Tell HN: FB tracked my sensitive buy outside FB, cant delete a suggestion in app

145 points by rathel ↗ HN
So I bought a rather sensitive item outside of FB on a retailers' webpage. Thought using private browsing was enough (I always do even for trivial stuff).

Now, somehow FB tracked me, found a similar item in FB Marketplace and shows me it in the main app menu as a suggestion next to Marketplace option. Like in this image, but the white Marketplace panel also has a thumbnail: https://brayve.net/wp-content/uploads/2020/03/echo/fb_menu_revamp2.png [1]

I deleted all the stuff from ad preferences, "activity outside FB", turned it off completely. I long-pressed the thumbnail and asked FB not to show it anymore, but it persists.

Does the HN crowd know how to disable this crap if asking FB not to show it doesn't cut it? Now I can't open FB in the public... :/

[1] Won't post my own screenshot, because image censorship is easy to screw up, I couldn't find a screenshot with such thumbnail on the web.

137 comments

[ 0.21 ms ] story [ 227 ms ] thread
In which continent or state are you? If in EU you can send a GDPR delete request, and if in California you can send a CCPA delete request.
Delete your FB account? :)
I'll do that soon , but too many of my friends ( real life people, I haven't meet anyone from the internet in over 4 years) only can contact me on FB.

I do my best to limit my use of FB services

I'm curious. They can't phone or email you?
Neither are great replacements for facebook messenger. And other IM tools aren't either because, well, the people you want to talk to don't use them.
Everyone has SMS
SMS doesn’t do groups or images. Maybe RCS will one day work?
MMS does, and does so transparently across platforms (iOS, Android). You must have a very old phone if it does not work for you.
Back when it made sense to send MMS messages (i.e. when everybody haven’t had something like WhatsApp) they were ridiculously expensive while sms was free on most plans. Nowadays it’s different but for example on my plan, sending MMS while on roaming is not plain data depending on the destination.
The criteria was that everyone needs to have access to the messaging platform. SMS checks that box. SMS does not do literally everything, but that's not the most important quality of a messaging platform.
SMS isn't a great option if you're communicating with people in multiple countries, and often not if you're traveling internationally yourself. Signal might be, if only we could get everybody to use it.
You can deactivate your Facebook profile but still continue to use Messenger, so that's an option.
Will definitely consider this. One issue maybe that I do get invited to a handful of events.

How exactly does this work. No longer having a public page , but people being able to contact me would be great .

Both have lower barriers for entry, and protect your privacy better. Given the nature of the post under discussion this seems relevant to proceedings
They won't. Been there. I asked a lot of people to contact me on phone, sms, email, etc. but not on facebook. Most of them I haven't spoken for years now, ever since I silently deactivated FB. Turns out they were/are not actually interested in me.
Better that you know. Can invest time in better friends.
This is absolutely untrue. Tell those friends to contact you via text, email, chat messenger, or maybe even a phone call!
It's kind of useless.

I don't have an FB account, and have about ~300 email addresses with different retailers etc. But some of them have my phone out of necessity. And so do my friends who use WhatsApp. Which means FB know my name, and what I buy from those retailers that share their data and have my phone number. I've recently pondered getting a trunk so I can give a different number to every retailer, like I do for emails.

There's very little one can do to avoid FB, when they've managed to turn 30% of the world (literally, and closer to 80% in the west) into snitches on you. Stasi would have been envious. And FB happily provides it to any government who would just ask.

Have you tried reinstalling the app? And perhaps deleting iOS-level app data after deleting but before reinstalling?
Deleted app data completely. Made no difference. (I'm on Android).
Unfortunately I have no advice to give to you in such a shitty situation, but this is #1 reason why I have never installed any Facebook-owned app on any smartphone I've ever owned (including WhatsApp and Instagram, of course).

I still interact with their products when I have to, but exclusively from a browser with an adblock.

And Instagram forcing people to install an app to even create an account in its early days was the sole reason why I've never had one.

Facebook worms its way into system apps. Nokia phone camera app pings FB every time you start it up.
Any source on this? I'd like to find out more. That's really messed up.
You can see it using Netguard or other vpn based monitoring apps. com.hmdglobal.camera2 contacts graph.facebook.com
Step 1. Delete the app.

