Published On: Wed, Feb 26th, 2020

Facebook’s latest ‘transparency’ apparatus doesn’t offer most — so we went digging

Just underneath a month ago Facebook switched on tellurian accessibility of a apparatus that affords users a peek into a ghastly universe of tracking that a business relies on to form users of a wider web for ad targeting purposes.

Facebook is not going resolutely into pure illumination — nonetheless rather charity what remoteness rights advocacy organisation Privacy International has dubbed “a small adhering smear on a many wider problem”.

The problem it’s referring to is a miss of active and sensitive determine for mass notice of Internet users around credentials tracking technologies embedded into apps and websites, including as people crop outward Facebook’s possess calm garden.

The widespread amicable height is also customarily charity this underline in a arise of a 2018 Cambridge Analytica information injustice scandal, when Mark Zuckerberg faced ungainly questions in Congress about a border of Facebook’s ubiquitous web tracking. Since afterwards policymakers around a universe have dialled adult inspection of how a business operates — and satisfied there’s a discouraging miss of clarity in and around adtech generally and Facebook specifically. 

Facebook’s tracking pixels and amicable plugins — aka a share/like buttons that peppers a mainstream web — have combined a immeasurable tracking infrastructure that silently informs a tech hulk of Internet users’ activity, even when a chairman hasn’t interacted with any Facebook-branded buttons.

Facebook claims this is customarily ‘how a web works’. And other tech giants are likewise intent in tracking Internet users (notably Google). But as a height with 2.2BN+ users Facebook has got a impetus on a lion’s share of rivals when it comes to harvesting people’s information and building out a tellurian database of chairman profiles.

It’s also positioned as a widespread actor in an adtech ecosystem that means it’s a one being fed with intel by information brokers and publishers who muster tracking tech to try to tarry in such a lopsided system.

Meanwhile a opacity of online tracking means a normal Internet user is zero a wiser that Facebook can be following what they’re browsing all over a Internet. Questions of determine dawn unequivocally vast indeed.

Facebook is also means to lane people’s use of third celebration apps if a chairman chooses a Facebook login choice that a association encourages developers to practice in their apps — again a carrot being to be means to offer a reduce attrition choice vs requiring users emanate nonetheless another login credential.

The cost for this ‘convenience’ is information and user remoteness as a Facebook login gives a tech hulk a window into third partial app usage.

The association has also used a VPN app it bought and badged as a confidence apparatus to reap information on third celebration app use — nonetheless it’s recently stepped behind from a Onavo app after a open recoil (though that did not stop it regulating a identical tracking module targeted during teens).

Background tracking is how Facebook’s creepy ads duty (it prefers to call such behaviorally targeted ads ‘relevant’) — and how they have functioned for years

Yet it’s customarily in new months that it’s charity users a peek into this network of online informers — by providing singular information about a entities that are flitting tracking information to Facebook, as good as some singular controls.

From ‘Clear History’ to “Off-Facebook Activity”

Originally briefed in May 2018, during a crux of a Cambridge Analytica scandal, as a ‘Clear History’ choice this has given been renamed ‘Off-Facebook Activity’ — a tab so bloodless and abandoned of ‘call to action’ that a normal Facebook user, should they eventuality on it buried low in unlovely settings menus, would some-more expected pierce along than feel changed to lift out a remoteness purge.

(For a record we can entrance a environment here — nonetheless we do need to be logged into Facebook to do so.)

The other problem is that Facebook’s apparatus doesn’t indeed let we surprise your browsing history, it customarily delinks it from being compared with your Facebook ID. There is no choice to indeed transparent your browsing story around a button. Another reason for a name switch. So, no, Facebook hasn’t built a transparent story ‘button’.

“While we acquire a bid to offer some-more clarity to users by arrangement a companies from that Facebook is receiving personal data, a apparatus offers small proceed for users to take any action,” pronounced Privacy International this week, criticizing Facebook for “not revelation we everything”.

As a observant goes, a small trust can be a dangerous thing. So a small clarity implies — good — anything nonetheless clarity. And Privacy International sums adult a Off-Facebook Activity apparatus with an good oxymoron — describing it as “a new window to a opacity”.

“This apparatus illustrates customarily how unfit it is for users to forestall outmost information from being common with Facebook,” it writes, warning with emphasis: “Without revealing information about what information is collected and shared, and what are a ways for a user to opt-out from such collection, Off-Facebook activity is customarily another deficient peek into Facebook’s ambiguous practices when it comes to tracking users and consolidating their profiles.”

It points out, for instance, that a information supposing here is singular to a “simple name” — thereby preventing a user from “exercising their right to find some-more information about how this information was collected”, that EU users during slightest are entitled to.

