from Hacker News

Off-Facebook activity

by bigbaguette on 1/29/20, 9:46 AM with 379 comments

  • by thegeekbin on 1/29/20, 12:30 PM

    Clearly I need to step it up. I was (unsurprisingly) surprised at what I've observed they've managed to correlate. I run standard pi-hole, resist fingerprinting, and normally go through a VPN (mainly because I'm on public wifi half the time when travelling). I haven't logged into facebook in about four years, just did it for the first time today to see what's been correlated.

    Aside the mountain of irrelevant notifications, here's what I've observed in this report that's concerning.

    1. Albeit some data has been correlated properly (banking applications which is scary on it's own part it's sending data to facebook, imgur, Xbox, my telco provider, and a few misc blogs I've visited a handful of times per year), it's correlated a significant amount of data that may not belong to me (good thing, I suppose?)

    2. Why the heck are banking applications sending data to Facebook as "CUSTOM", with no context? For example, RBC bank in Canada sends "CUSTOM" data (haven't been with them for over two years, but all interacts labelled CUSTOM) and Facebook will not give any more context on the exact data it received. Little scummy, Facebook.

    Well, time to sweep this up and resist tracking more. Let's see how it works this time round.

  • by jannes on 1/29/20, 10:41 AM

    My off-facebook activity was empty. That's encouraging, because it looks like my countermeasures have been working:

    - Fingerprinting resistance in Firefox (privacy.resistFingerprinting = true)

    - First-party isolation in Firefox (privacy.firstparty.isolate = true)

    - Blocking third-party cookies in Firefox (network.cookie.cookieBehavior = 1)

    - Firefox container when I need to login to ad/tracking companies (Facebook, Google)

    - uBlock Origin

    - Cookie AutoDelete

    - PiHole on my home network

  • by alasdair_ on 1/29/20, 8:06 PM

    To me the thing that bothered me most was that a mental health site (Psychologytoday.com) that I used to find a therapist was passing the information on my searches to Facebook, presumably to aid in targeted advertising.

    Honestly, I think that health-related searches that are directly tied to a specific individual (especially without informed consent - I didn’t log in or receive any notice this was being done) should be covered by HIPPA just like any other personally identifiable health record.

    The other weird one was the huge amount of data my bank was sending. 20+ requests per session. I have no idea why they would do that.

  • by wukerplank on 1/29/20, 10:19 AM

    Wow that's creepy. It lists apps where a) I didn't use FB login/signup and b) used a different email address to sign up. How do they cross-reference that to me? Hand how can I prevent that outside of their tools (which I assume still violate my privacy)?

  • by kpozin on 1/29/20, 10:32 AM

    In my profile, they managed to obtain a `PURCHASE` event from Macy's -- for an in-person purchase at a physical store. Macy's has my email address and certainly linked it to my credit card number, but this is nonetheless seriously creepy.

    I just tried to change my email address on Facebook and discovered that they canonicalize plus and dot variations in gmail.com addresses, and thus claim that the new email address is already associated with an account. Ended up having to create a completely new email alias on my own domain.

  • by ivyirwin on 1/29/20, 2:04 PM

    My first reaction to this was to be creeped out. Even being in the industry how did all of these sites (560) have data about me that they were willingly sending to Facebook without my permission. And while I have a Facebook account, I am not a Facebook user – as in I've logged in twice in the last year to see a neighborhood post or the like.

    But then I went from creeped out to oh shit as sites I run were on the list. The way Facebook puts it, these businesses are actively sharing data with Facebook for the businesses benefit. But as a developer who has been asked to put a pixel on a site many times, I have to rethink the data exchange here. Obviously the sites are not getting the benefit that Facebook is receiving from everyone piping in data – often unknowingly.

  • by vinaypai on 1/29/20, 2:43 PM

    I realize this is an unpopular opinion around here... but can anyone explain how they have actually been harmed by this? Like for real not in abstract notions of "creepiness" or whatever. I, for one with Facebook actually figured how to do something useful with that data and not be that raw sewage stream that basically led to stop logging in.

  • by pjc50 on 1/29/20, 11:00 AM

    Hmm. I have no website activity listed - but seemingly every single Android game and a few other apps is sending "activity" to FB, despite me never using any feature to associate the two. This sounds like: https://privacyinternational.org/report/2647/how-apps-androi...

    Any sensible way of stopping this?