Step 2. Logout of facebook on your browser / clear cookies.

Step 3. Make all private purchases in firefox.

Step 4. Create a new facebook account telling your friends you were hacked.

Step 5. Never open facebook in public and don't create that expectation with peers.

Step 6: Throw your phone and computer in the ocean
Is anyone not feeling this temptation on a daily basis?
Sadly not. I'm way too addicted to my phone.
I guess that’s why we resist the urge.
I use https://freedom.to on my devices and just block truly toxic sites like twitter/reddit in /etc/hosts. Extremely satisfying.
Even wiser: stop after step 3.
I really dont understand why ppl still use fb. There is nothing there that you need. Connecting with family is a phone call away.
Let me preface this with I have quit using facebook, but this is a naive way of thinking.

There's more to staying connected with family than calling them up, a completely synchronous action that interrupts the lives of both involved just to happen. But it's also not scalable to keep a large family or friend group up to date with whats going on in your world, or catch up with whats going on in theirs by calling every one of them up.

I don't really understand why ppl still use phones. There is nothing there that you need. Connecting with family is a drive away.
I have family that lives 1000 miles away, a phone is a better choice for me.
I know, the comment was meant to point out the flaw in this same argument for facebook.
I don’t understand why people still use cars. Connecting with family is just a short stroll away.
Facebook Groups are a great alternative to Reddit for people who don't like 'reddit people'.
Reddit people - the type that say “nice” etc. only exist on the very popular subs. There are plenty of high quality moderated subs.
(comment deleted)
I know Facebook Groups has replaced forum boards/mailing lists for many.
"Connecting with family is a phone call away."

A phone call, an email, a Zoom meeting, a Skype meeting, even a letter away for those too far away to meet in person....

Has anyone ever even used Zoom to connect with family members?
> Has anyone ever even used Zoom to connect with family members?

Most of my (large, 25+) extended family has done so.

And we've used it too. Fortunately for me, Zoom invites also provide a local call in number and I use that -- not from my smartphone, but from a bog standard cordless phone connected to an ATA[0] situated outside my firewall -- to join Zoom meetings.

No, my family doesn't get to see my shining face, but they already know what it looks like.

I've considered setting up a self-hosted Jitsi[1] instance, but it seems like overkill for my needs.

[0] https://en.wikipedia.org/wiki/Analog_telephone_adapter

[1] https://jitsi.github.io/handbook/docs/devops-guide/devops-gu...

The fact that you don't find anything that you need there does not mean it's the same for everyone.

In some circles, Facebook is the only way to communicate and organize events. If you are not there, you are cut out in real life.

which little black bits do I chisel off and microwave?
Step 3.5. Install the Facebook Container extension in Firefox.
Step 6: Use Qubes OS with self-destroying virtual machines to access Facebook. And Whonix of course.
Are you sure the data is from the purchase? For example, did you search for similar things before making the purchase?

Otherwise, sometimes I suspect ads are targeted by IP. Sometimes I see ads for things my wife is interested in.

You might want to try VPN. At least you'll see ads for all the sketchy things other VPN users buy!

I _suspect_ I might have clicked a link for order tracking outside private mode (Gmail's Chrome WebView, go figure...)

Now, to prevent such events in the future I installed Firefox on my smartphone along with uBlock Origin. I use FF on desktop since forever, should have used it on mobile as well.

Brave seems to me better at anti-tracking than Firefox nowadays. Third-party cookies are blocked by default
Just to provide more domain info: if you’re On iOS, the web view in each app has its own profile/cookie store.
FYI: My neighbor smokes cigars. After I made my post above... I saw ads for cigars.

They're probably tracking you via IP.

Oh it's simple, just use the FB/Alphabet support system: Twitter. But make sure you or a good friend have enough social cache or you will be ignored.
Did you use the same email address? I backed something on Kickstarter, and the only common factor between that web session and my facebook web sessions was my email address. I suggest you put in a GDPR request to delete everything they have on you.
Did you purchase the item from a retailer that you gave an email or phone number which matches the one on your Facebook account? If so, I would suspect such an identifier is being supplied by the retailer to Facebook for ad targeting. It could also be your credit card issuer, potentially.