“As users we are entitled to know a name/contact sum of companies that explain to have interacted with us. If a customarily thing we see, for example, is a pointless name of an artist we’ve never listened before (true story), how are we ostensible to know possibly it is their record label, agent, offered association or even them privately targeting us with ads?” it adds.

Another critique is Facebook is customarily providing singular information about any information send — with Privacy International observant some events are remarkable “under a mysterious CUSTOM” label; and that Facebook provides “no information per how a information was collected by a advertiser (Facebook SDK, tracking pixel, like button…) and on what device, withdrawal users in a dim per a resources underneath that this information collection took place”.

“Does Facebook unequivocally arrangement all they process/store about those events in a log/export?” queries remoteness researcher Wolfie Christl, who marks a adtech industry’s tracking techniques. “They have to, given differently they don’t do their SAR [Subject Access Request] obligations [under EU law].”

Christl records Facebook creates users burst by an additional “download” hoop in sequence to perspective information on tracked events — and even then, as Privacy International points out, it gives adult customarily a singular perspective of what has indeed been tracked…

“For example, given doesn’t Facebook list a specific sites/URLs visited? Do they infer information from a domains e.g. categories? If yes, given is this not in a logs?” Christl asks.

We reached out to Facebook with a series of questions, including given it doesn’t yield some-more fact by default. It responded with this matter attributed to spokesperson:

We offer a accumulation of collection to assistance people entrance their Facebook information, and we’ve designed these collection to approve with germane laws, including GDPR. We remonstrate with this [Privacy International] article’s claims and would acquire a possibility to plead them with Privacy International.

Facebook also pronounced it’s stability to rise that information it surfaces by a Off-Facebook Activity apparatus — and pronounced it welcomes feedback on this.

We also asked it about a authorised bases it uses to routine people’s information that’s been achieved around a tracking pixels and amicable plug-ins. It did not yield a response to those questions.

Six names, many questions…

When a association launched a Off-Facebook Activity apparatus a snap check of accessible TechCrunch colleagues showed unequivocally opposite formula for a sold tallies (which also competence not uncover a many new activity, per other Facebook caveats) — trimming from one co-worker who had an eye-watering 1,117 entities (likely down to doing a lot of app testing); to several with several/a few hundred apiece; to a integrate in a center tens.

In my box we had customarily six. But from my indicate of perspective — as an EU citizen with a apartment of rights compared to remoteness and information protection; and as someone who aims to use good online remoteness hygiene, including carrying a unequivocally sealed down proceed to regulating Facebook (never regulating a mobile app for instance) — it was still 6 too many. we wanted to find out how these entities had circumvented my attempts not to be tracked.

And in a box of a initial one in a list who on earth it was…

Turns out cloudfront is an Amazon Web Services Content Delivery Network subdomain. But we had to go acid online myself to figure out that a owners of that sold domain is (now) a association called Nativo.

Facebook’s list supposing customarily unequivocally unclothed skeleton information. we also clicked to delink a initial entity, given it immediately looked so weird, and found that by doing that Facebook wiped all a entries — that meant we was incompetent to keep entrance to what small additional info it had supposing about a sold information transfers.

Undeterred we set out to hit any of a 6 companies directly with questions — seeking what information of cave they had eliminated to Facebook and what authorised basement they suspicion they had for estimate my information.

(On a unsentimental turn 6 names looked like a representation distance we could during slightest try to follow adult manually — nonetheless remember we was a TechCrunch exception; suppose perplexing to ask information from 1,117 companies, or 450 or even 57, that were a lengths of lists of some of my colleagues.)

This routine took about a month and a lot of behind and forth/chasing up. It expected customarily yielded as many info as it did given we was seeking as a journalist; an normal Internet user competence have had a worse time removing courtesy on their questions — though, underneath EU law, adults have a right to ask a duplicate of personal information reason on them.

Eventually, we was means to obtain acknowledgment that tracking pixels and Facebook share buttons had been concerned in my information being upheld to Facebook in certain instances. Even so we sojourn in a dim on many things. Such as accurately what personal information Facebook received.

In one box we was told by a listed association that it doesn’t know itself what information was common — customarily Facebook knows given it’s implemented a company’s “proprietary code”. (Insert your possess ‘WTAF’ there.)

The authorised side of these transfers also stays rarely opaque. From my indicate of perspective we would not intentionally determine to any of this tracking — nonetheless in some instances a entities concerned explain that (my) determine was (somehow) achieved (or implied).

