So Mozilla, which is one of the companies behind the effort to understand the Meta Pixel, is also sending data to Facebook? I was not a member of the Rally study.
What the f** is going on? Is Firefox itself tracking me too? Or maybe some extension? Which extension? How am I supposed to tell without hoping that the right person magically sees this comment or going 100% technical and running packet captures and Wireshark?
Why can't we just get access to the _RAW_ data being sent or stored about us?
As of now, VS Code will send encrypted data to Microsoft when you use it. So my machine, OS, applications all send data about me to companies, and I'm not even allowed to know what it is (not to single them out, VS Code is just one example I have inspected myself). I don't claim to understand SSL all that well, but I think they used certificate pinning and pre-master secrets that make it impossible or very difficult for anyone outside MS to decrypt the data in any way...
This is all completely normal now. On mobile devices it's even worse. It's not even possible to completely inspect the data a phone/tablet sends without rooting it, and many are already impossible to bootloader unlock or root/jailbreak.
With certificate pinning, on an encrypted smartphone volume with a hardware key, that is only unlocked just in time by the OS (the way Android works now), it is LITERALLY impossible to know what data is being transmitted or received over SSL on your own device. You are not allowed to know.
>Why can't we just get access to the _RAW_ data being sent or stored about us?
Because most of it isn't interesting or relevant to you. Most data being sent isn't actually data about you, but data about the product.
>On mobile devices it's even worse
This is because mobile devices are more secure and privacy preserving than the desktop platform. What you think is locking you out is actually just the platform locking everyone out so that they cripple the capabilities of malicious apps. Also keep in mind that device users and app developers are both stakeholders. App developers want to keep their platforms secure which can conflict with the interests of the device users. The platform tries to balance the needs of everybody to try and make the best platform possible for all parties.
> Because most of it isn't interesting or relevant to you. Most data being sent isn't actually data about you, but data about the product.
Thanks but that's for me to decide. And all of the privacy abuses in clear view by Meta and others over the past few years make that assertion sound ridiculous. In my view the owner of a device has a right to have complete visibility into said device's communications.
Personally I agree that this endless back-door privacy leakage is unwelcome.
That said, the idea that we have self-described "rights" waters down the concept of actual "rights".
Things like Miranda rights, 2nd Amendment rights and so on are codified trade-offs between public good and personal good. Often these rights are local, and differ from country to country. Some travel, some don't. Most people in the UK presume they have free-speech rights (they don't) but pretty-much no-one in the UK believes they "have the right to bear arms."
I don't negate your point. I too have a desire not to leak data to corporations from my devices. Equally I choose which browser I use, which sites I visit, which OS I run, and so on.
I guess I'm saying that I understand that companies don't exist for my benefit, but for theirs, and I balance their desires with my desires when making my choices.
Perhaps more generously, to Firefox, they’re interpreting Firefox user strings as an app sending data to them. For curiosity, where did you pull that data from?
I can see it as well.
I don't understand it either.
I use Facebook Container on the desktop.
Perhaps it is on Android or iPhone?
I would also like to know what data Firefox shared with Facebook about me.
If you follow the trail of links (or directly go to https://www.facebook.com/dyi), you can request a detailed report. I have my doubts about how complete this is, but in my case, the only thing I saw from Firefox were ACTIVATE_APP events; based on the timestamps almost definitely all from my phone.
Maybe it detects you using Facebook Container and infers you use Firefox from that? Mine doesn't show anything Firefox related, using uBlock Origin everywhere.
Also note that they allow for server side data as well so companies can send via backends and circumvent any ad blockers. Good companies do respect a user's preferences but not all do.
Fingerprinting and tracking links are common for unidentified users. Cross domain cookies are harder to do outside of Chrome. For known users, you can sync data to Facebook with email addresses, names, phone numbers etc. This is likely why you see most websites these days trying to collect that info from you as early as possible.
You click on a tracking link, Server 1 now has a unique ID associated with that click. S1 forwards you to S2 with a unique identifier. S2 now has that unique ID associated with you. You buy something on S2. S2 sends a request to S1 saying "unique ID #123 bought something for $40".
Additionally, data brokers and data clean rooms now allow you to share data making it easier as well. Snowflake, LiveRamp, etc all offer super easy (and privacy compliant according to them) ways of implementing this.
I tried to request my data from a couple of media companies (Criteo, Apogee). Criteo required an image of my driver's license, and Apogee just ignored it.
I am not 100% sure but I believe in the US, only California has an official data compliance law (CCPA). GDPR applies to some degree as well but I suspect that many businesses will only make a best effort until decent fines are handed out.
Facebook could probably just ask to send whatever you got about the user and they'll deal with the identification. User agent + IP is probably more than enough. Worst case they just build a JS that can be included and give the full fingerprint.
Correct me if I'm wrong, but the tool in the OP sounds like a crowdsourcing effort to collect the data the Facebook tool can tell you across multiple users and multiple sites.
That's not really the same thing as a tool that tells a single person that the site they're on uses meta pixel as it happens.
Correct. The Facebook Pixel Helper is used to test that the pixel has been installed correctly and events, both standard and custom, are firing correctly.
I actually work in an industry that utilizes these a lot. Google, TikTok, Meta etc. I implement the code on our customers' sites. It's crazy how much data these scripts collect.
Businesses choose to send this data to the ad platforms for their own benefits - better targeting, measurement, and ML optimization of their ad campaigns.
The businesses are legally accountable for the data they're sending and complying with privacy laws, but to most platforms it's a dumb pipe for whatever data the business chooses to send.
> Businesses choose to send this data to the ad platforms for their own benefits - better targeting, measurement, and ML optimization of their ad campaigns.
I think the post you're replying to is concerned about the moral rights of the people whose data is sent, not whether sending the data is beneficial or harmful to the business that sends it.
From experience, most folks who implement these tags don’t understand the scope of what they’re actually doing, and most are likely doing so without consulting a legal team or understanding the legal implications of the tracking they’re deploying.
Probably more OK than they are with making their life uncomfortable to look for another job with similar benefits. It's not just a moral decision in a void.
Regardless of what you say, it’s actions that matter. You can tell me you’re against something all you want — but if your actions tell me you aren’t, guess which I care about?
It’s easy to talk ourselves into doing something “under protest” that we’re “against” for a big paycheck. But you know what, at some point, we’re not really “against” it after all.
Developers doing something "under protest"? Why would they? Nobody is going hungry if they don't work at $corp any more and work for $otherCorp instead.
That'll be something for when the market has fundamentally changed and you'll make your nation's average for your education level. But until then essentially nobody has to work anywhere "under protest", there are so many other opportunities.
So says you in a market where bigTech is laying people off, where people have spouse/kids/house payment/car payment/holiday pressures/adult responsibilities.
Choice A) stand on principle and ruffle feathers and risk becoming unemployed
Choice B) just do what tasks you've been assigned, collect paycheck, hold your nose until better options are available.
It is totally understandable why people can find themselves in these situations. It is totally different than the team member that thinks up this stuff and actively promotes this within the org. Those are the asshats
Other options have been available since forever and still are unless you're in a super niche field, and everything that touches ads and tracking / analytics isn't niche.
There's more than enough work out there, but those other jobs might not net an individual 10x the average household income. Can one survive on 5x or even 3x? Then there are more than enough alternatives.
If the employer has kidnapped your daughter and threatens to kill her if you don't build this tracking solution, then I can totally see how you'd do things you find reprehensible "under protest". But I doubt that's a common scenario, and generally people just don't care or they rationalize it ("I'm working on ads so the internet will not be paywalled").
You're preaching to the choir a bit, but I'm just showing some empathy. I've been in places that started to move into directions that I didn't agree with, and caused me to start the process of moving. It takes time, and while you're lining things up, you have to do work to get paid.
You can judge someone that accepted a job at bigAdTech, but there are other jobs that start out as an acceptable place but as things continue on with potentially new leadership or some other change causes things to become untenable. Not everything is simple, but you can armchair quarterback and make judgement on the limited information you have.
My privacy stance has evolved to just assume everything I do online is public.
Even if we fight and succeed in stopping a tracking mechanism (third-party cookies) we discover that another one is developed (fingerprinting). It's times when you think you have privacy/no one is watching that you're most susceptible to doing something you might regret.
If you consciously acknowledge that your digital life is public, you can consider performing activities using other mediums. Calling instead of messaging. Shopping at stores with cash. Journaling in a paper notebook.
The thing that really got me, personally, was searching psychologytoday.com for a mental health professional and seeing that Facebook had a copy of everything I'd searched for, without me ever agreeing to any kind of data sharing.
[disclaimer: I worked at Facebook at the time. I was still appalled.]
This is great and important work. I think it would be substantially more approachable if it began with an "Abstract" or "Summary" section. Like it or not, most folks just want the headlines; the presentation of the details is only important if people understand and care about the core ideas.
tl;dr for the website: meta pixels are everywhere on the web and gathering your interactions and inputs on all kinds of sites--including ones related to your guilty pleasures, your taxes, your health, school, etc.
I think these folks fail to connect the pixel with its purpose. The sites and apps who advertise want to understand who is converting, they provide this information to the advertiser so they can correlate the users who saw an ad to a purchase.
By keeping the purpose vague, it makes it seem nefarious.
I'll give you $5 if you give me access to your email account in full and let me see what you buy, what newsletters you sign up for, etc. I won't even steal any of your data or anything nefarious outside of collect some stats for my own uses.
If you let Facebook do this for free, you should at least take the $5 from me.
The article claims that the meta pixel can load JavaScript. Does anyone know if/how that's possible? I can't think of a way using an image alone would trigger downloading JS
It’s not a literal pixel and hasn’t been for years – it’s a js file included from a Meta site. They still call it the pixel for some reason, maybe to make it seem less potent.
> The Meta Pixel gets its name from trackers that traditionally took the form of small, one-pixel-by-one-pixel images. These tiny graphics are embedded on websites and emails and typically collect info on who views the content. Since the Meta Pixel’s first iteration over a decade ago, when it was called the Facebook Conversion Pixel, the pixel’s functionality and tracking have grown quite expansive. Now the Meta Pixel is a mechanism that loads JavaScript code capable of collecting detailed and granular data for every interaction on a page. With all of this complexity, referring to it as only a “pixel” can be misleading.
For those who are unaware how this all fits together, the literal pixel's purpose is to ensure that even if Javascript is entirely disabled on the client (end-user) system, there is still a log entry at the tracker's end of things noting a time/date and IP address of document access. This is then fairly easily correlated with other logged data to further flesh out the profile of the user that data leads back to. This even works across domains, without actually visiting Facebook or Google, allowing them to still track that you've visited a site where their pixel is used, and the time/date/IP of that access. It's just one small part of their whole tracking toolbox, and the pixel itself is merely an image file, and unable to in and of itself load any Javascript. Still doesn't stop 'em from using it to track you… Only way to do that is to block Javascript and never access the pixel image itself as well. Of course, then they track you through other means…
> For those who are unaware how this all fits together, the literal pixel's purpose is to ensure that even if Javascript is entirely disabled on the client (end-user) system, there is still a log entry at the tracker's end of things noting a time/date and IP address of document access.
Or to put it another way, even if you send the signal that you don’t want to be tracked, they will ignore it and track you anyway. They are intentionally doing something unethical and are aware they are doing it.
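An added example, not part of the thread: a small page audit that flags both mechanisms discussed above, the third-party script include and the 1x1 image fallback that still produces a log entry with JavaScript disabled. The hosts, paths and query values in the sample page are constructed, and the first-party check is a simple suffix match rather than a public-suffix-list lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample page: a first-party script and image, plus a third-party
# script and a 1x1 <noscript> image fallback (all hosts are hypothetical).
SAMPLE = """
<html><head>
<script src="/static/app.js"></script>
<script async src="https://cdn.tracker.example/events.js"></script>
<noscript><img height="1" width="1" style="display:none"
  src="https://tracker.example/tr?id=CONSTRUCTED-ID&amp;ev=PageView&amp;noscript=1"/></noscript>
</head><body><img src="https://shop.example/logo.png" width="200" height="80"></body></html>
"""

class TrackerAudit(HTMLParser):
    """Collect third-party scripts and tiny third-party images in a page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def _third_party_host(self, url):
        host = urlsplit(url or "").hostname
        if not host:
            return None  # relative URL: served by the page's own origin
        # Assumption: suffix match stands in for a public-suffix-list lookup.
        first_party = host == self.page_host or host.endswith("." + self.page_host)
        return None if first_party else host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        host = self._third_party_host(a.get("src"))
        if host is None:
            return
        if tag == "script":
            self.findings.append(("script", host, urlsplit(a["src"]).path))
        elif tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            # These query parameter names reach the third party on every view,
            # alongside the time and client IP its server logs for the request.
            params = sorted(parse_qs(urlsplit(a["src"]).query))
            self.findings.append(("pixel", host, params))

def audit(html, page_host):
    """Return (kind, third_party_host, detail) tuples in document order."""
    parser = TrackerAudit(page_host)
    parser.feed(html)
    return parser.findings
```

Images inside `<noscript>` are reported as well, because `html.parser` does not execute or skip that element the way a script-enabled browser does.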
https://imgur.com/a/A8JVQOR