Private browsing helps prevent browser-based tracking, but doesn't help at all if both sides are playing together and have ways of correlating your identity.

For FB, I use an e-mail that is no longer my primary one for almost a decade - all other activity is on a different one.
I applied this same strategy, but I must have let my guard down for a moment and somehow Facebook figured out my new email address.

I find this incredibly annoying, and also pretty spooky.

It doesn't have to be you: your old friend has both, and shares their data with Facebook, Snapchat, and/or Whatsapp (all are Facebook) so you have no hope of concealing this.
> It doesn't have to be you: your old friend has both, and shares their data with Facebook, Snapchat, and/or Whatsapp (all are Facebook) so you have no hope of concealing this.

Instagram, not Snapchat, but yes. That's the main part of how they build "shadow profiles" of people without accounts, afaik.

Here I thought I was being paranoid by practicing complete identity separation opsec. Now it turns out to be barely sufficient for dodging targeted ads. Ugh.
I actually created an email address just for the purpose of creating a facebook account with it. Never shared it with anyone, never really used it for anything other than facebook.

They got me still.

Your friends uploaded their addressbooks, knowingly or unknowingly (e.g. regular use of Instagram, FB Messenger, or WhatsApp, or the FB App would make that seem completely innocent)

So they know "John Smith" whose friends with "Joe User" on Facebook, has an email address for "Joe User" that is different than the one listed for "John Smith"'s account; now they have both. That's part of their business.

Personally, I own a domain. Every retailer, website, etc. I interact with gets their own email address. I have no doubt Facebook knows some of them, and can maybe even connect some of them to my profile -- but it's not certain.

P.S: I don't even use facebook myself.

In several years of doing this, I have not gotten one single piece of spam. Not sure if it's related, but I wonder if $COMPANY is less likely to sell $COMPANY@domain.com to a third party.
I’ve gotten quite a bit of spam, mostly from well known breaches - surprisingly few leaked out to become pure spam.

However, I’ve received several LinkedIn and Facebook invites to these emails from businesses I interacted with - so I know LinkedIn and Facebook (at the very least) have — at least in the past — failed to make the connection between identities.

I think fb also links together emails if your friends have shared their contacts list.

Also, I think FB recognizes residential IP addresses and associates activity from the same IP. I occasionally see Friend recommendations with ppl from ppl that I shared the same IP address with, but normally would not know.

That's not particularly helpful for ecommerce.

One of Facebook's largest businesses is allowing companies to advertise against first-party data, ie lists of activities the customers upload. Crucially, these don't require a cookie sync; facebook matches against any of name, phone, zip9.

https://www.facebook.com/business/help/2082575038703844?id=2...

Naturally, there's not really a way to buy something without presenting this information to the retailer.

What can help OP is this: if in CA, go to the ecommerce company and submit a Do Not Sell request. If in EU, submit a deletion request. NB: for the latter, they will be able to retain information like shipping, etc. If in none of the above geos, hope the retailer is nice and gives the whole world the same rights.

Like others have pointed out, there are a lot of ways for FB to connect an email account you haven't explicitly given them to you. That's been a core 'feature' of FB forever. The other part is - when you made the purchase, the retailer just fed your data to FB for their ad targeting. This covers the vast majority of FB 'spookily' figuring out someone still collects Beanie Babies cases.

Edit: You can also go into your FB ad 'privacy' settings and turn off some of the targeting stuff, for instance 'Ad based on data from partners'. You can also dig around there for a log of partners FB thinks you've 'interacted' with. Turning this stuff off gets rid of the spookiest ads and things like retirement facilities ads because you set your age to 103 when you created the account.

> If so, I would suspect such an identifier is being supplied by the retailer to Facebook for ad targeting. It could also be your credit card issuer, potentially.

This is the problem, so many companies are harvesting our data now it's almost impossible to know how your personal data is being acquired anymore.

That being said, another thing to look out for is sites and apps running Facebook's integration crap. If the e-commerce site in question is running Facebook's code on the site, FB could easily correlate the data (IP address, browser fingerprint, etc.) and connect it back to you even if you are using Private Browsing.

