Update, FB received personal data on me from 1573 apps and websites over the last 6 months, up more than two-fold from January 2020 when it introduced its 'Off-Facebook Activity' tool. 
https://twitter.com/WolfieChristl/status/1222261523407691777
Methodology: For a part of my daily web activity I use a browser without any tracking protection or ad blocker, which is also logged into FB. Like many others. Annoying and painful, but what has to be done has to be done.
Correction: The new number seems to cover >6 months.
Correction: The new number seems to cover >6 months.
Some sites sent data about my activities to FB hundreds of times. Media websites are among the worst offenders:
- Daily Mail: 297x
- The Independent: 280x
- The Guardian: 203x
- Vice: 158x
- Reuters: 91x
- The Atlantic: 87x
- Forbes: 72x
- The New Yorker: 53x
- Politico: 46x
- Daily Mail: 297x
- The Independent: 280x
- The Guardian: 203x
- Vice: 158x
- Reuters: 91x
- The Atlantic: 87x
- Forbes: 72x
- The New Yorker: 53x
- Politico: 46x
Media sites in German-speaking countries that sent personal data to FB include:
- DE: Spiegel, Tagesspiegel, Welt, FAZ, Handelsblatt, Stern, Freitag
- AT: Die Presse, Kleine Zeitung, Profil, oe24, OÖN, SN, Der Standard
- CH: NZZ, Tagesanzeiger
(non-exhaustive list)
- DE: Spiegel, Tagesspiegel, Welt, FAZ, Handelsblatt, Stern, Freitag
- AT: Die Presse, Kleine Zeitung, Profil, oe24, OÖN, SN, Der Standard
- CH: NZZ, Tagesanzeiger
(non-exhaustive list)
But all kinds of companies let FB spy on me, from Amazon to Microsoft to McAfee to MyHeritage, from retail (Tesco, Asos) to telco (T-Mobile, Vodafone) to jobs (Glassdoor) to mental health services (BetterHelp), from personal finance to home rental to food delivery to gambling...
...from Amnesty International to the US Department of Homeland Security / CBP.
And both just did it again:
And both just did it again:
Many university sites sent data to FB, e.g.
- harvard, stanford, stanford, berkeley, hbs, mit, virginia, colorado, fordham, gwu [.edu]
- ox, birmingham, sheffield, gold, kcl, ucl [.ac.uk]
- unsw, bond [.edu.au]
- fh-wien, fhstp [.ac.at]
Also, Amsterdam and Tilburg universities.
- harvard, stanford, stanford, berkeley, hbs, mit, virginia, colorado, fordham, gwu [.edu]
- ox, birmingham, sheffield, gold, kcl, ucl [.ac.uk]
- unsw, bond [.edu.au]
- fh-wien, fhstp [.ac.at]
Also, Amsterdam and Tilburg universities.
Actually, FB didn't receive behavioral data from my mobile apps, because I tried to prevent FB from linking data from my mobile devices to this FB account.
Anyway, I've seen 'Off-Facebook Activity' lists that showed mobile apps sending behavioral data to FB up to 3,000 times.
Anyway, I've seen 'Off-Facebook Activity' lists that showed mobile apps sending behavioral data to FB up to 3,000 times.
This behavioral data from external sites and apps (and from other sources) is the lifeblood of Facebook's commercial surveillance machine.
I think the best way to stop this from happening is banning FB from using it, in the EU via data protection law, competition law, DSA/DMA.
I think the best way to stop this from happening is banning FB from using it, in the EU via data protection law, competition law, DSA/DMA.
Of course, this would undermine Facebook's business, but there is no way around it.
Current proposals want to obligate FB to process off-platform data 'only based on consent'. But this won't work. FB will always find a way to trick people into 'consent' or to delay enforcement.
Current proposals want to obligate FB to process off-platform data 'only based on consent'. But this won't work. FB will always find a way to trick people into 'consent' or to delay enforcement.
Holding website and app publishers accountable in way that effectively prevents *everyone* from sending personal data to FB all the time is also an option, and I still think it must happen, but it didn't for years, so I'm more leaning towards banning FB itself from using it.
Nice to have, but won't fix it:
- Telling people to delete FB/Insta/WA (do it; but I've seen so many calls, FB kept growing + many people in the world just cannot do so for reasons)
- Shaming companies/orgs for data sharing with FB (can sometimes make sense, but not a solution)
- Telling people to delete FB/Insta/WA (do it; but I've seen so many calls, FB kept growing + many people in the world just cannot do so for reasons)
- Shaming companies/orgs for data sharing with FB (can sometimes make sense, but not a solution)
- Protecting yourself by blocking hosts etc (do it; but it won't change FB's business+data practices at large)
- Browser/device vendors blocking it. This is in part happening, and it's good. But Google's Chrome plans have its own issues, and G is generally doing the same itself.
- Browser/device vendors blocking it. This is in part happening, and it's good. But Google's Chrome plans have its own issues, and G is generally doing the same itself.
