Almost a month Some time ago, Facebook enabled the global availability of a tool that gives users an insight into the gloomy world of tracking that his company relies on to profile users of the wider web for ad targeting purposes.
Facebook does not courageously go into transparent daylight – but offers what the advocacy group for data protection rights Privacy International has described as "tiny adhesive plaster for a much bigger problem".
The problem it refers to is the lack of active and informed consent to mass-monitor Internet users through background tracking technologies embedded in apps and websites, even when users are surfing outside of Facebook's own content garden.
The dominant social platform only offered this feature after the Cambridge Analytica data abuse scandal in 2018, when Mark Zuckerberg was faced with uncomfortable questions in Congress about the scope of general Facebook web tracking, Since then, policymakers around the world have reviewed the way their business works – and found that there is a worrying lack of transparency in and around Adtech in general and Facebook in particular.
Facebook's tracking pixels and social plugins – also known as share / like buttons, which spice up the mainstream web – have created an extensive tracking infrastructure that tacitly informs the technology giant about the activities of Internet users, even if a person has not interacted with a Facebook brand has buttons.
Facebook claims this is just how the web works. Other technology giants (similarly Google) track Internet users in a similar way. However, as a platform with more than 2.2 billion users, Facebook has an advantage over the lion's share of its competitors when it comes to collecting personal data and building a global database with personal profiles.
It is also positioned as a dominant player in an adtech ecosystem, meaning that it is supplied with information by data brokers and publishers using tracking technology to survive in such a distorted system.
The opacity of online tracking means that the average Internet user is no smarter that Facebook can track what he is surfing the entire Internet. Indeed, questions of consent are very large.
Facebook is also able to track usage of third-party apps if someone chooses a Facebook sign-in option that the company recommends developers to implement in their apps. Again, there is an option to offer less friction selection than requiring users to create another credential.
The price for this “convenience” is data and data protection for users, since the Facebook login gives the technology giant an insight into the use of apps in the third part.
The company also used a VPN app that it bought and identified as a security tool to get data on the use of third-party apps. However, it was recently withdrawn from the Onavo app following a public backlash (though this did not result in a similar tracking program running for teenagers).
Background tracking is how Facebook's creepy ads work (such behavioral ads are better known as "relevant") – and how they have worked for years
Only in recent months have users been able to gain insight into this network of online whistleblowers by providing limited information about the companies that share tracking data with Facebook, as well as some limited controls.
From "Clear History" to "Off Facebook Activity"
Originally informed in May 2018, at the heart of the Cambridge Analytica scandal, as an option "Clear History", this option has since been renamed "Off-Facebook Activity" – a label that is as bloodless and without "Call to Action" as that average Facebook users, should they encounter burying menus deep in unsightly settings, would rather go along than feel moved to perform a privacy cleanup.
(You can access the setting here for recording – however, you must be logged in to Facebook to do this.)
The other problem is that you cannot delete your browser history with the Facebook tool, you can only unlink your Facebook ID. There is no option to clear your browsing history using the button. Another reason for the name change. No, Facebook has not created a clear history button.
"While we welcome efforts to provide more transparency to users by showing the companies that Facebook receives personal data from, the tool offers little opportunity for users to take action," Privacy International criticized Facebook this week, "you not to say." everything".
As the saying goes, a little knowledge can be a dangerous thing. So a little transparency means anything but clarity. And Privacy International summarizes the off-Facebook activity tool with a suitable oxymoron and describes it as a "new window on opacity".
"This tool shows how impossible it is for users to prevent external data from being shared with Facebook," he writes, and emphatically warns: "Without meaningful information about what data is collected and shared and how the user can do it Opt-out of such a collection, Off-Facebook activity is just another incomplete insight into Facebook's opaque practices when it comes to tracking users and consolidating their profiles, "
For example, it is pointed out that the information provided here is limited to a “simple name”, which prevents the user from “exercising his right to receive more information about how this data was collected” at least EU users are entitled.
“As a user, we have the right to know the name / contact details of companies that claim to have interacted with us. For example, if the only thing we see is the random name of an artist that we have never heard of before (true story), how should we know whether it is the record label, the agent, the marketing company, or even the personal focus is on? us with ads? "It adds.
Another point of criticism is that Facebook only provides limited information on every data transfer. Privacy International notes that some events are labeled "under a cryptic CUSTOM" label. and that Facebook "does not provide any information about how the data was collected by the advertiser (Facebook SDK, tracking pixel, such as button …) and on which device, so that the user is informed about the circumstances under which this data collection took place in the Stay dark ”.
