Off-Facebook Activity

Facebook has finally implemented a tool that I have tried very hard for them to implement. This is a transparency tool on the tracking they do through Pixel (on website) and SDK.

It is mandatory for them to tell such information if asked, under European law. When I asked in Jan 2016 (through the little-used Safe Harbor) they told me it was essentially too difficult to implement.

Four years later it is there, but it took a lot more efforts. Among other steps it required a Senator asking in follow up questions to Zuckerberg to resolve discrepancies between his testimony and my own at the UK Parliament! In fact it was so hard that there is even a wiki entry to describe the timeline of events surrounding that tool.

In any case, the link https://www.facebook.com/off_facebook_activity/ then click on the icons should directly get you to a list of all the different third parties Facebook has communicated information to.

Now the challenge is to make this list useful for advocacy. This can be done!!! I have a ton of ideas, really, starting with pairwise comparison between users. First step: build a very basic scraper to pull this list from the site.

If you can help, sign up to the forum and introduce yourself below!

I personally have 591 sites listed, some including clearly sensitive personal information.

This is a real eye opener. Wow. Thanks for applying pressure and thanks for sharing. I’m definitely going to run through this with some of my experiment participants too.

You don’t need to - they have now added this file as available via the download your data dashboard. It generates a new file under “Ads and Businesses” called your_off-facebook_activity.json.

Here is a sample:

{
  "off_facebook_activity": [
    {
      "name": "Timehop",
      "events": [
        {
          "id": <ANONYMIZED_NUMBER>,
          "type": "ACTIVATE_APP",
          "timestamp": 1580197915
        },
        {
          "id": <ANONYMIZED_NUMBER>,
          "type": "ACTIVATE_APP",
          "timestamp": 1580109965
        },
        {
          "id": <ANONYMIZED_NUMBER>,
          "type": "AD_IMPRESSION",
          "timestamp": 1578986203
        },
        {
          "id": <ANONYMIZED_NUMBER>,
          "type": "AD_IMPRESSION",
          "timestamp": 1578985696
        },

One of the first things I think it would be interesting to build is a viewer that lets you view this file as a timeline and also to sort it by descending number of interactions recorded. I’m interested in getting involved in coding this, i may also be able to use it in my research.

I noticed my data only goes back to 26 July 2019. Same for others?

Three that surprised me:
TikTok - don’t use it
Transferwise - financial services provider
Kela - Finnish Social Security Government Department

Just did some simple analysis by converting the JSON file to CSV at https://www.csvjson.com/json2csv then loaded it into Excel. I have been tracked an alarming 5,739 times from 669 apps and websites since July 2019.

The ACTIVATE_APP event is particularly revealing. From this data for example I can see every time I have listened to LBC Radio or Audible.

I just got an interview with Swiss newspaper on UBS app letting Facebook track users.

I took the liberty of editing what you posted, @alexbfree. We don’t know how widely the identifiers are used. I would not share them publicly.

Right. Second step then, little python script to fire off Access Requests to everyone in this list, but challenging specifically the link with Facebook and the loss of control associated. Cf. GDPR Art 26.

HUGE GOTCHA. I just tried to disable Future Offsite Activity tracking via this new interface. It does more than you think - it seems to have wiped the entire offsite tracking history and also deletes all identities used for external login. Currently I am UNABLE to log into Spotify at all. Currently talking to Spotify support trying to regain access to my account
UGH.

Managed to regain account access. But that was not easy or pleasant. Better check my other log-in-via-Facebook apps!

A bit more on that gotcha. This is for Spotify. May be the same for other apps. Extract from the chat I had with a Spotify Support Agent just now:

Spotify Support Agent: In order for me to locate the Facebook-created account, may I ask for your Facebook ID, please? To find this, on desktop, log in to your Facebook account. Go to Settings, click ‘Apps and Websites’ in the menu on the left. Search for Spotify (if you can’t see it in the list of apps) and select it. Scroll down to ‘Get Help using Spotify’. Copy the Spotify User ID and send it over.

Me: The list of Apps and Websites has been wiped when i turned off off facebook activity.

Spotify Support Agent: Yes, that’s right. Once it’s disconnected, it can never be switched back.

Me: You said once Facebook offsite activity is disconnected it can never be reconnected? Did I understand that correctly? So it is now impossible to ever link my Spotify with facebook?