In other cases they pronounced they are relying on a authorised basement in EU law that’s referred to as ‘legitimate interests’. However this requires a balancing exam to be carried out to safeguard a business use does not have a jagged impact on sold rights.

I wasn’t means to discern possibly such tests had ever been carried out.

Meanwhile, given Facebook is also creation use of a tracking information from a pixels and amicable block sum (and clearly some-more granular use, given some entities claimed they customarily get total not sold data), Christl suggests it’s doubtful such a balancing exam would be easy to pass for that small small ‘platform giant’ reason.

Notably he points out Facebook’s Business Tool terms state that it creates use of so called “event data” to “personalize facilities and calm and to urge and secure a Facebook products” — including for “ads and recommendations”; for RD purposes; and “to contend a firmness of and to urge a Facebook Company Products”.

In a territory of a authorised terms covering a use of a pixels and SDKs Facebook also puts a responsibility on a entities implementing a tracking technologies to benefit determine from users before to doing so in germane jurisdictions that “require sensitive consent” for tracking cookies and identical — giving a instance of a EU.

“You contingency ensure, in a verifiable manner, that an finish user provides a required determine before we use Facebook Business Tools to capacitate us to store and entrance cookies or other information on a finish user’s device,” Facebook writes, indicating users of a collection to a Cookie Consent Guide for Sites and Apps for “suggestions on implementing determine mechanisms”.

Christl flags a counterbalance between Facebook claiming users of a tracking tech wanting to benefit before determine vs claims we was given by some of these entities that they don’t given they’re relying on ‘legitimate interests’.

“Using LI as a authorised basement is even argumentative if we use a information analytics association that reliably processes personal information particularly on seductiveness of you,” he argues. “I guess, attention lawyers try to disagree for a broader qualification of LI, nonetheless in a box of FB business collection we don’t trust that a balancing exam (a businesses legitimate interests vs. a impact on a rights and freedoms of information subjects) will work in preference of LI.”

Those entities relying on legitimate interests as a authorised bottom for tracking would still need to offer a resource where users can intent to a estimate — and we couldn’t immediately see such a resource in a cases in question.

One thing is transparent clear: Facebook itself does not yield a resource for users to intent to a estimate of tracking information nor opt out of targeted ads. That stays a long-standing censure opposite a business in a EU that information insurance regulators are still investigating.

One some-more thing: Non-Facebook users continue to have no proceed of training what information of theirs is being tracked and eliminated to Facebook. Only Facebook users have entrance to a Off-Facebook Activity tool, for example. Non-users can’t even entrance a list.

Facebook has shielded a use of tracking non-users around a Internet as required for vague ‘security purposes’. It’s an inherently jagged evidence of course. The use also stays underneath authorised plea in a EU.

Tracking a trackers

SimpleReach (aka d8rk54i4mohrb.cloudfront.net)

What is it? A California-based analytics height (now owned by Nativo) used by publishers and calm marketers to magnitude how good their content/native ads performs on amicable media. The product began life in a early noughties as a elementary apparatus for publishers to suggest identical calm during a bottom of articles before a startup pivoted — aiming to turn ‘the PageRank of social’ — charity analytics collection for publishers to lane rendezvous around calm in real-time opposite a amicable web (plugging into height APIs). It also built statistical models to envision that pieces of calm will be a many amicable and where, generating a exclusive per essay score. SimpleReach was acquired by Nativo final year to element analytics collection a latter already charity for tracking calm on a publisher/brand’s possess site.

Why did it seem in your Off-Facebook Activity list? Given it’s a b2b product it does not have a manifest consumer formula of a own. And, to my knowledge, we have never visited a possess website before to questioning given it seemed in my Off-Facebook Activity list. Clearly, though, we contingency have visited a site (or sites) that are regulating a tracking/analytics tools. Of march an Internet user has no apparent proceed to know this — unless they’re actively regulating collection to guard that trackers are tracking them.

In a serve quirk, conjunction a SimpleReach (nor Nativo) formula names seemed in my Off-Facebook Activity list. Rather a domain name was listed — d8rk54i4mohrb.cloudfront.net — that looked during initial peek weird/alarming.

I found this is owned by SimpleReach by regulating a tracker analytics service.

Once we knew a name we was means to bond a entrance to Nativo — around news reports of a merger — that led me to an entity we could approach questions to.  

What happened when we asked them about this? There was a bit of behind and onward and afterwards they sent a minute response to my questions in that they explain they do not share any information with Facebook — “or perform ‘off site activity’ as described on Facebook’s activity tool”.

They also suggested that their domain had seemed as a outcome of their tracking formula being implemented on a website we had visited that had also implemented Facebook’s possess trackers.

