How Does Facebook Know So Much About Me?

Facebook collects as much information as it can about you – from contact information and your physical location to highly-sensitive information such as your political views and financial status.

When you sign up for a Facebook account, you’re required to submit your real name, gender, date of birth, and email address or mobile number. In 2019, much of this information was breached for at least 267 million users.

Users are also encouraged to add a wide range of further personal information, from relationship status to school and current city. As you browse the website to engage with the friends, communities, and organizations you follow, Facebook keeps an activity log of your behavior. That includes everything you share, add, like, and click on, as well as photos you are tagged in and connections you make. This information is available to view via the "Your Interests" tab. Facebook keeps track all of your friend connections (including people you’ve un-friended), and every ad you view and click on.

Facebook also collects location data by recording each IP address that you use to log into the website, asking you to share your location in your browser and on your phone, and making it tricky to opt out. This combined information is used to serve you location-specific ads and to document your physical movements so that advertisers can track the connection between digital ads and real-world purchases. In 2018, Facebook actively marketed Onavo, a spyware app that was passed off as a VPN. Onavo could access the mobile phone data of people who installed it, which it then fed back to Facebook. The company has filed several U.S. patent applications for technology that would allow it to predict your future location by analyzing your previous location data and that of your friends. While it’s not unusual for tech companies to file patents for technologies they never end up using, this move demonstrates Facebook’s interest in developing their processing capabilities for this very lucrative and highly-intrusive type of personal information.

Facebook uses tracking tools, contact lists, and a complex network of third-party apps to collect information about its users and non-users alike.

Facebook’s network of third-party apps is one of the main channels for its data collection. When you choose the "Facebook login" option that many sites offer, this allows the site or app to access information about you. Exactly what and how much varies from company to company, ranging from name and gender to friends lists. These friends lists are aggregated as social graphs and are what allowed Cambridge Analytica to gather data about so many people. In that scandal’s wake, Facebook made changes so that companies cannot collect data about people’s friends without their express permission.

Less obvious data collection points include social plugins that double as trackers and are embedded on non-Facebook websites, such as the "Like" and "Share" buttons you see all over the Web. Facebook Analytics and Facebook ads are some of the further ways that the company collects information about people from other websites and apps.

Facebook also allows businesses to upload contact lists of Facebook users they want to target with advertising. This allows companies to match Facebook users with their own databases of email addresses, contact lists that are bought from data brokers, and publicly-available information like voter records, and use all of this information to target their desired audiences. You can see which companies have targeted you by clicking on Advertisers > Who used a contact list added to Facebook.

From 2013-2018, Facebook ran Partner Categories, a data licensing program intended to enhance the precision of the company’s targeted advertising capabilities using information about individuals’ offline actions. Starting with Datalogix in 2012, Facebook began licensing third-party data brokers (including Acxiom, Epsilon, Experian, Oracle Data Cloud, TransUnion and WPP in the U.S.) to aggregate large amounts of information about its users – largely of a financial nature. These include credit card transactions, account balances, loyalty programs, and income. Facebook may not have shared any of its own data with these third-party brokers. However, they also never explained how the Partner Categories program actually functioned, arguing they had no obligation to do so because they were not the ones collecting the information. After Partner Categories came under criticism in 2018, Facebook shut it down.

Facebook can track people without an account using a range of techniques, from contact uploads to trackers on other websites.

Even if you don’t have a Facebook account, the company can track you online in two main ways. The primary method occurs when friends who are on Facebook choose to upload their contacts to the site to see who they might know. This information is combined to create so-called "shadow profiles" about non-Facebook users, which are used to generate friend recommendations should a non-user ever sign up. Another way that Facebook can tell if two people know each other is by scouring the metadata of photos for timestamps and geographic location. In some cases, Facebook may compare dust and scratches on the lenses of the cameras that snapped the photos.

As you browse the Web, many websites use analytics and tracking tools like Facebook pixel and other social APIs to track visitors. This information is sent back to Facebook and used for ad retargeting, which are ads that follow you around the web, among other purposes. Facebook tracking tools have been found on 30% of the top 10,000 websites – including porn sites, as a 2018 study brought to light.

Mark Zuckerberg has testified that Facebook doesn’t sell your data directly. But data is how the company makes money – by selling advertisers access to you as a consumer.

