1) Install https://www.eff.org/privacybadger to prevent trackers from being loaded
2) Install https://addons.mozilla.org/en-US/firefox/addon/cookie-autode... to delete any cookies you might have accepted after a week's time or so, which prevents the infinite gobbling-up of your data after innocently accepting a cookie once
3) Install the Google, Facebook, Twitter and Amazon containers to "separate" your browsing with these sites from the rest of your browsing. Links: https://addons.mozilla.org/en-US/firefox/addon/facebook-cont... https://addons.mozilla.org/en-US/firefox/addon/twitter-conta... https://addons.mozilla.org/en-US/firefox/addon/google-contai... https://addons.mozilla.org/en-US/firefox/addon/amazon-contai...
Also, if you are creeped out by this, just imagine the amount of data Google has on you. I'm convinced they have way more, just by virtue of every website having Google Analytics installed.
I have no idea how they're doing this, since they didn't even request storage access (or I didn't give it). Can any Android developer here chime in on how an app can figure out my Facebook ID even though I don't even have Facebook installed on my phone and didn't give any sort of credential or access to the app?
I've been running uMatrix for a few months.
My Firefox tracking-prevention (similar to EFF's one, but probably not as good) is always using maximum privacy settings.
I still have a few sites appear... AND for websites I've never even visited (that I'm aware of, & I'm the only user of this machine)
There seems to be some serious fingerprinting going on, more than simple cookies.
Has anyone done a good deep dive on what Google actually does with GA data?
> except installing vpn based firewall
So they can send the data instead?
- use Facebook pixel tracking on the site.
- hand over all of their users' email addresses to use for audience building.
Or most likely both. Creepy stuff indeed.
I literally just opened the app, granted no permissions, used it a bit, and Facebook associated it with my account. What the fuck.
690 App/Sites for me! Not overly surprising really
Duolingo is a nice app for learning new languages, yet it might be using the same SDK, since it likes to call the facebook.com domain.
Netflix is a good streaming service, but it has some option somewhere which allows them to share data with others, and it is enabled by default. And yes, it's present in FB activity.
The list can go on...
There are developers who integrate dozens of SDKs, without any specific purpose for users, and not knowing what is happening. We need something like PrivacyBadger/ublockorigin for phones/laptops/routers/homes/cars. It's getting more than creepy.
And why would Facebook allow third parties/businesses to upload into FB info they have on their customers...
PS: analysis of how a simple menstrual tracking app is leaking data about the owner https://media.ccc.de/v/36c3-10693-no_body_s_business_but_min...
I’m on iPhone, and see apps listed where:
- I’ve never logged in on the web
- I’ve never clicked to open a link in a browser on-device
- Used a phone number to sign up that’s not associated with my fb account
- Didn’t use email at all
not saying that's worth having an account though.
Here is my secret: I deleted my facebook account several years ago. (before it was cool)
I love how links like this are (successfully?) attempting to pull people back in.
I just tried to change my email address on Facebook and discovered that they canonicalize plus and dot variations in gmail.com addresses, and thus claim that the new email address is already associated with an account. Ended up having to create a completely new email alias on my own domain.
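The plus and dot variations mentioned in the comment above, as an added example (not part of the thread, and not Facebook's code). It applies Gmail's own rules, under which dots in the local part and anything after a `+` are ignored, to a constructed list of addresses and groups the ones that a matcher applying those rules would treat as a single identity. The function names and sample addresses are made up for illustration.

```python
from collections import defaultdict

# Domains where the dot/plus rules below apply. googlemail.com is Gmail's
# alternate domain for the same mailboxes.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address: str) -> str:
    """Return the form a Gmail-aware matcher would compare on (hypothetical helper)."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    # Assumption: the matcher lowercases every address before comparing.
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]   # drop the +tag
        local = local.replace(".", "")   # dots are not significant
        domain = "gmail.com"
    # Other domains are left alone: their plus/dot handling is not known.
    return f"{local}@{domain}"


def group_aliases(addresses):
    """Map each canonical address to the input addresses that collapse to it."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonicalize(addr)].append(addr)
    return dict(groups)


# Constructed sample addresses, not taken from the thread.
SAMPLE = [
    "jane.doe@gmail.com",
    "janedoe+facebook@gmail.com",
    "J.a.n.e.Doe+shop@googlemail.com",
    "fb-only@example.org",
    "jane.doe+facebook@example.org",
]

if __name__ == "__main__":
    for canonical, aliases in group_aliases(SAMPLE).items():
        print(canonical, "<-", aliases)
```

The three Gmail variants collapse to one identity, while the addresses on a separate domain stay distinct.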
While it's easy to point at Facebook and say "they are so creepy" - this sounds like the type of challenge every marketing department faces. "What is the attribution of X,Y,Z ad campaigns?"
Connecting purchase + email + 'where the ad happened' via social solves that.
interesting.. they could use that to predict earnings..
And unless you rotate your financial passwords on a frequent basis, that access continues pretty much indefinitely[2].
[1] https://plaid.com/products/income/
[2] Not true for 100% of cases, but a general rule of thumb that's applicable to the majority of institutions they log into with your credentials.
A few years ago when Chipotle had its little food scare, Foursquare used its data to predict how much the restaurant chain's revenues would decline. IIRC, it was accurate to within 1%.
I just tell them that I don't have one. On the very rare occasions anyone has balked I tell them I just moved and haven't set up my internet yet.
- Fingerprinting resistance in Firefox (privacy.resistFingerprinting = true)
- First-party isolation in Firefox (privacy.firstparty.isolate = true)
- Blocking third-party cookies in Firefox (network.cookie.cookieBehavior = 1)
- Firefox container when I need to login to ad/tracking companies (Facebook, Google)
- uBlock Origin
- Cookie AutoDelete
- PiHole on my home network
It's just like with Google history you can "delete".
They have the data stored for the authorities anyway.
They are required to do it by law (Patriot Act etc.)
This is true:
> We receive more details and activity than what appears in your off-Facebook activity. For technical and accuracy reasons, we don’t show all the activity we’ve received. This includes things like information we’ve received when you’re not logged into Facebook, or when we can’t confirm that you’ve previously used Facebook on that device. We also don’t show details like the item you’ve added to your shopping cart.
I guess the only thing better would be 50 stores I never shop at. I might experiment in the future with finding ways to deliberately poison companies' data wells with incorrect information...
BTW, how does PiHole help in regards to anonymity?
By blocking many advertisers' tracking cookies (by blocking all access to those hosts via pointing the DNS result elsewhere) it reduces how far your information immediately spreads.
Far from massively effective because it does nothing to stop 1st party tracking and those 1st parties sharing further, or 3rd party cookies for new hosts not in the blocklists yet, but it can still help.
My use of PiHole isn't really an anonymity/tracking avoidance thing, my priorities in using it are avoiding ad network related annoyances like drive-by install attempts from less reputable (and/or hacked) networks, auto-playing audio, pop-ups/-unders, bandwidth waste (particularly from auto-playing video clips), occasional attempts to access microphone and/or camera, etc.
My bank should send precisely zero things to advertising / marketing companies.
Have you raised it with their Help team? You should.
Unfortunately I cannot as I do not have a facebook account so cannot determine whether or not facebook hold data on me without creating an account.
They have the Facebook Pixel installed likely to do retargeting advertising when a person visits their website.
It's one of the most effective methods so it's very common to see it everywhere.
Still not ideal, but not completely terrible.
Yeah, Android devs, why is that an accessible API call?
For one thing this is how FB could figure out how popular their competitors like WhatsApp, Instagram or Snapchat were, and why they bought them, or tried to.
Aside the mountain of irrelevant notifications, here's what I've observed in this report that's concerning.
1. Albeit some data has been correlated properly (banking applications which is scary on its own part it's sending data to Facebook, imgur, Xbox, my telco provider, and a few misc blogs I've visited a handful of times per year), it's correlated a significant amount of data that may not belong to me (good thing, I suppose?)
2. Why the heck are banking applications sending data to Facebook as "CUSTOM", with no context? For example, RBC bank in Canada sends "CUSTOM" data (haven't been with them for over two years, but all interactions labelled CUSTOM) and Facebook will not give any more context on the exact data it received. Little scummy, Facebook.
Well, time to sweep this up and resist tracking more. Let's see how it works this time round.
I'll share my strategy.
On desktop:
Banking: Vivaldi Browser w/ privacy badger and ublock origin
Email and Commerce: Chrome Browser w/ privacy badger and ublock origin
News and other BS (like Hacker News): Firefox browser, always in private mode w/ privacy badger and ublock origin
LinkedIn (in the rare case I use it): Internet Explorer
Mobile:
Facebook: Opera
Commerce: Chrome
Reddit: Naked Browser
News and other BS: DuckDuckGo Browser
EDIT: I also do not use my credit card on my phone unless in extreme rare events. Absolutely no banking on my phone. No fancy apps (I use the web version where possible) beyond the generic stuff like email and maps. I use Signal for texting.
My strategy (Desktop & Mobile):
Firefox + Facebook Container & uBlock Origin & Privacy Badger & DDG as search.
So how were they able to track so much about you? Do you have the Facebook or WhatsApp app on your phone? Or is this just the difference that they track much more in the US than in Europe?
Any sensible way of stopping this?
> "Privacy International has tested both opt-outs and found that they had no discernible impact on the data sharing that we have described in this report."
So there's that. I wonder if any opt-out really helps. I think the best approach is still to use a good blocker such as uBlock Origin.
Both of these identifiers can be reset at any time via OS features, making you appear as a new user (at least until fingerprinted or a new association with PII is made).
I know it sounds preachy and it's not a conclusion most people will like. But, like fasting, going without something you like but don't really need does help you focus on what you really do need.
Here's an example to what extents they will go in order to not give you what you're entitled to by law: https://ruben.verborgh.org/facebook/
In fact, if they were GDPR compliant, they wouldn't be collecting this data in the first place.
EDIT: the link doesn't seem to work, so you can click on "Manage Future Activity" => "Manage Future Activity" in the popup => Disable "Future Off-Facebook Activity"
My off-Facebook activity had zero entries and I want to keep it that way. If they ever associate something with me I want to be alerted to the fact.
> We will still receive future activities from companies and organisations you visit. These might be used for analytics and to improve our advertising systems, but will not be connected to your account.
(Translated from Dutch because for some reason Facebook figured I'd want this particular message in Dutch.)
I have not connected my Facebook account for over 90% of these sites/apps but they still sent my data to Facebook.
But some are essential. Transferwise is not connected to my FB account but is sending data to Facebook.
I'm assuming Facebook keeps a history of my email addresses that it can still associate it to my account.
Another option is to change all my email address at these sites.
The biggest impact, for me, is that the dominance of Google and Facebook based on having access to this data for the general population has led to worse advertising revenue for the news industry and some of my favorite websites. That has caused some of them to rely on memberships and paywalls.
I also don't appreciate that the money that they've accrued due to their dominance as a result of data like this has led to undue political influence. That comes at the expense, I believe, of voters (and I'm one of them). I don't think that power is healthy for a democracy, generally. I believe this about non-tech companies, too, so I wouldn't suggest anybody just pick on this industry.
This isn't to say that I'm not concerned about privacy. It's only to say that IF YOU AREN'T, then there are other reasons to root for people to have transparency around how their data gets passed around.
/s
Honestly, I think that health-related searches that are directly tied to a specific individual (especially without informed consent - I didn’t log in or receive any notice this was being done) should be covered by HIPAA just like any other personally identifiable health record.
The other weird one was the huge amount of data my bank was sending. 20+ requests per session. I have no idea why they would do that.
I wonder what Google is doing with all those health related searches I'm making...
Unauthorized copying or use of this information could be simple copyright infringement, which is apparently criminal enough to involve the FBI if you are a movie studio with enough money to spend on political donations.
bannerhealth.com (8)
The portal where I access my records is on a third-party vendor's domain and this is likely just from Like buttons on their public site. But I wouldn't be surprised to see the name of the specialist I saw (just to look up their phone number) or a condition they treated (the portal links to articles there) in those 8 entries. Haven't bothered to download my entire history just to see...yet. One of their employees says this is in error[2] so hopefully it will be fixed.
I guess signing in with email is pretty much equivalent to contacting Facebook if this is possible to do.
Besides that there are physical retailers that send data to Facebook even though I don't recall giving them any idea identifying info. I feel powerless since I rely on Messenger for communication with friends, who I've tried and failed to convince to switch elsewhere.
[1] https://www.plex.tv/about/privacy-legal/privacy-preferences/
[2] https://forums.plex.tv/t/why-is-plex-sharing-my-activities-w...
Could you elaborate on why this is an issue? Plex doesn't really have network effects and is usually only managed by 1 person.
Maybe you give your friends access to your instance? In which case it seems like they are in no position to complain.
If so, that could be how they matched you. Facebook lets businesses create custom retargeting audiences[1] from existing customers, and you can (obviously) include interaction data in order to segment e.g. frequent customers from occasional customers.
But in the end I still would have deleted it. Facebook clearly can't be trusted with my data. Idc what connections it gives me. They have shown time and time again that they will exploit the tiniest things to predict and manipulate your behavior.
And apparently companies desperate for even slight upticks in conversion rates will upload everything they know about you.
No wonder Cambridge Analytica, AggregateIQ, and Robert Mercer had such an easy time compiling psychological profiles and categories of Americans and Brits.
In the end, it's real simple. The human brain adjusts based on the environment and events around it. I'd rather not have Zuckerberg, Dorsey, or anyone else they deem worthy, intentionally or otherwise playing around in my head.
I'm near 100% sure they're still trying to track & sell me, but without an account I can't even see it.
They sent me all the warnings that they were deleting anything.
Do I believe them at all? Not really?
https://i.imgur.com/Wz7O8HU.png
Edit: typo complacenet to complicit, thanks Zarel.
https://www.grandviewresearch.com/industry-analysis/cardboar...
https://www.ibisworld.com/united-states/market-research-repo...
If you went there to buy moving boxes, they might show you ads for paint or other things someone who just moved might want.
Well, that's reassuring.
> icon-less organisation with a cryptic name
Oh my god what if they're foreign? Isn't it terrifying to think about foreigners? Better take that fear into the voting booth with you.
How do I do so?
Also, I never consented to this being collected. How can their practice of collecting this type of data be GDPR compliant?
But I'd recommend going to the source: Read the privacy policy of each party delivering data and check if they mention it. I already sent a mail to the DPO of an app provider which shows up in this list and doesn't mention Facebook in their privacy policy.
But then I went from creeped out to oh shit as sites I run were on the list. The way Facebook puts it, these businesses are actively sharing data with Facebook for the businesses' benefit. But as a developer who has been asked to put a pixel on a site many times, I have to rethink the data exchange here. Obviously the sites are not getting the benefit that Facebook is receiving from everyone piping in data – often unknowingly.
How is that obvious?
Surely sites would eventually stop going through the extra effort to maintain trackers if they didn't get a benefit?
How can I block it? Some apps are on my iPhone, but I don't have the Facebook app on it (I do have Messenger), and only used the apps on the phone. Aren't they isolated in some way?
However, the data only shows the source, timestamp and activity ID. The actual event data is not included.
(seriously, concerned citizens should consider browsing fb incognito and never stay signed-in)
Furthermore, I don't understand how any of this is GDPR-compliant.
- View coinbase.com
- Turn off future activity from coinbase.com
- Give feedback about this activity
Does 'turn off' mean they won't share this information again, or that I won't be told about it again?
Can someone please share it?
> Off-Facebook activity includes information that businesses and organisations share with us about your interactions with them, such as visiting their apps or websites.
It's creepy.
> We receive more details and activity than what appears here. For technical and accuracy reasons, this list doesn't show all of the activity that we've received. Activity that is not shown includes information that we've received when you're not logged in to Facebook, or when we can't confirm that you've previously used Facebook on that device. It also includes details such as the item that you added to your shopping basket.
Including one specific app that they have 356 interactions from that I really do not want associated with my facebook account.
Looks like I am going to be spending the next couple of days digging through the report I just generated.
When this is all server side is the only option to make an email that is only for facebook and hope they can't link data any other way?
I suggest stopping doing business with that vendor and letting them know why.
In my browser I'm running uBlock Origin, HTTPS Everywhere, and Privacy Badger. I'm guessing those will help quite a lot. However on an iPhone what can I do (as that's where a lot of this data seems to be coming from)?
- Email address
- Cell phone number (even if you only used it for 2FA)
- Credit card number (if you ever made a donation via Facebook or bought digital currency in a Facebook game)
- Advertising ID of your mobile device (can be reset in Android as well as iOS)
In order to avoid tracking, you have to make sure that none of these are known to Facebook and to other companies.
Nah, I will pass.
How can I block them in the future?
Is it necessary to have a FB account in order to read TFA?
Surely, Facebook must be collecting this on non-users as well who obviously have not agreed to their terms.
I installed their app once, figured it doesn't properly do the only thing I needed it for (show battery charge level), and I went to uninstall it. How did it find itself on Facebook?
The app wasn't given any permissions and I did not enter any personal information. The TOS did require giving consent to sending app and watch usage data but I didn't tick allowing that for marketing purposes nor was personal information mentioned, just identification data from the phone itself, operating system etc.
The app must have obtained my phone number or email from the phone's personal data. Apparently that's possible even if I declined all explicit permissions. They might be able to find my Google email by using Android's AccountManager APIs. Phone number might be possible but slightly tricky and I think I disconnected my phone number from Facebook way before installing their app.
Interesting stuff - looks like everything should run in an anonymous container by default on phones, too. I hope we'll get there soon. Still, a lot of this is based on trust rather than technical countermeasures. Will you trust the vendor or not?
> We receive more details and activity than what appears here. For technical and accuracy reasons, this list doesn't show all of the activity that we've received. Activity that is not shown includes information that we've received when you're not logged in to Facebook, or when we can't confirm that you've previously used Facebook on that device. It also includes details such as the item that you added to your shopping basket.
It seems to me that this gives them carte blanche to omit anything they feel like omitting.
[1] Shameless plug: https://github.com/Jaruzel/DeleteFacebookActivity
[Cross-posted from the other thread]
"We receive Jane's off-Facebook activity and we save it with her Facebook account. The activity is saved as "visited the Clothes and Shoes website" and "made a purchase"."
I downloaded my data before, and never have I seen what exactly the listed companies sent to FB.
I have a list of just a few companies (mainly by using a different email address for FB only) but still, I have no idea what these companies sent to FB about me.
Edit: I found the data now - it's now available for export.
This isn't necessarily sinister... but it certainly raises some questions on what these streaming video companies are telling Facebook on a regular basis.
You know, you hear about tracking cookies but it's a whole other thing to see it staring you in the face. What's the most shocking is how small so many of these entries are. Like, there's a local children's day-camp and sports facility that I send my kids to on P.A. days on the list. And a local politician's page.
So does this mean I am successfully stopping them from tracking websites I visit via tracking pixels / IP mapping / whatever other nefarious shit they do, or are they just not showing this information here?
So, basically all the information they have on me? I don't log in to Facebook all that often. By not helping them survive me, they'll coyly pretend like they have less surveillance data tied to my account in their database than they do. I doubt they're going to purge those surveillance records for "technical and accuracy" reasons.
Anyone else??
Wow, this is beyond creepy.
Just a few days ago I wanted to research some nasty disease and I used brave on TOR to watch some stuff about it on YT.
First thing after I opened FB was a clinical laboratory tests adv.
Qubes OS with disposable VMs helps!
Would s/o mind explaining what this is all about.
It was very surprising to see ENBD in the list.
looks like facebook knows my phone's "hardware id" from somewhere
edit: good to know that uBlock blocked all web activity
It says I completed a registration for a company I never signed up to.
I did visit that company's restaurant that day, but I did not purchase anything.
Are some companies auto-registering you?