“Our record allows a Data Controllers to insert other tracking pixels or tags, regulating us as a tab manager that delivers formula to a page. It is probable that one of a business combined a Facebook pixel to an essay we visited regulating a technology. This could lead Facebook to charge this pixel to a domain, nonetheless a domain was merely a ‘carrier’ of a code,” they told me.

In terms of a information they collect, they pronounced this: “The customarily Personal Data that is collected by a SimpleReach Analytics tab is your IP Address and a incidentally generated id.  Both of these values are processed, anonymized, and many-sided in a SimpleReach height and not done accessible to anyone other than a sub-processors that are firm to routine such information customarily on a behalf. Such values are henceforth deleted from a element after 3 months. These values are used to give a business a ubiquitous thought of a series of users that visited a articles tracked.”

So, again, they suggested a reason given their domain seemed in my Off-Facebook Activity list is a mixed of Nativo/SimpleReach’s tracking technologies being implemented on a site where Facebook’s retargeting pixel is also embedded — that afterwards resulted in information about my online activity being common with Facebook (which Facebook afterwards attributes as entrance from SimpleReach’s domain).

Commenting on this, Christl concluded it sounds as if publishers “somehow insert Facebook pixel events to SimpleReach’s cloudfront domain”.

“SimpleReach substantially doesn’t get information from this. But a doubt is 1) is SimpleReach maybe indeed obliged (if it happens in a context of their domain); 2) The Off-Facebook activity is a disaster (if it contains events compared to domains whose owners are not web or app publishers).”

Nativo charity to establish possibly they reason any personal information compared with a singular identifier they have reserved to my browser if we could send them this ID. However we was incompetent to locate such an ID (see below).

In terms of authorised bottom to routine my information a association told me: “We have a right to routine information in suitability with supplies set onward in a several Data Processor agreements we have in place with Data Controllers.”

Nativo also suggested that a Offsite Activity in doubt competence have predated a squeeze of a SimpleReach record — that occurred on Mar 20, 2019 — observant any activity before to this would meant my query would need to be addressed directly with SimpleReach, Inc. that Nativo did not acquire. (However in this box a activity purebred on a list was antiquated after than that.)

Here’s what they pronounced on all that in full:

Thank we for submitting your information entrance request.  We know that we are a proprietor of a European Union and are submitting this ask pursuant to Article 15(1) of a GDPR.  Article 15(1) requires “data controllers” to respond to individuals’ requests for information about a estimate of their personal data.  Although Article 15(1) does not ask to Nativo given we are not a information controller with honour to your data, we have supposing information next that will assistance us in final a suitable Data Controllers, that we can hit directly.

First, for sum about a purpose in estimate personal information in tie with a SimpleReach product, greatfully see the SimpleReach Privacy Policy.  As a routine explains in some-more detail, we yield offered analytics services to other businesses – a customers.  To take advantage of a services, a business implement a record on their websites, that enables us to collect certain information per individuals’ visits to a customers’ websites. We examine a personal information that we obtain customarily during a instruction of a customer, and customarily on that customer’s behalf.

SimpleReach is an analytics tracker apparatus (Similar to Google Analytics) implemented by a business to surprise them of a opening of their calm published around a web.  “d8rk54i4mohrb.cloudfront.net” is a domain name of a servers that collect these metrics.  We do not share information with Facebook or perform “off site activity” as described on Facebook’s activity tool.  Our record allows a Data Controllers to insert other tracking pixels or tags, regulating us as a tab manager that delivers formula to a page.  It is probable that one of a business combined a Facebook pixel to an essay we visited regulating a technology.  This could lead Facebook to charge this pixel to a domain, nonetheless a domain was merely a “carrier” of a code.

The SimpleReach apparatus is implemented on articles posted by a business and partners of a customers.  It is probable we visited a URL that has contained a tracking code.  It is also probable that a Offsite Activity we are referencing is activity by SimpleReach, Inc. before Nativo purchased a SimpleReach technology. Nativo, Inc. purchased certain record from SimpleReach, Inc. on Mar 20, 2019, nonetheless we did not squeeze a SimpleReach, Inc. entity itself, that stays a apart entity independent with Nativo, Inc. Accordingly, any activity that occurred before Mar 20, 2019 pre-dates Nativo’s use of a SimpleReach record and should be addressed directly with SimpleReach, Inc. If, for example, TechCrunch was a publisher partner of SimpleReach, Inc. and had SimpleReach tracking formula implemented on TechCrunch articles or opposite a TechCrunch website before to Mar 20, 2019, any ensuing information collection would have been conducted by SimpleReach, Inc., not by Nativo, Inc.

