As someone that has spent a sizable amount of my career in ad products, the outrage here is kind of (sadly) funny. A conversion pixel? Hah, if you only had an idea of what the Facebook data faucet looked like in 2007-2017, your hairs would stand.
Pretty sure they were breaking all kinds of PII laws.
> Hah, if you only had an idea of what the Facebook data faucet looked like in 2007-2017, your hairs would stand.
I really don’t understand the goal with vague statements like this that can’t even provide even the slightest hint of specifics.
What specific data? Even a single example would make this anecdote useful. Instead it feels more like a brag. “I know something but I’m not telling” but in this case the commenter doesn’t claim to have worked at Facebook (just the industry in general) so I suspect it’s hearsay anyway.
> Pretty sure they were breaking all kinds of PII laws.
Given the way Facebook has been under the microscope and dragged in front of Congress, I’m going to assume that their corporate counsel was very careful to provide at least a best-effort attempt to comply with every law available at the time. It may not be popular, but I really doubt Facebook was violating laws for a decade straight as the largest player in the space.
Why do you give them the benefit of the doubt? There are countless examples of this kind of behavior in top companies.
The difference when it comes to other industries (e.g. food) is that the regulation has had time to develop, and most legislators understand the concepts. So it's harder to cheat.
Forgetting someones opt-out preferences by mistake doesn't ring as severe as using light carcinogens in your food mix.
It’s pretty straightforward and no secret. All those “share on Facebook” widgets you used to see everywhere are also tracking users. Since they’re embedded into basically every site ever, and each hit to the widget goes to facebook.com (so your browser helpfully sends their cookie along with it), that means Facebook knows who you are and what sites you visit without your consent or intervention, and uses that to sell targeted ads. They even have a profile on you even if you don’t use Facebook.
It’s changed a bit recently with GDPR, the Cambridge Analytica scandal and some third party cookie privacy stuff so it’s a bit less insidious now, but it’s still pretty bad.
Doesn't matter much. Now it'll just happen server side where the server sends the same types of data directly to facebook. See the facebook CAPI. Basically a server side implementation of DataLayer and such...
> if you only had an idea of what the Facebook data faucet looked like in 2007-2017, your hairs would stand.
I'm pretty sure everyone of technical aptitude knew Facebook's data faucet. But maybe I missed something.
As far as I know, Facebook:
a) Had all the freely provided data, PII/likes/social graph/etc.
b) On Facebook's site or mobile app, the were fingerprinting your device, examining your scrolling/mouse/clicking/other inputs to determine attention on a page
c) Could recreate most nonuser's social graphs just by seeing them as endpoints in registered people's contacts
c) On the web, had "like" buttons or ads and their code pretty much everywhere. Therefore they could track most people to most sites.
d.1) Sites could directly provide more information to allow retargeting
d.2) Sites could directly provide more information through a host of other services FB offered to the developers
e) On mobile, in the background, scrapped your contacts, GPS, nearby devices (other phones, WiFi, Bluetooth, although tower information may or not be included). Also, had installed by default on a lot of phones
f) On mobile, provided libraries people could import into their apps, mostly but not exclusively for ads. This let them get similar insights into usage patterns as on the web. Also, if people didn't install the FB app, let them get (e)
g) Used your real identity to purchase information about you from the various realworld data merchants
I don't think you missed anything substantial... but I'll add two extensions:
(1) Social graphs change slowly. And they still own Instagram, so for many users they have a live social graph still.
(2) Facebook Pixel is dead. Long live Facebook Pixel!
The Facebook Pixel is now (or at least nearing) effectively dead on modern up-to-date devices running ad blockers. Of course that leaves plenty of desktop machines where people aren't running ad blockers.
But more importantly, Facebook has acknowledged the elephant in the room and moved from client side to server side with Conversions API (CAPI) (aka the new "Facebook Pixel"). And there's nothing ad blockers can do about server-side analytics...
I used to tell people if they know how ad tech worked it would be banned tomorrow.
I doubt it's on FB during that period though?
