[HN Gopher] Why is there a TikTok tracking pixel on UberEats wha... ___________________________________________________________________ Why is there a TikTok tracking pixel on UberEats what is this crap? Author : cmoog Score : 286 points Date : 2022-03-06 17:45 UTC (5 hours ago) (HTM) web link (user-images.githubusercontent.com) (TXT) w3m dump (user-images.githubusercontent.com) | soared wrote: | OP is going to have a heart attack when they install ghostery. | tester756 wrote: | bing and yahoo.co.jp are interesting | calrueb wrote: | As many people have pointed out these are for tracking the | performance of ad traffic. Savvy, "privacy minded" businesses may | listen to this sort of outrage, and pull the pixels off their | websites. But you are kidding yourself if you think you aren't | being tracked because the frontend JS is all first party. | | The same thing can, and is happening server side. Every platform | out there now has an event/conversion API [1]. If you are logging | in to Uber Eats with a email/phone number you have used elsewhere | then you are going to be tracked full-stop. | | 1. Here is TikTok's for example | https://ads.tiktok.com/help/article?aid=10003669 | sexy_panda wrote: | Even more concerning is Hotjar. | Raed667 wrote: | at least hotjar respects do-not-track settings | LeonM wrote: | DNT is not the solution though. | | DNT status is not readable by JS (by design), so DNT cannot | be implemented in the client. So all tracking calls are still | made over the network. It is then up to the server processing | those calls to drop them if the DNT header is present. Thus, | there is no way for a user to verify that DNT is actually | honored. | | Hotjar is probably the only one (claiming to be) honoring DNT | consistently. Luckily Hotjar is a SaaS where the customer | cannot influence this decision. But for all other tracking | solutions, whenever marketeers are given the option, they | will always choose to ignore DNT. | tentacleuno wrote: | That's not true. There's Navigator.doNotTrack[0]. It works, | but it's deprecated and I'm not sure what the replacement | is. | | [0]: https://developer.mozilla.org/en- | US/docs/Web/API/Navigator/d... | lexicality wrote: | It's deprecated because DNT is deprecated since barely | anyone respects it | Nextgrid wrote: | If DNT is sent when loading the initial page it is totally | possible to serve HTML that doesn't include the tracking | scripts. If you load your tracking scripts you've already | gone against your objective since even the initial HTTP | request that loads the tracking library leaks the user's IP | address and browser fingerprint back to the tracker. | | This is not a defense of DNT by the way - it has other | problems such as the increased fingerprinting surface, etc. | LeonM wrote: | You are right, didn't think of that | jstanley wrote: | > DNT status is not readable by JS (by design), so DNT | cannot be implemented in the client. | | But the JS is served by a server, which can read the DNT | header, so why can't it just write different JS based on | the content of the header? It can be as simple as writing | "let do_not_track = true;" if the header is present. | yawnxyz wrote: | Somewhat unrelatedly, just "innocently" embedding a tweet on a | site adds a TON of trackers from Twitter. It's really unfortunate | zero_k wrote: | People here talking about PII reminds me every day that we still | haven't grasped what Personal Data is, and how incredibly | different it is from PII. Ah, sad. | tentacleuno wrote: | The amount of tracking on this page is astounding. Just from the | screenshot, I count 9 trackers: Uber Eats' own | analytics sc-static.net (Snapchat? whois doesn't reveal | anything.) Google Tag Manager Facebook Connect | Yahoo TikTok ispot.tv (Some sort of ad management | solution.) Hotjar (Behavioural analytics.) Bing | mabbo wrote: | This is honestly very few considering how many different places | Uber Eats probably advertises on. | | I work on helping new Shopify merchants get more early sales, | and ads are super important for that to happen. Open up any | small and growing e-commerce store and you'll see at least this | many. | | Without ads, you don't find these small businesses, and all | consumers just go to Amazon, or other large established | marketplaces. | itslennysfault wrote: | That's just 9 in this screenshot. I'm sure there are loads | more if they scroll. | medion wrote: | Not on the main topic, but is there a way I can get in touch | to discuss how you might be able to help us and our Shopify | shop? | mabbo wrote: | It's a hard topic. My team mostly does experiments, A/B | tests on new merchants to see what nudges leads to better | results overall. The reality is we have a lot of ideas and | we're trying to get data to figure out those answers. But | we don't truly _know_ yet. | | The hard part (as far as I can tell) is product market fit | and finding your customer base. Once that's established, | you