"Does Facebook really show everything they process / store about these events in the log / export?" queries data protection researcher Wolfie Christl, who is tracking the ad tech industry's tracking techniques. "They have to, otherwise they will not meet their Subject Access Request (SAR) obligations (under EU law)."
Christl notes that Facebook makes users jump through an additional “download” area to display data about tracked events – and even then, as Privacy International points out, there is only a limited view of what has actually been tracked …
And it's just ridiculous.
FB does not show me the list of visits they have recorded from a particular website in their web interface, no! I have to download my information, which takes a long time.
And then I'm sure that's not all the data they record when tracking a VIEW_CONTENT event: pic.twitter.com/qBO87Zp5YH
– Wolfie Christl (@WolfieChristl), January 29, 2020
"Why doesn't Facebook, for example, list the specific websites / URLs visited? Do they complete data from the domains, eg categories? If so, why isn't that in the logs?" Asks Christl.
We asked Facebook a number of questions, including why no further details are provided by default. It replied with this statement attributed to the speaker:
We offer a variety of tools that allow users to access their Facebook information, and we have designed these tools to comply with relevant laws, including the GDPR. We disagree with the claims of this article (Privacy International) and would welcome the opportunity to discuss them with Privacy International.
Facebook also said it continues to develop what information is displayed through the off-Facebook activity tool – and welcomes feedback.
We also asked him about the legal basis on which he processes information from people obtained through his tracking pixels and social plug-ins. There was no answer to these questions.
Six names, many questions …
When the company launched the off-Facebook activity tool, a quick poll among available theinformationsuperhighway colleagues showed very different results for our respective numbers (which other Facebook reservations may not show the latest activity) – by a colleague who had an eye irrigation of 1,117 entities (probably due to many app tests); to several with several / several hundred each; to a couple in the middle ten.
In my case, I only had six. But in my view – as an EU citizen with a range of rights related to privacy and data protection; and as someone who wants to practice good online privacy hygiene, including a very limited approach to using Facebook (for example, never with their mobile app), there were still six too many. I wanted to find out how these entities circumvented my attempts not to be persecuted.
And in the case of the first in the list, who on earth was it …
It turns out that Cloudfront is a subdomain of the Amazon Web Services Content Delivery Network. But I had to search online myself to find out that the owner of this particular domain is (now) a company called Nativo.
The Facebook list only contained very bare information. I also clicked to delete the first entity because it immediately looked so strange, and found that Facebook deleted all entries – which meant that I could not access the little additional information it had about the respective data transfers had provided.
Unimpressed, I set about contacting each of the six companies directly with questions and asked which of my data they had transferred to Facebook and which legal basis they thought they had for processing my information.
(On a practical level, six names looked like a sample size that I could at least track manually – but remember that I was the theinformationsuperhighway exception. Imagine trying data from 1,117 companies or 450 or even 57 companies to request lists of some of my colleagues.)
This process took about a month and a lot of back and forth / chasing. It probably only provided as much information as I did because I asked as a journalist; An average internet user may have had difficulty answering their questions. According to EU law, however, citizens have the right to request a copy of the personal data stored about them.
Finally, I was able to get confirmation that tracking pixels and Facebook share buttons were involved in sharing my data with Facebook in certain cases. Nevertheless, I remain in the dark in many things. For example, exactly what personal data Facebook has received.
In one case, I was told by a listed company that it doesn't know what data was shared – only Facebook knows because it implemented the company's "proprietary code". (Insert your own "WTAF" there.)
The legal side of these transfers also remains very opaque. In my view, I would not intentionally consent to any of these follow-ups – but in some cases, the companies involved claim that (my) consent (somehow) has been obtained (or implied).
In other cases, they indicated that they are based on a legal basis in EU law called "legitimate interests". However, this requires performing a balancing test to ensure that business use does not have a disproportionate impact on the rights of the individual.
I could not determine if such tests were ever carried out.
Since Facebook also uses the tracking information from its pixels and social plug-ins (and appears to be used in more detail as some companies claimed to receive only aggregate rather than individual data), Christl suggests that such a balancing test is probably not easy to exist for this tiny little "platform giant" reason.
In particular, he points out that so-called "event data" is used in the conditions of Facebook's business tool to "personalize functions and content and to improve and secure Facebook products" – also for "advertisements and recommendations". for R&D purposes; and "to maintain and improve the integrity of Facebook corporate products".
In a section of its legal provisions covering the use of its pixels and SDKs, Facebook also requires companies that implement their tracking technologies to obtain user consent before doing so in relevant jurisdictions responsible for tracking cookies and Similar need a declaration of consent – using the example of the EU.
