Facebook: Yeah, We Track Your Every Move, But So Does Everyone Else

Yesterday, for no reason in particular, why do you ask, Facebook’s Hard Questions blog tackled the question of “What Data Does Facebook Collect When I’m Not Using Facebook, and Why?” It is a very thorough and dryly written account of how tracking technology works online … and doesn’t really answer any of the questions people have about the practice.

Facebook offers a number of tools that developers can “embed” on their web pages by adding lines of code to their sites. If you’ve ever cut and pasted HTML-embed code for a YouTube video, you’re familiar with the concept. That code tells your browsers to fetch parts of a website from many different sources: images and text from the host, embedded videos from YouTube, and most relevant to this issue, the Facebook Like button.

It is through these embedded tracking methods that Facebook is able to follow you around the web — because almost every modern website has some sort of Facebook tool included in it. It might not even be something you can see; it might be a tiny 1x1 pixel embedded on a page for the purpose of reporting your visit back to Facebook.

If you’ve logged in to Facebook in your browser while surfing the web, your browser remembers that you’ve logged in by using a “cookie.” Facebook then puts two and two together: Person X is logged in, and we need to create an embedded tool for Person X to show on Website Y. Therefore, Person X has visited Website Y. Even if you’re not logged in to Facebook, the site can still use cookies to create a log of your browsing history.

Why does Facebook do this? Because if it has more info on your web activity, it can more precisely target ads. This sort of tracking is not exclusive to Facebook. Hundreds of ad companies — and large tech companies like Amazon and Google — use tracking code in this way. These methods are able to collect basic info like your IP address, as well as your operating system and browser type.

So far, so good. What Facebook has described so far are standard web practices. Invasive, sure, but not out of the norm. What Facebook’s explainer blog post declines to offer up is for how long that data is retained (likely indefinitely) and how Facebook uses that data to draw conclusions about you. It simply gathers the data and uses it to “provide services.”

Facebook knows that the practice is creepy, and refuses to be up front about it. Appearing before Congress, Zuckerberg pretended to be unfamiliar with the term “shadow profiles” — profiles and logs created on people that are not Facebook users — despite that fact that the unsettling Facebook practice has been reported for years. When Senator Cory Gardner asked about Facebook tracking users outside of Facebook’s website, Zuckerberg talked his way around the issue.

In addition to providing services, Facebook also claims that it needs this data for security purposes. “For example, receiving data about the sites a particular browser has visited can help us identify bad actors,” Facebook’s David Baser writes. “If someone tries to log into your account using an IP address from a different country, we might ask some questions to verify it’s you. Or if a browser has visited hundreds of sites in the last five minutes, that’s a sign the device might be a bot.”

That last line about bots is particularly telling. Facebook can tell if a single user has visited hundreds of different sites, and logs what those sites are. In this case, it’s used to identify a bot, but let’s approach it from a different angle: If I visit dozens of sites about weight loss in a single day, Facebook can probably determine that I’d be receptive to ads for diet pills. By and large, Facebook’s tracking is used to bolster its ad system’s effectiveness, not to track bot activity. That Facebook declined to provide an example of how its tracking tech is used to help target ads tells you everything you need to know about Facebook’s commitment to transparency.

Facebook: We Track Your Every Move But So Does Everyone Else