have some momentum, leading to repeat customers and | lower acquisition costs. IE: once an ad network has some | existing customers to build a model on, it's cheaper to | target ads on similar customers. | | But that initial part is very hard. New privacy rules, like | Apple's changes, are a _good thing_ generally, but they | make it more expensive for small businesses to acquire | initial customers because ads are less effective, so you | have to pay for more of them to find your customers. That | gives Amazon (and other established competition) a massive | advantage. They know everyone deeply and can target | everywhere very precisely. | | I've heard that the Shopify subreddits are well liked by | merchants. Good info there. | | There's also the Gurus that can provide some support for | free, as well as you can hire an 'Expert' through Shopify | to get even more help. | | All this is to say the most groan-inducing phrase in | business: you've got to spend more to make more. And | there's no guarantee that you'll earn it back because | business is hard. | jon9544hn wrote: | Same! | pc86 wrote: | From their profile it looks as if they work at Shopify, so | probably just through the generic contact page would get | you to at least the right department. | user_named wrote: | Because they run ads on TikTok | Ourgon wrote: | The answer to this is the same as to all similar questions: _why | are you not blocking third-party content by default_? To which | the reaction tends to be that this is too difficult /too much | hassle/should not be necessary. No, it should not be necessary | just like locking your door should be necessary. Unfortunately, | it is. | | By the way, in this specific case another answer is "UberEats? | Learn To Cook(tm)!" | derimagia wrote: | Looks blocked to me. | sha256sum wrote: | Protip: if user privacy is a concern to you, then not supporting | these companies (by handing them your data) is a good place to | start. | badrabbit wrote: | No. This needs to be criminalized. Not liking a good or service | is one thing. Having things done to you or your information | without consent for the purpose of spying on you is stalking | with extra steps. Many of these companies still deprive you of | your privacy even without using their services by developing | shadow profiles on you. | [deleted] | ipaddr wrote: | This is an image that loads from a different host. | | Neither of these companies will create a shell profile if you | never visit them. | | If they are criminal why would you use them? | Retric wrote: | > If they are criminal why would you use them? | | People don't give money to scammers because they know their | scammers. | | It's the same with privacy issues, people who don't know | what's happening can't make informed choices. | notatoad wrote: | >people who don't know what's happening can't make | informed choices. | | it's really distasteful how privacy advocates always | assume that everybody who doesn't feel the same way they | do is uninformed. the average person has a basic | understanding that companies keep track of them online. | everybody who's spent more than five minutes online | without an adblocker understands retargeting. | | it's not that people don't understand, it's that they | don't care. telling people they're not informed enough to | make their own decisions isn't going to convince them to | start caring about the issue you care about. | amelius wrote: | This is why user-tracking should be opt-in. And not opt- | in by clicking a button, but opt-in by filling out a | physical form and sending it by mail. | skummetmaelk wrote: | Yes, everyone knows. That's why there are people in this | thread and others like it, on a website catering to | highly technical people, who are surprised at how deep | the tracking goes and what it is used for. | | Surely then, the average person is much more informed! | notatoad wrote: | i encourage you to talk to an "average person" about this | some time. check with your parents to see how much they | assume they're being tracked online. | | most people i've discussed the topic with misunderstand | how much they're being tracked, but assume that they are | being tracked _more_ than they actually are, not less. | and they 're totally okay with that. | mkr-hn wrote: | A common one is noticing that targeting works so well | they see ads for things they've talked about and assume | their phone is listening in on them. Though I wouldn't | say they're okay with it. | somehnguy wrote: | > everybody who's spent more than five minutes online | without an adblocker understands retargeting. I think | you're being absurdly generous here. I think there are | _way_ more people online who have no idea what this | sentence even means than people who understand it. Like | 99:1 'way more'. I can't think of a single person I know | who doesn't work in the computer field who would | understand that without being explicitly told. It simply | isn't