"You have to make sure that an end user gives the necessary consent before using Facebook Business Tools so that we can store and access cookies or other information on the end user's device," Facebook writes, referring to users of its tools In In his cookie consent guide for websites and apps, you will find "Suggestions for implementing consent mechanisms".
Christl points out the contradiction between Facebook's claim that users of its tracking technology require prior consent and the claims of some of these companies that they do not because they are based on "legitimate interests".
"The use of LI as the legal basis is controversial even if you use a data analysis company that reliably processes personal data exclusively for you," he argues. "I think industry lawyers are trying to advocate for a broader applicability of LI, but in the case of FB business tools, I don't think the balancing test (a company legitimates interests against the impact on the rights and freedoms of data subjects) will." work in favor of LI. "
Companies that rely on legitimate interests as the legal basis for follow-up would still have to provide a mechanism for users to object to the processing – and I could not immediately identify such a mechanism in the cases in question.
One thing is crystal clear: Facebook itself does not offer users a mechanism to object to the processing of tracking data or to deactivate targeted ads. This is still a long-standing complaint against business in the EU, which is still under investigation by data protection authorities.
One more thing: Non-Facebook users still have no way of knowing what data they are tracking and transferring to Facebook. For example, only Facebook users have access to the off-Facebook activity tool. Non-users cannot even access a list.
Facebook has defended its practice of tracking non-users on the Internet when required for unspecified "security purposes". This is, of course, an inherently disproportionate argument. Practice continues to face legal challenges in the EU.
Tracking the tracker
SimpleReach (aka d8rk54i4mohrb.cloudfront.net)
What is it? A California-based analytics platform (now owned by Nativo) that is used by publishers and content marketers to measure the performance of their content / native ads on social media. The product was launched in the early 1990s as a simple tool for publishers to recommend similar content at the end of articles before the startup turned. The aim was to become the "PageRank of Social". It provides analytics tools for publishers to track content engagement in real time on the social web (plugging into platform APIs). Statistical models were also created to predict which content was most social and where. A proprietary score is generated for each article. SimpleReach was acquired by Nativo last year to complement the analytics tools that the latter have already offered to track content on the publisher / brand website.
Why did it appear in your off-Facebook activity list? Since it is a B2B product, it does not have its own visible consumer brand. As far as I know, I have never visited my own website before investigating why it is on my off-Facebook activity list. Of course, I must have visited a site (or sites) that use their tracking / analysis tools. Of course, an Internet user has no obvious way to tell – unless they're actively using tools to monitor which trackers they're tracking.
In another quirk, neither the SimpleReach (nor Nativo) brand names appeared in my off-Facebook activity list. More of a The domain name was listed – d8rk54i4mohrb.cloudfront.net – which looked strange / alarming at first glance.
I've found this to be SimpleReach using a tracker analytics service,
Once I knew the name, I was able to link the entry to Nativo via news of the acquisition, which led me to a company to which I could ask questions.
What happened when you asked her about it? There was a bit of a back and forth and then they sent a detailed answer to my questions claiming they didn't share any data with Facebook – "or" off-site activity "as described in the Facebook activity tool".
They also suggested that due to the implementation of their tracking code, their domain would appear on a website I visited that also implemented Facebook's own trackers.
“Thanks to our technology, our data controllers can insert other tracking pixels or tags and use us as a tag manager that delivers code to the page. One of our customers may have added a Facebook pixel to an item that you visited with our technology. This could lead to Facebook assigning this pixel to our domain, even though our domain was just a "carrier" of the code, "they told me.
Regarding the data they collected, they said the following: “The only personal data that the SimpleReach Analytics tag collects is your IP address and a randomly generated ID. Both values are processed, anonymized and aggregated on the SimpleReach platform and only made available to our subprocessors who are obliged to process such data only on our behalf. Such values will be permanently deleted from our system after 3 months. These values are used to give our customers a general idea of the number of users who have visited the articles they have entered. "
So they suggested again that the reason their domain is on my off-Facebook activity list is a combination of the Nativo / SimpleReach tracking technologies that are implemented on a website that also includes the retargeting pixel from Facebook is embedded. This then led to data about my online activity being shared with Facebook (which Facebook then referred to as coming from the SimpleReach domain).
Christl agreed and agreed that it sounds as if publishers "somehow attach Facebook pixel events to SimpleReach's cloudfront domain".
"SimpleReach is unlikely to receive any data from it. But the question is 1) SimpleReach may actually be responsible (if it happens in the context of their domain); 2) The off-Facebook activity is a mess (if it contains events that occur on domains whose owners are not web or app publishers). "
Nativo offered to determine if they had personal information about the unique identifier they assigned to my browser if I could send them that ID. However, I could not find such an ID (see below).
