Skip to content
Naked Security Naked Security

Facebook: 3 reasons we’re tracking non-users

It's just how the internet works, Facebook said.

It should have been an easy question to answer.
It came from Florida Rep. Kathy Castor during the House’s questioning of Facebook CEO Mark Zuckerberg last week, when she asked:

You are collecting personal data on people who are not Facebook users. Yes or no?

There was no yes or no to be had, so she tried again:

You watch where we go. Isn’t that correct?

Zuckerberg’s response:

Everyone has control over how that works.

She wasn’t the only member of the House Energy and Commerce Committee to press the CEO about how much information it collects about both users and non-users. As Castor put it, “It’s practically impossible these days to remain untracked in America,” and it’s led to a “devil’s bargain” in which people are “spied on” and tracked even after they leave the platform.
On Monday, Facebook finally coughed up the answer. It’s no shocker: the answer is yes.
Yes, Facebook tracks both users and non-users across websites and apps, according to a post written by David Baser, Product Management Director.
It does so for three main reasons, he said:

  1. To provide its services to the sites or apps;
  2. To improve safety and security on Facebook; and
  3. To enhance its own products and services.

From the post:

When you visit a site or app that uses our services, we receive information even if you’re logged out or don’t have a Facebook account. This is because other apps and sites don’t know who is using Facebook.

Facebook is far from the only online service to do this. Twitter, Pinterest and LinkedIn have similar Like and Share buttons, Google has a popular analytics service, and Amazon, Google and Twitter all offer login features, Baser said.

In fact, most websites and apps send the same information to multiple companies each time you visit them.

Baser emphasized that “We don’t sell people’s data. Period.” And, just as Zuckerberg repeatedly told Senators and Representatives last week, Baser said that Facebook is focused on putting users in control of their data and that the company is trying to be more transparent about the data it collects and how that data is used.

Whether it’s information from apps and websites, or information you share with other people on Facebook, we want to put you in control – and be transparent about what information Facebook has and how it is used. We’ll keep working to make that easier.

That transparency doesn’t extend to letting non-users get at the data Facebook collects about them, however.
On Wednesday, Zuckerberg responded to questions from Rep. Ben Luján by explaining that Facebook collects “data of people who have not signed up for Facebook” for “security purposes,” explaining how it helps to prevent scraping:

…in general we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to … we need to know when someone is repeatedly trying to access our services

The CEO didn’t explain what, if anything, else Facebook might doing with the data it gathers on non-members.


Lawmakers and privacy advocates immediately responded, with many saying that Facebook needed to develop a way for non-users to find out what the company knows about them.
On Friday, Facebook said it had no plans to build such a tool, according to Reuters.
In his post on Monday, Baser added a bit of detail around the security purposes behind its collection of non-users’ data:

If someone tries to log into your account using an IP address from a different country, we might ask some questions to verify it’s you. Or if a browser has visited hundreds of sites in the last five minutes, that’s a sign the device might be a bot.

Baser explained that one of the services Facebook provides to websites and apps is Audience Network: a service that lets advertisers create ads on Facebook that show up elsewhere in cyberspace. Advertisers can also target non-users with a tiny but powerful snippet of code known as the Facebook Pixel: a web targeting system embedded on many third-party sites. Facebook has lauded it as a clever way to serve targeted ads to people, including non-members.
Conspicuous by its absence from the blog post was any mention of shadow profiles: profiles of people who’ve never signed up for Facebook.
European countries have been battling with Facebook over shadow profiles for years. In 2011, a Irish privacy group sent a complaint about shadow profiling – collecting data including but not limited to email addresses, names, telephone numbers, addresses and work information – from non-members.
More recently, in the latest installment in a long-running privacy case, a Belgian court ordered Facebook to stop profiling non-members in the country or face a daily fine.
But what, exactly, can non-users do about this tracking?
Facebook sent this statement to Reuters:

This kind of data collection is fundamental to how the internet works.
There are basic things you can do to limit the use of this information for advertising, like using browser or device settings to delete cookies. This would apply to other services beyond Facebook because, as mentioned, it is standard to how the internet works.


6 Comments

Just a big dog and pony show. Sad that he spent most of his time explaining what Facebook is and how the internet works to old farts that should NOT be in Congress.

Aren’t there expert who they could have consulted with before the questioning to get the basics of how facebook works so that they could ask better questions? (that answer is yes, and the question is rhetorical). Now they are getting into the meat of the problem, though I’m not sure if they know they are.

From the outset I assumed that everything I put on Facebook is public – that way I am not disappointed. I find the game of “why is Facebook suggesting X as a friend” interesting – wondering how it has supposedly connected us and how surprised that person would be if they became my “friend”.

Yes. I’ve never used/signed up to, Facebook, but my partner did last year. They were showing me some of their friend requests. Some were people I worked with over 5yrs ago, but have had little or no contact with since. So I’m guessing they scrape contact lists, find my details in both and suggest them. I.e. Facebook has a shadow profile in me even though I’ve chosen not to give them any details about me.
So the statement “Everyone has control over how that works.” And “..on Facebook, we want to put you in control – and be transparent about what information Facebook has..” doesn’t ring true at all for me. I can’t control what information Facebook has in me. Even if I’d never been on the internet, sibling as someone has my contact details on their phone and load the Facebook app, they can and do profile you.

Deleting cookies won’t help if Facebook is tracking IP addresses, which I’m sure they are.

Does it help to turn third party cookies off?
Does it help to turn your modem off for IP reset occassionally (for those of us with an internet service provider who assigns unique IP addresses on reset)?

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?