As mentioned above, a tracking book collects and sends information to a servers formed on a articles it is implemented on. The customarily Personal Data that is collected by a SimpleReach Analytics tab is your IP Address and a incidentally generated id.  Both of these values are processed, anonymized, and many-sided in a SimpleReach height and not done accessible to anyone other than a sub-processors that are firm to routine such information customarily on a behalf. Such values are henceforth deleted from a element after 3 months.  These values are used to give a business a ubiquitous thought of a series of users that visited a articles tracked.

We do not, nor have we ever, shared ANY information with Facebook with regards to a information we collect from a SimpleReach Analytics tag, be it Personal Data or otherwise. However, as mentioned above, it is probable that one of a business combined a Facebook retargeting pixel to an essay we visited regulating a technology. If that is a case, we would not have perceived any information collected from such pixel or have trust of whether, and to what extent, a patron common information with Facebook. Without some-more information, we are incompetent to establish a specific patron (if any) on seductiveness of that we competence have processed your personal information. However, if we send us a singular identifier we have reserved to your browser… we can establish possibly we have any personal information compared with such browser on seductiveness of a patron controller, and, if we have, we can brazen your ask on to a controller to respond directly to your request.

As a Data Processor we have a right to routine information in suitability with supplies set onward in a several Data Processor agreements we have in place with Data Controllers.  This form of agreement is designed to strengthen Data Subjects and safeguard that Data Processors are reason to a same standards that both a GDPR and a Data Controller have put forth.  This is a same form of agreement used by all other analytics tracking collection (as good as many other forms of tools) such as Google Analytics, Adobe Analytics, Chartbeat, and many others.

I also asked Nativo to endorse possibly Insider.com (see below) is a patron of Nativo/SimpleReach.

The association told me it could not divulge this “due to confidentiality restrictions” and would customarily reveal a temperament of business if “required by germane law”.

Again, it pronounced that if we supposing a “unique identifier” reserved to my browser it would be “happy to lift a list of personal information a SimpleReach/Nativo systems now have stored for your singular identifier (if any), including a suitable Data Controllers”. (“If we have any personal data collected from we on seductiveness of Insider.com, it would come adult in a list of DataControllers,” it suggested.)

I checked mixed browsers that we use on mixed inclination nonetheless was incompetent to locate an ID trustworthy to a SimpleReach cookie. So we also asked possibly this competence seem trustworthy to any other cookie.

Their response:

Because a data is possibly pseudonymized or anonymized, and we do not record of any other pieces of Personal Data about you, it will not be probable for us to locate this data nonetheless a cookie value.  The SimpleReach user cookie is, and has always been, in a “__srui” cookie underneath a “.simplereach.com” domain or any of a sub-domains. If we are incompetent to locate a SimpleReach user cookie by this name on your browser, it competence be given we are regulating a opposite device or given we have privileged your cookies (in that box we would no longer have a ability to map any personal data we have formerly collected from we to your browser or device). We do have other cookies (under a domains postrelease.com, admin.nativo.com, and cloud.nativo.com) nonetheless those cookies would not be compared to a coming of SimpleReach in a list of Off Site Activity on your Facebook account, per your strange inquiry.

What did we learn from their inclusion in a Off-Facebook Activity list? There seemed to be a association between this domain and a publisher, Insider.com, that also seemed in my Off-Facebook Activity list — as both logged events bear a same date; and Insider.com is a publisher so would tumble into a right patron difficulty for regulating Nativo’s tool.

Given those correlations we was means to theory Insider.com is a patron of Nativo. (I reliable this when we spoke to Insider.com) — so Facebook’s apparatus is means to trickle relational inferences compared to a tracking attention by surfacing/mapping business connectors that competence not have been differently evident.

Insider.com

What is it? A New York formed business media association that owns brands such as Business Insider and Markets Insider

Why did it seem in your Off-Facebook Activity list? I suppose we clicked on a record essay that seemed in my Facebook News Feed or elsewhere nonetheless when we was logged into Facebook

What happened when we asked them about this? After about a week of radio overpower an worker in Insider’com’s authorised dialect got in reason to contend they could plead a emanate on background.

This chairman told me a information in a Off-Facebook Activity apparatus came from a Facebook share symbol that is embedded on all articles it runs on a media websites. They reliable that a share symbol can share information with Facebook regardless of possibly a site caller interacts with a symbol or not.

In my box we positively would not have interacted with a Facebook share button. Nonetheless information was passed, simply by consequence of loading a essay page itself.

Insider.com pronounced a Facebook share symbol widget is integrated into a sites regulating a customary set-up that Facebook intends publishers to use. If a share symbol is clicked information compared to that movement would be common with Facebook and would also be perceived by Insider.com (though, in this scenario, it pronounced it doesn’t get any personalized information — nonetheless rather gets total data).