Regarding the legal basis for processing my information, the company said to me: "We have the right to process data in accordance with the provisions set out in the various data processing agreements with those responsible for data processing."
Nativo also suggested that the off-site activity in question may have taken place prior to the purchase of SimpleReach technology, which took place on March 20, 2019, and said that any previous activity would mean that my request was made directly to SimpleReach, Inc., Nativo, would not have to be judged acquired. (In this case, however, the activity registered in the list was later dated.)
They said the following about all of this:
Thank you for submitting your data access request. We understand that you are based in the European Union and make this application in accordance with Article 15 (1) of the GDPR. Under Article 15 (1), "controllers" must respond to requests from individuals for information about the processing of their personal data. Although Article 15 (1) does not apply to Nativo, as we are not a data controller with regard to your data, we have provided information below to help us identify the appropriate data controller that you can contact directly.
SimpleReach is an analytics tracker tool (similar to Google Analytics) that is implemented by our customers to inform them about the performance of their content published on the Internet. D8rk54i4mohrb.cloudfront.net is the domain name of the servers that collect these metrics. We do not share any data with Facebook and do not carry out "off-site activities" as described in the Facebook activity tool. Our technology allows our data controllers to insert other tracking pixels or tags, using us as a tag manager that delivers code to the page. One of our customers may have added a Facebook pixel to an item that you visited with our technology. This could lead to Facebook assigning this pixel to our domain, even though our domain was only a “carrier” of the code.
The SimpleReach tool is implemented in articles published by our customers and partners of our customers. You may have visited a URL that contains our tracking code. It is also possible that the off-site activity that you are referring to is an activity of SimpleReach, Inc. before Nativo acquired SimpleReach technology. Nativo, Inc. purchased certain technologies from SimpleReach, Inc. on March 20, 2019, but we did not purchase the SimpleReach, Inc. unit itself, which remains a separate unit that is not affiliated with Nativo, Inc. Accordingly, all activities that took place prior to March 20, 2019 pre-dates Nativo's use of SimpleReach technology and should be discussed directly with SimpleReach, Inc. For example, if theinformationsuperhighway was a publisher partner of SimpleReach, Inc. and SimpleReach tracking code was implemented in theinformationsuperhighway articles or throughout the theinformationsuperhighway website before March 20, 2019, any resulting data collection would have been done by SimpleReach, Inc., not Nativo , Inc.
As mentioned above, our tracking script collects information and sends it to our servers based on the articles on which it is implemented. The only personal data that the SimpleReach Analytics tag collects is your IP address and a randomly generated ID. Both values are processed, anonymized and aggregated on the SimpleReach platform and only made available to our subprocessors who are obliged to process such data only on our behalf. Such values will be permanently deleted from our system after 3 months. These values are used to give our customers a general idea of the number of users who have visited the articles they have entered.
We have never shared any information with Facebook regarding the information we collect from the SimpleReach Analytics tag, be it personal data or otherwise. However, as mentioned above, it is possible that one of our customers added a Facebook retargeting pixel to an item that you visited with our technology. In this case, we would not have received any information collected from such a pixel, and we would have no knowledge of whether and to what extent the customer shared information with Facebook. Without further information, we cannot determine the specific customer (if any) for whom we may have processed your personal information. However, if you send us the unique identifier that we have assigned to your browser, we can determine, on behalf of a customer controller, whether personal data is linked to this browser and, if necessary, your request to the forwarding controller to respond directly to your request.
As data processors, we have the right to process data in accordance with the provisions of the various data processor agreements that we have concluded with those responsible for data processing. This type of agreement is designed to protect data subjects and to ensure that data processors are subject to the same standards that both the GDPR and the data controller have specified. This is the same type of agreement used by all other analytics tracking tools (as well as many other types of tools) like Google Analytics, Adobe Analytics, Chartbeat and many others.
I also asked Nativo to confirm whether Insider.com (see below) is a Nativo / SimpleReach customer.
The company informed me that "due to confidentiality restrictions" it could not disclose and would only do so Disclosure of customer identity when required by applicable law.
Again, if I gave the "unique identifier" assigned to my browser, I would like to retrieve a list of personal information that the SimpleReach / Nativo systems currently have stored for your unique identifier (if any), including the appropriate one Data Controller ”. ("If we have something personal Data collected by you on behalf of Insider.com, it would appear in the list of DataController, "it suggested.)