  • by nonbirithm on 1/29/20, 6:43 PM

    I was surprised to see that Plex is sharing a bunch of interactions with Facebook despite me only signing in with email. They seem to just blindly correlate the email address with whatever Facebook account it points to. There is no mention of Facebook on their privacy page[1]. As a lifetime Plex Pass holder this has damaged my credibility with them.

    One of their employees says this is in error[2] so hopefully it will be fixed.

    I guess signing in with email is pretty much equivalent to contacting Facebook if this is possible to do.

    Besides that there are physical retailers that send data to Facebook even though I don't recall giving them any idea identifying info. I feel powerless since I rely on Messenger for communication with friends, who I've tried and failed to convince to switch elsewhere.

    [1] https://www.plex.tv/about/privacy-legal/privacy-preferences/

    [2] https://forums.plex.tv/t/why-is-plex-sharing-my-activities-w...

  • by feintruled on 1/29/20, 11:00 AM

    Deliveroo has evidently been sending them all my orders. Or at least, there are as many 'interactions' as I have made orders. I don't log in via my Facebook so that is an unwelcome surprise.

  • by yason on 1/29/20, 8:21 PM

    I had a few - all of them from my Android apps and via Facebook business tools i.e. the vendors are actively pushing my data to Facebook. One utility app that I'm not surprised about, one that I'm a bit more surprised about but the interesting bit was G-Shock Connect (for the watch).

    I installed their app once, figured it doesn't properly do the only thing I needed it for (show battery charge level), and I went to uninstall it. How did it find itself on Facebook?

    The app wasn't given any permissions and I did not enter any personal information. The TOS did require giving consent to sending app and watch usage data but I didn't tick allowing that for marketing purposes nor was personal information mentioned, just identification data from the phone itself, operating system etc.

    The app must have obtained my phone number or email from the phone's personal data. Apparently that's possible even if I declined all explicit permissions. They might be able to find my Google email by using Android's AccountManager apis. Phone number might be possible but slightly tricky and I think I disconnected my phone number from Facebook way before installing their app.

    Interesting stuff - looks like everything should run in an anonymous container by default on phones, too. I hope we'll get there soon. Still, a lot of this is based on trust rather than technical countermeasures. Will you trust the vendor or not?

  • by stonedge on 1/29/20, 1:30 PM

    Allegedly, I ditched my Facebook account years ago. Not just deactivated but delete, though I don’t really believe it. Is there anyway to see what’s in this (or to see if my account really is gone) without accidentally re-upping?

  • by chrisjamesc on 1/29/20, 10:31 AM

    If you want to disable facebook tracking out of facebook in the future, it's possible on this link: https://www.facebook.com/off_facebook_activity/future_activi...

    EDIT: the link doesn't seem to work, so you can click on "Manage Future Activity" => "Manage Future Activity" in the popup => Disable "Future Off-Facebook Activity"

  • by dannyr on 1/29/20, 11:06 AM

    Man I feel hopeless.

    I have not connected my Facebook account for over 90% of these sites/apps but they still sent my data to Facebook.

  • by gingerlime on 1/29/20, 11:18 AM

    Is it just me, or is there no way to download activity details? I click on an activity, then there's a few examples and a link to download, but this leads to a generic "Download your information" page and I cannot see an entry for the app or off-facebook specifically...

    How can I block it? some apps are on my iPhone, but I don't have the Facebook app on it (I do have messenger), and only used the apps on the phone. Aren't they isolated in some way?

  • by CodiePetersen on 1/29/20, 6:17 PM

    I deleted my Facebook a couple months ago. Now I wish I would have kept it just a little longer to see what they had on me.

    But in the end I still would have deleted it. Facebook clearly can't be trusted with my data. Idc what connections it gives me. They have shown time and time again that they will exploit the tiniest things to predict and manipulate your behavior.

    And apparently companies desperate for even slight up ticks in conversion rates will upload everything they know about you.

    No wonder Cambridge Analytica, AggregateIQ, and Robert Mercer had such an easy time compiling psychological profiles and categories of Americans and Brits.

    In the end, it's real simple. The human brain adjusts based on the environment and events around it. Id rather not have Zuckerberg, Dorsey, or anyone else they deem worthy, intentionally or otherwise playing around in my head.

  • by ben7799 on 1/29/20, 6:49 PM

    I feel like this stuff actually creeps me out more since I deleted my Facebook account. I didn't deactivate, I completely deleted.

    I'm near 100% sure they're still trying to track & sell me, but without an account I can't even see it.

