You Probably Don’t Know All the Ways Facebook Tracks You

We’re all aware of the deal we make when we sign up with Facebook: we get somewhere to post vacation photos and stalk friends, and Mark Zuckerberg gets to sell your passion for fishing trips to fishing equipment retailers.

What you might not realise is how deep or extensive the tracking goes, so let’s shed some light on it.

All of this is well within Facebook’s remit. You’re using its services and, per its privacy policy, it can do what it likes with the data you hand over: Facebook’s full privacy policy is here.

There are some ways to limit the reach of Facebook’s data-sucking tentacles (and we’ll go through them below), but ultimately the only way to really get back all of your privacy is to delete your account.

Some of the relationship between your actions on Facebook and how Facebook uses those actions for financial gain is immediately obvious: like a page on Coke, and you see more adverts for the fizzy beverage.

But less obvious are the ways Facebook joins the dots between the data points it collects, building up a picture of who you are and what you might be interested in. Whether or not it’s 100 percent accurate doesn’t really matter, because it can still sell targeted adverts at a higher rate.

“Even if people are aware of what data they’re telling Facebook about themselves, they’re unaware about the types of correlations that Facebook can make based on that data,” Bruce Schneier, a security expert and fellow at Harvard’s Berkman Center, told Gizmodo.

“This is normal, we tend to focus on the data collection because that’s easier to see. I think the real problem are the correlations, which are much harder to see.”

Take Facebook’s 2014 analysis of which users are in relationships, even if it’s not declared on their profiles. The way your posting frequency sheds light on your life is one of the correlations that Facebook can use, and this was four years ago!

The data in the experiment was aggregated and anonymised, Facebook says, but it shows the reach of Facebook’s digital surveillance apparatus.

If you want an idea of how Facebook perceives your online behavior and transforms it into tailored advertisements, log into the site and visit your Ad Preferences page.

“Everything people do, either on Facebook directly or on sites that have a Facebook ‘Like’ button, reveals information about them to Facebook,” adds Schneier. “That’s an important point: Facebook tracks you even when you’re not on Facebook, because of their extensive surveillance network on sites that link to them.”
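As an added illustration (not part of the original article), the Python sketch below lists the Facebook-hosted resources a page loads automatically, which is the mechanism behind the off-site tracking described above. The sample HTML is constructed, and the function names and labels are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains Facebook serves embedded widgets and pixels from.
FB_DOMAINS = ("facebook.com", "facebook.net", "fbcdn.net")
# Tags whose src is fetched as soon as the page loads (a plain <a> link is not).
AUTOLOAD_TAGS = {"script", "iframe", "img"}

def classify(url):
    """Label a URL hosted on a Facebook domain; return None for anything else."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    host = (parts.hostname or "").lower()
    if not any(host == d or host.endswith("." + d) for d in FB_DOMAINS):
        return None  # first-party, relative, or look-alike host
    if host == "connect.facebook.net":
        return "sdk-script"          # JavaScript SDK behind Like and Login buttons
    if parts.path.startswith("/plugins/"):
        return "social-plugin"       # iframe version of a Like/Share button
    if parts.path.rstrip("/") == "/tr":
        return "tracking-pixel"
    return "other-facebook-resource"

class EmbedFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag in AUTOLOAD_TAGS else None
        label = classify(src) if src else None
        if label:
            self.hits.append((tag, label))

def find_facebook_embeds(html):
    finder = EmbedFinder()
    finder.feed(html)
    return finder.hits

# Constructed sample page (not a real site).
SAMPLE_PAGE = """
<script async src="https://connect.facebook.net/en_US/sdk.js"></script>
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fnews.example%2F"></iframe>
<img height="1" width="1" src="https://www.facebook.com/tr?id=0000000000&amp;ev=PageView">
<a href="https://www.facebook.com/examplepage">Follow us</a>
<script src="https://facebook.com.cdn.example/app.js"></script>
"""
```

Calling `find_facebook_embeds()` on a page's saved source returns one `(tag, label)` pair for each embed that makes the browser contact Facebook on load; the ordinary link and the look-alike host in the sample are not reported.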

The Big Reveal

Even if you’re careful about the advertisers and businesses you interact with on Facebook, the social network’s range of technologies means it’s very hard to stay completely untracked as you move about the web.

Load up Facebook’s ad policy page and you can learn about some of the ways you might be exposing yourself to eager advertisers. Facebook knows when you share information with a business, sign up for a loyalty program, or even add items to a shopping cart that you then never purchase.

As Facebook’s algorithms get smarter, its automated tracking gets smarter too. For example, facial recognition is a handy little AI trick you can use when you want to call up all the pictures you and your best buddy have been in together, but it also means Facebook can now recognise you in photos without you actually having to go to the trouble of tagging yourself, something that’s got the platform into hot water in Europe.

“As images are posted and you are tagged... facial recognition is continually refined,” Craig Spiezle, Chairman of the Online Trust Allowance, told Gizmodo. “Do users understand the implications? For example if there is a group photo of a project or an event, you may automatically be recognised and tagged.”

“Settings can be complex and while I think [Facebook] does try to provide notices on changes, I believe the typical user ignores it,” adds Spiezle, saying that while these tracking features can be disabled in certain cases, “these all come with a trade off to the user experience” on the network. That means that in order to enjoy the full benefit of what Facebook potentially has to offer, you also have to give away much of your privacy.

Facebook isn’t the only company working on facial recognition and it’s not the only company that has to answer questions about how this automated scanning could be used to track us in the physical world when we’re not even aware of it.

There are plenty more examples of how Facebook adds to its user profiles too:

  • Where you’re going: The big data point Facebook gets when you install its mobile applications is where you are every second of the day. This gives it information on the bands you like seeing, the tourist spots you enjoy, and even the individual stores you walk into. If you’re not happy with this, you can revoke these permissions on Android and iOS.
  • The websites you visit: So many websites and third-party services use Facebook technologies, from Like buttons to login options, that Facebook has a pretty good idea of what you’re up to when you’re not actually on Facebook. If you want to limit how this data can be collected and used, then you need to do some tidying up in your Facebook settings.
  • Your financial status: Even if you never post about your money worries (or joys) on Facebook, it can still build up a fairly good assessment of your financial position to sell on to advertisers. How? By combining data points like your online purchases and where you live, together with records provided by its marketing partners from various sources.
  • Status updates you almost post: Facebook can tell when you’re about to write something and then think better of it, as per a 2012 research paper (though the contents of your self-censored musings aren’t logged). If you’re thinking of making a drunken boast or a barbed comment and then think better of it, Facebook sees your indecisiveness.
  • Apps you install: It’s not just Facebook’s privacy policy you need to worry about, but also how third-party apps are using your data. While a Facebook quiz may seem innocuous, telling the world which bands you’ve seen gives another data point to advertisers. Pay close attention to the permissions apps ask for and remove the ones you don’t need.
  • Apps your friends install: Bad news: apps your dimwitted friends install can gather information you’re sharing with them too. To limit this, go to the Apps section of Settings on Facebook, click Edit under Apps others use, and then untick all the categories of information you’re not comfortable sharing. Alternatively, unfriend the worst offenders.
  • When you’re feeling low: Another trick Facebook’s algorithms can do is make a pretty good guess about when you’re at a low ebb. This is one of the data points Facebook promises it isn’t selling on to advertisers, but it’s a sign of the way all these various social media signals can be combined together to make some revealing conclusions about you.
  • Facebook’s other apps: Even if you barely touch Facebook, the social network can still harvest information about you through the other apps it owns, like Instagram and WhatsApp. If you want to stop this from happening, you can switch off data sharing in WhatsApp, though you’re more or less stuck with it if you’re an Instagram user.

Do you know where your data is?

Facebook sees everything you do on the platform, though it does offer a decent amount of control over who else can see your posts and who can’t.

Sometimes, however, these lines aren’t as clearly marked as you might think, and with a little bit of expert know-how, other people can dig deeper into your profile than you might like.

Michael Bazzell collects publicly available online data for his job as a security expert (he’s served as a technical advisor on Mr. Robot), and was able to show us how to check on the big information you might be revealing without knowing it.

First, head here, click the Facebook link on the left side of the page, and enter your username into the FB User Name field to get your profile number (a long series of digits). Log into Facebook and try any of the following URLs to see what you (or your friends) have been up to.

  • Places you’ve checked into:
    www.facebook.com/search/<userID>/places-checked-in  
  • Events you’re going to/interested in:
    www.facebook.com/search/<userID>/events    
  • Photos you’ve commented on:
    www.facebook.com/search/<userID>/photos-commented    
  • Facebook videos you’ve liked:
    www.facebook.com/search/<userID>/videos-liked

You can pick up data here that’s not necessarily available through your profile and can even in some cases be seen by people who you’re not friends with on Facebook, as long as the posts are public. If other people can uncover these sorts of results with a few clicks, imagine what’s going on deep within Facebook’s servers.

“The examples above were done legally and within the intention of Facebook’s search,” Bazzell, who doesn’t post anything on Facebook, told us. “There was nothing shady. I only pulled publicly available details.”

“My view is that anything posted to a social network is public data, regardless of the privacy settings. I don’t blame Facebook, I blame all of us for not investigating the companies that want our data. Facebook does not charge its users for access, yet makes billions of dollars. The users are the product.”

It’s up to you whether you find the services of Facebook (or Google or Apple or Amazon) useful enough to be worth the privacy trade-off, but what’s certain is we’re in a new age of data tracking, one that goes way beyond the information we’re actually aware that we’re sharing.

Gizmodo:    Image: Nick Youngson 