something your average person ever even thinks | about. | | Even people like my parents - who have been using | computers in some capacity since the late 90s but don't | work in anything related to computing - had no idea that | Verizon was selling their browsing data despite being | account holders who 'agreed' to the T&C and received | e-mails warning them that it was going to start doing so. | Nextgrid wrote: | The fact that people suspect Facebook of outright | _listening_ to them (even when that 's not the case) | suggest people aren't fully aware of what data is | collected, how it is used and how it can be misused. | | "Facebook listening to people" wouldn't be noteworthy if | people weren't creeped out by it. | badrabbit wrote: | Informed or not, they were not allowed to give consent. | No problem with people consenting to be tracked. | hw wrote: | Please, no more annoying popups asking me if i want to | accept cookies or be tracked. I am in the 'do not care' | camp and i just want to be able to visit sites without | having to click accept every time. | | These consent banners are a false sense of privacy. | People who "dont know" are most likely just going to give | consent anyway. It's the same thing as TOS consent. | [deleted] | Sparyjerry wrote: | People give consent all the time when it is still bad for | them. It is a moral question in the end, the same way, we | can say people consent to selling their body for sex, but | have made it illegal, or say people consent to gambling | knowing the odds put them at a disadvantage every single | bet, or how people consent to credit card debt at insane | rates not knowing just how much they are being taken | advantage of. Consent matters, but in the end it's what | we all believe should be tolerated from an ethical | standpoint. Personally I see many issues with data | collection and data sharing, even if not malicious, but | that give the opportunity to be abused by others with a | grudge or agenda I might not support. Not just banking | information, but location data, purchasing history, and | more. I'm not saying every has enemies out there but if | anyone wanted to cause harm with that information they | could. | charcircuit wrote: | The purpose isn't to spy on you. It's to track the | performance of an ad shown to you on tiktok. | Nextgrid wrote: | Which collects data on you and creates a profile. Whether | it's _currently_ used to increment an impression counter | doesn 't mean it can't be used for something more nefarious | down the line. | charcircuit wrote: | Collecting data about what you did is not necessarily | spying. If a game keeps tracks of my wins. That's not | spying even though it's collecting data on what I did. | Nextgrid wrote: | My point is that it's collecting way more data than the | single bit it needs in order to tell "yes this ad has | been seen, increment the counter". | charcircuit wrote: | It's not just about telling if an ad has been seen, but | what a user does on your site after clicking on the ad. | Do they immediately bounce? Do they buy something? | | You want to be able to see that you are actually getting | a positive return from the money you are spending on ads. | jjj123 wrote: | It's still spying even if there's a rational reason for | it. | JumpCrisscross wrote: | > _This needs to be criminalized_ | | Literally criminalised? As in you'll throw people in jail for | putting up a pixel? Made illegal, sure. | raverbashing wrote: | Wouldn't be a bad idea to be honest | | If they're acting so antagonistically against GDPR maybe , | for some of the most egregious cases, throwing some people | in jail will do the trick | | I mean, whoever does the whole song and dance for rejecting | cookies that shows a loading gif and takes a while does | deserve it | | And if you think I'm exaggerating, guess who has the best | info now on the Ukraine war? Tiktok. | JumpCrisscross wrote: | > _If they 're acting so antagonistically against GDPR | maybe throwing some people in jail will do the trick_ | | This is how you get a legal code like America's, where a | cop and prosecutor can put almost anyone in jail with the | flimsiest excuse. | | I understand the impulse. But the solution to bad | enforcement isn't ratcheting up penalties. It's | increasing enforcement. | raverbashing wrote: | You are correct. | | Usually what I find is that the American companies/people | usually try to follow the "bare" letter of the law, where | Europeans need to follow the spirit, as this is how it is | "usually" enforced. | | And while the former might let you get away with "one | weird trick" the latter usually leaves more margin to | interpretation which can be both a blessing and a curse. | badrabbit wrote: | Yes. Make the law clear and lock up CEOs just as you would | common stalkers. | Nextgrid wrote: | Considering this _is_ already illegal, at least under the | GDPR and plenty of companies still do so, maybe jail isn 't | that bad of an