Some more sites that sent personal data on my activities to FB:
paypal .com
dropbox .com
webex .com
evernote .com
prezi .com
meetup .com
statista .com
yougov .com
norton .com
airbnb .com
uber .com
marriott .com
booking .com
tripadvisor .com
yahoo .com
paypal .com
dropbox .com
webex .com
evernote .com
prezi .com
meetup .com
statista .com
yougov .com
norton .com
airbnb .com
uber .com
marriott .com
booking .com
tripadvisor .com
yahoo .com
spotify .com
soundcloud .com
vimeo .com
gofundme .com
grindr .com
nato .int
worldbank .org
mckinsey .com
deloitte .com
sap .com
samsung .com
adobe .com
pewresearch .org
nature .com
sciencemag .org
springer .com
elsevier .com
tandfonline .com
routledge .com
medscape .com
soundcloud .com
vimeo .com
gofundme .com
grindr .com
nato .int
worldbank .org
mckinsey .com
deloitte .com
sap .com
samsung .com
adobe .com
pewresearch .org
nature .com
sciencemag .org
springer .com
elsevier .com
tandfonline .com
routledge .com
medscape .com
a16z .com
aei .org
consumerreports .org
rsaconference .com
fivethirtyeight .com
change .org
demandjustice .org
nationbuilder .com
substack .com
jacobinmag .com
thebaffler .com
jesuscalling .com
breitb*rt .com
dailyc*ller .com
theg*tewaypundit .com
atlasnetwork .org
aynrand .org
aei .org
consumerreports .org
rsaconference .com
fivethirtyeight .com
change .org
demandjustice .org
nationbuilder .com
substack .com
jacobinmag .com
thebaffler .com
jesuscalling .com
breitb*rt .com
dailyc*ller .com
theg*tewaypundit .com
atlasnetwork .org
aynrand .org
In February 2020, @riptari tracked down 6 companies that shared personal data on her with FB according to the 'Off-Facebook Activity' tool, and asked them about details.
One company openly stated it does not know what data it shares with FB. A deep dive: techcrunch.com/2020/02/25/fac…
One company openly stated it does not know what data it shares with FB. A deep dive: techcrunch.com/2020/02/25/fac…
Like @riptari, I have also d8rk54i4mohrb.cloudfront.net in the list of hosts that sent data on me to FB (see her above article).
And while most entries in my list look like website domains, it contains 42 entries that don't. I wonder what they refer to? FB Business Manager accounts?
And while most entries in my list look like website domains, it contains 42 entries that don't. I wonder what they refer to? FB Business Manager accounts?
So apparently FB received data on my activities from entities named DoubleDigital LTD, Industry Dive, OK Bilist, TU Media As, or 經緯廣告科技股份有限公司 AdHub. No idea who they are.
And who is this entity named 'Domain' that sent data on me to FB on March 1 2020 at 11:55 PM? 😬
And who is this entity named 'Domain' that sent data on me to FB on March 1 2020 at 11:55 PM? 😬
So, what kind of data does FB receive from all those sites and apps?
Real-time data about which pages on which websites a billion+ people visits at which points in time, plus data about which apps they use at which points in time, is the basis for Facebook's profiling business.
Real-time data about which pages on which websites a billion+ people visits at which points in time, plus data about which apps they use at which points in time, is the basis for Facebook's profiling business.
And FB receives more. Standard activities transmitted include:
- Someone visits a page
- searches the site
- signs up
- subscribes
- donates
- adds a product to the cart
- enters payment info
- makes a purchase
- schedules an appointment
- gets in touch via phone/email/chat
…
- Someone visits a page
- searches the site
- signs up
- subscribes
- donates
- adds a product to the cart
- enters payment info
- makes a purchase
- schedules an appointment
- gets in touch via phone/email/chat
…
FB often receives info about the 'value' of a person performing an activity, in $ or €, at individual level.
So, websites+apps let their own profiling systems calculate how much you're worth to them and tell FB every time you use their website or app.
developers.facebook.com/docs/facebook-…
So, websites+apps let their own profiling systems calculate how much you're worth to them and tell FB every time you use their website or app.
developers.facebook.com/docs/facebook-…
@privacyint showed in 2019 how menstruation apps share very sensitive 'custom' data with FB, and how FB gets informed "the moment a user opens the app", "whether the user has a Facebook account or not and whether they are logged into Facebook or not"
privacyinternational.org/long-read/3196…
privacyinternational.org/long-read/3196…
When I examined how apps send personal data to third parties together with the Norwegian Consumer Council et al in 2019, we found that FB even received battery/charging status, memory and detailed gyroscope data
(this didn't make it into our report because we didn't focus on FB)
(this didn't make it into our report because we didn't focus on FB)
So, FB received data on the exact orientation of the device and on how quickly it's being moved into which direction #totallynotinvasive
2 out of 10 examined apps sent gyroscope data. All sent at least some data to FB, and 9/10 sent the Android/Google ID.
fil.forbrukerradet.no/wp-content/upl…
2 out of 10 examined apps sent gyroscope data. All sent at least some data to FB, and 9/10 sent the Android/Google ID.
fil.forbrukerradet.no/wp-content/upl…
FB may argue they only use battery/gyroscope data for your 'ad experience'.
I'd argue FB cannot be trusted, there is no GDPR enforcement, in many regions of the world no regulation at all, and they probably just feed this into just another reckless engagement optimization model.
I'd argue FB cannot be trusted, there is no GDPR enforcement, in many regions of the world no regulation at all, and they probably just feed this into just another reckless engagement optimization model.
Anyway, data that is obviously extremely sensitive is at most a bonus issue.
Facebook's business+power relies on data that can be operationalized. In many cases this is about data that does not seem to be extremely sensitive in the first place, but is being processed at scale.
Facebook's business+power relies on data that can be operationalized. In many cases this is about data that does not seem to be extremely sensitive in the first place, but is being processed at scale.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