Facebook can also automatically collect other information when a user visits a webpage that incorporates a amicable plug-ins.

Asked possibly Insider.com knows what information Facebook receives around this pacifist lane a association told me it does not — observant a plug-in runs exclusive Facebook code. 

Asked how it’s collecting determine from users for their information to be common passively with Facebook, Insider.com pronounced a Privacy Policy stipulates users determine to pity their information with Facebook and other amicable media sites. It also pronounced it uses a authorised belligerent famous as legitimate interests to yield functionality and get analytics on articles.

In a active box (of a user clicking to share an article) Insider.com pronounced it interprets a user’s movement as consent.

Insider.com reliable it uses SimpleReach/Nativo analytics tools, definition site caller information is also being upheld to Nativo when a user lands on an article. It pronounced determine for this data-sharing is enclosed within a determine government height (it uses a CMP done by Forcepoint) that asks site visitors to mention their cookie choices.

Here site visitors can select for their information not to be common for analytics functions (which Insider.com pronounced would forestall information being passed).

I customarily ask all cookie determine opt outs, where available, so I’m a small astounded Nativo/SimpleReach was upheld my information from an Insider.com webpage. Either we unsuccessful to click a opt out one time or unsuccessful to respond to a cookie notice and information was upheld by default.

It’s also probable we did opt out nonetheless information was upheld anyway — as there has been examine that has found a suit of cookie notifications omit choices and pass information anyway (unintentionally or otherwise).

Follow adult questions we sent to Insider.com after we talked:

1) Can we endorse possibly Insider has achieved a legitimate interests assessment?
2) Does Insider have a site resource where users can intent to a pacifist data send to Facebook from a share buttons?

Insider.com did not respond to my additional questions.

What did we learn from their inclusion in a Off-Facebook Activity list? That Insider.com is a patron of Nativo/SimpleReach.

Rei.com

What is it? A California-based ecommerce website offered outside gear

Why did it seem in your Off-Facebook Activity list? I don’t remember ever visiting their site before to looking into given it seemed in a list so I’m unequivocally not sure

What happened when we asked them about this? After observant it would examine it followed adult with a statement, rather than minute responses to my questions, in that it claims it does not reason any personal information compared with — presumably — my TechCrunch email, given it did not ask me what information to check against.

It also seemed to be claiming that it uses Facebook tracking pixels/tags on a website, nonetheless categorically observant as much, essay that: “Facebook competence collect information about your interactions with a websites and mobile apps and simulate that information to we by their Off-Facebook Activity tool.”

It claims it has no entrance to this information — that it says is “pseudonymous to us” nonetheless suggested that if we have a Facebook comment Facebook could couple any browsing on Rei’s site to my Facebook’s temperament and therefore lane my activity.

The association also forked me to a Facebook Help Center post where a association names some of a activities that competence have resulted in Rei’s website promulgation activity information on me to Facebook (which it could afterwards couple to my Facebook ID) — nonetheless Facebook’s list is not downright (included are: “viewing content”, “searching for an item”, “adding an object to a selling cart” and “making a donation” among other activities a association marks by carrying a formula embedded on third parties’ sites).

Here’s Rei’s matter in full:

Thank we for your calm as we looked into your questions.  We have checked a systems and energetic that REI does not contend any personal information compared with we formed on a information we provided.  Note, however, that Facebook competence collect information about your interactions with a websites and mobile apps and simulate that information to we by their Off-Facebook Activity tool. The information that Facebook collects in this demeanour is pseudonymous to us — definition we can't brand we regulating a information and we do not contend a information in a demeanour that is associated to your name or other identifying information. However, if we have a Facebook account, Facebook competence be means to compare this activity to your Facebook comment around a singular identifier taken to REI. (Funnily enough, while researching this we found TechCrunch in MY list of Off-Facebook activity!)

For a finish list of activities that could have resulted in REI pity pseudonymous information about we with Facebook, this Facebook Help Center essay competence be useful.  For a minute outline of a ways in that we competence collect and share patron information, a functions for that we competence routine your data, and rights accessible to EEA residents, greatfully impute to a Privacy Policy.  For information about how REI uses cookies, greatfully impute to a Cookie Policy.

As a follow adult doubt we asked Rei to tell me that Facebook collection it uses, indicating out that: “Given that, customarily given we aren’t (as we know it) directly regulating my data yourself that does not meant we are not obliged for my data being eliminated to Facebook.”

The association did not respond to that point.