I would guess though that a bunch of health tech sent (perhaps accidentally just not understanding) a bunch of patient data though. Seems they are the responsible party.
There's been other examples beyond FB of 'auto track' too. devs just don't know or forget to turn it off.
Not to mention for some reason at that time putting a FB like button on all the porn. Who clicks that?!?!
> I would guess though that a bunch of health tech sent
I worked for a "healthtech" company in London at the beginning of the pandemic. They had the Facebook SDK malware embedded in the app that people were supposed to use for GP consultations.
I don't believe any explicit health data was sent (there was no intent to do so, and I’m not sure if that would even be possible), but merely the fact that I'm talking to a doctor (and the current time, location, device fingerprint, etc) is not something I'd like Facebook to know.
I know breaching the GDPR is basically the norm in any tech company but I thought that being involved in healthcare would make them super risk-averse and make an extra effort to comply.
They were not alone in this - PatientAccess and a bunch of other sites - that you can use to book GP consultations (including through the NHS - UK’s socialised healthcare system) had a shit ton of such trackers too, obviously loaded before any GDPR consent could even be obtained.
Not OP, but somewhere around 2010 I tinkered with creating a game for Facebook. I signed up for a developer account, spent some time with the docs and built a toy app.
It was a straightforward call to get info about the user, including name, email, interests, etc. Their friends list. Info about all their friends, including all the same details. And so on.
There was a EULA where the developer had to promise to delete all the info when the user signed out of the game, and not to share the info. That was the only security.
The project fizzled, but when the Cambridge Analytica news broke, it confused me, because my recollection is EVERYBODY had all those lists of user info. Seriously, tens of thousands of different companies, with the only thing stopping them was a pinky promise.
We used to have access to individual demographic data for breaking down your analytics and ad targeting, as well as being able to target users based on their specific email address or phone number. We could also target your friends.
From memory this has now all been rolled up into cohort demographics and 'look-a-like' audiences so you can no longer break your data down by specific users demographic attributes or target ads by say an email list unless they are already your users (and it's used for specific types of ads; retargeting).
From memory some of the more unsettling breakdown/targets were
- Ethnicity
- Life events
- Politics
- Pages (so other businesses) they had liked
I worked for a pure play furniture retailer you used to be able to do things like buy email lists from price comparators of gas/eletricity/home insurance with additional data like your postcode and then upload it to facebook and specifically target everyone with a FB account under that email/phone number with furniture ads. As the assumption is that if your looking for gas/eletricity/home insurance your likely to be moving home or at least be a person who had some need for furniture.
Now they just use the facebook pixel to put you into look a like audiences because they can see you went to the home insurance website and the real estate website (they all have the pixel installed) and make the same broad assumptions we were previously making but on the cohort and not your specific unique identifier.
Any developer can still send almost any data they want into FB to track basically anything.
'offline conversion' still allows you to send in names, age, bday, gender, etc for matching, IP, UA.
Though now it's hashed before going to FB.
And you can pass almost whatever custom data you want in. So I can in my industry optimize for a long term political donor, or potentially an early vote. Or someone accidentally sends in 'this person bought hepatitis meds'
This still exists despite what someone below said, unless I'm totally missing or misunderstanding something.
However it is not as valuable, and shrinking audience able to do deliver to because of iOS restrictions. And likely with Chrome too eventually
FB used to have more detailed interest/demographic buckets to target that they supplied. Used to be able to type in basically anything from what someone likes ___ very niche page to engages liberal political. There are still interests but there are fewer of those 'sensitive' ones. Still lots of stuff like works at ___. of course age, gender, geo.
But more fine grained interest targeting seems like going away pretty soon it's just going to be broad demographics.
The ROI is just not as good without iOS fine grained targeting FB is having to do a bunch of tricks with AI/modeling to try and make it perform but it's not as good.
I'm for targeted advertising. I think what iOS is doing is uncompetitive and bad.
But I do think there should be some sensible regulation. Like no healthcare or sensitive topic data (LGBTQ, dating, etc).
** ADDITION sorry this is long but one additional thing I think people also confusing the ad product with the old FB api.