Facebook has long maintained that it does not sell data about its users. User data is Facebook’s most valuable asset, so it is in the company’s interest to retain ownership of it. Instead, the company sells access to users so companies can reach the audiences they want to through highly-targeted advertising. One way Facebook does this is with a long list of personal characteristics, "categories of interest", or "unique attributes" – from race, gender, and marital status to income bracket. In a 2016 study, ProPublica collected 52,000 of these unique attributes, submitted by users – including some obscure ones like "Pretending to Text in Awkward Situations". Facebook allows advertisers to pick-and-choose a tailored selection of these attributes in order show ads to the specific types of people they want to target. For example, a new luxury fitness club opening in New York can ask Facebook to show their ads to women between 25-35 who live in Manhattan, earn over $60,000 a year, and are interested in "personal fitness","sportswear" and "healthy living".

In addition to the profit Facebook makes from selling access to user data, the company has a track record of sharing data in intrusive, non-consensual ways. A 2018 investigation by The New York Times revealed the "special arrangements" that Facebook had with Big Tech firms between 2010-2018 in pursuit of steep growth. These included allowing Netflix and Spotify to read a Facebook user's private messages, letting Microsoft Bing see nearly all a Facebook user's friends without consent, giving Amazon permission to grab a user's contact information via their Facebook friends, and allowing Yahoo to see posts from Facebook friends – all despite publicly stating that they had stopped this kind of sharing back in 2014.

Facebook has repeatedly denied listening to its users’ conversations via microphones. But a variety of other cues it gathers information from – and the way it combines that information to serve you up ads – is even more invasive.

Have you ever seen a Facebook or Instagram ad about a product you’ve never searched for, emailed about, or otherwise typed into your phone – but have recently mentioned to a friend? When those niche sneakers you spoke about in the vicinity of your phone pop up in an ad the next day, it feels too strange to be a coincidence. It’s probably not your microphone that’s listening, however. Facebook has repeatedly denied this – in a 2016 blog post and in front of the U.S. Congress.

Whether or not you trust Mark Zuckerberg, the technical reasons that limit microphone spying by Facebook are compelling – it simply may not be worth the effort. As Facebook engineer Antonio Garcia Martinez explained in Wired, “Constant audio surveillance would produce about 33 times more data daily than Facebook currently consumes. Such snooping would be eminently detectable, ringing up noticeable amounts of data on your smartphone as Facebook maintained your always-on call to Zuckerberg.” A 2018 study conducted by researchers at Northeastern University backs this up – having found no evidence that Facebook apps triggered the microphone without express permission, nor that audio files were being transmitted from phones.

In 2018, Facebook launched a smart video device called Portal that allows customers to make Internet calls. We know that Facebook analyzes Portal usage data such as length of calls and frequency of calls to feed users targeted ads. Though Facebook has claimed they take a privacy-centric stance with the product, we also know they use transcribed recordings to train the artificial intelligence that powers Portal. There's no evidence that Portal is also tracking conversations and relaying them to humans, as Amazon Alexa devices have been caught doing, but privacy-conscious users will be wary.

Facebook is reluctant to engage with the issue head-on because of the risk that the company would be compelled to explain the real infrastructure behind their complex behavioral advertising system – which is arguably more invasive than simply tapping our phone’s microphones.

The clearly-defined profiles that allow Facebook to serve up highly-specific advertising are created through a combination of all the data they sweep up on the Internet. This data is collected, aggregated, and analyzed so effectively to serve us content and ads that it feels like Facebook’s listening.

Aside from deleting Facebook and its subsidiaries Instagram and WhatsApp, there are several steps you can take – both on the platform itself and external measures – to reclaim at least a degree of control over your data.

Delete Facebook

The most effective solution is, of course, to delete all your accounts on services owned by Facebook – that means Instagram and WhatsApp too. If you’re ready to take the plunge for your privacy, don’t forget to download your Facebook data beforehand. (Settings > General > Download a copy of your Facebook data). However, if you do keep your Facebook account(s), there are some defensive steps you can take.

Limit the information Facebook knows about you:

• See what data Facebook and its advertisers have and revoke access: Settings > Ads > Ad Preferences
• Revoke Facebook’s access to your microphone and location.
• Do a quick Facebook Privacy Checkup to see what information you can remove.
• Review all third-party apps connected to your Facebook account and revoke their access.
• Delete information you previously shared with Facebook: Your personal details (phone number, date of birth, personality preferences), old posts, photos, etc.
• Untag yourself and your friends from photos to avoid training Facebook’s evolving facial recognition tools.

Limit the information Facebook partners and trackers know about you:

• Stop using the “log in with Facebook” option for all websites and apps that offer it, and switch to a password manager that creates unique and secure password for every website.
• Install a tracker-blocking browser extension like Privacy Badger to prevent tracking by Facebook Pixel and Facebook’s like button.
• Use a VPN with a built-in anti-tracking tool. Find out about IVPN’s Anti-Tracker feature.
• Follow our guide to the ad tech business, which contains simple digital self-defense tips and strategies.