Skip to content
Wow, sad, angry
Naked Security Naked Security

Facebook now tracking and showing ads to people who don’t use Facebook

Ever since it launched the Like button in early 2009 Facebook has been tracking the sites its users visit.

Accusations that Facebook tracks non-users as they browse around the web have dogged it for years.

Well, now we can stop calling them accusations thanks to an announcement on 26 May 2016 from the Social Network itself:

Today, we’re expanding Audience Network so publishers and developers can show better ads to everyone – including those who don’t use or aren’t connected to Facebook.

Audience Network is Facebook’s ad network for mobile apps. It uses the same data and targeting that powers ads inside Facebook to deliver ads “beyond Facebook and into mobile apps.”

When it was launched two years ago Audience Network would only show ads to people who had a Facebook account. Despite that it has grown to be the second biggest mobile ad network after Google’s.

That limitation has now been lifted and all of us, including people like me who’ve never had a Facebook account, will be fair game for ads that use Facebook’s targeted advertising algorithms.

It’s pretty obvious that users within the walled garden of Facebook’s, er, news-wall-stream-thing (or whatever it’s called now) have their every move hoovered up and analysed but how, you might ask, will it know what to show to un-hoovered non-users?

Ever since it launched the Like button in early 2009 Facebook has been tracking the sites its users visit.

Every time you see a Like button on a website your browser is talking to Facebook; telling it what page you’re looking at and what kind of browser you’re using and, thanks to the magic of cookies, extending an invisible thread that links this page to the other pages with embedded Like buttons you’ve seen.

And that all happens even if you don’t click on it.

To put things in perspective, all of us share all of the same information with all the web pages we visit, and all of the third party sharing or analytics widgets that are embedded in that page.

That we send all of this information to Facebook is a quirk of the way the web works and that Facebook records it for users of its services is neither in dispute nor unusual (Twitter does it too for example.)

What has been matter of dispute and innuendo until now is whether or not Facebook records and acts upon the information it receives from non-users.

Last year it denied claims made in a report commissioned by the Belgian Privacy Commission that it was tracking non-users, claiming that the report was “based on assumptions.”

Following that report a Belgian court gave Facebook 48 hours to stop tracking non-users and as a consequence Belgians without a Facebook account are now unable to view any Belgian Facebook pages, even public profiles.

In February the French data protection agency CNIL gave Facebook three months to stop tracking non-users in France.

But even those actions didn’t clear things up entirely because, to my reading at least, both the accusations and the response from Facebook seem to deal with nothing more than we already knew; that Facebook sets cookies.

Doubters will say there’s nothing new in this announcement, that Facebook has been tracking all of us all along. Perhaps they’re right – perhaps this announcement is simply a big organisation that’s already tracking us all just bringing itself into line with EU regulations.

If they are right though they’ve never managed to prove it.

Now, at last, everything is out in the open.

In tracking non-users like this Facebook isn’t doing anything unusual, there are other ad networks that work in the same way and there are social media companies that use their third party widgets for similar purposes (and worse.) If you’re open to web and mobile advertising this might even be good news for you because you should see better ads.

What makes this announcement significant for the rest of us is Facebook’s size and reputation. Facebook isn’t just another ad network in exactly the same way that Microsoft isn’t just another software company.

Facebook is in our lives and (literally) in our faces. If you’ve decided not to be a Facebook or Instagram user you already have to contend with the fact that your friends and family are likely throwing mentions, photographs and tags of you into the great data hoover.

If you want to keep your browsing habits out of it too and you’re in North America or Europe you could follow Facebook’s vague advice and opt out via the marketing industry’s most relevant self-regulatory body:

Signing up should stop all of the participating networks from tracking you, not just Facebook, but you do have to trust the fox to guard the hen house.

If you want to put yourself in the driving seat then start using your browser in private browsing or incognito mode, uninstall Flash, use add-ons that help you control which cookies you accept or scripts you run, and install an ad-blocker.

At Naked Security we’re not generally in the habit of endorsing third party software but we hear a lot of good things about NoScript, Privacy Badger and the Tor Browser.

Feel free to use the comments to share your own preferences.

Image by rvlsoft /


I wish there was an easy way that I could feed my devices (and/or possibly my router) with blacklisted and whitelisted domains to prevent domains that I have not entered in my location bar from either butting in or listening. Facebook would be no 1 on the blacklist; so the image would not download and nothing could be sent back to – or any of its co-conspirator domains.

I guess Noscript does this for scripts but I want something with a wider scope.


look at pfsense…


How do I install pfsense on my mobile android device?


You don’t. It’s FreeBSD software you install on a spare computer that works alongside (or instead of) your router.

If you’ve got a spare computer (e.g. a retired laptop), you might also want to take a look the Sophos XG Firewall, which is 100% free for home use, including all commerical features – mail scanning, web filtering, malware protection, network intrusion prevention, a VPN, and much more:

For Android, you might want to take a look at our free Sophos Anti-Virus and Security for Android:


I recommend you edit your computer’s “hosts” file. This sounds like exactly what you’re trying to achieve.

