Update, FB received personal data on me from 1573 apps and websites over the last 6 months, up more than two-fold from January 2020 when it introduced its 'Off-Facebook Activity' tool.
Methodology: For a part of my daily web activity I use a browser without any tracking protection or ad blocker, which is also logged into FB. Like many others. Annoying and painful, but what has to be done has to be done.

Correction: The new number seems to cover >6 months.
Some sites sent data about my activities to FB hundreds of times. Media websites are among the worst offenders:

- Daily Mail: 297x
- The Independent: 280x
- The Guardian: 203x
- Vice: 158x
- Reuters: 91x
- The Atlantic: 87x
- Forbes: 72x
- The New Yorker: 53x
- Politico: 46x

Media sites in German-speaking countries that sent personal data to FB include:

- DE: Spiegel, Tagesspiegel, Welt, FAZ, Handelsblatt, Stern, Freitag

- AT: Die Presse, Kleine Zeitung, Profil, oe24, OÖN, SN, Der Standard

- CH: NZZ, Tagesanzeiger

(non-exhaustive list)
But all kinds of companies let FB spy on me, from Amazon to Microsoft to McAfee to MyHeritage, from retail (Tesco, Asos) to telco (T-Mobile, Vodafone) to jobs (Glassdoor) to mental health services (BetterHelp), from personal finance to home rental to food delivery to gambling...
...from Amnesty International to the US Department of Homeland Security / CBP.

And both just did it again:
Many university sites sent data to FB, e.g.

- harvard, stanford, stanford, berkeley, hbs, mit, virginia, colorado, fordham, gwu [.edu]
- ox, birmingham, sheffield, gold, kcl, ucl [.ac.uk]
- unsw, bond [.edu.au]
- fh-wien, fhstp [.ac.at]

Also, Amsterdam and Tilburg universities.
Actually, FB didn't receive behavioral data from my mobile apps, because I tried to prevent FB from linking data from my mobile devices to this FB account.

Anyway, I've seen 'Off-Facebook Activity' lists that showed mobile apps sending behavioral data to FB up to 3,000 times.
This behavioral data from external sites and apps (and from other sources) is the lifeblood of Facebook's commercial surveillance machine.

I think the best way to stop this from happening is banning FB from using it, in the EU via data protection law, competition law, DSA/DMA.
Of course, this would undermine Facebook's business, but there is no way around it.

Current proposals want to obligate FB to process off-platform data 'only based on consent'. But this won't work. FB will always find a way to trick people into 'consent' or to delay enforcement.
Holding website and app publishers accountable in a way that effectively prevents *everyone* from sending personal data to FB all the time is also an option, and I still think it must happen, but it didn't for years, so I'm more leaning towards banning FB itself from using it.
Nice to have, but won't fix it:

- Telling people to delete FB/Insta/WA (do it; but I've seen so many calls, FB kept growing + many people in the world just cannot do so for reasons)

- Shaming companies/orgs for data sharing with FB (can sometimes make sense, but not a solution)
- Protecting yourself by blocking hosts etc (do it; but it won't change FB's business+data practices at large)

- Browser/device vendors blocking it. This is in part happening, and it's good. But Google's Chrome plans have their own issues, and G is generally doing the same itself.
Some more sites that sent personal data on my activities to FB:

paypal .com
dropbox .com
webex .com
evernote .com
prezi .com
meetup .com
statista .com
yougov .com
norton .com

airbnb .com
uber .com
marriott .com
booking .com
tripadvisor .com
yahoo .com
spotify .com
soundcloud .com
vimeo .com
gofundme .com
grindr .com

nato .int
worldbank .org
mckinsey .com
deloitte .com
sap .com
samsung .com
adobe .com

pewresearch .org
nature .com
sciencemag .org
springer .com
elsevier .com
tandfonline .com
routledge .com
medscape .com
a16z .com
aei .org
consumerreports .org
rsaconference .com
fivethirtyeight .com
change .org
demandjustice .org
nationbuilder .com
substack .com
jacobinmag .com
thebaffler .com
jesuscalling .com
breitb*rt .com
dailyc*ller .com
theg*tewaypundit .com
atlasnetwork .org
aynrand .org
In February 2020, @riptari tracked down 6 companies that shared personal data on her with FB according to the 'Off-Facebook Activity' tool, and asked them about details.

One company openly stated it does not know what data it shares with FB. A deep dive: techcrunch.com/2020/02/25/fac…
Like @riptari, I have also d8rk54i4mohrb.cloudfront.net in the list of hosts that sent data on me to FB (see her above article).

And while most entries in my list look like website domains, it contains 42 entries that don't. I wonder what they refer to? FB Business Manager accounts?
So apparently FB received data on my activities from entities named DoubleDigital LTD, Industry Dive, OK Bilist, TU Media As, or 經緯廣告科技股份有限公司 AdHub. No idea who they are.

And who is this entity named 'Domain' that sent data on me to FB on March 1 2020 at 11:55 PM? 😬
So, what kind of data does FB receive from all those sites and apps?

Real-time data about which pages on which websites a billion+ people visit at which points in time, plus data about which apps they use at which points in time, is the basis for Facebook's profiling business.
And FB receives more. Standard activities transmitted include:

- Someone visits a page
- searches the site
- signs up
- subscribes
- donates
- adds a product to the cart
- enters payment info
- makes a purchase
- schedules an appointment
- gets in touch via phone/email/chat

FB often receives info about the 'value' of a person performing an activity, in $ or €, at individual level.

So, websites+apps let their own profiling systems calculate how much you're worth to them and tell FB every time you use their website or app.
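
An added example, not part of the original thread: a small Node.js audit helper that takes request URLs captured while browsing a site (for instance from a HAR export) and reports which activities and monetary values were sent to FB. It assumes the transmissions use the Facebook Pixel's GET request to `facebook.com/tr` with its `id`, `ev`, `dl`, `cd[value]` and `cd[currency]` parameters, a mechanism the thread itself does not name; the sample URLs, pixel IDs and hostnames are constructed.

```javascript
// Constructed sample: request URLs as they might appear in a browser HAR export.
// Hostnames, pixel IDs and values are made up for illustration.
const SAMPLE_REQUESTS = [
  "https://www.facebook.com/tr/?id=1111111111&ev=PageView&dl=https%3A%2F%2Fshop.example%2Fshoes",
  "https://www.facebook.com/tr/?id=1111111111&ev=AddToCart&dl=https%3A%2F%2Fshop.example%2Fcart&cd%5Bvalue%5D=59.90&cd%5Bcurrency%5D=EUR",
  "https://www.facebook.com/tr/?id=1111111111&ev=Purchase&dl=https%3A%2F%2Fshop.example%2Fcheckout&cd%5Bvalue%5D=59.90&cd%5Bcurrency%5D=EUR",
  "https://www.facebook.com/tr/?id=2222222222&ev=PageView&dl=https%3A%2F%2Fnews.example%2Farticle%2F42",
  "https://cdn.example/app.js",
  "not a url",
];

const PIXEL_HOSTS = new Set(["www.facebook.com", "facebook.com"]);

// Returns what a single request reports to FB, or null if it is not a pixel call.
function parsePixelRequest(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return null; }
  if (!PIXEL_HOSTS.has(url.hostname) || !/^\/tr\/?$/.test(url.pathname)) return null;
  const q = url.searchParams;            // percent-decodes cd%5Bvalue%5D to cd[value]
  const event = q.get("ev");
  if (!event) return null;
  let site = "(unknown)";
  try { site = new URL(q.get("dl")).hostname; } catch (e) { /* dl missing or malformed */ }
  const rawValue = q.get("cd[value]");
  const value = rawValue === null ? null : Number(rawValue);
  return {
    pixelId: q.get("id"),
    event,
    site,
    value: Number.isFinite(value) ? value : null,
    currency: q.get("cd[currency]"),
  };
}

// Per visited site: how often data was sent, which events, and whether a value was attached.
function summarise(requests) {
  const bySite = {};
  for (const hit of requests.map(parsePixelRequest).filter(Boolean)) {
    const s = bySite[hit.site] || (bySite[hit.site] = { sent: 0, events: {}, valueSent: false });
    s.sent += 1;
    s.events[hit.event] = (s.events[hit.event] || 0) + 1;
    if (hit.value !== null) s.valueSent = true;
  }
  return bySite;
}

console.log(JSON.stringify(summarise(SAMPLE_REQUESTS), null, 2));
```

This covers only the browser-side GET form; data a site forwards to FB from its own servers never appears in a browser capture.
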
@privacyint showed in 2019 how menstruation apps share very sensitive 'custom' data with FB, and how FB gets informed "the moment a user opens the app", "whether the user has a Facebook account or not and whether they are logged into Facebook or not"
When I examined how apps send personal data to third parties together with the Norwegian Consumer Council et al in 2019, we found that FB even received battery/charging status, memory and detailed gyroscope data

(this didn't make it into our report because we didn't focus on FB)
So, FB received data on the exact orientation of the device and on how quickly it's being moved into which direction #totallynotinvasive

2 out of 10 examined apps sent gyroscope data. All sent at least some data to FB, and 9/10 sent the Android/Google ID.
FB may argue they only use battery/gyroscope data for your 'ad experience'.

I'd argue FB cannot be trusted, there is no GDPR enforcement, in many regions of the world no regulation at all, and they probably just feed this into just another reckless engagement optimization model.
Anyway, data that is obviously extremely sensitive is at most a bonus issue.

Facebook's business+power relies on data that can be operationalized. In many cases this is about data that does not seem to be extremely sensitive in the first place, but is being processed at scale.