> Now I can't open FB in the public... :/

Sure you can. Let your freak flag fly man ... I wouldn't be too worried about whatever it is you bought. You bought it after all, didn't you?

(I am coming at the context of this being an adult purchase, like a dildo or something)

The situation is a bummer, but don't let something in your FB account give you any amount of shame over this.

Depends where you live I guess. Now I assume these ads aren't showing in contries like dubai since I presume they'd be censored at the isp level, but you never know...
No. You don't get to invalidate someones right to privacy because you've given yours up.

The argument that if you don't have anything to hide you don't need privacy has been beaten to death already.

And when it comes to sexual preferences there are still many countries/states where being able to hide it is a life or death situation.

> No. You don't get to invalidate someones right to privacy because you've given yours up.

I am not invalidating someone's right to privacy.

> The argument that if you don't have anything to hide you don't need privacy has been beaten to death already.

Also not suggesting this at all. I am merely trying to offer a different viewpoint. I interpret the original post as, "I made a mistake, I need need help fixing this so I am not found out" - to which I would say no mistake has been made. That is all I am saying.

If you really value your privacy you don't use Facebook, it's that simple... you can't have one foot in the door and the other outside and think it'll work to your favor.

> I am not invalidating someone's right to privacy.

You are saying that not having the choice to choose what to share is acceptable though. Privacy isn't about having something to hide, it's about having the same rights you have with your day-to-day thoughts; you aren't forced to shout every single thought that pops into your mind, you are able to pick and choose what you would like to express and share. Privacy and encryption aim towards that goal.

In some regions such a purchase could result in community ostracism or rental evictions. It’s okay to encourage people to be brave, but never assume that they refuse to be open purely out of shame.
Or in Saudi Arabia you could be murdered by the State.
I'm pretty sure Facebook does simple IP address tracking to serve ads. I've noticed my wife and I both get served ads for things the other has recently searched for.
Not just Facebook, lots of folks do this.

I was reading an news article on my phone on NYT just yesterday while someone else in the house was buying things from a big online clothing store (not amazon) on her phone at the other end of the couch. In real time the ad slots on the article on my phone switched to show ads for the site she was buying from and for similar products. The had previously been showing me something i bought a few days ago.

I have 2 Youtube accounts on which I watch completely diffent types of videos. One is on Chrome, the other inside a Firefox Container. When I do a google search or just browse something in Chrome, the YT account inside FF will recommend me videos related to the search / browsing, even if they're not at all related to the videos I watch on that account. The YT account on FF will also regularly suggest me videos related to the ones I watch on my Chrome YT account.

The reverse doesn't happen: my DDG searches and FF browsing never bleed on Youtube.

Google (and many others) doesn't care about private mode, separate accounts, profiles or containers.

This is because it's IP based tracking.
And people, even on HN, constantly say I'm being "behind the times" and "overly paranoid" when I point out how happy I am to still be on IPv4 with an address that changes every few days or when I restart the router.
IPv6 != static addresses. My IPv6 prefix changes at least once a day too.
Technically possible, of course, but that’s the first time I’ve ever heard of that happening.

Every single ISP available to me advertises it as a feature: “get fixed IP for free when you use IPv6 (usually $5/month for IPv4)”. When I asked if there’s non-fixed IPv6 they were perplexed at my request and said no.

FYI using a "private window" in your browser makes your traffic private to pretty much no one. it just means that the browser won't collect certain data, but will still collect some, and everything else that tracks you still tracks you
At least in Chrome or Edge. FF and Brave enable some basic tracking protection in private windows, and the latter also gives you the option of obscuring your IP adress with Tor.
> basic tracking protection

Which does not help at all: https://panopticlick.eff.org.

It certainly doesn’t compare to Tor’s anti-fingerprinting, disabling JavaScript, etc., but I think there’s a fair chance it might help decrease the likelihood of a situation like the OP’s by a bit.
I am sure it won’t work against Facebook at all.
Your IP address, browser fingerprinting (despite the private browsing) and so on.

There are just too many ways to identify you, and therein lies the problem.

If this kind of thing is concerning to you, you have no option but to delete the FB account.