Here you can assign an unroutable IP address to whatever domains you like, so when the browser tries to open such a domain, the connection fails. This is a great way to block ads at the whole-computer level without relying on browser plugs-ins.

You can download a well-maintained list of spammy domains to block here, which also includes instructions how to install it (varies for Windows, Mac, Linux etc)

[url removed]


It is funny sophos page should have the Facebook plug in. Being the largest networking website, I suppose it is ideal to share this and related articles :-)


You have to be a logged-in Facebook user for the widgets to function.


And we thank you for not using the Facebook plugin Paul.


Indeed, I think I understated my case in the previous reply…not only do you have to be logged in for a Like to be a Like, we aren’t using Facebook’s widget, as you say. IIRC we are just retrieving the Like count using Facebook’s API (which doesn’t relate to being logged in or not), and providing a Like button for people who are Facebook users, are logged in, and like to Like us.


From the Digital Advertising Alliance website:
“The opt out functionality of this page requires that your browser allow third party cookies. Please adjust your browser’s cookie settings and click “Try Again” to continue using this page.

If you continue with 3rd party cookies blocked, you will experience problems with the status and opt out functionality of this Page.”

Yeah, no.


Firefox with “ublock origin ” adblocker , then “Self Destructing Cookies” and “Https Everywhere” are my main defenses. But this set up is especially relevant to Android. With all tools, you need to understand how they work to make any adjustments to various sites you visit. Or, like I do, just use another browser in a pinch. I actually use several for different purposes.

The newest adblocking browser in playstore is “Brave” by Brendan Eich, Co-founder of Firefox. There are versions for all other platforms too. His approach might just be revolutionary if he can get people to understand his business model. More importantly, it blocks trackers and ads by default with plenty of settings to personalize. Adblock Plus, Ghostery and others with built in blocking for their browsers were published to playstore in the last 12-24 months.


I use the Ghostery extension in Chrome. It reports finding and blocking six trackers on this page, including Facebook Social Graph.


When you say “it reports Facebook Social Graph,” what exactly do you mean by that? Can you be more precise about how you think our Facebook widget is tracking you? (IIRC it is “a Facebook widget” but it is not *Facebook’s* widget, if that makes sense.)


On this page Ghostery picks up the following 3rd parties:

Google Analytics – this is a web analytics package. Without it we’d be unable to say how many visitors we had and we’d have to pack up and go home. Importantly Google Analytics prohibits the gathering or inclusion of any data that might personally identify users.

Gravatar and WordPress stats – is our host and their stats package is a non-negotiable element of that hosting (see our cookies page for more). Gravatar is part of WordPress, it’s a comment avatar that can be used across multiple sites and it’s also where WordPress stores our favicon (the S that appears in your browser tab.)

The other items are either Twitter or Facebook. Visitors are our lifeblood and we think making it easy to share our content is important so we have social media widgets on our pages. They’re not a secret – they’re at the top of the article in bright colours. Note that we don’t use the vendor-supplied widgets for either though, instead we make calls directly to the APIs that supply tweet and Like numbers.

We try to strike a balance – there’s functionality that we think is important for a site like ours – social sharing, comment scoring and polls for example – but over the years, as we’ve added functionality, we’ve actually reduced our 3rd party dependencies.

Some people hate any kind of third-party dependency, no matter what they do, others are happy to live with them, even ad networks if they think they’re getting something in return.

Different sites will have different approaches and strike different balances so in the end it’s up to end users to decide what they will and won’t allow their browser to share.

Our policy on cookies and scripts is on our cookies page, linked from our footer.


@Mark Stockley May 31, 2016 at 1:26 am

1) Simple sharing buttons can be created by JavaScript without the need of widgets that allow the target site to read in advance.

2) This blog is also free advertising for Sophos’ commercial products so maybe the company should cough up the costs of an independent website hosting with no strings attached.

3) Also, there are alternatives to Google Analytics that are more trustworthy as far as privacy goes.


I feel a little disappointed to hear this site referred to as “free advertising,” considering just how much time, effort, passion and, ahem, cost, goes into it from our side – articles don’t write themselves :-)


I visited Digital Advertising Alliance’s website on my Android to opt out of being tracked by their advertisers. Now I’m getting deluged with spam advertising e-mails! I’m pissed off, to say the least.

I’m guessing it’s from the ONE advertiser I couldn’t opt out of.


And that’s the rub. Whenever I’m about to opt out of anything, or unsubscribe, there’s a nagging little voice that says, “If you do, they’re gonna be ticked off and promptly sell your address to everyone else, including the PayPal scammers/phishers from whom you get umpteen horribly written phishing emails every week. Is it easier to just delete everything from this site or to deal with potential fallout?”

So, sometimes I opt out, sometimes I don’t, and I don’t know that either course really accomplishes anything.


Here’s an extra use for the DAA opt out site if you have Ublock Origin or Request Policy installed – go to the opt out page, let it load the status of all the ad sites, then go into your addon of choice and block every destination on the page :)


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!