You’re using it, even when you’re not.
Facebook’s getting a lot of (in my opinion, well deserved) negative attention and scrutiny of late for a variety of reasons.
One of the lesser-known aspects of Facebook’s data collection is that they’re able to track people who don’t have Facebook accounts.
I know, because for a while a few years ago I helped ’em. (I no longer do.)
Facebook tracking
Because many websites use Facebook-supplied tracking technology, including the “Facebook pixel”, it’s easy for Facebook to collect information about your activities whether you have a Facebook account or not. This same technology is also used by advertising networks and others for similar purposes.
Image tracking
Images can be used to track what you do. It’s one of the reasons email programs generally disable images by default.
When an image is displayed — be it in email or on a website — it has to be fetched from somewhere. For example, when this page is displayed, your browser finds an instruction to display an image, which is then fetched from this location:
https://askleo.com/wp-content/uploads/2021/11/keyhole-spy-2048x1075.jpg.webp
(Details of that URL may change due to caching, but the concept remains the same.)
So when you display this page, in addition to the browser saying:
- Hey, askleo.com! Could I get “how-does-facebook-track-me-even-if-i-dont-have-an-account” from you, please?
It finds instructions on the page that an image is required, so it then also asks:
- Hey, askleo.com! Could I get “wp-content/uploads/2021/11/keyhole-spy-2048x1075.jpg.webp” from you, please?
So askleo.com knows you fetched a page, and it knows you fetched an image.
So what does that have to do with Facebook?
The tracking pixel
Many sites with a Facebook presence — like Ask Leo! has its Facebook Page — are encouraged by Facebook to add what’s called a tracking pixel or Facebook pixel. It’s exactly what it sounds like: a single-pixel image (often invisible) referenced somewhere on the page.
That means when you visit a webpage of some random site — I’ll use reallybigbookstore.com as my example — your browser says something to the effect of:
- Hey, reallybigbookstore.com! Could I get “some-random-page” from you, please?
On the resulting page, the browser finds instructions to “display” the image that is the Facebook pixel, and thus asks:
- Hey, facebook.com! Could I get “whatever/pixel.png” from you, please?
That lets Facebook know you visited reallybigbookstore.com.
So, how does one silly little pixel let Facebook track you?
Referrers
Whenever a browser requests an image to be displayed on a webpage, it includes the URL of the webpage containing the request. It’s called the “referrer”, or referring page.
For example, for the image at the top of this page, the request is more like:
- Hey, askleo.com! Could I get “how-does-facebook-track-me-even-if-i-dont-have-an-account” from you, please?
Then, when the browser discovers that the page includes a reference to the image:
- Hey, askleo.com! Could I get “wp-content/uploads/2021/11/keyhole-spy-2048x1075.jpg.webp” from you, please?
- By the way, this is for “https://askleo.com/how-does-facebook-track-me-even-if-i-dont-have-an-account”.
Seems innocuous enough, right?
Let’s add Facebook into the mix. Let’s visit reallybigbookstore.com again.
- Hey, reallybigbookstore.com! Could I get “some-random-page” from you, please?
- Hey, facebook.com! Could I get “whatever/pixel.png” from you, please?
- By the way, this is for “https://reallybigbookstore.com/some-random-page”.
Facebook learned a couple of things from this exchange.
- You visited “reallybigbookstore.com”.
- You looked at “some-random-page”.
That’s still not tracking, though; it’s just notification. To track, we need one more component.
Cookies
Cookies are nothing more than bits of data placed on your computer by websites that are included in subsequent requests when you visit any page on that website again.
For example:
- Hey, askleo.com! Could I get “how-does-facebook-track-me-even-if-i-dont-have-an-account” from you, please?
Might get a response along the lines of:
- Sure, here’s the page, and here’s a little bit of data I want you to keep for me: 1,860,012,375.
The next time you visit any page on that site, the request looks like:
- Hey askleo.com! Could I get “best-articles-collection” from you, please?
- By the way, here’s the data you asked me to keep last time: 1,860,012,375.
I’m just using a random number as an example — it could be any data. It’s typically very small. In Ask Leo!’s case, for example, this cookie might include the fact you’re signed in to your Ask Leo! account and don’t need to sign in again every time you move from page to page.
Cookies apply to images as well — including the Facebook pixel.
If you’ve never visited Facebook before (or you’ve just cleared cookies), the request is still:
- Hey, facebook.com! Could I get “whatever/pixel.png” from you, please?
The response will be something like:
- Here’s your pixel.png, and here’s a little bit of data I want you to keep for me: “user: 12,398,641,238”.
Now, the next time you visit any site that happens to use the Facebook pixel, your browser will request:
- Hey, facebook.com! Could I get “whatever/pixel.png” from you, please?
- By the way, here’s the data you asked me to keep: “user: 12,398,641,238”.
- And by the way, this is for “https://reallybigbookstore.com/some-random-page”.
Facebook can now collect and track:
- All the sites you visit.
- All the pages on those sites you visit.
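The exchange above can be replayed as a small simulation, added here as an illustration and not code from Facebook or any real tracker. It shows what a pixel host's log contains when the browser sends full referrers and third-party cookies, and what is left when the browser trims the referrer to the site's origin (the `strict-origin-when-cross-origin` policy current browsers default to) and blocks third-party cookies. The host `tracker.example`, the `uid` cookie name and the second bookstore page are constructed placeholders.

```javascript
// Added illustration (constructed; not code from any real tracker).
// Hostnames, paths and the "uid" cookie name are placeholders.

// Referer header value a browser sends under a given Referrer-Policy.
function refererFor(policy, pageUrl, targetUrl) {
  const page = new URL(pageUrl), target = new URL(targetUrl);
  const full = page.origin + page.pathname + page.search; // fragments are never sent
  if (policy === "no-referrer") return null;
  if (policy === "unsafe-url") return full;
  if (policy === "strict-origin-when-cross-origin") {
    if (page.origin === target.origin) return full;
    if (page.protocol === "https:" && target.protocol !== "https:") return null;
    return page.origin + "/"; // cross-site: origin only, no path
  }
  throw new Error("policy not modelled: " + policy);
}

// The third-party host serving the pixel: hands out an ID cookie, logs each hit.
class PixelHost {
  constructor() { this.nextId = 1; this.log = []; }
  handle(request) {
    const m = /(?:^|;\s*)uid=([^;]+)/.exec(request.headers.cookie || "");
    const uid = m ? m[1] : "u" + this.nextId++;
    this.log.push({ uid, referer: request.headers.referer || null });
    return { body: "1x1 image", setCookie: m ? null : "uid=" + uid };
  }
  // Everything the host knows, grouped by the ID it assigned.
  profiles() {
    const out = {};
    for (const { uid, referer } of this.log) (out[uid] = out[uid] || []).push(referer);
    return out;
  }
}

// Minimal browser: one cookie jar entry per host, configurable privacy settings.
class Browser {
  constructor({ referrerPolicy, blockThirdPartyCookies }) {
    this.referrerPolicy = referrerPolicy;
    this.blockThirdPartyCookies = blockThirdPartyCookies;
    this.jar = new Map();
  }
  // Visit pageUrl, whose HTML embeds an <img> pointing at pixelUrl.
  visit(pageUrl, pixelUrl, pixelHost) {
    const host = new URL(pixelUrl).hostname;
    // Simplification: "third party" = different hostname (browsers compare sites).
    const thirdParty = host !== new URL(pageUrl).hostname;
    const cookiesAllowed = !(thirdParty && this.blockThirdPartyCookies);
    const headers = {};
    const referer = refererFor(this.referrerPolicy, pageUrl, pixelUrl);
    if (referer) headers.referer = referer;
    if (cookiesAllowed && this.jar.has(host)) headers.cookie = this.jar.get(host);
    const response = pixelHost.handle({ path: new URL(pixelUrl).pathname, headers });
    if (cookiesAllowed && response.setCookie) this.jar.set(host, response.setCookie);
  }
}

// Browse three pages on two sites; return what the pixel host ends up knowing.
function whatTheTrackerLearns(settings) {
  const PIXEL = "https://tracker.example/whatever/pixel.png";
  const pages = [
    "https://reallybigbookstore.com/some-random-page",
    "https://reallybigbookstore.com/another-page",
    "https://askleo.com/best-articles-collection",
  ];
  const tracker = new PixelHost(), browser = new Browser(settings);
  for (const page of pages) browser.visit(page, PIXEL, tracker);
  return tracker.profiles();
}

console.log(whatTheTrackerLearns({ referrerPolicy: "unsafe-url", blockThirdPartyCookies: false }));
console.log(whatTheTrackerLearns({ referrerPolicy: "strict-origin-when-cross-origin", blockThirdPartyCookies: true }));
```

With the first settings the host sees one ID attached to all three full page URLs; with the second it sees three unrelated IDs and only the site origins. The model covers cookies and referrers only, not the other techniques mentioned later in the article.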
But is it really you that’s being tracked?
Yes, no, and maybe. It depends on what “user: 12,398,641,238” really means, and how much data has been collected already.
Building a picture
If you’re signed in to Facebook, it’s very likely that whatever is stored in the cookie is associated with your account. Put another way, “user: 12,398,641,238” could very well identify you, specifically, by identifying your specific Facebook account.[1]
If you’re not signed in to Facebook, though, you’re just “user: 12,398,641,238”. Seems pretty random and pretty anonymous, right?
At first, it is. Facebook might know you visited page A on site Z, and perhaps even know your country by virtue of your IP address, but that’s nowhere near enough to identify you.
Eventually, though, Facebook sees you’ve visited pages B, C, and D on site Y, pages E and F on site X, and so on and so on. Eventually, Facebook can build up quite a picture of exactly what sites you visit and what pages you view on those sites. Depending on how they analyze the data, they can figure out what topics you’re likely interested in, what views you likely hold, and even what things you’re likely looking to purchase.
It seems possible that with enough data and enough analysis, enough information could be correlated such that it could be used to identify you, specifically. I don’t believe they do this. For the most part, they’re not interested in individuals. What they are interested in is marketing to groups of individuals. Your activities more easily identify which cohorts you belong to than they identify you as an individual.
All without a Facebook account.
It’s about more than Facebook
All the techniques listed above are nothing more than the way the web and web browsers work. Referrers, cookies, and URLs are nothing more than the fundamental building blocks of how websites work and how webpages are requested, built, and displayed.
That Facebook is leveraging it all, presumably to perform this detailed data collection, aggregation, and analysis, is really just the tip of the iceberg. They have an enormous amount of data to work with. Being able to more accurately target content at those groups more likely to engage, or advertising to groups of people more likely to respond, is of huge value to them.
But they’re not alone.
Everything I’ve described applies to advertising networks as well. The names may not be as familiar, but the techniques are the same. The only real difference is that instead of a single, tiny, hidden pixel, the advertising networks are displaying ads. And once again, using the way the web works to collect data about the individuals viewing those ads across all the websites using the same advertising network is of high value. It teaches them what ads to show you.
It’s what allows ads to “follow you” around the internet.
It’s about more than pixels
I’ve used the Facebook pixel as the most obvious (and perhaps easiest to understand) technique Facebook, advertising networks, and other entities use to track your activity around the World Wide Web.
There are other techniques.
Particularly in the face of ad-blocking and privacy tools, many of these same companies develop other techniques to try to collect the same, or close to the same, data. And it’s all based on the same tools and techniques used to access and display internet content in the first place.
Should you worry?
I don’t.
That Facebook, Google, Microsoft, or others might be “watching” what I do doesn’t concern me. It’s my firm belief, and I’ve said this before, that I as an individual am just not that interesting. That I might be identified as an older, white, American, male (among other things) is interesting, but they don’t need to know who I am to make that determination. They have enough right there to show me the AARP advertisements they want me to interact with.
However, not everyone feels as I do.
Ad blockers, privacy-focused browsers, security tools, and more can all help reduce the amount of tracking, if it’s of concern to you.
I’m just not convinced you can completely eliminate it.
Do this
If the thought of being tracked concerns you, take sensible precautions when exploring the web. Use a privacy-focused browser (Brave would be one example), privacy extensions (Privacy Badger, for example), and appropriate security tools.
But there’s really no need to panic when you see ads following you. It’s not really about you, specifically.
Footnotes & References
1: I don’t know this is exactly how Facebook works. The point here is that it’s entirely possible, and in my opinion quite likely.
As a family we don’t use Facebook, so it was interesting to read this.
If FB is somehow tracking our surfing habits, I am surprised I never see their cookies in my browser, I delete cookies at least once a day, so I get to see all entities who are placing them … or am I???
Are there any utilities which can scrub cookies that accumulate on a given day? So that after a browsing session, I can just clean our recently acquired cookies?
Would using Brave’s Private Window feature accomplish this?
Thanks…
Private supposedly deletes cookies when you close the window. When you manually clear cookies in most browsers there’s an option to specify the timeframe: I believe one day is in the list of options.
Most browsers have some sort of Incognito or Private browsing mode. Those modes don’t normally allow cookies to be saved.
The Cookie AutoDelete extension will delete cookies associated with a tab when you close the tab. You can decide which sites to delete so you have a lot of control.
Informative article and thank you for the recommendation for Privacy Badger, Leo. I just installed it on Firefox. It will be a nice adjunct to uBlock Origin.
CBC (Canada) TV’s Marketplace ran a story a couple years ago on online shopping, where they found that these online shopping websites were also tracking you and adjusted the price based on how much their algorithms figured they could get you to pay. They had 4 people looking to buy the same thing from the same website and got 4 different prices every time, until everyone cleared their cookies and switched to the private (incognito) mode of the browser and then they all got the same price.
James B wrote:
“…They had 4 people looking to buy the same thing from the same website and got 4 different prices every time, until everyone cleared their cookies and switched to the private (incognito) mode of the browser and then they all got the same price.”
Ouch! So this is my reward from patronizing Ama... I mean, “ReallyBigBookStore.COM” — higher prices?!? Ptooey! :(
Yes, we need to return to enforcing antitrust and anti-monopoly laws and regulation.
Good point grandrascal, that had not occurred to me.
I think a little of my own research is in order.
I will check prices at the really big bookstore, then I will delete the cookies and see what happens when I recheck the items.
I do have a Facebook account. I use it to keep in touch with friends and family. I also speak my mind on occasion. Since I am being tracked by every advertising agency on the web anyway, and there is nothing within reason that I can do to stop it, other than ad-blockers and/or privacy-centric web browsers, I just don’t worry about it. Facebook (and all the other ad tracking agencies) can get as much information about me as they want anyway, so having an account on Facebook is essentially irrelevant. Leo makes a very good point. I’m not all that interesting, so whether the information being collected is directly attached to me due to my Facebook account or to my web activity (other ad agencies), the end result is the same. Ultimately, the information collected about me is an aggregation not a dossier, so who cares, I don’t.
I have been an Internet user almost since the World Wide Web began (essentially since Windows 95 was released, and even a bit before), so these organizations have had a very long time to collect information about me, and by now they probably know more about me than I do. All this tracking has had no effect on me or my web activity. It has not affected my Internet security either. On the positive side, the ads I see online are probably more likely to be of interest to me. I still get to decide whether I click on them or not (usually not). If I see an ad that interests me I usually don’t click through, instead I do a web search on the thing being advertised. The only time I do click through is when I see an ad that interests me coming from a web site I visit regularly, like this one because I want to support the site in return for the content being provided.
There is one thing that I believe needs to be changed. Web browsers should have an indication in its communications with web sites being visited when the user is a child. Cookies and other tracking technology should be disabled/rejected. Tracking and collecting information about children should be illegal worldwide, no exceptions.
These are my thoughts, what do you think?
Ernie
In a way I agree with you about the privacy issue, Ernie. If Google want to track me when I search the web, good luck to them. They provide a highly sophisticated and extremely expensive service free and are entitled, in my view, to some reward for this. On the other hand, though, as Leo points out, Facebook and Twitter seem to be following me despite my using their services very little and this has the practical consequence for me that many corporate websites load slowly and inefficiently, while simple websites used by not for profit organisations, including the government, come up in a flash. I see the evidence for this in the status bar of my browser, which shows for such complex sites a tedious series of referrals to the likes of Facebook and Twitter as the page attempts to load. It’s annoying because it impedes access to the site while having no relevance to the content and affording no benefit to the user. This is parasitic and damagingly gums up much of the web.
Good article reinforced with easily understood examples. Thanks for preparing and publishing!
To Leo and friends. Can you comment on the use of pihole (which examines DNS requests) and the effect pihole has on privacy. Does pihole only reduce ads? Or is there improvement on privacy concerns, as well?
Thanks for giving us these articles. Very informative.
Don’t have any experience with it yet, though it does look pretty interesting. It appears to be primarily targeting advertising, though.
I’m a human on this planet with about 8B others. I’m interested in lots of things. I don’t care one whit what any other tracks about me. If I see an uninvited email, I trash it. Period. Then, maybe, I’ll access it in my browser. And, I don’t even believe most of anything I read there-it’s just interesting, sometimes. The whole world is full of beautiful and ugly, smart and stupid-it’s all fun, just like ALL your articles. Thanks for using your time the way you do.
I am a FaceBook user. I visit many websites daily. And I routinely clear my cache and cookies, just because. I normally don’t worry about the tracking and I pretty much ignore all advertising. However…
About a month ago I had abdominal mesh surgery. I didn’t post about this in my FaceBook feed and I didn’t do any search on the topic since I already was informed about the surgery. About 3 weeks after the surgery, I was in a restaurant talking to some friends and they asked about the surgery. I talked a little about it. The next day, while browsing through my FaceBook feeds, I had three advertisements pop up dealing with “Mesh surgery lawsuits.” I had never seen those advertisements on FaceBook before. How did a simple discussion, in person (not on a phone) make it to FaceBook so that they would feed me that advertisement? I don’t use Siri or Cortana or any other voice activated services. Has FaceBook found a way to access my phone microphone?
It’s super unclear. I know that many people are concerned that voice activated services listen more than they let on. If you have an Android phone, for example, you probably have “Hey Google”, whether you use it or not.
That being said, every time I’ve looked into this there’s been some other explanation — words used in an email, a forgotten search, visiting a related website — something. But I can’t rule out the possibility of being heard.
I’ve gotten mesh surgery lawsuit ads and I don’t even know what mesh surgery is, so I’ve never mentioned it. It’s a common ad. It might just be a coincidence (or maybe not). One day, I talked about a nearby ski resort with a friend. The next day, a photo of that town appeared as my Windows login wallpaper. I chalked that up to coincidence.
CMA, my wife saw that happen, only even worse. She was over a friend’s house last month. He raised an object in the air and said something like “remember how we used this with dad?” He didn’t name it. My wife had an ad for that object show up in her Facebook feed within a minute. She had never had that ad before. Coincidence? Maybe. Very strange timing? Absolutely! Are they also using our cameras? If so, this is horror beyond imagining. This is unrestrained privacy intrusion.
Interesting post!
You are probably in their contact list. It would be interesting if those ads wound up on their Facebook accounts or other people on their contact list.
That could lead you back to your microphone question.
What impact do VPN and TOR browser have on this process?
TOR would block most tracking. A VPN will hide your IP number and encrypt the communication between you and the VPN, but it won’t stop cookies or some other tracking methods.
Very little, if any. The example I use in the article still works, for example.
There is a difference between staying anonymous online and being tracked for marketing. Staying anonymous by using TOR and/or VPN attempts to hide your computer, browser, IP and location by using proxies or intermediaries between your device and the websites you visit. In that sense, TOR makes it difficult to track which websites you visited, especially to an outside snooper. But TOR doesn’t stop the type of tracking by cookies used for marketing that’s described in this article. TOR is like any other browser (it’s a version of Firefox) in that it gives you options for how to handle cookies. If you were to block all cookies many websites won’t work or will misbehave. Pixel tracking files typically can’t be blocked by any browser, besides they are widely used in HTML emails. If your worry is being tracked for advertising there really isn’t a fool-proof or convenient way to stop that. Try these: Don’t use Google search. Clear your browser cache between websites or even going from one page to another on the same website, never stay logged in to your Google or social media accounts while you’re doing general browsing.
TOR, by default, clears cookies, browsing history, and the browser cache when the browser is closed, similar to browsing in incognito mode, whereas a VPN doesn’t do anything with cookies.
To avoid email tracking, you can block remote images. Lately, most email programs and webmail websites block remote images by default.
How Does Blocking Pictures in an Email Protect My Privacy?
One way of restricting Facebook or other sites from your computer is by modifying the system hosts file. This is a text file called “hosts” (no extension) located at %SystemRoot%\System32\drivers\etc\. I’m not going to get into details on how to use this file because you can find it on the internet. But briefly, this acts as a local alternate DNS overriding the URLs that a browser sends out. In the hosts file you list the URLs you want to restrict and have your computer route the browser to a bogus IP address. Typically, this bogus IP address is your own computer. So, when the browser goes to facebook.com and then goes to your computer’s IP address (127.0.0.1) there is no Facebook server there, so the connection fails. There are caveats about the hosts file: On some systems the permission settings may not allow you to edit it without a great deal of hassle. There are selected URLs that the Windows OS will ignore in the hosts file, such as all Microsoft URLs (these are hard coded in the OS). Note that this hosts file can also be used against you in a phishing attack, so if you change the admin permissions on this file so you can edit it, change them back to admin “read only”. In the past Leo has had various articles on the hosts file.
Some security/privacy tools use this technique. The problem, of course, is that blocking, say, “facebook.com” means that nothing from Facebook would ever be visible on your PC at all.
I’ll be 50 this time next month. I suppose my AARP ads are soon to follow. LOL, thanks for sharing Leo and thanks for what you do.
Great article Leo, as always. Some years ago, I worked for a large player in the online advertising realm. The company tracked all manner of browser activity. I cannot speak to what Facebook does with the data it collects. I can say this with confidence. The company I worked for was not nefarious. It had one overarching goal, monetize content. Create value for advertisers, i.e. find buyers. That’s it.
Several commented about price differences observed for online purchases based on specific users and their cookie “breadcrumb” trail. This is an absolute reality. There are a plethora of criteria used to profile online buyers in aggregate but several are the “800lb gorilla” in the room type.
Your zipcode, operating system and calculated gender will have you paying more. For purposes of this comment, zipcodes in high-value real estate areas, like Washington DC or anywhere in California will pay more. Anyone using iOS will pay more as advertisers deem you to be more affluent at best or gullible at worst. Women will pay more too for all manner of things, especially clothing. Is this fair? Dear reader, I’ll let you be the judge of that. There’s a silver lining. Being aware this is happening can be used against advertisers with a bit of creativity!
There’s a common trend for many online to avoid advertisements or use ad-blockers. That’s a fine approach. Here’s another one to consider. All ads online are supported by finite advertising budgets. Based on my experiences with the ad company, I encourage folks to bang on the ads known in the industry as click-thru. Close the ads as they pop-up. Why you ask? Because this event is tracked and the advertiser has to pay an agreed-upon amount to the company serving the ad. One click means nothing. This is a numbers game. The more people that click thru the faster the ad budget is consumed. The ads will actually go away faster than if blocked. I realize this seems counterintuitive. At the end of the day, it’s all about money. You consume an advertiser’s budget without a corresponding uptick in sales, the ads will evaporate.
Another side effect: if the same person clicks the ads on a page several times, the ad server will flag that website and possibly stop supplying ads because they think the website owner may be clicking to make money. This isn’t fair to the website owner who isn’t in on the breach of privacy.