  • by avip on 1/29/20, 12:45 PM

    I was asked to "sign in" to "facebook" therefore I have no idea what this post is about.

    (seriously, concerned citizens should consider browsing fb incognito and never stay signed-in)

  • by Lammy on 1/29/20, 7:15 PM

    The linked page displays nothing but "You must log in to continue" if you don't have a Facebook account. I searched around and found this news page that explains it: https://about.fb.com/news/2019/08/off-facebook-activity/

  • by m1 on 1/29/20, 10:31 AM

    A bit weird that my Monzo seems to be sending data to Facebook?

  • by milankragujevic on 1/29/20, 12:11 PM

    Apparently my website is complicit in this... I'm disgusted with and ashamed of myself.

    https://i.imgur.com/Wz7O8HU.png

    Edit: typo complacenet to complicit, thanks Zarel.

  • by Infinitesimus on 1/29/20, 10:45 AM

    Apparently Blind made the list. So much for 'anonymous'

  • by joshspankit on 1/29/20, 12:26 PM

    Anyone else thrown off that “Download Activity Details” (which seems to be the only way you can find out what interaction was sent) leads to the main Download Your Information page, and not to anything specific to that app or that interaction?

  • by wrdalex on 1/29/20, 10:38 AM

    Revolut is sending data to them, too. 202 interactions for my account.

  • by CreepyLife on 1/29/20, 10:55 AM

    If Google and Facebook is ready to "show" these data, I wonder what and how much data they are hiding.

  • by gjm11 on 1/29/20, 5:03 PM

    There's a little note saying that the list may not be complete. If you click that, they pop up an explanation, one of the bullet points in which says this:

    > We receive more details and activity than what appears here. For technical and accuracy reasons, this list doesn't show all of the activity that we've received. Activity that is not shown includes information that we've received when you're not logged in to Facebook, or when we can't confirm that you've previously used Facebook on that device. It also includes details such as the item that you added to your shopping basket.

    It seems to me that this gives them carte blanche to omit anything they feel like omitting.

  • by king_magic on 1/29/20, 2:15 PM

    Real nice that there is no bulk turn-off feature. Giant pain to click through a few hundred sites to block future activity. But I suppose that's the point, right? To make it as difficult as possible for users to block this kind of oh-shit creepy behavior.

  • by cryptozeus on 1/29/20, 5:29 PM

    Blind app send interactions to Facebook. This defies the whole point of blind app. This is so wrong on so many levels.

  • by Jaruzel on 1/29/20, 12:02 PM

    I don't use Facebook, but I do use Messenger as I have a couple of close family members who refuse to use anything else. I've just logged into Facebook (which has no history as I've purged it[1]), and still there are 5 apps sharing my activity with Facebook. These 5 apps are all on my phone, so I guess Messenger is also sharing back to FB. :( ---

    [1] Shameless plug: https://github.com/Jaruzel/DeleteFacebookActivity

    [Cross-posted from the other thread]

  • by chinathrow on 1/29/20, 12:59 PM

    That's so funny that they come up with this page these days.

    "We receive Jane's off-Facebook activity and we save it with her Facebook account. The activity is saved as "visited the Clothes and Shoes website" and "made a purchase"."

    I downloaded my data before, and never have I seen what exactly the listed companies sent to FB.

    I have a list of just a few companies (mainly by using a different email address for FB only) but still, I have no idea what these companies sent to FB about me.

    Edit: I found the data now - it's now available for export.

  • by jmccorm on 1/29/20, 4:11 PM

    NETFLIX. The regular "payment" records don't concern me but the "custom" records (as recent as last night) do. Is that viewing data or what is this? I've also got "custom" records from HULU, but the last one was in December.

    This isn't necessarily sinister... but it certainly raises some questions on what these streaming video companies are telling Facebook on a regular basis.

  • by makecheck on 1/29/20, 4:32 PM

    Be sure to find both settings: the one to clear activity up to now, and the separate one to ensure that future activity is not tracked either.

  • by Pxtl on 1/29/20, 3:22 PM

    ... wow.

    You know, you hear about tracking cookies but it's a whole other thing to see it staring you in the face. What's the most shocking is how small so many of these entries are. Like, there's a local children's day-camp and sports facility that I send my kids to on P.A. days on the list. And a local politician's page.

  • by SCdF on 1/29/20, 11:11 AM

    There is nothing on this page I was not aware of and intentionally linked (e.g. Strava).