I also formerly asked Rei.com to endorse possibly it has any data sharing arrangements with a publisher of Rock Ice repository (see below). And, if so, to endorse a processes concerned in data being shared. Again, we got no response to that.

What did we learn from their inclusion in a Off-Facebook Activity list? Given that Rei.com seemed alongside Rock Ice on a list — both displaying a same date and customarily one activity each — we surmised they have some kind of data-sharing arrangement. They are also both outside brands so there would be apparent blurb ‘synergies’ to underpin such an arrangement.

That said, conjunction would endorse a business attribute to me. But Facebook’s list heavily implies there is some credentials data-sharing going on

Rock Ice magazine 

What is it? A climbing repository constructed by a California-based publisher, Big Stone Publishing

Why did it seem in your Off-Facebook Activity list? I suppose we clicked on a couple to a climbing-related essay in my Facebook feed or else visited Rock Ice’s website while we was logged into Facebook in a same browser session

What happened when we asked them about this? After ignoring my initial email query we subsequently perceived a brief response from a publisher after we followed adult — that read:

The Rock and Ice website is opt in, where we have to determine to terms of use to entrance a website. we don’t know what private information we are observant Rock and Ice shared, so we can’t pronounce to that. The site terms are here. As settled in a terms we can opt out.

Following up, we asked about a sustenance in a Rock Ice website’s cookie notice that states: “By stability to use a site, we determine to a cookies” — seeking possibly it’s flitting information nonetheless watchful for a user to vigilance their consent.

(Relevant: In Oct Europe’s tip justice released a statute that active determine is required for tracking cookies, so we can’t dump cookies before to a user giving determine for we to do so.)

The publisher responded:

You have to opt in and determine to a terms to use a website. You competence opt out of cookies, that is lonesome in a terms. If we do not wish a advantages of these promotion cookies, we competence be means to opt-out by visiting: http://www.networkadvertising.org/optout_nonppii.asp.

If we don’t wish any cookies, we can find extensions such as Ghostery or a browser itself to stop and exclude cookies. By doing so nonetheless some websites competence not work properly.

I followed adult again to indicate out that I’m not seeking about a options to opt in or opt out but, rather, a function of a website if a caller does not yield a determine response nonetheless continues browsing — seeking for acknowledgment Rock Ice’s site interprets this state as determine and therefore sends data.

The publisher stopped responding during that point.

Earlier we had asked it to endorse possibly a website shares caller information with Rei.com? (As remarkable above, a dual seemed with a same date on a list that suggests information competence be being upheld between them.) we did not get a respond to that doubt either.

What did we learn from their inclusion in a Off-Facebook Activity list? That a repository appears to have a data-sharing arrangement with outside tradesman Rei.com, given how a span seemed during a same indicate in my list. However conjunction would endorse this when we asked

MatterHackers

What is it? A California-based tradesman focused on 3D copy and digital manufacturing

Why did it seem in your Off-Facebook Activity list? we overtly have no idea. we have never to my trust visited their site before to questioning given they should seem on my Off Site Activity list.

I sojourn flattering meddlesome to know how/why they managed to lane me. we can customarily presupposition we clicked on some technology-related calm in my Facebook feed, possibly intentionally or by accident.

What happened when we asked them about this? They initial asked me for acknowledgment that they were on my list. After we had sent a screenshot, they followed adult to contend they would investigate. we pushed again after conference zero for several weeks. At this indicate they asked for additional information from a Off-Facebook Activity apparatus — namely some-more granular metrics, such as a time and date per eventuality and some tab information — to assistance with tracking down this sold data-exchange.

I had formerly supposing them with a date (as it appears in a screenshot) nonetheless it’s probable to download additional an additional turn of information about information transfers that includes per eventuality time/date-stamps and labels/tags, such as “VIEW_CONTENT” .

However, as remarkable above, we had formerly comparison and deleted one object off of my Off-Facebook Activity list, after that Facebook’s height had immediately erased all entries and compared metrics. There was no apparent proceed we could redeem entrance to that information.

“Without this information we would assume that we noticed an essay or product on a site — we tell a lot of ‘How To’ calm compared to 3D copy and other digital production technologies — this information could have afterwards been prisoner by Facebook around Adroll for ad retargeting purposes,” a MatterHackers orator told me. “Operationally, we have no other information pity resource with Facebook.”

Subsequently, a association reliable it implements Facebook’s tracking pixel on each page of a website.

Of a pixel Facebook writes that it enables website owners to lane “conversions” (i.e. website actions); emanate tradition audiences that shred site visitors by criteria that Facebook can brand and compare opposite a user-base, permitting for a site owners to aim ads around Facebook’s height during non-customers with a identical profile/criteria to existent business that are browsing a site; and for formulating energetic ads where a template ad gets populated with product calm formed on tracking information for that sold visitor.