The old FB api was an absolute sieve you could get basically any data a person has on their profile and also their friend's data. This is what happened with Cambridge Analytics.
All that has been shut down even login with fb they are way more strict about actually testing sites etc
I would guess that's when the Cambridge Analytics thing became well known, where they were using Facebook's network/data graphs to compile their own compiled and targeted data.
I don’t see why that would solve the issue. your browser is communicating with facebook’s servers, so if they log your communication it’s not exactly a violation of your private property rights
This is it and is how the online advertising industry has worked for over 25 years.
In its simplest form the pixel is used to attribute an ad view/click to a conversion event. At the beginning of the online ad industry that’s all it did, advertisers for the first time had the ability to directly, in real time, see the effectiveness of their ads. The economic value and GDP generated due to this innovation is immeasurable, the internet economy is literally built on it.
At the beginning there was no profile building, combining with PII and data gathered from social media or even your gmail emails (yes the content of your emails). And it was magical!
It’s the innovations since that have moved the entire industry through a grey area into the blank where the way they operate is questionable at best.
The point is, this tracking pixel on its own is incredible what it unlocks. It’s the way that data is then used that we have to call into question.
Personally the simplest form of attribution to me is fine. It works and I don’t believe it’s invasive if they aren’t then combining it with pii and profile data. Sadly that time has passed and all advertising networks now rely so heavily of ML/AI that it’s impossible to manage them, as an advertiser, in the way you used to. Hopefully regulation will push the industry back to where it was.
This is also why even Apple and Mozilla (companies with a vested interest in harming the ad ecosystem) are pushing for various privacy-preserving ad attribution technologies. Nobody objects to UberEats knowing that their Tiktok ads are working or not - they object to Tiktok cross-referencing the data from UberEats and everywhere else to build an interest profile on them.
At my first ever job where I was actually hired as a programmer (December 2000) my first project was to build a web stats system. I knew little enough that I flailed for the first week or two, then independently invented the tracking pixel from first principles - backed by an unbelievably ugly perl CGI script - to enable data collection.
It collected only pages visited, browser versions and referer (sic) headers - it didn't occur to me to collect anything else - and yet provided vast amounts of business value to our customers as well as a vast amounts of experience at scaling for me (though, uh, given how badly the early versions of that code scaled, not necessarily at the same time).
> The point is, this tracking pixel on its own is incredible what it unlocks. It’s the way that data is then used that we have to call into question.
I entirely agree with this statement, and what's happened since saddens me.
I'm going to pour another drink and take a moment to feel old now.
(edited to add: 'tracking pixel' seems to mean that class of instrument to many other commenters, I'm specifically talking about an <img> tag that loaded a single pixel transparent gif ... I also made bar charts for the analytics users' UI using HTML tables with a pair of <td> tags per row, one with a coloured background, one clear, using percentages to provide relative data. 2001 was a different world)
This is it but only half the equation. Yes, the pixel lets advertisers track their return on ad spend (through tracking conversions), but it's also a targeting mechanism (ie you can tell ad platforms you will pay $X / conversion, versus paying per impression or per click).
If anyone cared about privacy, a solution would be to only include the pixel when a user was redirected from tiktok to Ubereats. No need to include the other 6 pixels, or include them for users that landed via the homepage.
My first thought was that most people use TikTok on mobile, whats the point of this (if the ad takes them to play store/app store or to the Uber eats app). Then I realized that this is probably aimed at tracking for new signups, they probably send them to the app stores with a redirect to their site in the middle. TikTok probably doesnt forward them the user identifier hence the tiktok pixel on their page, so they can see the effectiveness of the ad on some TikTok ads dashboard.
This is honestly very few considering how many different places Uber Eats probably advertises on.
I work on helping new Shopify merchants get more early sales, and ads are super important for that to happen. Open up any small and growing e-commerce store and you'll see at least this many.
Without ads, you don't find these small businesses, and all consumers just go to Amazon, or other large established marketplaces.