    So does this mean I am successfully stopping them from tracking websites I visit via tracking pixels / IP mapping / whatever other nefarious shit they do, or are they just not showing this information here?

  • by padraic7a on 1/29/20, 11:30 AM

    One thing I'm not clear on - when I click on Coinbase (just one example) I see the following under 'What you can do';

    - View coinbase.com

    - Turn off future activity from coinbase.com

    - Give feedback about this activity

    Does 'turn off' mean they won't share this information again, or that I won't be told about it again?

  • by forgottenpass on 1/29/20, 9:07 PM

    >We receive more details and activity than what appears here. For technical and accuracy reasons, this list doesn't show all the activity that we've received. Activity that is not shown includes information we've received when you're not logged into Facebook, or when we can't confirm that you've previously used Facebook on that device.

    So, basically all the information they have on me? I don't log in to facebook all that often. By not helping them survive me, they'll coyly pretend like they have less surveillance data tied to my account in their database than they do. I doubt they're going to purge those surveillance records "technical and accuracy" reasons.

  • by pmlnr on 1/29/20, 10:46 AM

    "just must log in to read this"

    Can someone please share it?

  • by eivarv on 1/29/20, 12:04 PM

    I can't believe that this stuff is acceptible, or even legal. The fact that you're tracked off-Facebook (for instance), even if you're not logged in or on Facebook is not just creepy, but borderline abusive.

  • by novok on 1/29/20, 6:29 PM

    Now we need a one click delete all data in account button, without 'deleting' the account, because 'deleting' your facebook account doesn't delete any of the data inside of it.

  • by Jupe on 1/29/20, 5:57 PM

    Interestingly, none of the other "big brother" companies show up on my activity feed, even though I do use them. No Apple. No Amazon. No Google. No Netflix. Not even Microsoft.

    Anyone else??

    Wow, this is beyond creepy.

  • by code4tee on 1/29/20, 1:56 PM

    Clearly they’ve come to the realization that they either do this voluntarily or future regulation will force them to do it. The beginning of the end of hyper-targeted online advertising has started.

  • by qu4ku on 1/29/20, 2:03 PM

    Nowhere to hide.

    Just a few days ago I wanted to research some nasty disease and I used brave on TOR to watch some stuff about it on YT.

    First thing after I opened FB was a clinical laboratory tests adv.

  • by nerdjon on 1/29/20, 2:26 PM

    The fact that they have information about apps that I specifically chose to not link to facebook for variety of reasons...

    Including one specific app that they have 356 interactions from that I really do not want associated with my facebook account.

    Looks like I am going to be spending the next couple of days digging through the report I just generated.

    When this is all server side is the only option to make an email that is only for facebook and hope they can't link data any other way?

  • by Nextgrid on 1/29/20, 12:17 PM

    It would be good to name and shame every vendor that shares data with Facebook and have them in a searchable list, so people can check before engaging with them.

  • by kjakm on 1/29/20, 11:08 AM

    What are the best ways to protect against this kind of tracking? I would argue it's probably better to keep a Facebook account so you can see what they're tracking and work to prevent it.

    In my browser I'm running uBlock Origin, HTTPS Everywhere, and Privacy Badger. I'm guessing those will help quite a lot. However on an iPhone what can I do (as that's where a lot of this data seems to be coming from)?

  • by neycoda on 1/29/20, 6:32 PM

    I removed my Facebook info from my browser and phone, changed the info I had on there to be basically anonymized (except to people who know me), and then logged in with a different browser on both desktop and phone dedicated to just Facebook. Now they can't tell what websites I'm going to and don't have direct access to my photos and files etc.

  • by HelloFellowDevs on 1/29/20, 2:46 PM

    Kinda surprised how many interactions I've had tracked from my visits to Home Depot, I've only recently started stopping by there in the past year or so. What data could they have possibly even used? Sell me more cardboard moving boxes? Plant supplies?

  • by Pxtl on 1/29/20, 3:26 PM

    ... html/js allowing requests to domains other than the one in my URL bar was a mistake.

  • by UncleSlacky on 1/29/20, 8:47 PM

    Weirdly, FB thinks I've had dealings with Home Depot, which I've never visited (virtually or IRL). Nothing else, but then I use Ublock Origin, Privacy Badger, disconnect.me etc. as well as FB Purity. I also don't have a smartphone.

  • by Hoasi on 1/29/20, 11:58 AM

    > You must log in to continue.

    Nah, I will pass.