I checked multiple browsers that I use on multiple devices, but couldn't find an ID attached to a SimpleReach cookie. So I also asked if this could be linked to another cookie.
Because our Data is either pseudonymized or anonymized and we do not record any other personal parts Data it will not be possible for us to locate this through you Data without the cookie value. The SimpleReach user cookie has always been in the "__srui" cookie under the ".simplereach.com" domain or one of its subdomains. Wenn Sie ein SimpleReach-Benutzercookie unter diesem Namen in Ihrem Browser nicht finden können, liegt dies möglicherweise daran, dass Sie ein anderes Gerät verwenden oder Ihre Cookies gelöscht haben (in diesem Fall können wir keine persönlichen Cookies mehr zuordnen Daten Wir haben zuvor von Ihnen in Ihrem Browser oder Gerät gesammelt. Wir haben andere Cookies (unter den Domains postrelease.com, admin.nativo.com und cloud.nativo.com), aber diese Cookies beziehen sich nicht auf das Erscheinen von SimpleReach in der Liste der Off-Site-Aktivitäten in Ihrem Facebook-Konto. gemäß Ihrer ursprünglichen Anfrage.
Was haben Sie aus ihrer Aufnahme in die Off-Facebook-Aktivitätsliste gelernt? Es schien eine Korrelation zwischen dieser Domain und einem Publisher, Insider.com, zu bestehen, der auch in meiner Off-Facebook-Aktivitätsliste aufgeführt war, da beide protokollierten Ereignisse dasselbe Datum tragen. Außerdem ist Insider.com ein Publisher und fällt daher in die richtige Kundenkategorie für die Verwendung des Nativo-Tools.
Angesichts dieser Zusammenhänge konnte ich vermuten, dass Insider.com ein Kunde von Nativo ist. (Ich habe dies bestätigt, als ich mit Insider.com gesprochen habe.) Das Facebook-Tool kann also relationale Schlussfolgerungen in Bezug auf die Tracking-Branche verlieren, indem es Geschäftsverbindungen aufdeckt / abbildet, die ansonsten möglicherweise nicht offensichtlich waren.
Was ist es? Ein in New York ansässiges Business Media-Unternehmen, das Marken wie Business Insider und Markets Insider besitzt
Warum wurde es in Ihrer Off-Facebook-Aktivitätsliste angezeigt? Ich stelle mir vor, ich habe auf einen Technologieartikel geklickt, der in meinem Facebook-Newsfeed oder anderswo erschien, aber als ich bei Facebook angemeldet war
Was ist passiert, als du sie danach gefragt hast? Nach ungefähr einer Woche Funkstille meldete sich ein Mitarbeiter der Rechtsabteilung von Insider’com, um das Problem im Hintergrund zu besprechen.
Diese Person teilte mir mit, dass die Informationen im Off-Facebook-Aktivitätstool über den Facebook-Freigabeknopf stammen, der in alle Artikel eingebettet ist, die auf den Medienwebsites ausgeführt werden. Sie bestätigten, dass die Schaltfläche "Teilen" Daten mit Facebook teilen kann, unabhängig davon, ob der Website-Besucher mit der Schaltfläche interagiert oder nicht.
In meinem Fall hätte ich sicherlich nicht mit dem Facebook-Share-Button interagiert. Trotzdem wurden Daten einfach durch das Laden der Artikelseite selbst weitergegeben.
Laut Insider.com ist das Widget für Facebook-Freigabeknöpfe mithilfe einer Standardeinstellung, die Facebook-Publisher verwenden möchten, in seine Websites integriert. Wenn Sie auf die Schaltfläche "Teilen" klicken, werden Informationen zu dieser Aktion an Facebook weitergegeben und auch von Insider.com empfangen (in diesem Szenario werden jedoch keine personalisierten Informationen, sondern aggregierte Daten abgerufen).
Facebook kann auch automatisch andere Informationen sammeln, wenn ein Benutzer eine Webseite besucht, die seine sozialen Plug-Ins enthält.
Auf die Frage, ob Insider.com weiß, welche Informationen Facebook über diese passive Route erhält, teilte mir das Unternehmen mit, dass dies nicht der Fall ist. Das Plug-In führt einen proprietären Facebook-Code aus.
Auf die Frage, wie die Zustimmung der Benutzer zur passiven Weitergabe ihrer Daten an Facebook eingeholt wird, gibt Insider.com an, dass die Datenschutzrichtlinie die Zustimmung der Benutzer zur Weitergabe ihrer Informationen an Facebook und andere Social-Media-Websites vorsieht. Es sagte auch, dass es die als legitime Interessen bekannte Rechtsgrundlage nutzt, um Funktionen bereitzustellen und Analysen zu Artikeln abzuleiten.
