In my profile, they managed to obtain a `PURCHASE` event from Macy's -- for an in-person purchase at a physical store. Macy's has my email address and certainly linked it to my credit card number, but this is nonetheless seriously creepy.
I just tried to change my email address on Facebook and discovered that they canonicalize plus and dot variations in gmail.com addresses, and thus claim that the new email address is already associated with an account. Ended up having to create a completely new email alias on my own domain.
It’s not a situation where FB “managed to obtain”. It’s Macy’s directly uploading transactions in order to attribute purchases to their online ad campaigns. It uses email and name etc to match.
With VISA and MasterCard yes, but e.g. the German girocard network on its own doesn’t sell anything, and there it depends on your bank (and most banks don’t sell that data either).
So if you have the choice between using a girocard or a credit/debit card to buy a product, the credit/debit card is significantly more likely to sell all your data.
Unless you are carrying your cell phone at the time—not sure anyone is doing this yet, but I have heard of at least one chain that tracks customers' cell phone locations via triangulation.
Clearly I need to step it up. I was (unsurprisingly) surprised at what I've observed they've managed to correlate. I run standard pi-hole, resist fingerprinting, and normally go through a VPN (mainly because I'm on public wifi half the time when travelling). I haven't logged into facebook in about four years, just did it for the first time today to see what's been correlated.
Aside from the mountain of irrelevant notifications, here's what I've observed in this report that's concerning.
1. Albeit some data has been correlated properly (banking applications which is scary on its own part it's sending data to facebook, imgur, Xbox, my telco provider, and a few misc blogs I've visited a handful of times per year), it's correlated a significant amount of data that may not belong to me (good thing, I suppose?)
2. Why the heck are banking applications sending data to Facebook as "CUSTOM", with no context? For example, RBC bank in Canada sends "CUSTOM" data (haven't been with them for over two years, but all interactions labelled CUSTOM) and Facebook will not give any more context on the exact data it received. Little scummy, Facebook.
Well, time to sweep this up and resist tracking more. Let's see how it works this time round.
I use Facebook container and most of the sites reporting should've never even seen my Facebook account. However, many of these sites have my email address. I highly suspect they're correlating data without knowing my Facebook account itself.
If you're using Android you can get add-ons for Firefox. Also, you can use a firewall app like Netguard [1] to prevent apps from calling FB (graph.facebook.com)... I see most apps attempting to do this, and it's often the first thing they do.
There are similar setups on iOS, I am just not very familiar with the app names.
By blocking many advertisers' tracking cookies (by blocking all access to those hosts by pointing the DNS result elsewhere) it reduces how far your information immediately spreads.
Far from massively effective because it does nothing to stop 1st party tracking and those 1st parties sharing further, or 3rd party cookies for new hosts not in the blocklists yet, but it can still help.
My use of PiHole isn't really an anonymity/tracking avoidance thing, my priorities in using it are avoiding ad network related annoyances like drive-by install attempts from less reputable (and/or hacked) networks, auto-playing audio, pop-ups/-unders, bandwidth waste (particularly from auto-playing video clips), occasional attempts to access microphone and/or camera, etc.
It allows you to block the domains of known third-party tracking companies. However, this measure is going to become less effective over time with the increasing usage of first-party tracking.
Block requests to all of FB's domains in the hope that it can't load FB's scripts or buttons or "like" buttons; literally anything from FB as far as humanly possible.
> I don't think they will tell you the whole truth.
This is true:
> We receive more details and activity than what appears in your off-Facebook activity. For technical and accuracy reasons, we don’t show all the activity we’ve received. This includes things like information we’ve received when you’re not logged into Facebook, or when we can’t confirm that you’ve previously used Facebook on that device. We also don’t show details like the item you’ve added to your shopping cart.
Thanks for that link. Looks like the infamous "ghost profiles" are officially confirmed now.
I wish they would show the ghost profiles as well, but since it's not linked with 100% confidence they are probably not allowing it because it could be a privacy violation if it turns out that the link was incorrect (i.e. they showed a ghost profile to the wrong user).
Wow that's creepy. It lists apps where a) I didn't use FB login/signup and b) used a different email address to sign up. How do they cross-reference that to me? And how can I prevent that outside of their tools (which I assume still violate my privacy)?
Also, if you are creeped out by this, just imagine the amount of data Google has on you. I'm convinced they have way more, just by virtue of every website having Google Analytics installed.
Those are good, but they don't work for what the GP is talking about. I'm seeing games/apps associated with my FB account even though I never logged in to FB with them or gave them any info. I literally just opened the app and that activity was associated with my FB account.
I have no idea how they're doing this, since they didn't even request storage access (or I didn't give it). Can any Android developer here chime in on how an app can figure out my Facebook ID even though I don't even have Facebook installed on my phone and didn't give any sort of credential or access to the app?
Once you've logged into facebook from the device, they likely created a device fingerprint for your device: https://en.wikipedia.org/wiki/Device_fingerprint . This would allow them to identify you even without a cookie or ad id to correlate against.
I found a mere four items in my activity list, all from several months ago, probably when I mistakenly used the wrong container or had uBlock turned off. It's nice to see all my anti-tracking software is working!
I use Firefox Containers to limit any logged in FB activity to that & never log in using FB other than FB website itself. I have no FB apps (including WhatsApp).
I've been running uMatrix for a few months.
My firefox tracking-prevention (similar to EFF's one, but probably not as good) is always using maximum privacy settings.
I still have a few sites appear... AND for websites I've never even visited (that I'm aware of, & I'm the only user of this machine)
There seems to be some serious fingerprinting going on, more than simple cookies.
Agreed, even with all of the above I had about 15 or so sites in that Facebook list. I suspect it's because I was logged in to Facebook on my phone's browser for a while. Not sure why I even did that...
Even before firefox containers, I used a dedicated profile for facebook only as well as using privacy badger and ublock origin. Facebook still collected data about me from external sites. I think mainly through my phone, possibly through linking phone number or email addresses.
Some chat apps (like Viber and others) have Facebook SDK integrated in them, without any direct Facebook functionality people would use. Discovered after using NetGuard, and seeing who is calling home, and not only home. (Why is Viber making requests to graph.facebook.com anyway?)
Duolingo is a nice app for learning new languages, yet it might be using the same sdk, since it likes to call facebook.com domain.
Netflix is a good streaming service, but it has some option somewhere, which allows them to share data with others, and enabled by default. And yes, it's present in fb activity.
The list can go on...
There are developers who integrate dozens of SDKs, without any specific purpose for users, and not knowing what is happening. We need something like PrivacyBadger/ublockorigin for phones/laptops/routers/homes/cars. It's getting more than creepy.
And why would Facebook allow third-parties/businesses to upload into FB info they have on their customers...
I'm pretty sure that 95% of the activity that is listed for me comes from the Facebook tracking pixel, that every website has to embed if they want to (effectively) advertise on Facebook.
I use uBlock Origin and Privacy Badger on my desktop and phone, as well as Blokada, and yet Facebook still had a bunch of app activity even though I never ever sign in to stuff using FB (or even gave the apps my email or any other piece of personal data).
I literally just opened the app, granted no permissions, used it a bit, and Facebook associated it with my account. What the fuck.
By far the worst thing are Android phone applications (not only FB official app). They have their spyware bundled and can slurp from you the data which are normally inaccessible by web browser, from phone number, IMEI, mail addresses to all your contacts and there is almost nothing you can do except installing VPN based firewall (like NetGuard) and block all access and add permissions one by one for each URL. This should just be illegal.
As an EU "customer" I'm rather surprised by this. There are services that I've signed up to since GDPR came into effect which I didn't get explicit consent to do this. For example my business bank. Why would I give them permission to share data with my personal Facebook account? I will be digging into this more.
I don't think that'd really be true, since they'd just have it stored in the background without you having a FB account (and wouldn't have the ability to see how bad it is)
Does that stop Facebook from collecting data about you? I didn't think it did, and because you don't have an account it's not, or at least wasn't possible to control any privacy settings.
Technically, no. Legally, it means you haven't accepted their terms of service, so if/when (I hope) the political privacy landscape changes, it'll be more likely that you can sue, report a violation, request deletion, (or maybe they'd even preemptively delete it to cover their tracks / come into compliance with new laws).
which I did a couple of years ago.
Now I have no idea what they know about me. I use adblock and friends, but I wonder how much data about me they still manage to gather
Allegedly, I ditched my Facebook account years ago. Not just deactivated but deleted, though I don’t really believe it. Is there any way to see what’s in this (or to see if my account really is gone) without accidentally re-upping?
Hmm. I have no website activity listed - but seemingly every single Android game and a few other apps is sending "activity" to FB, despite me never using any feature to associate the two. This sounds like: https://privacyinternational.org/report/2647/how-apps-androi...
> "Privacy International has tested both opt-outs and found that they had no discernible impact on the data sharing that we have described in this report."
So there's that. I wonder if any opt-out really helps. I think the best approach is still to use a good blocker such as uBlock Origin.
Blocking the entire Facebook ASN at the firewall/network level stops this. Google is a bit more tricky as they also have GCP so you can’t block their ASN without also blocking innocent services.
Specifically, how do you do it on a normal Android device? Is it even possible to do this on an iOS device that's on 4G or someone else's wifi? Do iOS devices have the same "leak"?
You either need to control the mobile side of things and never connect to unrestricted Wi-Fi or use Apple Configurator to create a profile for an always-on VPN to a place you control where you can apply the restrictions.
The Android advertising_id property and the iOS IDFA (identifier for advertisers) are available to every app, and once an association against the id and your Facebook account is made further interactions can be attributed to your identity.
Both of these identifiers can be reset at any time via OS features, making you appear as a new user (at least until fingerprinted or a new association with PII is made)
Realise that you don't really need those android apps, or the google or facebook account. The utility and entertainment you get is half of surveillance capitalism ecosystem, and the other half is that they compile all this information about you.
I know it sounds preachy and it's not a conclusion most people will like. But, like fasting, going without something you like but don't really need does help you focus on what you really do need.
I don't actually care all that much and I like my luxuries. Do I "need" the Google account? No. Do I want to tell every person and business currently using it that I've changed email? Also no, that's a huge amount of work. Likewise for facebook, which is now down to once-a-day-ish use for coordination with a specific group of people whom I do not want to do the work of moving all of them off Facebook too.
Yeah, I make similar trade-offs. The sunk cost of a few TV show purchases keeps me from closing my Google account. But I won't let it anywhere near my phone.
I think the process of honestly asking the question is more useful than the actual answer. Life & society is full of compromises.
Is it just me, or is there no way to download activity details? I click on an activity, then there's a few examples and a link to download, but this leads to a generic "Download your information" page and I cannot see an entry for the app or off-facebook specifically...
How can I block it? Some apps are on my iPhone, but I don't have the Facebook app on it (I do have Messenger), and only used the apps on the phone. Aren't they isolated in some way?
For downloading the data there is an option to download "Ads and Businesses" under "Information About You". I just downloaded it, and it includes all data that was shared.
However, the data only shows the source, timestamp and activity ID. The actual event data is not included.
EDIT: the link doesn't seem to work, so you can click on "Manage Future Activity" => "Manage Future Activity" in the popup => Disable "Future Off-Facebook Activity"
> We will still receive future activities from companies and organisations you visit. These might be used for analytics and to improve our advertising systems, but will not be connected to your account.
(Translated from Dutch because for some reason Facebook figured I'd want this particular message in Dutch.)
Extrapolation: "Account" here means the Facebook account created by you and visible to you; probably distinct from "Profile" in their lingo, which is all the data they have on you, of which most is invisible to you. If this is true, that's not an opt-out for data collection, just a choice to keep that info from showing in your account while merrily continuing to build your profile.
I mean, they’ve already been shown to keep every tiny nugget of data, this feels more like “we won’t give anyone else tools to see that it’s you” instead of “we’ll anonymize it sufficiently”
I know many, including myself, that do not have a Facebook account (so can't login to this) but do have an Instagram account. Is there an off_instagram page? I'm sure that's also collecting data in some way.
Deliveroo has evidently been sending them all my orders. Or at least, there are as many 'interactions' as I have made orders. I don't log in via my Facebook so that is an unwelcome surprise.
Same here. I had to recollect if I even signed up with Facebook. After checking my Deliveroo settings, it seems that my FB account isn't even connected. This is insane...
Do you use the same e-mail address for both Deliveroo and Facebook?
If so, that could be how they matched you. Facebook lets businesses create custom retargeting audiences[1] from existing customers, and you can (obviously) include interaction data in order to segment e.g. frequent customers from occasional customers.
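Added example, not part of the thread and not Facebook's or any advertiser's code: a sketch of why the plus and dot variations of a gmail.com address mentioned earlier in the thread still match the same account when a business uploads customer records keyed by email, while an alias on a separate domain does not. The function names, the SHA-256 join key, the source labels and all addresses are assumptions constructed for illustration.

```python
import hashlib

# Assumption: dot/plus folding applies only to gmail.com, as the thread reports.
FOLDING_DOMAINS = {"gmail.com"}


def canonicalize_email(address):
    """Lower-case the address and, for folding domains, drop '+tag' and dots."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in FOLDING_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def match_key(address):
    """Hypothetical join key: SHA-256 of the canonical address."""
    canonical = canonicalize_email(address)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def match_uploads(accounts, uploads):
    """Join uploaded customer events to accounts on the canonical-email key."""
    index = {match_key(email): acct for acct, email in accounts.items()}
    matched, unmatched = [], []
    for record in uploads:
        acct = index.get(match_key(record["email"]))
        if acct is None:
            unmatched.append(record)
        else:
            matched.append((acct, record["source"], record["event"]))
    return matched, unmatched


# Constructed sample data: one platform account, three advertiser uploads.
ACCOUNTS = {"acct-1": "jane.sample@gmail.com"}
UPLOADS = [
    {"source": "store-a", "email": "JaneSample+store@gmail.com", "event": "PURCHASE"},
    {"source": "game-b", "email": "j.a.n.e.sample@gmail.com", "event": "ACTIVATE_APP"},
    {"source": "food-c", "email": "shop@jane.example", "event": "PURCHASE"},
]

if __name__ == "__main__":
    matched, unmatched = match_uploads(ACCOUNTS, UPLOADS)
    for acct, source, event in matched:
        print(f"{acct}: {event} from {source}")
    for record in unmatched:
        print(f"no account for {record['email']} ({record['source']})")
```

Only the address on its own domain stays unlinked here, which is consistent with the workaround described earlier in the thread.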
I suppose that would explain it. I can't see what Deliveroo get out of it though, and how they might expect Facebook to have a better handle on what sort of food I would order and how often as opposed to Deliveroo themselves, who know. I wonder if they have plans for service expansion into "Deliveroo but for X" and want to see what their customers are into. Or perhaps they want to see if I am two-timing them with Just Eat!
Funny, I now remember reading a post from someone claiming that if they ordered an online grocery shop off a company that was not their usual, like magic a voucher would appear from their original company. I assumed this was coincidence, but this is the exact mechanism that such a thing could happen.
Of course this could also just be a manifestation of the trend of companies desiring data for data's sake, and a load of deliveroo managers are sitting in a meeting somewhere looking at a graph showing an intersection of people who are into retro computing and also like burritos and trying to brainstorm some strategy off such trivia.
Anyone else thrown off that “Download Activity Details” (which seems to be the only way you can find out what interaction was sent) leads to the main Download Your Information page, and not to anything specific to that app or that interaction?
I don't use Facebook, but I do use Messenger as I have a couple of close family members who refuse to use anything else. I've just logged into Facebook (which has no history as I've purged it[1]), and still there are 5 apps sharing my activity with Facebook. These 5 apps are all on my phone, so I guess Messenger is also sharing back to FB. :(
Doing retargeting for when (a) someone downloads their app but doesn't signup and (b) someone is a customer but has low engagement i.e. is likely to churn.
I have Monzo in my list too and downloaded the actual data. The only things listed are `ACTIVATE_APP` events. It doesn't seem to send any details to Facebook aside from that you "activated" (opened) the app.
When I used to have https://lua.xprivacy.eu/ it used to prompt me a lot, saying "This app is calling this API, do you want to allow or deny?" (or allow/deny for 1 minute or 10 minutes). The Facebook app would query what packages/apps are installed on the Android phone.
Yeah, Android devs, why is that an accessible API call?
For one thing this is how FB could figure out how popular their competitors like WhatsApp, Instagram or Snapchat were, and why they bought them, or tried to.
Four days before the UK general election, Facebook apparently "received activity" relating to me from an anonymous, icon-less organisation with a cryptic name, who appear to be completely un-googleable.
I believe the vague wording is intentional, so they can just stop displaying it to you, while continuing to collect the data. It's like how "delete account" works.
There is nothing on this page I was not aware of and intentionally linked (e.g. Strava).
So does this mean I am successfully stopping them from tracking websites I visit via tracking pixels / IP mapping / whatever other nefarious shit they do, or are they just not showing this information here?
And the last date they received information about me according to Facebook is the last date I used the app. Revolut mentions "Analytics providers" in their privacy policy as companies they are sharing my data with.
> The summary doesn't contain your most recent activity. It may take a few days for your activity to show in your off-Facebook activity. The dates in your activity summary are when we received the activity.
Because Revolut is the only fintech/banking app that is actually on the list. I do have other 3 banking applications installed on my phone that I regularly use + N26 (another fintech) -- none of these are in the data sharing list.
What are the best ways to protect against this kind of tracking? I would argue it's probably better to keep a Facebook account so you can see what they're tracking and work to prevent it.
In my browser I'm running uBlock Origin, HTTPS Everywhere, and Privacy Badger. I'm guessing those will help quite a lot. However on an iPhone what can I do (as that's where a lot of this data seems to be coming from)?
I can't believe that this stuff is acceptable, or even legal. The fact that you're tracked off-Facebook (for instance), even if you're not logged in or on Facebook is not just creepy, but borderline abusive.
It would be good to name and shame every vendor that shares data with Facebook and have them in a searchable list, so people can check before engaging with them.
It's a page for people with an account at FB that lists the 3rd party websites that have given information to FB.
> Off-Facebook activity includes information that businesses and organisations share with us about your interactions with them, such as visiting their apps or websites.
It's creepy.
> We receive more details and activity than what appears here. For technical and accuracy reasons, this list doesn't show all of the activity that we've received. Activity that is not shown includes information that we've received when you're not logged in to Facebook, or when we can't confirm that you've previously used Facebook on that device. It also includes details such as the item that you added to your shopping basket.
In case of Facebook, one has to wonder, is this a move towards consumer privacy, or a way for Facebook to clear cache so they could build a more up to date profile of you.
I apparently have no records of off-Facebook activity. This is probably because of blocking all 3rd-party cookies and enabling the blocking of social media trackers in both uBlock as well as that built into Firefox.
Seems like most of my data they got from apps on my Android phone, there was even an app that I just installed, opened and uninstalled in less than a minute without even logging in or anything.
Set the "limit ad tracking" feature on your phone at the OS level and the advertising id will become unavailable to everything. On Android this is Settings > Privacy > Advanced > Opt out
You can disable the storage of this data on the linked page.
But I'd recommend going to the source: Read the privacy policy of each party delivering data and check if they mention it. I already sent a mail to the DPO of an app provider which shows up in this list and doesn't mention Facebook in their privacy policy.
That's so funny that they come up with this page these days.
"We receive Jane's off-Facebook activity and we save it with her Facebook account. The activity is saved as "visited the Clothes and Shoes website" and "made a purchase"."
I downloaded my data before, and never have I seen what exactly the listed companies sent to FB.
I have a list of just a few companies (mainly by using a different email address for FB only) but still, I have no idea what these companies sent to FB about me.
Edit: I found the data now - it's now available for export.