Regarding a authorised bottom for a information sharing, MatterHackers had this to say: “MatterHackers is not an EU entity, nor do we control business in a EU and so have not undertaken GDPR correspondence measures. CCPA [California’s Consumer Privacy Act] will expected ask to a business as of 2021 and we have begun a routine of ensuring that a website will be in correspondence with those regulations as of Jan 1st.”

I forked out that GDPR is extraterritorial in range — and can ask to non-EU formed entities, such as if they’re monitoring people in a EU (as in this case).

Also expected relevant: A statute final year by Europe’s tip court found sites that hide third celebration plug-ins such as Facebook’s like symbol are jointly obliged for a initial information estimate — and contingency possibly obtain sensitive determine from site visitors before to information being eliminated to Facebook, or be means to denote a legitimate seductiveness authorised basement for estimate this data.

Nonetheless it’s still not transparent what authorised bottom a association is relying on for implementing a tracking pixel and flitting information on EU Facebook users.

When asked about this MatterHacker COO, Kevin Pope, told me:

What did we learn from their inclusion in a Off-Facebook Activity List? we found out that an ecommerce association we had never listened of had been tracking me

Wallapop

What is it? A Barcelona-based peer-to-peer marketplace app that lets people list secondhand things for sale and/or to hunt for things to buy in their proximity. Users can accommodate in chairman to lift out a transaction profitable in money or there can be an choice to compensate around a height and have an object posted

Why did it seem in your Off-Facebook Activity list? This was a customarily digital activity that seemed in a list that was something we could explain — reckoning out we contingency have used a Facebook sign-in choice when regulating a Wallapop app to buy/sell. we wouldn’t routinely use Facebook sign-in nonetheless for trust-based marketplaces there competence be user advantages to leveraging network effects.

What happened when we asked them about this? After my query was booted around a bit a PR association that works with Wallapop responded seeking to speak by what information we was perplexing to ascertain.

After we chatted they sent this response — attributed to sources from Wallapop:

Same as it happens with other apps, wallapop can seem on a users’ Facebook Off Site Activity page if they have interacted in any proceed with a height while they were logged in their Facebook accounts. Some communication examples embody logging in around Facebook, visiting a website or carrying both apps non-stop and logged.

As other apps do, wallapop customarily shares activity events with Facebook to optimize users’ ad experience. This includes if a user is purebred in wallapop, if they have uploaded an object or if they have started a conversation. Under no business wallapop shares with Facebook a users’ personal information (including sex, name, email residence or write number).

At wallapop, we are entirely committed with a confidence of a village and we do a protected diagnosis of a information they select to share with us, in correspondence with EU’s General Data Protection Regulation. Under no business these information are common with third parties nonetheless pithy authorization.

I followed adult to ask for serve sum about these “activity events” — seeking whether, for instance, Wallapop shares messaging calm with Facebook as good as vouchsafing a amicable network know that equipment a user is chatting about.

“Under no business a calm of a users’ messages is common with Facebook,” a orator told me. “What is common is singular to a fact that a review has been instituted with another user in propinquity to a specific item, this is, activity events. Under no business we would share a users’ personal information either.”

Of march a indicate is Facebook is means to couple all app activity with a user ID it already has — so each square of activity information being common is personal data.

I also asked what authorised bottom Wallapop relies on to share activity information with Facebook. They pronounced a authorised basement is “explicit determine given by users” during a indicate of signing adult to use a app.

“Wallapop collects pithy determine from a users and during any time they can practice their rights to their data, that embody a alteration of determine given in a initial place,” they said.

“Users give their pithy determine by clicking in a analogous box when they register in a app, where they also get a possibility to opt out and not do it. If after on they wish to change a determine they gave in initial instance, they also have that choice by a app. All a information is clearly accessible on a Privacy Policy, that is GDPR compliant.”

“At wallapop we take a community’s remoteness and confidence unequivocally severely and we follow recommendations from a Spanish Data Protection Agency,” it added

What did we learn from their inclusion in a Off-Facebook Activity list? Not many some-more than we would have already guessed — i.e. that regulating a Facebook sign-in choice in a third celebration app grants a amicable media hulk a high grade of prominence into your activity within another service.

In this box a Wallapop app purebred a many activity events of all 6 of a listed apps, displaying 13 vs customarily one each for a others — so it gave a bit of a revealing peek into a volume of third celebration app information that can be upheld if we opt to open a Facebook login wormhole into a apart service.

About the Author