmacy. My pharmacy! That's just... wrong.
I am in Europe, so by law (GDPR) I have the right to make them delete all of this data.

How do I do so?

Also, I never consented to this being collected. How can their practice of collecting this type of data be GDPR compliant?

You can disable to storage of this data on the linked page.

But I'd recommend going to the source: Read the privacy policy of each party delivering data and check if they mention it. I already sent a mail to the DPO of an app provider which shows up in this list and doesn't mentions Facebook in their privacy policy.

Even if the app had it in their privacy policy, that would not mean it is legal to send your data to Facebook.

GDPR requires the users consent to do so. Having a statement in a privacy policy is imho not enough to qualify as consent.

I'm not anyone's lawyer. These are questions, not answers: GDPR is about collecting data from you, right? If Site X is sending data about you to Facebook, perhaps that's an issue with Site X's GDPR compliance, not Facebook's?
I apparently have no records of off-Facebook activity. This is probably because of blocking all 3rd-party cookies and enabling the blocking of social media trackers in both uBlock as well as that built into Firefox.
> You must log in to continue.

Nah, I will pass.

I couldn't open the link either. I have only the URL to go on, but the irony is... glaring.
I don't use Facebook, but I do use Messenger as I have a couple of close family members who refuse to use anything else. I've just logged into Facebook (which has no history as I've purged it[1]), and still there are 5 apps sharing my activity with Facebook. These 5 apps are all on my phone, so I guess Messenger is also sharing back to FB. :( ---

[1] Shameless plug: https://github.com/Jaruzel/DeleteFacebookActivity

[Cross-posted from the other thread]

I can't believe that this stuff is acceptible, or even legal. The fact that you're tracked off-Facebook (for instance), even if you're not logged in or on Facebook is not just creepy, but borderline abusive.
Congratulations, of all the people who have responded with outrage on this thread, you are the only person I've found that has a website listed that DOESN'T run Google Analytics or some other third party analytics platform.