Just in general look at those cookie consent dialogs at any site living on advertising or using it and really see the insanity of number of partners... That should show that we might actually need to burn it all down...
Just install uBlock on your friends and families browsers. Most people seems fine with being tracked if that means they get "offers" they don't want to miss. I however detest anything connected to advertisement to the level that I frequently hang up when our own sales people call me because I directly spot a salesperson, even before I recognize the voice... Quite embarrasing sometimes :-)
So I install uBlock, uMatrix and Pi-hole everywhere. Also help customers do the same with sane defaults so they get rid of most stuff without burning their whole browser.
And as an advertiser we don't have to pay for the people that didn't want to see our ads in the first place, win win loose :-)
As many people have pointed out these are for tracking the performance of ad traffic. Savvy, "privacy minded" businesses may listen to this sort of outrage, and pull the pixels off their websites. But you are kidding yourself if you think you aren't being tracked because the frontend JS is all first party.
The same thing can, and is happening server side. Every platform out there now has an event/conversion API [1]. If you are logging in to Uber Eats with a email/phone number you have used elsewhere then you are going to be tracked full-stop.
No. This needs to be criminalized. Not liking a good or service is one thing. Having things done to you or your information without consent for the purpose of spying on you is stalking with extra steps. Many of these companies still deprive you of your privacy even without using their services by developing shadow profiles on you.
Your list of companies is too short. Throw out the market leaders who spend on brand and cheat somewhere else in the chain and look for a smaller company.
The best bypass for this process is to cut Ubereats entirely out of the picture and call the local restaurant directly to place your order. Ubereats in this case is a third party so what difference does it make? None of you start to think about it.
Not handing your data to companies will result in poor data and bad decisions on their end, which is bad for them and the customers.
What's super idiotic in all this is that the "data companies bad" is often spread by the very companies which would rather have data themselves than their competitors.
Readit News
Pretty sure they were breaking all kinds of PII laws.
I really don’t understand the goal with vague statements like this that can’t even provide even the slightest hint of specifics.
What specific data? Even a single example would make this anecdote useful. Instead it feels more like a brag. “I know something but I’m not telling” but in this case the commenter doesn’t claim to have worked at Facebook (just the industry in general) so I suspect it’s hearsay anyway.
> Pretty sure they were breaking all kinds of PII laws.
Given the way Facebook has been under the microscope and dragged in front of Congress, I’m going to assume that their corporate counsel was very careful to provide at least a best-effort attempt to comply with every law available at the time. It may not be popular, but I really doubt Facebook was violating laws for a decade straight as the largest player in the space.
Key points: https://twitter.com/YBenkler/status/1070337233159372806?s=20...
Here was one thread of highlights which is still somewhat readable: https://web.archive.org/web/20181206132832/https://twitter.c...
Germany banned their cross-site data sharing/reciprocity, such as from menstrual cycle-tracking apps which had come to light (maybe separately), in 2019: https://twitter.com/YBenkler/status/1093495901342126080?s=20...
The difference when it comes to other industries (e.g. food) is that the regulation has had time to develop, and most legislators understand the concepts. So it's harder to cheat.
Forgetting someones opt-out preferences by mistake doesn't ring as severe as using light carcinogens in your food mix.
It’s changed a bit recently with GDPR, the Cambridge Analytica scandal and some third party cookie privacy stuff so it’s a bit less insidious now, but it’s still pretty bad.
Deleted Comment
I'm pretty sure everyone of technical aptitude knew Facebook's data faucet. But maybe I missed something.
As far as I know, Facebook:
a) Had all the freely provided data, PII/likes/social graph/etc.
b) On Facebook's site or mobile app, the were fingerprinting your device, examining your scrolling/mouse/clicking/other inputs to determine attention on a page
c) Could recreate most nonuser's social graphs just by seeing them as endpoints in registered people's contacts c) On the web, had "like" buttons or ads and their code pretty much everywhere. Therefore they could track most people to most sites.
d.1) Sites could directly provide more information to allow retargeting d.2) Sites could directly provide more information through a host of other services FB offered to the developers
e) On mobile, in the background, scrapped your contacts, GPS, nearby devices (other phones, WiFi, Bluetooth, although tower information may or not be included). Also, had installed by default on a lot of phones
f) On mobile, provided libraries people could import into their apps, mostly but not exclusively for ads. This let them get similar insights into usage patterns as on the web. Also, if people didn't install the FB app, let them get (e)
g) Used your real identity to purchase information about you from the various realworld data merchants
Which did I miss?