idea after all? | dehrmann wrote: | Good luck with that. The list of companies to avoid is pretty | long. | dave5104 wrote: | All you need to do is unplug your modem and you're good to | go. | Skunkleton wrote: | Don't drive into a mall parking lot, or use visa card, or | .... | Nextgrid wrote: | If only it was that easy. The supermarket near me has a | "data collection" notice about some tracking BS and to ask | an associate for details and to opt-out (yes, as if the | minimum-wage teenager would know anything about it, and how | would the opt-out even work). | dzmien wrote: | The teenager making minimum wage would almost certainly | summon a manager. | dehrmann wrote: | Credit card companies sell your data, too. You basically | have to use cash and not have a cell phone. | ipaddr wrote: | Your list of companies is too short. Throw out the market | leaders who spend on brand and cheat somewhere else in the | chain and look for a smaller company. | gtirloni wrote: | Why are smaller companies any better in this regard? | Nextgrid wrote: | Well in this case data is collected and sent to various third- | parties even without you willingly entering any data on the | website manually. | uhtred wrote: | Using a browser add on like Privacy Badger should block that. | Ekaros wrote: | Just in general look at those cookie consent dialogs at any site | living on advertising or using it and really see the insanity of | number of partners... That should show that we might actually | need to burn it all down... | tills13 wrote: | Would you be willing to pay for the content you get for free | from sites like YouTube, Reddit, and HackerNews? | NelsonMinar wrote: | Youtube at least puts a price on this: $12/mo. $18 for a | family of 5. | mkr-hn wrote: | I'm sure that this doesn't remove tracking and makes you | more valuable to their ad partners. | laurent92 wrote: | If you pay, you still get tracked. PS: And now they have your | name, address, email and CC on file. | XorNot wrote: | Also an important data point: (1) you have disposable | income and (2) you are _willing_ to pay. | Firmwarrior wrote: | I'd be willing to pay the 5 cents a month or whatever it | works out to be | motoxpro wrote: | If you're talking Facebook in the US, it will be ~40$, I | would think it would be around the same for Youtube. | | https://www.adexchanger.com/investment/google-reveals- | youtub... | Moru wrote: | Just install uBlock on your friends and families browsers. Most | people seems fine with being tracked if that means they get | "offers" they don't want to miss. I however detest anything | connected to advertisement to the level that I frequently hang | up when our own sales people call me because I directly spot a | salesperson, even before I recognize the voice... Quite | embarrasing sometimes :-) | | So I install uBlock, uMatrix and Pi-hole everywhere. Also help | customers do the same with sane defaults so they get rid of | most stuff without burning their whole browser. | | And as an advertiser we don't have to pay for the people that | didn't want to see our ads in the first place, win win loose | :-) | PaulBGD_ wrote: | Specifically, uBlock Origin | _fat_santa wrote: | I'm no ads expert but my guess would be they run ads on TikTok | and have the pixel on UberEats to figure out the conversion rate | on those ads. | qeternity wrote: | This is the answer. I am surprised it's not routed through | another pixel manager though. | mosen wrote: | They're loading GTM at the top, so it was possibly triggered | through that. | samwillis wrote: | This is it and is how the online advertising industry has | worked for over 25 years. | | In its simplest form the pixel is used to attribute an ad | view/click to a conversion event. At the beginning of the | online ad industry that's all it did, advertisers for the first | time had the ability to directly, in real time, see the | effectiveness of their ads. The economic value and GDP | generated due to this innovation is immeasurable, the internet | economy is literally built on it. | | At the beginning there was no profile building, combining with | PII and data gathered from social media or even your gmail | emails (yes the content of your emails). And it was magical! | | It's the innovations since that have moved the entire industry | through a grey area into the blank where the way they operate | is questionable at best. | | The point is, this tracking pixel on its own is incredible what | it unlocks. It's the way that data is then used that we have to | call into question. | | Personally the simplest form of attribution to me is fine. It | works and I don't believe it's invasive if they aren't then | combining it with pii and profile data. Sadly that time has | passed and all advertising networks now rely so heavily of | ML/AI that it's impossible to manage them, as an advertiser, in | the way you used to. Hopefully regulation will push the | industry back to where it was. | black_puppydog