Facebook Is Tracking Me Even Though I’m Not on Facebook

I don't use Facebook. I'm not technophobic — I'm a geek. I've been using email since the early 1990s, I have accounts on hundreds of services around the net, and I do software development and internet protocol design both for work and for fun. I believe that a globe-spanning communications network like the internet can be a positive social force, and I publish much of my own work on the open web.

But Facebook and other massive web companies represent a strong push toward unaccountable centralized social control, which I think makes our society more unequal and more unjust. The Cambridge Analytica scandal is one instance of this long-running problem with what I call the "surveillance economy." I don't want to submit to these power structures, and I don’t want my presence on such platforms to serve as bait that lures other people into the digital panopticon.

But while I've never "opted in" to Facebook or any of the other big social networks, Facebook still has a detailed profile that can be used to target me. I've never consented to having Facebook collect my data, which can be used to draw very detailed inferences about my life, my habits, and my relationships. As we aim to take Facebook to task for its breach of user trust, we need to think about what its capabilities imply for society overall. After all, if you do #deleteFacebook, you'll find yourself in my shoes: non-consenting, but still subject to Facebook’s globe-spanning surveillance and targeting network.

There are at least two major categories of information available to Facebook about non-participants like me: information from other Facebook users, and information from sites on the open web.

Information from other Facebook users

When you sign up for Facebook, it encourages you to upload your list of contacts so that the site can "find your friends." Facebook uses this contact information to learn about people, even if those people don't agree to participate. It also links people together based on who they know, even if the shared contact hasn't agreed to this use.

For example, I received an email from Facebook that lists the people who have all invited me to join Facebook: my aunt, an old co-worker, a friend from elementary school, etc. This email includes names and email addresses — including my own name — and at least one web bug designed to identify me to Facebook’s web servers when I open the email. Facebook records this group of people as my contacts, even though I've never agreed to this kind of data collection.

Similarly, I'm sure that I'm in some photographs that someone has uploaded to Facebook — and I'm probably tagged in some of them. I've never agreed to this, but Facebook could still be keeping track.

So even if you decide you need to join Facebook, remember that you might be giving the company information about someone else who didn't agree to be part of its surveillance platform.

Information from sites on the open Web

Nearly every website that you visit that has a "Like" button is actually encouraging your browser to tell Facebook about your browsing habits. Even if you don't click on the "Like" button, displaying it requires your browser to send a request to Facebook's servers for the "Like" button itself. That request includes information mentioning the name of the page you are visiting and any Facebook-specific cookies your browser might have collected. (See Facebook's own description of this process.) This is called a "third-party request."

This makes it possible for Facebook to create a detailed picture of your browsing history — even if you've never even visited Facebook directly, let alone signed up for a Facebook account.

Think about most of the web pages you've visited — how many of them don't have a "Like" button? If you administer a website and you include a "Like" button on every page, you're helping Facebook to build profiles of your visitors, even those who have opted out of the social network. Facebook’s “Share” buttons on other sites — along with other tools — work a bit differently from the “Like” button, but do effectively the same thing.

The profiles that Facebook builds on non-users don't necessarily include so-called "personally identifiable information" (PII) like names or email addresses. But they do include fairly unique patterns. Using Chromium's NetLog dumping, I performed a simple five-minute browsing test last week that included visits to various sites — but not Facebook. In that test, the PII-free data that was sent to Facebook included information about which news articles I was reading, my dietary preferences, and my hobbies.

Given the precision of this kind of mapping and targeting, "PII" isn’t necessary to reveal my identity. How many vegans examine specifications for computer hardware from the ACLU's offices while reading about Cambridge Analytica? Anyway, if Facebook combined that information with the "web bug" from the email mentioned above — which is clearly linked to my name and e-mail address — no guesswork would be required.

I'd be shocked if Facebook were not connecting those dots given the goals they claim for data collection:

"We use the information we have to improve our advertising and measurement systems so we can show you relevant ads on and off our Services and measure the effectiveness and reach of ads and services."

This is, in essence, exactly what Cambridge Analytica did.

Consent

Facebook and other tech companies often deflect accusations against excessive data collection by arguing "consent" — that they harvest and use data with the consent of the users involved.

But even if we accept that clicking through a "Terms of Service" that no one reads can actually constitute true consent, even if we ignore the fact that these terms are overwhelmingly one-sided and non-negotiable, and even if we accept that it's meaningful for people to give consent when sharing data about other people who may have also opted in — what is the recourse for someone who has not opted into these systems at all?

Are those of us who have explicitly avoided agreeing to the Facebook terms of service simply fair game for an industry-wide surveillance and targeting network?

Privilege

I don’t mean to critique people who have created a Facebook profile or suggest they deserve whatever they get.

My ability to avoid Facebook comes from privilege — I have existing social contacts with whom I know how to stay in touch without using Facebook's network. My job does not require that I use Facebook. I can afford the time and expense to communicate with my electoral representatives and political allies via other channels.

Many people do not have these privileges and are compelled to "opt in" on Facebook's non-negotiable terms.

Many journalists, organizers, schools, politicians, and others who have good reasons to oppose Facebook's centralized social control feel compelled by Facebook's reach and scale to participate in their practices, even those we know to be harmful. That includes the ACLU.

Privacy should not be a luxury good, and while I'm happy to encourage people to opt out of these subtle and socially fraught arrangements, I do not argue that anyone who has signed up has somehow relinquished concerns about their privacy. We need to evaluate privacy concerns in their full social contexts. These are not problems that can be resolved on an individual level, because of the interpersonal nature of much of this data and the complexities of the tradeoffs involved.

Technical countermeasures

While they may not solve the problem, there are some technical steps people can take to limit the scope of these surveillance practices. For example, some web browsers do not send "third-party cookies" by default, or they scope cookies so that centralized surveillance doesn't get a single view of one user. The most privacy-preserving modern browser is the Tor Browser, which everyone should have installed and available, even if it's not the browser they choose to use every day. It limits the surveillance ability of systems that you have not signed up for to track you as you move around the web.

You can also modify some browsers — for example, with plug-ins for Firefox and Chrome — so that they do not send third-party requests at all. Firefox is also exploring even more privacy-preserving techniques.

It can’t be denied, though, that these tools are harder to use than the web browsers most people are accustomed to, and they create barriers to some online activities. (For example, logging in to some sites and accessing some web applications is impossible without third-party cookies.)

Some website operators take their visitors' privacy more seriously than others, by reducing the number of third-party requests. For example, it's possible to display "share on Facebook" or "Like" buttons without sending user requests to Facebook in the first place. The ACLU's own website does this because we believe that the right to read with privacy is a fundamental protection for civic discourse.

If you are responsible for running a website, try browsing it with a third-party-blocking extension turned on. Think about how much information you're requiring your users to send to third parties as a condition for using your site. If you care about being a good steward of your visitors' data, you can re-design your website to reduce this kind of leakage.
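As an added example (not part of the original article and not the ACLU's own tooling), here is a static check a site operator could run over a page's HTML. It separates third-party resources the browser fetches automatically, such as an embedded button, from plain links that contact the third party only on a click. Every host is a constructed .example name, and the first-party test is a stated simplification.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urljoin, urlsplit

# Constructed sample page; every host is a made-up .example name.
PAGE_URL = "https://news.example/articles/vegan-recipes"
SAMPLE_HTML = """
<link rel="canonical" href="https://syndication.example/vegan-recipes">
<link rel="stylesheet" href="https://fonts.thirdparty.example/css?family=Sans">
<script src="/static/site.js"></script>
<script src="//analytics.tracker.example/pixel.js"></script>
<img src="https://cdn.news.example/logo.png">
<iframe src="https://widgets.social.example/like?href=https%3A%2F%2Fnews.example%2Farticles%2Fvegan-recipes"></iframe>
<a href="https://social.example/share?u=https%3A%2F%2Fnews.example%2Farticles%2Fvegan-recipes">Share</a>
"""

# Tag/attribute pairs a browser fetches on its own while rendering.
AUTO_FETCH = {("script", "src"), ("img", "src"), ("iframe", "src"), ("object", "data")}
LINK_RELS_FETCHED = {"stylesheet", "icon", "preload", "prefetch"}


def is_third_party(host, site_host):
    # Assumption: subdomains are first-party; real tools use the Public Suffix List.
    site = site_host[4:] if site_host.startswith("www.") else site_host
    return not (host == site or host.endswith("." + site))


class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        # Each entry is (host, url, page_address_appears_in_request_url).
        self.automatic = []  # requested as soon as the page renders
        self.on_click = []   # requested only if the visitor follows the link

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._record(attrs["href"], self.on_click)
        elif tag == "link" and attrs.get("href"):
            rels = set((attrs.get("rel") or "").lower().split())
            if rels & LINK_RELS_FETCHED:  # rel=canonical is never fetched
                self._record(attrs["href"], self.automatic)
        else:
            for name, value in attrs.items():
                if (tag, name) in AUTO_FETCH and value:
                    self._record(value, self.automatic)

    def _record(self, raw_url, bucket):
        url = urljoin(self.page_url, raw_url)  # resolves "/x" and "//host/x"
        host = urlsplit(url).hostname
        if host and is_third_party(host, self.site_host):
            bucket.append((host, url, self.page_url in unquote(url)))


def audit(page_url, html):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return {"automatic": parser.automatic, "on_click": parser.on_click}


if __name__ == "__main__":
    for kind, rows in audit(PAGE_URL, SAMPLE_HTML).items():
        print(kind, [(host, leaks) for host, _, leaks in rows])
```

A static pass like this does not see requests that scripts issue after they load, so it complements the browsing test with a third-party-blocking extension rather than replacing it.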

Opting out?

Some advertisers claim that you can "opt out" of their targeted advertising, and even offer a centralized place meant to help you do so. However, my experience with these tools isn't a positive one. They don't appear to work all of the time. (In a recent experiment I conducted, two advertisers’ opt-out mechanisms failed to take effect.) And while advertisers claim to allow the user to opt out of "interest-based ads," it's not clear that the opt-outs govern data collection itself, rather than just the use of the collected data for displaying ads. Moreover, opting out on their terms requires the use of third-party cookies, thereby enabling another mechanism that other advertisers can then exploit.

It's also not clear how they function over time: How frequently do I need to take these steps? Do they expire? How often should I check back to make sure I’m still opted out? I'd much prefer an approach requiring me to opt in to surveillance and targeting.

Fix the surveillance economy, not just Facebook

These are just a few of the mechanisms that enable online tracking. Facebook is just one culprit in this online "surveillance economy," albeit a massive one — the company owns Instagram, Atlas, WhatsApp, and dozens of other internet and technology companies and services. But it’s not the only player in this space. Google’s business model also relies on this kind of surveillance, and there are dozens of smaller players as well.

As we work to address the fallout from the current storm around Facebook and Cambridge Analytica, we can't afford to lose sight of these larger mechanisms at play. Cambridge Analytica's failures and mistakes are inherent to Facebook's business model. We need to seriously challenge the social structures that encourage people to opt in to this kind of surveillance. At the same time, we also need to protect those of us who manage to opt out.


Anonymous

Great article.

Nicolas S.

Mass surveillance is dangerous. I'm disappointed that few US articles make mention of the EU GDPR, the big European initiative to give citizens more control over their data.

Sadly, Facebook already said they won't apply this rule for all the users.

Nicolas S.

BTW, thank you much for this post. It's good to see people wonder about e-surveillance.

Anonymous

I own an app with 300k monthly users. I know what I am saying because I have worked with them. Facebook tracks everyone, not only inside of its properties (Facebook, WhatsApp, Messenger, Instagram, Pinterest and others), but also through all the apps (Android/iOS) and the websites that use their monetization platform. They have a thing called 'pixel' (search on YouTube) that follows you everywhere you go. Starting from this, they profile your psychology with a neural net and start to optimize the feed you see on Facebook/Instagram based on what they want. Until yesterday that was clicks on ads. Now they need time (or rather, data for the neural net to eat) to optimize for 'meaningful relationships'. Tomorrow it will be simply whatever they want. The god decides, the intelligent machine executes. The essential thing here is the data about you and your psychology, because you are the puppet to be moved by prioritizing the info that most probably will trigger a certain behaviour. Your psychology is worth 6 USD a year per user. Since they have 2 billion, that is why Facebook is worth several billions of dollars.

Anonymous

"But Facebook and other massive web companies represent a strong push toward unaccountable centralized social control, which I think makes our society more unequal and more unjust."
So does big government, which you support.

"The Cambridge Analytica scandal is one instance of this long-running problem with what I call the "surveillance economy." I don't want to submit to these power structures, and I don’t want my presence on such platforms to serve as bait that lures other people into the digital panopticon."
Don't remember you having a problem when Obama did the exact same thing.

AU

One big difference is that big government is not selling your personal data to the highest bidder. And Facebook would probably be glad to sell them whatever information they don't already have. You seem to be anti-government, but Facebook already posts where you've visited on your page unless you opt out, so why not track how fast you were driving and sell it to the government to save them planning and money for speed cams, for example?

If you have a problem with government and its surveillance, what do you think would happen if companies like these and their tactics go unchecked; these companies could become like another "big government" you refer to, but government will probably be the least of your problem if you're not involved in illicit activity. Something I think you might not have realized when you compared the two entities is that one is in place to serve the people and has to answer to them (it might not be perfect, but there are checks and balances in place), and the other is in place to serve themselves, make a profit, and answer to shareholders. Government upholds laws to keep people protected from unrightful discrimination, so you don't have to tell a company you're applying for a job at about a disability or other protected statuses, but that private company will gladly sell the company that information for the right price and claim not to know what the company needs it for (or won't ask) because they have no accountability to you or the public who doesn't hold shares in their company. Kids did something stupid but "forgivable" as a child or had problems adjusting in their youth; might keep them out of that college or high school because Facebook was able to track those visits to the child psychologist and share them without your or your child's consent. Did they experiment or even just hang out with other students in college but stayed out of trouble and did well; they probably still won't get that job or into that grad school because Facebook has a picture of them at that concert/party/venue/etc. where such and such happened that their friends posted, and Facebook has attached it to your child since they've unconsentingly been tracking his/her activities through their friends' pages. 
I used people's kids as examples to illustrate my point because it's usually a topic that hits close to home and most people have an instinct to protect their children, but it can be applied to yourself or anyone else.

Yes, there is surveillance but it is not absolute. Add unchecked surveillance for profit by private entities and kiss your privacy goodbye. You thought it was bad that smart TVs were recording people unknowingly? And I'm not an especially paranoid person or wrapped up in conspiracy theories, but I know enough, have seen enough, and have been around long enough to know there are things that need to be controlled and regulated before they have control over us much more than most, if not all, of us would like.

Anonymous

No law should be passed unless it can be enforced, we have too many unenforceable laws. It would be better to link to tools that can be used to limit the efficiency of surveillance. It's like preventing people from entering your house, it's better to buy a gun than to rely on police.

Also, why is it that Obama can brag about using Facebook to target supporters but it's a scandal when Trump does the same?

Worldie

Reading this from Edward Snowden's Tweet! What is the solution? Maybe it's ethics and competition!

So far, Worldie wants to join the social media industry! Also, as CEO, so far I wrote an easy-to-read 7 page Terms of Service! Worldie is Free Speech, All-In-One (will be), and I had to define "free speech" because people think it doesn't exist. Also, of course the debate today is free speech for WHO in the social media industry. There's reporting, which well, just like in offline reality, you can say what you wish, but it doesn't mean it won't be reported.

As for cookies, well, all sites use that, but without data selling, the individual small business (or even corporations) don't get the individual names of the users. It's a widespread, vague targeting. All they get are the aggregate counts of the results. This though, went far beyond that with Cambridge, Facebook... Also, LinkedIn sells your data to recruiters, and likely other social networks do, too. How is that fair that some get chosen for jobs from algorithms? If you surveyed small business owners, I can nearly 100% guarantee that they would NOT want all that data or information about people. Definitely, they don't need to know who you called 5 times yesterday (as FB has). All they want are conversions, and that basically always stays around 10% or less per ad/sponsorship. Basic demographics, geographics, etc, and then here we also have interests, "likes," as well.

There are other ways of making revenue than by selling user's data, though people deny it, and certainly have to me. You don't have to exploit.

But Cambridge Analytica also worked with government agencies, it sounded like, or its owners certainly did according to that whistleblower. PRISM affects nearly all large tech companies today, which feeds it to the government. NSLs don't need warrants.

Huge problems are political bias (long list there), censorship bias, spam algorithms, and this obvious manipulation. Anyways, I think there are solutions, but cookies will remain. The question is, is it a vague idea, or is it individualistic and manipulative like in this case? Is it sold, or not sold? Also, you did not mention geolocation. Nearby services. Of course, there can be opt outs.

However, we NEED FEEDBACK! We need entrepreneurial thinking. Day in and day out, I get no feedback at all, and I'm basically the only one designing, testing, planning, and strategizing. I get hardly any ideas (almost 0) from anyone and 99.9% of the time, it is just me asking if they think an idea is good or not. If I get feedback at all, it is regressive or trying to claim no revenue, or there's no free speech, or they don't want to actually take the effort to make an account on the Live Demo, or something like this. I even had the whole "what if there is a video of chopping off heads"? I answer we have reporting for criminal activity. They claim no one would invest, and that my idea is worthless, while their relative can work at Facebook. Anyways.

Look forward to new networks because likely I'm not the only one. Plus, if I've said so many controversial things myself, wouldn't I care about other people being limited? I'm not an elite like Zuckerberg.

Anonymous

I would STRONGLY SUGGEST that the author ask the ACLU for a translator of this article into Spanish, Portuguese, and Korean in the next days. As soon as possible.

This is a great thinkpiece, and the world deserves to know the full scope of it. Though psychological repercussions'll be dire, the time is ripe to rip that band-aid.

Anonymous

While I use FB and Twitter, I try to be a bit circumspect about what I post and what I consent to. I don't give up my contacts or my friend lists or allow any page to post for me, either. But this is getting entirely out of hand. While I have a lot of long distance friends I keep in touch with using FB, the negatives are starting to outweigh the positives. The CLOUD act, which you didn't mention, is outrageous - and FB and Google, among others, lobbied for it! Why do we put up with this?