I don't think you missed anything substantial... but I'll add two extensions:
(1) Social graphs change slowly. And they still own Instagram, so for many users they have a live social graph still.
(2) Facebook Pixel is dead. Long live Facebook Pixel!
The Facebook Pixel is now (or at least nearing) effectively dead on modern up-to-date devices running ad blockers. Of course that leaves plenty of desktop machines where people aren't running ad blockers.
But more importantly, Facebook has acknowledged the elephant in the room and moved from client side to server side with Conversions API (CAPI) (aka the new "Facebook Pixel"). And there's nothing ad blockers can do about server-side analytics...
Imagine gloating and being proud of such a career.
Dead Comment
Dead Comment
I doubt it's on FB during that period though?
I would guess though that a bunch of health tech sent (perhaps accidentally just not understanding) a bunch of patient data though. Seems they are the responsible party.
There's been other examples beyond FB of 'auto track' too. devs just don't know or forget to turn it off.
Not to mention for some reason at that time putting a FB like button on all the porn. Who clicks that?!?!
I worked for a "healthtech" company in London at the beginning of the pandemic. They had the Facebook SDK malware embedded in the app that people were supposed to use for GP consultations.
I don't believe any explicit health data was sent (there was no intent to do so, and I’m not sure if that would even be possible), but merely the fact that I'm talking to a doctor (and the current time, location, device fingerprint, etc) is not something I'd like Facebook to know.
I know breaching the GDPR is basically the norm in any tech company but I thought that being involved in healthcare would make them super risk-averse and make an extra effort to comply.
They were not alone in this - PatientAccess and a bunch of other sites - that you can use to book GP consultations (including through the NHS - UK’s socialised healthcare system) had a shit ton of such trackers too, obviously loaded before any GDPR consent could even be obtained.
It was a straightforward call to get info about the user, including name, email, interests, etc. Their friends list. Info about all their friends, including all the same details. And so on.
There was a EULA where the developer had to promise to delete all the info when the user signed out of the game, and not to share the info. That was the only security.
The project fizzled, but when the Cambridge Analytica news broke, it confused me, because my recollection is EVERYBODY had all those lists of user info. Seriously, tens of thousands of different companies, with the only thing stopping them was a pinky promise.
From memory this has now all been rolled up into cohort demographics and 'look-a-like' audiences so you can no longer break your data down by specific users demographic attributes or target ads by say an email list unless they are already your users (and it's used for specific types of ads; retargeting).
From memory some of the more unsettling breakdown/targets were
I worked for a pure play furniture retailer you used to be able to do things like buy email lists from price comparators of gas/eletricity/home insurance with additional data like your postcode and then upload it to facebook and specifically target everyone with a FB account under that email/phone number with furniture ads. As the assumption is that if your looking for gas/eletricity/home insurance your likely to be moving home or at least be a person who had some need for furniture.Now they just use the facebook pixel to put you into look a like audiences because they can see you went to the home insurance website and the real estate website (they all have the pixel installed) and make the same broad assumptions we were previously making but on the cohort and not your specific unique identifier.
'offline conversion' still allows you to send in names, age, bday, gender, etc for matching, IP, UA.
Though now it's hashed before going to FB.
And you can pass almost whatever custom data you want in. So I can in my industry optimize for a long term political donor, or potentially an early vote. Or someone accidentally sends in 'this person bought hepatitis meds'
This still exists despite what someone below said, unless I'm totally missing or misunderstanding something.