Im aktiven Fall (wenn ein Benutzer klickt, um einen Artikel zu teilen) interpretiert Insider.com die Aktion des Benutzers als Zustimmung.
Insider.com hat bestätigt, dass es SimpleReach / Nativo-Analysetools verwendet. Dies bedeutet, dass Besucherdaten der Website auch an Nativo übergeben werden, wenn ein Benutzer auf einem Artikel landet. Die Einwilligung für diesen Datenaustausch ist in der Einwilligungsverwaltungsplattform enthalten (es wird ein von Forcepoint erstelltes CMP verwendet), in der die Website-Besucher aufgefordert werden, ihre Cookie-Auswahl anzugeben.
Hier können Website-Besucher festlegen, dass ihre Daten nicht zu Analysezwecken weitergegeben werden sollen (laut Insider.com würde dies die Weitergabe von Daten verhindern).
Normalerweise wende ich alle Opt-Outs für Cookies an, sofern verfügbar. Daher bin ich ein wenig überrascht, dass Nativo / SimpleReach meine Daten von einer Insider.com-Webseite erhalten hat. Entweder habe ich nicht einmal auf das Deaktivieren geklickt oder ich habe nicht auf die Cookie-Benachrichtigung geantwortet, und die Daten wurden standardmäßig übergeben.
Es ist auch möglich, dass ich mich abgemeldet habe, aber die Daten trotzdem weitergegeben wurden – da Untersuchungen ergeben haben, dass ein Teil der Cookie-Benachrichtigungen Auswahlmöglichkeiten ignoriert und Daten trotzdem weitergibt (unbeabsichtigt oder auf andere Weise).
Folgefragen, die ich nach dem Gespräch an Insider.com gesendet habe:
1) Können Sie bestätigen, ob Insider eine berechtigte Interessenbewertung durchgeführt hat?
2) Verfügt Insider über einen Site-Mechanismus, mit dem Benutzer dem Passiven widersprechen können? Daten transfer to Facebook from the share buttons?
Insider.com did not respond to my additional questions.
What did you learn from their inclusion in the Off-Facebook Activity list? That Insider.com is a customer of Nativo/SimpleReach.
What is it? A California-based ecommerce website selling outdoor gear
Why did it appear in your Off-Facebook Activity list? I don’t recall ever visiting their site prior to looking into why it appeared in the list so I’m really not sure
What happened when you asked them about this? After saying it would investigate it followed up with a statement, rather than detailed responses to my questions, in which it claims it does not hold any personal data associated with — presumably — my theinformationsuperhighway email, since it did not ask me what data to check against.
It also appeared to be claiming that it uses Facebook tracking pixels/tags on its website, without explicitly saying as much, writing that: “Facebook may collect information about your interactions with our websites and mobile apps and reflect that information to you through their Off-Facebook Activity tool.”
It claims it has no access to this information — which it says is “pseudonymous to us” but suggested that if I have a Facebook account Facebook could link any browsing on Rei’s site to my Facebook’s identity and therefore track my activity.
The company also pointed me to a Facebook Help Center post where the company names some of the activities that might have resulted in Rei’s website sending activity data on me to Facebook (which it could then link to my Facebook ID) — although Facebook’s list is not exhaustive (included are: “viewing content”, “searching for an item”, “adding an item to a shopping cart” and “making a donation” among other activities the company tracks by having its code embedded on third parties’ sites).
Here’s Rei’s statement in full:
Thank you for your patience as we looked into your questions. We have checked our systems and determined that REI does not maintain any personal data associated with you based on the information you provided. Note, however, that Facebook may collect information about your interactions with our websites and mobile apps and reflect that information to you through their Off-Facebook Activity tool. The information that Facebook collects in this manner is pseudonymous to us — meaning we cannot identify you using the information and we do not maintain the information in a manner that is linked to your name or other identifying information. However, if you have a Facebook account, Facebook may be able to match this activity to your Facebook account via a unique identifier unavailable to REI. (Funnily enough, while researching this I found theinformationsuperhighway in MY list of Off-Facebook activity!)
As a follow up question I asked Rei to tell me which Facebook tools it uses, pointing out that: “Given that, just because you aren’t (as I understand it) directly using my data yourself that does not mean you are not responsible for my data being transferred to Facebook.”
The company did not respond to that point.
I also previously asked Rei.com to confirm whether it has any data sharing arrangements with the publisher of Rock & Ice magazine (see below). And, if so, to confirm the processes involved in data being shared. Again, I got no response to that.