wrote: | > It's the innovations since that ... | | Nice illustration of how "innovation" != "progress" | judge2020 wrote: | Innovation is simply building something better. (Societal) | progress is subjective, which is why you could probably run | a survey and any respondents with marketing degrees would | likely indeed call this "progress" towards a better- | understood society.. | kmeisthax wrote: | This is also why even Apple and Mozilla (companies with a | vested interest in harming the ad ecosystem) are pushing for | various privacy-preserving ad attribution technologies. | Nobody objects to UberEats knowing that their Tiktok ads are | working or not - they object to Tiktok cross-referencing the | data from UberEats and everywhere else to build an interest | profile on them. | xico wrote: | As a user I have the complete opposite objections: I do not | see why I would have Uber run JavaScript on my machine just | for them to know how well their campaigns are working, | while I totally want advertisement that is highly targeted | to me. | matsemann wrote: | They don't have to run some weird JS, it's often just a | 1px img with some query params loaded at the confirmation | screen. In itself nothing annoying, the problem is how | that data is combined with other data and profiling | users. | kshdeo wrote: | If they know how their campaigns are doing -> they can | target better and earn more money and in turn give you | more discounts. So it's just good karma to let them run | the tiny js script which does no more harm than 100 other | services running on your machine, which you never used | either. | jahewson wrote: | That's not really how it works though. Uber would never | allow TikTok to take and sell Uber's own data, that's just | bad business. Secondly the only data that TikTok would have | access to in such a scenario would be whatever campaign | data Uber send them in the conversion request, which again, | is not licensed for reuse. All anyone cares about is | knowing how many conversions occurred and which targeted | "audience" those users were in. Oftentimes it's the | advertiser who is bringing those with them - say, a list of | emails or phone numbers they want to target. Again, the ad | platform is not just taking that data for themselves, | because they would not have customers for very long if they | did that. | Nextgrid wrote: | Just FYI, Mozilla's commitment to privacy is smoke and | mirrors. You need to install uBlock Origin and opt-out of | Mozilla's telemetry and similar BS to get any meaningful | privacy in Firefox. | GavinMcG wrote: | How does including telemetry for a product make a | commitment to privacy from _unrelated companies ' | tracking_ "smoke and mirrors"? There's a difference | between the privacy I expect from a direct service | provider and from various random agents seeking to build | a profile on me. | Firmwarrior wrote: | Your argument is literally exactly the same argument | Facebook uses to justify all its spying. It's not a solid | ideological base to build upon. I don't want ANYONE | spying on ANYTHING that I'm doing, even if they think | it's for my own good and it's not crossing a line. | | > How does including interest-based tracking for a | product make a commitment to privacy from unrelated | companies' tracking "smoke and mirrors"? There's a | difference between the privacy I expect from a direct | service provider and from various random agents seeking | to build a profile on me. | jefftk wrote: | How does Mozilla have a vested interest in harming the ad | ecosystem? | chinathrow wrote: | > This is it and is how the online advertising industry has | worked for over 25 years. | | Rotten to the core. | pc86 wrote: | If you have a better way to do it people will literally | never stop throwing money at you. | B-Con wrote: | This was my first thought. | | How is this not everyone's first thought? | omegalulw wrote: | My first thought was that most people use TikTok on mobile, | whats the point of this (if the ad takes them to play | store/app store or to the Uber eats app). Then I realized | that this is probably aimed at tracking for new signups, they | probably send them to the app stores with a redirect to their | site in the middle. TikTok probably doesnt forward them the | user identifier hence the tiktok pixel on their page, so they | can see the effectiveness of the ad on some TikTok ads | dashboard. | Ozzie_osman wrote: | This is it but only half the equation. Yes, the pixel lets | advertisers track their return on ad spend (through tracking | conversions), but it's also a targeting mechanism (ie you can | tell ad platforms you will pay $X / conversion, versus paying | per impression or per click). | dustymcp wrote: | Yes this is a pixel to track audiences and retarget them when | they are browsing tik tok, same goes for google, facebook and | any other ads exchange. | yashap wrote: | It's definitely this - details here: | https://www.tiktokforbusinesseurope.com/resources/install-ti... | dvt wrote: | As someone that has spent a sizable amount of my career in ad | products, the outrage here is kind of (sadly) funny. A conversion | pixel? Hah, if you only had an _idea_ of what the Facebook data | faucet looked like in 2007-2017, your hairs would stand. | | Pretty sure they were breaking all kinds of PII laws. | tentacleuno wrote: | The amount of client-side JavaScript code that inconspicuous | Like button loads is unnerving. | arkitaip wrote: | "I don't know why you are upset that I'm stabbing you when I've | been poisoning your all these years ha ha ha". | wy35 wrote: | Not really accurate analogy. More like "you're only finding | out today that I've been poisoning you the entire time?" | mtgx wrote: | In other words, victim blaming. | refulgentis wrote: | No. Lol. | bhch wrote: | pedantic | axiosgunnar wrote: | droptablemain wrote: | dralley wrote: | What happened in 2017? | [deleted] | jimmygrapes wrote: | I would guess that's when the Cambridge Analytics thing | became well known, where they were using Facebook's | network/data graphs to compile their own compiled and | targeted data. | Apocryphon wrote: | GDPR maybe | amelius wrote: | What does it say about TikTok's tracking pixels in | UberEats? | briandilley wrote: | Nothing. Because TikTok didn't put the tracking pixel | there, UberEats did. It's from an advertising campaign | that UberEats is running on TikTok. The need to related | "conversions" (ie: people ordering/buying shit) on their | system with whichever ad they were given on the TikTok | side. | paulcole wrote: | What PII laws are there in the US? | mistrial9 wrote: | https://oag.ca.gov/privacy/privacy-laws # California State | summary | [deleted] | 1_player wrote: | > As someone that has spent a sizable amount of my career in ad | products, the outrage here is kind of (sadly) funny | | Imagine gloating and being proud of such a career. | matt-attack wrote: | I didn't get the sense that he/she was gloating. Just citing | their expertise. | Bud wrote: | Nobody gloated, and in fact, the commenter did not even | indicate they were proud of their career. | | Stop projecting. | refulgentis wrote: | Ads are fine | starsep wrote: | Ads themselves might be fine to you (I disagree). Breaking | privacy laws, spying on users, and dark patterns to trick | user into "consent" is not. | pc86 wrote: | And one need have the other so I can't imagine what | exactly it is you're talking about in the context of a | reply to the statement "Ads are fine." | timando wrote: | Ads targeted based on the content they are placed next to | don't need to track anybody. While they might be annoying | (i.e. take up space / time) they don't have any privacy | concerns. | tonymet wrote: | it allows uber eats to build custom audiences and track | conversion rates . welcome to ad tech ca 1998 | boring_twenties wrote: | I don't get this. Nothing about tiktok in the Network debugger, | nor in uBlock or NoScript for that matter. | Nextgrid wrote: | I bet it's loaded by Google Tag Manager which acts as a | "dropper" to load further malware. If you block that (which I | assume you do if you have uBlock Origin) you don't get to see | the rest. | rosndo wrote: | cmoog wrote: | rosndo wrote: | Minor49er wrote: | Maybe OP just noticed this particular connection and was | genuinely surprised | 1vuio0pswjnm7 wrote: | As one can see from comments on HN, it bothers some website | developers when these basic tactics are openly discussed. The | user gets no choice over whether her data is shared, or with whom | it is shared. The expectation appears to be that no one will ever | complain, whether for the first time or on a consistent basis. | Perhaps there is a belief that if a certain amount of time passes | without any complaints, this signifies a common "ad tech" | practice is acceptable to the general population, and passes any | sort of ethical, regulatory or legal analysis. A sort of | "waiver". Silence equals acceptance. | | "Everyone else was doing it, so therefore we in particular are | not guilty of any wrongdoing." Perhaps some folks think that is a | good defense. | beckman466 wrote: | > As one can see from comments on HN, it bothers some website | developers when these basic tactics are openly discussed. | | no in this case i think this post has everything to do with OP | believing that this pixel tracking by a non-American/non- | Western firm (in this case Chinese) is somehow less kosher | compared to tracking by Silicon Valley social media | platforms/firms (who, as others have pointed out, use exactly | the same tools/strategies). | topaz0 wrote: | That may have been the case for the original poster, but the | discussion has been about tracking generally. | dionian wrote: | Stuff like this is why I try to use umatrix style filtering | wherever possible ___________________________________________________________________ (page generated 2022-03-06 23:00 UTC)