However it is not as valuable, and shrinking audience able to do deliver to because of iOS restrictions. And likely with Chrome too eventually
FB used to have more detailed interest/demographic buckets to target that they supplied. Used to be able to type in basically anything from what someone likes ___ very niche page to engages liberal political. There are still interests but there are fewer of those 'sensitive' ones. Still lots of stuff like works at ___. of course age, gender, geo.
But more fine grained interest targeting seems like going away pretty soon it's just going to be broad demographics.
The ROI is just not as good without iOS fine grained targeting FB is having to do a bunch of tricks with AI/modeling to try and make it perform but it's not as good.
I'm for targeted advertising. I think what iOS is doing is uncompetitive and bad.
But I do think there should be some sensible regulation. Like no healthcare or sensitive topic data (LGBTQ, dating, etc).
** ADDITION sorry this is long but one additional thing I think people also confusing the ad product with the old FB api.
The old FB api was an absolute sieve you could get basically any data a person has on their profile and also their friend's data. This is what happened with Cambridge Analytics.
All that has been shut down even login with fb they are way more strict about actually testing sites etc
Deleted Comment
Deleted Comment
Dead Comment
In its simplest form the pixel is used to attribute an ad view/click to a conversion event. At the beginning of the online ad industry that’s all it did, advertisers for the first time had the ability to directly, in real time, see the effectiveness of their ads. The economic value and GDP generated due to this innovation is immeasurable, the internet economy is literally built on it.
At the beginning there was no profile building, combining with PII and data gathered from social media or even your gmail emails (yes the content of your emails). And it was magical!
It’s the innovations since that have moved the entire industry through a grey area into the blank where the way they operate is questionable at best.
The point is, this tracking pixel on its own is incredible what it unlocks. It’s the way that data is then used that we have to call into question.
Personally the simplest form of attribution to me is fine. It works and I don’t believe it’s invasive if they aren’t then combining it with pii and profile data. Sadly that time has passed and all advertising networks now rely so heavily of ML/AI that it’s impossible to manage them, as an advertiser, in the way you used to. Hopefully regulation will push the industry back to where it was.
It collected only pages visited, browser versions and referer (sic) headers - it didn't occur to me to collect anything else - and yet provided vast amounts of business value to our customers as well as a vast amounts of experience at scaling for me (though, uh, given how badly the early versions of that code scaled, not necessarily at the same time).
> The point is, this tracking pixel on its own is incredible what it unlocks. It’s the way that data is then used that we have to call into question.
I entirely agree with this statement, and what's happened since saddens me.
I'm going to pour another drink and take a moment to feel old now.
(edited to add: 'tracking pixel' seems to mean that class of instrument to many other commenters, I'm specifically talking about an <img> tag that loaded a single pixel transparent gif ... I also made bar charts for the analytics users' UI using HTML tables with a pair of <td> tags per row, one with a coloured background, one clear, using percentages to provide relative data. 2001 was a different world)
Nice illustration of how "innovation" != "progress"
Rotten to the core.
How is this not everyone's first thought?
I work on helping new Shopify merchants get more early sales, and ads are super important for that to happen. Open up any small and growing e-commerce store and you'll see at least this many.
Without ads, you don't find these small businesses, and all consumers just go to Amazon, or other large established marketplaces.
So I install uBlock, uMatrix and Pi-hole everywhere. Also help customers do the same with sane defaults so they get rid of most stuff without burning their whole browser.
And as an advertiser we don't have to pay for the people that didn't want to see our ads in the first place, win win loose :-)
The same thing can, and is happening server side. Every platform out there now has an event/conversion API [1]. If you are logging in to Uber Eats with a email/phone number you have used elsewhere then you are going to be tracked full-stop.
1. Here is TikTok's for example https://ads.tiktok.com/help/article?aid=10003669
Neither of these companies will create a shell profile if you never visit them.
If they are criminal why would you use them?
Deleted Comment
Literally criminalised? As in you’ll throw people in jail for putting up a pixel? Made illegal, sure.
What's super idiotic in all this is that the "data companies bad" is often spread by the very companies which would rather have data themselves than their competitors.
Interestingly, it only loads after you agree to third party cookies by clicking “Got it”. So I guess they at least respect that.