Each Facebook User is Monitored by Thousands of Companies

A new study looks at who is sending information about your online activity to Facebook

This article was copublished with Consumer Reports, an independent, nonprofit organization that works side by side with consumers for truth, transparency and fairness in the marketplace. Learn more here.

By now most internet users know their online activity is constantly tracked. No one should be shocked to see ads for items they previously searched for, or to be asked if their data can be shared with an unknown number of “partners.”

But what is the scale of this surveillance? Judging from data collected by Facebook and newly described in a unique study by non-profit consumer watchdog Consumer Reports, it’s massive, and examining the data may leave you with more questions than answers.

Using a panel of 709 volunteers who shared archives of their Facebook data, Consumer Reports found that a total of 186,892 companies sent data about them to the social network. On average, each participant in the study had their data sent to Facebook by 2,230 companies. That number varied significantly, with some panelists’ data listing over 7,000 companies providing their data.

The Markup helped Consumer Reports recruit participants for the study. Participants downloaded an archive of the last three years of their data from their Facebook settings, then provided it to Consumer Reports.

By collecting data this way, the study was able to examine a form of tracking that is normally hidden: so-called “server-to-server” tracking, in which personal data goes from a company’s servers to Meta’s servers. Another form of tracking, in which Meta tracking pixels are placed on company websites, is visible to users’ browsers.

Because the data came from a self-selected group of users, and because the results were not demographically adjusted, the study does not “make any claims about how representative this sample is of the U.S. population as a whole,” Consumer Reports noted. Participants were also likely more privacy conscious and technically inclined than typical users and more likely to be members of Consumers Reports.

Despite its limitations, the study offers a rare look, using data directly from Meta, on how personal information is collected and aggregated online.

Meta spokesperson Emil Vazquez defended the company’s practices. “We offer a number of transparency tools to help people understand the information that businesses choose to share with us, and manage how it’s used,” wrote Vazquez in an emailed statement to The Markup.

While Meta does provide transparency tools like the one that enabled the study, Consumer Reports identified problems with them, including that the identity of many data providers is unclear from the names disclosed to users and that companies that provide services to advertisers are often allowed to ignore opt-out requests.

One company appeared in 96% of participants’ data: the San Francisco-based data broker LiveRamp. But the companies sharing your online activity to Facebook aren’t just little-known data brokers. Retailers like Home Depot, Walmart and Macy’s all were in the top 100 most frequently-seen companies in the study. Credit reporting and consumer data companies such as Experian and TransUnion’s Neustar also made the list, as did Amazon, Etsy and PayPal.

LiveRamp did not respond to a request for comment.

What Exactly Does This Data Contain?

The data examined by Consumer Reports in this study comes from two types of collection: events and custom audiences. Both categories include information about what people do outside of Meta’s platforms.

Custom audiences allow advertisers to upload customer lists to Meta, often including identifiers like email addresses and mobile advertising IDs. These customers, and so-called “lookalike audiences” made up of similar people, can then be targeted with ads on Meta’s platforms.

The other category of data collection, “events,” describes interactions that the user had with a brand, which can occur outside of Meta’s apps and in the real world. Events can include visiting a page on a company’s website, leveling up in a game, visiting a physical store, or purchasing a product. These signals originate from Meta software code included in many mobile apps, their tracking pixel, which is included on many websites, and from server-to-server tracking, where a company’s server passes data to a Meta server.

The Markup has written extensively about the Meta Pixel and how it has been used to surveil people as they dial suicide hotlines, buy their groceries, take the SATs, file their taxes, and book appointments with their doctors. Website owners can configure the pixel to track user website interactions such as searches or filling out a form, sending each action to Meta, even if the user doesn’t have an account on Facebook. Although research tools like The Markup’s “Pixel Hunt” can detect the Meta pixel or SDK tracking, there is no way for a consumer to monitor the traffic between a company’s server and Meta’s. This Consumer Reports study looks at server-to-server data along with the rest.

How Can I See My Data?

Facebook users can browse through the list of companies that have sent their data to Facebook by going to: https://accountscenter.facebook.com/info_and_permissions

From this menu, users can either download or access their information. To see the companies outside of Meta that have been sharing your information, select “Your activity off Meta technologies,” then “Recent activity.” You might be prompted to re-enter your password at this point. This view will show you the number of recent connections between various third-party businesses you visited and Meta, and examples of the activity that was shared. You can choose to prevent future sharing by the company by selecting “Disconnect.” To see detailed information about these interactions, request a copy of your data.

But after jumping through the many hoops required to actually get your hands on this data, you may still be left with lingering questions. For example, in addition to easily recognizable company names, more than 7,000 companies in Consumer Reports’ study were named using unreadable gibberish, or just numbers that don’t mean anything to most users. Even those companies with readable names often did not include links to the company website. Some company names were ambiguous, such as “Viking,” which could be a number of different businesses.

“This type of tracking which occurs entirely outside of the user’s view is just so far outside of what people expect when they use the internet,” Caitriona Fitzgerald, Deputy Director of the Electronic Privacy Information Center, told The Markup in an interview. Fitzgerald said that while users are likely aware that Meta knows what they are doing while they are on Facebook and Instagram, “they don’t expect Meta to know what stores they walk into or what news articles they’re reading or every site they visit online.”

In the report, Consumer Reports calls for a number of policy proposals covering data collection practices, some of which could be part of a national digital privacy law, something that the organization has long advocated for. Among the recommendations specifically aimed at Meta’s technology and the advertisers who use it:

Fitzgerald echoed these recommendations, saying the problem lies with the fact that the burden is on the consumer to take action to prevent this data collection. Even a “global opt-out” mechanism allowing users to avoid having their data shared is not enough because “that still requires the user to take an action to protect their privacy. A lot of people are not going to have the time or knowledge to do that,” said Fitzgerald.

Vazquez, Meta’s spokesperson, said the company would “continue to invest in data minimization technologies to keep up with evolving expectations. As we cover in our terms, businesses are responsible for getting permission to share people’s information with companies like ours.”

For now, the lack of a federal privacy law leaves consumers in most states with few options. “I think people should be encouraging their elected officials to pass privacy laws that require businesses to change some of these business practices to stop this ubiquitous tracking of our every click and every movement,” said Fitzgerald.

This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.

Posted in: Big Data, Cybercrime, Cybersecurity, E-Commerce, Privacy, Social Media, Spyware