Spotify Support Agent: If the account was originally created via Facebook, once it get disconnected, it can never be switched back. But, for your case, since the account was created using the email address (not via Facebook), you can reconnect/disconnect Facebook anytime you want.

Me: let me just check I understood that correctly. For someone who had created their spotify account via facebook… if they turned off facebook offsite activity they would permanently and irretrievably lose access to their spotify account?

Spotify Support Agent: Yes, that’s right.

Me: wow that’s terrible

Spotify Support Agent: Remember, there are two ways to sign up for an account with us, one is using Facebook Profile and one is using your email address only.

Me: and what would happen to playlists etc? would they still exist but it’s just impossible to log in? or would all spotify account data get deleted the moment facebook offsite activity gets turned off?

Spotify Support Agent: They would still be there. The account will just be disconnected from Facebook and not the songs nor playlists that are connected to it.

Me: ok so maybe there would be some way to save the playlists and move them to a new account?

Spotify Support Agent: Yes.

Me: good to know. Thanks for explaining! What a nasty Gotcha this whole thing was.

Spotify Support Agent: No worries! We got your back on this one. Just in case you want to do the transfer, you can ask us again through chat so we can help.

I’m not sure I understand what you mean. Followed the link, article 26 seems to be about joint controllers but I am not sure I understand what should be challenged? Who are the joint controllers in this context? Facebook and the third party website? Doesn’t the fact we can now access this data satisfy our GDPR rights w.r.t. offsite tracking data?

Interesting consequence as well from an antitrust perspective. You are now more directly linked to Spotify, which gives Spotify more business agency, with antitrust consequences. cc @Isabel

It doesn’t satisfy everything, in that it doesn’t show all, like what a CUSTOM event is.

The joint controllers are the third party and Facebook. The interesting question is also who has to disclose what, as it shows who controls what over what information.

Posted about this on Facebook and got some surprising responses from a couple of friends:

If it makes my Facebook experience better, and I actually get relevant ads that I might be interested in, I’m all for it!

I read through the entire available list. Literally nothing shocking whatsoever. But even if they did track what I see on porn sites or whatever, it honestly doesn’t bother me one bit.

I still don’t understand what about it supposed to bother me. I literally do not care whatsoever. The more companies know about me, the better they can tailor their ads and services for me (for their own profit, yes, of course I’m aware). I don’t hold any information private. I’m an open book. I have no concern about how it will be used against me. If I could attach a camera to my forehead and have it sent directly to advertisers to better target me ads, go ahead!

And another friend, when I made the point that there is a difference between a site or app tracking its own users, versus a single company gathering tracking data from multiple sites and apps, said:

What’s different about it? It’s all just recording data about the way that people move from one place to another, same as any tracking cookie does. And pretty much all of that is done to make a profit. That’s what businesses do. Profit is the ultimate purpose of improving their service, whether it’s for their website users or for advertisers and third party clients, or both. Which is exactly the same as what Facebook do. So again, what’s the difference? They’re not selling your personal data to third parties, despite what the conspiracy theorists will tell you. And none of it is without consent, it’s in the terms and conditions.

Thought others might be interested to read the views of some folks who are not worried about this at all, unlike probably most of us in this forum!

Thanks.

Good reality check on how transparency is perceived differently by different people.

FWIW I didn’t ask random contacts what they thought of this, but did post about the tool on my Facebook feed. A bunch of people were genuinely surprised at the result they themselves got, and commented back either thanking me or getting into this proto-investigative mode where you start comparing with friends. But then again there are several layers of bias here (those who bothered to comment, to check what the tool meant for them, and those who actually still receive my messages commenting negatively about Facebook years after doing so consistently).

The interesting bit here is “what do you respond to the person who uses it but is nonplussed by the result? how do you explain - if possible or even true - that the tool is useful?”

At the moment I would respond with “You are both technically literate and resigned to current business models around personal data. I believe it is possible to build a world where people are more technically literate and where business models have evolved beyond the crudest of monetizations of personal data. I do know that this tool is useful in making people more technically literate and raising their expectations from businesses.”

The fact that Kela (Finnish social security department) shared data with Facebook has hit the news https://yle.fi/uutiset/osasto/news/paper_kela_website_user_data_ended_up_with_google_facebook/11187895