What did you learn from their inclusion in the Off-Facebook Activity list? Given that Rei.com appeared alongside Rock & Ice on the list — both displaying the same date and just one activity apiece — I surmised they have some kind of data-sharing arrangement. They are also both outdoors brands so there would be obvious commercial ‘synergies’ to underpin such an arrangement.
That said, neither would confirm a business relationship to me. But Facebook’s list heavily implies there is some background data-sharing going on
Rock & Ice magazine
What is it? A climbing magazine produced by a California-based publisher, Big Stone Publishing
Why did it appear in your Off-Facebook Activity list? I imagine I clicked on a link to a climbing-related article in my Facebook feed or else visited Rock & Ice’s website while I was logged into Facebook in the same browser session
What happened when you asked them about this? After ignoring my initial email query I subsequently received a brief response from the publisher after I followed up — which read:
Following up, I asked about the provision in the Rock & Ice website’s cookie notice which states: “By continuing to use our site, you agree to our cookies” — asking whether it’s passing data without waiting for the user to signal their consent.
(Relevant: In October Europe’s top court issued a ruling that active consent is necessary for tracking cookies, so you can’t drop cookies prior to a user giving consent for you to do so.)
The publisher responded:
You have to opt in and agree to the terms to use the website. You may opt out of cookies, which is covered in the terms. If you do not want the benefits of these advertising cookies, you may be able to opt-out by visiting: http://www.networkadvertising.org/optout_nonppii.asp.
I followed up again to point out that I’m not asking about the options to opt in or opt out but, rather, the behavior of the website if the visitor does not provide a consent response yet continues browsing — asking for confirmation Rock & Ice’s site interprets this state as consent and therefore sends data.
The publisher stopped responding at that point.
Earlier I had asked it to confirm whether its website shares visitor data with Rei.com? (As noted above, the two appeared with the same date on the list which suggests data may be being passed between them.) I did not get a respond to that question either.
What did you learn from their inclusion in the Off-Facebook Activity list? That the magazine appears to have a data-sharing arrangement with outdoor retailer Rei.com, given how the pair appeared at the same point in my list. However neither would confirm this when I asked
What is it? A California-based retailer focused on 3D printing and digital manufacturing
Why did it appear in your Off-Facebook Activity list? I honestly have no idea. I have never to my knowledge visited their site prior to investigating why they should appear on my Off Site Activity list.
I remain pretty interested to know how/why they managed to track me. I can only surmise I clicked on some technology-related content in my Facebook feed, either intentionally or by accident.
What happened when you asked them about this? They first asked me for confirmation that they were on my list. After I had sent a screenshot, they followed up to say they would investigate. I pushed again after hearing nothing for several weeks. At this point they asked for additional information from the Off-Facebook Activity tool — namely more granular metrics, such as a time and date per event and some label information — to help with tracking down this particular data-exchange.
I had previously provided them with the date (as it appears in the screenshot) but it’s possible to download additional an additional level of information about data transfers which includes per event time/date-stamps and labels/tags, such as “VIEW_CONTENT” .
However, as noted above, I had previously selected and deleted one item off of my Off-Facebook Activity list, after which Facebook’s platform had immediately erased all entries and associated metrics. There was no obvious way I could recover access to that information.
“Without this information I would speculate that you viewed an article or product on our site — we publish a lot of ‘How To’ content related to 3D printing and other digital manufacturing technologies — this information could have then been captured by Facebook via Adroll for ad retargeting purposes,” a MatterHackers spokesman told me. “Operationally, we have no other data sharing mechanism with Facebook.”
Subsequently, the company confirmed it implements Facebook’s tracking pixel on every page of its website.
Of the pixel Facebook writes that it enables website owners to track “conversions” (i.e. website actions); create custom audiences which segment site visitors by criteria that Facebook can identify and match across its user-base, allowing for the site owner to target ads via Facebook’s platform at non-customers with a similar profile/criteria to existing customers that are browsing its site; and for creating dynamic ads where a template ad gets populated with product content based on tracking data for that particular visitor.
Regarding the legal base for the data sharing, MatterHackers had this to say: “MatterHackers is not an EU entity, nor do we conduct business in the EU and so have not undertaken GDPR compliance measures. CCPA (California’s Consumer Privacy Act) will likely apply to our business as of 2021 and we have begun the process of ensuring that our website will be in compliance with those regulations as of January 1st.”
I pointed out that GDPR is extraterritorial in scope — and can apply to non-EU based entities, such as if they’re monitoring individuals in the EU (as in this case).