  • by Doctor_Fegg on 1/29/20, 12:49 PM

    Four days before the UK general election, Facebook apparently "received activity" relating to me from an anonymous, icon-less organisation with a cryptic name, who appear to be completely un-googleable.

    Well, that's reassuring.

  • by fsflover on 1/29/20, 6:02 PM

    "You have no available activity to show at this time."

    Qubes OS with disposable VMs helps!

  • by Santosh83 on 1/29/20, 11:45 AM

    I apparently have no records of off-Facebook activity. This is probably because of blocking all 3rd-party cookies and enabling the blocking of social media trackers in both uBlock as well as that built into Firefox.

  • by alien1993 on 1/29/20, 10:52 AM

    Seems like most of my data they got from apps on my Android phone, there was even an app that I just installed, opened and uninstalled in less then a minute without even logging in or anything.

    How can I block them in the future?

  • by xyby on 1/29/20, 11:42 AM

    I am in Europe, so by law (GDPR) I have the right to make them delete all of this data.

    How do I do so?

    Also, I never consented to this being collected. How can their practice of collecting this type of data be GDPR compliant?

  • by tallgiraffe on 1/29/20, 12:05 PM

    In case of Facebook, one has to wonder, is this a move towards consumer privacy, or a way for Facebook to clear cache so they could build a more up to date profile of you.

  • by ArtDev on 1/29/20, 8:27 PM

    These apps are from my phone which does not have the facebook app installed. They must be harvesting stuff on me from the Instagram and/or Whatapp permissions.

  • by robteix on 1/29/20, 11:32 AM

    Literally the first result in the list of companies that shared data about me with FB is my pharmacy. My pharmacy! That's just... wrong.

  • by kirillzubovsky on 1/29/20, 3:11 PM

    When is Facebook's next investor call? The number of newly active users (who showed up for this) is going through the roof!

  • by DannyB2 on 1/29/20, 3:02 PM

    I clicked the link and was told I needed to log into Facebook to continue.

    Is it necessary to have a FB account in order to read TFA?

  • by heinrichhartman on 1/29/20, 2:19 PM

    What is this? I only get a login prompt. I don't have a fb account.

    Would s/o mind explaining what this is all about.

  • by Andromeda88 on 1/29/20, 4:44 PM

    Emirates NBD Bank app and CAREEM app are sharing info with Facebook.

    It was very surprising to see ENBD in the list.

  • by alinspired on 1/29/20, 9:28 PM

    never installed facebook app on a phone, but multiple 3rd party apps on the phone report to facebook. For some reported apps i've never been logged in.

    looks like facebook knows my phone's "hardware id" from somewhere

    edit: good to know that uBlock blocked all web activity

  • by cryptozeus on 1/29/20, 5:25 PM

    Now imagine what google has on you.

  • by abright on 1/29/20, 6:11 PM

    Ah, so disappointing that I need a Facebook account to read this. The joy of missing out.

  • by ryanmarsh on 1/29/20, 9:16 PM

    My payroll and accounting systems are talking to Facebook about me. Why? I have no idea.

  • by DevKoala on 1/29/20, 8:19 PM

    Is there a way to tell how Facebook is tracking you if you deleted your account?

  • by dbg31415 on 1/29/20, 7:06 PM

    Can someone post a screenshot for those of us with out Facebook accounts?

  • by skytbest on 2/11/20, 2:52 AM

    Did they take this down? It just goes to my Facebook home page

  • by sequoia on 1/29/20, 3:58 PM

    Can someone tell us non-Facebook users what this looks like?

  • by theqult on 1/29/20, 6:48 PM

    390 connected apps. And i never use facebook login

  • by throwawaylolx on 1/29/20, 12:32 PM

    Is there an equivalent Off-Facebook for Google?

  • by s-skl on 1/29/20, 5:28 PM

    fuing unbelievable that my photo to scan app on the phone is sending activity to Facebook!

  • by rypskar on 1/29/20, 6:31 PM

    Also check https://www.facebook.com/ads/preferences/?entry_product=info... to see who has uploaded lists including your email or phone number to to facebook. Wonder what GDPR say about uploading this type of lists

  • by allovernow on 1/29/20, 7:07 PM

    So is there any way to find out what information FB has on you if you don't have an account?

  • by marknadal on 1/29/20, 6:27 PM

    I don't understand.

    It says I completed a registration for a company I never signed up to.

    I did visit that company's restaurant that day, but I did not purchase anything.

    Are some companies auto-registering you?