EDIT 1: Removed MAC address from my comment, which was incorrect as noted below.

EDIT 2: This is a test that is available from EFF to test your browser fingerprinting: https://panopticlick.eff.org/

FB also has "shadow" accounts, so even this may not be super helpful.
(comment deleted)
can Facebook see your mac-address?
How are merchants and Facebook getting your MAC address?
(comment deleted)
FB app, and several merchants run .swf and java applets that request MAC locally and upload it. Also enumerate WebRTC for lan

FB used to also websocket portscan your localhost + LAN on login from a fbsbx.com domain that also attempted to load native code/windows media player playlists/SWF/Java/Shockwave

> FB used to also websocket portscan your localhost + LAN on login from a fbsbx.com domain that also attempted to load native code/windows media player playlists/SWF/Java/Shockwave

That's straight up malware behavior.

I love panopticlick, but hate it as well. They just tell you ' yup, you're screwed' but they don't tell you how to avoid being so. I get that there are likely some legal reasons, but the tool almost does more harm than good in this way. I don't want to have a browser fingerprint, tell me how to not have one.
And how do you even imagine it working without it doing even more harm by providing false sense of security?
What legal reasons? The first that comes to mind is liability for bad advice, but people give computer privacy and security advice online all the time, and not all of it is good.
Brave. According to Panopticlick "your browser has a randomized fingerprint", and "Your browser fingerprint has been randomized among the 234,060 tested in the past 45 days. Although sophisticated adversaries may still able to track you to some extent, randomization provides a very strong protection against tracking companies trying to fingerprint your browser."
> I don't want to have a browser fingerprint, tell me how to not have one.

Use Tor Browser.

Sure but this is simpler than that. The merchant used their name, address, and email/phone to match to FB. Doesn't really matter what browser/cookies
It is more likely the retailer uploaded this purchase to Facebook with hopes to target you in the future. If you used the same email address or the phone number associated with your Facebook account at the checkout, Facebook "enriched" your interest graph with this information.

In these cases private browsing or a VPN or a using Tor would not help. This is a much common vector for interest targeting at Facebook. Retailers willfully share what you believed would be private with ad targeting platforms like Facebook and Google. Twitter has something similar too I think.

(comment deleted)
Seems rather trivial to simply not go on Facebook. I haven't in years and my life has only gotten better because of it.
Try using an adblocker. Never see any suggestions again.
> Now I can't open FB in the public

The problem here is that the ads would still show on other devices that have no ad block.

(comment deleted)
Full disclosure, I nuked my facebook account in 2016. Having said that can't you just block the ads with ublock origin? If that doesn't work, I'd start going one level deeper and start blocking individual javascript files until I found the one that controlled the adverts. None of this may work, but it's worth a shot?
I don’t know about marketplace ads, but timeline ads are remarkably hard to block. The only differentiator between timeline ads and regular posts is a little bit of text that says “Sponsored”, and FB absolutely goes out of its way to make it very hard to key on the presence of that text (each character in its own span with randomized CSS IDs, interspersed with random characters, with various CSS hiding techniques, sometimes even using the CSS :after properties to inject extra text). That "sponsored" text is present on every timeline post and just selectively hidden on non-ad posts with the same CSS tricks. So, if your filter is even a little bit wrong, it’ll hide every timeline post and make your adblocker look broken.

The solution to not seeing ads on Facebook is to not use Facebook, IMO...

Private browsing doesn't help with this type of tracking. You need to use a browser or a browser add-on that blocks Facebook as a third-party connection. So if any site or app has a Facebook pixel that sends data back to Facebook it will block it from doing so. Alternative is not to use Facebook.
It's a bit of a nightmare we've created for ourselves, isn't it? How did we get to the point where your purchase at one store has become a kind of commercial gossip bought and sold by companies, leveraged to sell even more things?

Why can't a singular purchase be just that?

As many commenters have pointed out, Facebook (and a lot of other sites) have many myriad ways to track you, and so something such using private browsing mode was insufficient to protect your privacy.

What should trouble you, however, is that this sort of correlation is going on all the time in the background. It's not necessarily always the case that the correlation is made apparent to you. Often times (most times?) it will be totally invisible.