Also likely relevant: A ruling last year by Europe’s top court found sites that embed third party plug-ins such as Facebook’s like button are jointly responsible for the initial data processing — and must either obtain informed consent from site visitors prior to data being transferred to Facebook, or be able to demonstrate a legitimate interest legal basis for processing this data.
Nonetheless it’s still not clear what legal base the company is relying on for implementing the tracking pixel and passing data on EU Facebook users.
When asked about this MatterHacker COO, Kevin Pope, told me:
While we appreciate the sentiment of GDPR, in this case the EU lacks the legal standing to pursue an enforcement action. I’m sure you can appreciate the potential negative consequences if any arbitrary country (or jurisdiction) were able to enforce legal penalties against any website simply for having visitors from that country. Techcrunch would have been fined to oblivion many times over by China or even Thailand (for covering the King in a negative light). In this way, the attempted overreach of the GDPR’s language sets a dangerous precedent.
To provide a little more detail – MatterHackers, at the time of your visit, wouldn’t have known that you were from the EU until we cross-referenced your session with Facebook, who does know. At that point you would have been filtered from any advertising by us. MatterHackers makes money when our (U.S.) customers buy 3D printers or materials and then succeed at using them (hence the how-to articles), we don’t make any money selling advertising or data.
Given that Facebook does legally exist in the EU and does have direct revenues from EU advertisers, it’s entirely appropriate that Facebook should comply with EU regulations. As a global solution, I believe more privacy settings options should be available to its users. However, given Facebook’s business model, I wouldn’t expect anything other than continued deflection (note the careful wording on their tool) and avoidance from them on this issue.
What did you learn from their inclusion in the Off-Facebook Activity List? I found out that an ecommerce company I had never heard of had been tracking me
What is it? A Barcelona-based peer-to-peer marketplace app that lets people list secondhand stuff for sale and/or to search for things to buy in their proximity. Users can meet in person to carry out a transaction paying in cash or there can be an option to pay via the platform and have an item posted
Why did it appear in your Off-Facebook Activity list? This was the only digital activity that appeared in the list that was something I could explain — figuring out I must have used a Facebook sign-in option when using the Wallapop app to buy/sell. I wouldn’t normally use Facebook sign-in but for trust-based marketplaces there may be user benefits to leveraging network effects.
What happened when you asked them about this? After my query was booted around a bit a PR company that works with Wallapop responded asking to talk through what information I was trying to ascertain.
After we chatted they sent this response — attributed to sources from Wallapop:
Same as it happens with other apps, wallapop can appear on our users’ Facebook Off Site Activity page if they have interacted in any way with the platform while they were logged in their Facebook accounts. Some interaction examples include logging in via Facebook, visiting our website or having both apps opened and logged.
As other apps do, wallapop only shares activity events with Facebook to optimize users’ ad experience. This includes if a user is registered in wallapop, if they have uploaded an item or if they have started a conversation. Under no circumstance wallapop shares with Facebook our users’ personal data (including sex, name, email address or telephone number).
At wallapop, we are thoroughly committed with the security of our community and we do a safe treatment of the data they choose to share with us, in compliance with EU’s General Data Protection Regulation. Under no circumstance these data are shared with third parties without explicit authorization.
I followed up to ask for further details about these “activity events” — asking whether, for instance, Wallapop shares messaging content with Facebook as well as letting the social network know which items a user is chatting about.
“Under no circumstance the content of our users’ messages is shared with Facebook,” the spokesperson told me. “What is shared is limited to the fact that a conversation has been initiated with another user in relation to a specific item, this is, activity events. Under no circumstance we would share our users’ personal information either.”
Of course the point is Facebook is able to link all app activity with the user ID it already has — so every piece of activity data being shared is personal data.
I also asked what legal base Wallapop relies on to share activity data with Facebook. They said the legal basis is “explicit consent given by users” at the point of signing up to use the app.
“Wallapop collects explicit consent from our users and at any time they can exercise their rights to their data, which include the modification of consent given in the first place,” they said.
“At wallapop we take our community’s privacy and security very seriously and we follow recommendations from the Spanish Data Protection Agency,” it added
What did you learn from their inclusion in the Off-Facebook Activity list? Not much more than I would have already guessed — i.e. that using a Facebook sign-in option in a third party app grants the social media giant a high degree of visibility into your activity within another service.
In this case the Wallapop app registered the most activity events of all six of the listed apps, displaying 13 vs only one apiece for the others — so it gave a bit of a suggestive glimpse into the volume of third party app data that can be passed if you opt to open a Facebook login wormhole into a separate service.