[HN Gopher] We Built a Meta Pixel Inspector
___________________________________________________________________
We Built a Meta Pixel Inspector
Author : andsoitis
Score : 86 points
Date : 2022-11-26 15:40 UTC (7 hours ago)
(HTM) web link (themarkup.org)
(TXT) w3m dump (themarkup.org)
| mind-blight wrote:
| The article claims that the meta pixel can load JavaScript. Does
| anyone know if/how that's possible? I can't think of a way using
| an image alone would trigger downloading JS
| smelendez wrote:
| It's not a literal pixel and hasn't been for years - it's a js
| file included from a Meta site. They still call it the pixel
| for some reason, maybe to make it seem less potent.
| iamacyborg wrote:
| I think they just used to call it the "like" button
| itishappy wrote:
| > _The Meta Pixel gets its name from trackers that
| traditionally took the form of small, one-pixel-by-one-pixel
| images. These tiny graphics are embedded on websites and emails
| and typically collect info on who views the content. Since the
| Meta Pixel's first iteration over a decade ago, when it was
| called the Facebook Conversion Pixel, the pixel's functionality
| and tracking have grown quite expansive. Now the Meta Pixel is
| a mechanism that loads JavaScript code capable of collecting
| detailed and granular data for every interaction on a page.
| With all of this complexity, referring to it as only a "pixel"
| can be misleading._
| blooalien wrote:
| For those who are unaware how this all fits together, the
| _literal_ pixel's purpose is to ensure that even if
| Javascript is entirely disabled on the client (end-user)
| system, there is still a log entry at the tracker's end of
| things noting a time/date and IP address of document access.
| This is then fairly easily correlated with other logged data
| to further flesh out the profile of the user that data leads
| back to. This even works across domains, without actually
| visiting Facebook or Google, allowing them to still track
| that you've visited a site where their pixel is used, and the
| time/date/IP of that access. It's just one small part of
| their whole tracking toolbox, and the pixel itself is merely
| an image file, and unable to in and of itself load any
| Javascript. Still doesn't stop 'em from using it to track
| you... Only way to do that is to block Javascript _and_ never
| access the pixel image itself as well. Of course, then they
| track you through _other_ means...
| thewebcount wrote:
| > For those who are unaware how this all fits together, the
| literal pixel's purpose is to ensure that even if
| Javascript is entirely disabled on the client (end-user)
| system, there is still a log entry at the tracker's end of
| things noting a time/date and IP address of document
| access.
|
| Or to put it another way, even if you send the signal that
| you don't want to be tracked, they will ignore it and track
| you anyway. They are intentionally doing something
| unethical and are aware they are doing it.
| schemescape wrote:
| I think it's a snippet of JavaScript code and not an "img" tag,
| despite the name.
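
An added example, not part of the thread or of The Markup's tool: a small Python scanner that reports which of the two mechanisms discussed above a page embeds, the JavaScript loader or the literal image beacon. The host names and the `/tr` path are assumptions taken from Meta's publicly documented embed snippet; the sample page and pixel id are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumed from Meta's publicly documented embed snippet, not from the thread:
LOADER_HOST = "connect.facebook.net"   # serves the fbevents.js loader
BEACON = ("www.facebook.com", "/tr")   # host and path of the image beacon

class PixelScanner(HTMLParser):  # collects (mechanism, detail) pairs
    def __init__(self):
        super().__init__()
        self.findings, self._script, self._noscript = [], None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "noscript":
            self._noscript = True
        elif tag == "script":
            self._script = a.get("src") or ""   # src plus inline text, checked at </script>
        elif tag == "img":
            u = urlparse(a.get("src") or "")
            if (u.hostname, u.path) == BEACON:
                q = parse_qs(u.query)
                kind = "noscript-image" if self._noscript else "image"
                detail = f"id={q.get('id', ['?'])[0]} ev={q.get('ev', ['?'])[0]}"
                self.findings.append((kind, detail))

    def handle_data(self, data):
        if self._script is not None:
            self._script += data

    def handle_endtag(self, tag):
        if tag == "noscript":
            self._noscript = False
        elif tag == "script" and self._script is not None:
            if LOADER_HOST in self._script:
                self.findings.append(("javascript", LOADER_HOST))
            self._script = None

def scan(html):
    parser = PixelScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; 0000000000 is a placeholder pixel id.
SAMPLE = """<head><script>var t=document.createElement('script');
t.src='https://connect.facebook.net/en_US/fbevents.js';document.head.appendChild(t);
</script><noscript><img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=0000000000&amp;ev=PageView&amp;noscript=1"/></noscript></head>"""
```
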
| dang wrote:
| Recent and related:
|
| _Tax filing websites have been sending users' financial
| information to Facebook_ -
| https://news.ycombinator.com/item?id=33705532 - Nov 2022 (74
| comments)
|
| _Tax-filing websites have been sending users financial info to
| Meta_ - https://news.ycombinator.com/item?id=33753058 - Nov 2022
| (18 comments)
| tobr wrote:
| Could you add back the "How" in the title?
| tppiotrowski wrote:
| My privacy stance has evolved to just assume everything I do
| online is public.
|
| Even if we fight and succeed in stopping a tracking mechanism
| (third-party cookies) we discover that another one is developed
| (fingerprinting). It's times when you think you have privacy/no
| one is watching that you're most susceptible to doing something
| you might regret.
|
| If you consciously acknowledge that your digital life is public,
| you can consider performing activities using other mediums.
| Calling instead of messaging. Shopping at stores with cash.
| Journaling in a paper notebook.
| toss1 wrote:
| Wise choices, yet that we must make them is sad.
| bitL wrote:
| Why not use Tor Browser for private things then?
| elmomle wrote:
| This is great and important work. I think it would be
| substantially more approachable if it began with an "Abstract" or
| "Summary" section. Like it or not, most folks just want the
| headlines; the presentation of the details is only important if
| people understand and care about the core ideas.
|
| tl;dr for the website: meta pixels are everywhere on the web and
| gathering your interactions and inputs on all kinds of sites--
| including ones related to your guilty pleasures, your taxes, your
| health, school, etc.
| spikefromspace wrote:
| Also note that they allow for server side data as well so
| companies can send via backends and circumvent any ad blockers.
| Good companies do respect a user's preferences but not all do.
| tppiotrowski wrote:
| What's the mechanism here? I thought it's sharing a cross
| domain cookie that allows you to identify a user as they surf
| from one domain to another.
| nerdponx wrote:
| Fingerprinting?
| [deleted]
| frereubu wrote:
| The Facebook Conversions API:
| https://www.facebook.com/business/help/2041148702652965?id=8...
| luckylion wrote:
| You click on a tracking link, Server 1 now has a unique ID
| associated with that click. S1 forwards you to S2 with a
| unique identifier. S2 now has that unique ID associated with
| you. You buy something on S2. S2 sends a request to S1 saying
| "unique ID #123 bought something for $40".
| spikefromspace wrote:
| Fingerprinting and tracking links are common for
| unidentified users. Cross domain cookies are harder to do
| outside of Chrome. For known users, you can sync data to
| Facebook with email addresses, names, phone numbers etc. This
| is likely why you see most websites these days trying to
| collect that info from you as early as possible.
| spikefromspace wrote:
| Additionally, data brokers and data clean rooms now allow you
| to share data making it easier as well. Snowflake, liveramp,
| etc all offer super easy (and privacy compliant according to
| them) ways of implementing this.
| jboy55 wrote:
| I tried to request my data from a couple of media
| companies, (criteo, apogee), criteo required an image of my
| driver's license, and Apogee just ignored it.
| luckylion wrote:
| You need some syncing though, otherwise Facebook wouldn't know
| who that user is that almost bought your stuff and that you now
| want to retarget.
| Hydraulix989 wrote:
| I wish more energy was directed to also understanding what data
| Google and TikTok collect from their users.
| zaptheimpaler wrote:
| I went to look at the off-site facebook history on my profile.
| It's truly scary the amount of data they have. The worst part is
| this:
|
| https://imgur.com/a/A8JVQOR
|
| So Mozilla, which is one of the companies behind the effort to
| understand the Meta Pixel, is also sending data to Facebook? I
| was not a member of the Rally study.
|
| What the f** is going on? Is Firefox itself tracking me too? Or
| maybe some extension? Which extension? How am I supposed to tell
| without hoping that the right person magically sees this comment
| or going 100% technical and running packet captures and
| Wireshark?
|
| Why can't we just get access to the _RAW_ data being sent or
| stored about us?
|
| As of now, VS Code will send encrypted data to Microsoft when you
| use it. So my machine, OS, applications all send data about me to
| companies, and I'm not even allowed to know what it is (not to
| single them out, VS Code is just one example I have inspected
| myself). I don't claim to understand SSL all that well, but I
| think they used certificate pinning and pre-master secrets that
| makes it impossible or very difficult for anyone outside MS to
| decrypt the data in any way...
|
| This is all completely normal now. On mobile devices it's even
| worse. It's not even possible to completely inspect the data a
| phone/tablet sends without rooting it and many are already
| impossible to bootloader unlock or root/jailbreak.
|
| With certificate pinning, on an encrypted smartphone volume with
| a hardware key, that is only unlocked just in time by the OS (the
| way android works now), it is LITERALLY impossible to know what
| data is being transmitted or received over SSL on your own
| device. You are not allowed to know.
| Tsiklon wrote:
| Perhaps more generously, to Firefox, they're interpreting
| Firefox user strings as an app sending data to them. For
| curiosity, where did you pull that data from?
| mulligan wrote:
| I think these folks fail to connect the pixel with its purpose.
| The sites and apps who advertise want to understand who is
| converting, they provide this information to the advertiser so
| they can correlate the users who saw an ad to a purchase.
|
| By keeping the purpose vague, it makes it seem nefarious.
| Xelbair wrote:
| the actual purpose IS nefarious.
| matheusmoreira wrote:
| Is it still safe to assume that uBlock Origin blocks all of this?
| ranting-moth wrote:
| Does Firefox's Enhanced Tracking Protection block this properly?
|
| https://support.mozilla.org/en-US/kb/enhanced-tracking-prote...
| marketingtech wrote:
| Meta offers their own...it's not hidden.
|
| https://chrome.google.com/webstore/detail/facebook-pixel-hel...
|
| But this doesn't cover server-side data transfer.
| https://developers.facebook.com/docs/marketing-api/conversio...
| Xelynega wrote:
| Correct me if I'm wrong, but the tool in the OP sounds like a
| crowdsourcing effort to collect the data the Facebook tool can
| tell you across multiple users and multiple sites.
|
| That's not really the same thing as a tool that tells a single
| person that the site they're on uses meta pixel as it happens.
| N3Xxus_6 wrote:
| I actually work in an industry that utilizes these a lot. Google,
| tiktok, meta etc. I implement the code on our customers sites.
| It's crazy how much data these scripts collect.
| glitchcrab wrote:
| > It's crazy how much data these scripts collect
|
| And you're ok with this?
| marketingtech wrote:
| Businesses choose to send this data to the ad platforms for
| their own benefits - better targeting, measurement, and ML
| optimization of their ad campaigns.
|
| The businesses are legally accountable for the data they're
| sending and complying with privacy laws, but to most
| platforms it's a dumb pipe for whatever data the business
| chooses to send.
| Xelynega wrote:
| Probably more OK than they are with making their life
| uncomfortable to look for another job with similar benefits.
| It's not just a moral decision in a void.
| iamacyborg wrote:
| From experience, most folks who implement these tags don't
| understand the scope of what they're actually doing, and most
| are likely doing so without consulting a legal team or
| understanding the legal implications of the tracking they're
| deploying.
| paulcole wrote:
| Is your question rhetorical?
|
| Their actions tell us they're OK with it.
| dylan604 wrote:
| Do they? Have you never done something under protest?
| luckylion wrote:
| Developers doing something "under protest"? Why would
| they? Nobody is going hungry if they don't work at $corp
| any more and work for $otherCorp instead.
|
| That'll be something for when the market has
| fundamentally changed and you'll make your nation's
| average for your education level. But until then
| essentially nobody has to work anywhere "under protest",
| there are so many other opportunities.
| dylan604 wrote:
| So says you in a market where bigTech is laying people
| off, where people have spouse/kids/house payment/car
| payment/holiday pressures/adult responsibilities.
|
| Choice A) stand on principle and ruffle feathers and risk
| becoming unemployed
|
| Choice B) just do what tasks you've been assigned,
| collect paycheck, hold your nose until better options are
| available.
|
| It is totally understandable why people can find
| themselves in these situations. It is totally different
| than the team member that thinks up this stuff and
| actively promotes this within the org. Those are the
| asshats
| luckylion wrote:
| Other options have been available since forever and still
| are unless you're in a super niche field, and everything
| that touches ads and tracking / analytics isn't niche.
|
| There's more than enough work out there, but those other
| jobs might not net an individual 10x the average
| household income. Can one survive on 5x or even 3x? Then
| there are more than enough alternatives.
|
| If the employer has kidnapped your daughter and threatens
| to kill her if you don't build this tracking solution,
| then I can totally see how you'd do things you find
| reprehensible "under protest". But I doubt that's a
| common scenario, and generally people just don't care or
| they rationalize it ("I'm working on ads so the internet
| will not be paywalled").
| dylan604 wrote:
| You're preaching to the choir a bit, but I'm just showing
| some empathy. I've been in places that started to move
| into directions that I didn't agree with, and caused me
| to start the process of moving. It takes time, and while
| you're lining things up, you have to do work to get paid.
|
| You can judge someone that accepted a job at bigAdTech,
| but there are other jobs that start out as an acceptable
| place but as things continue on with potentially new
| leadership or some other change causes things to become
| untenable. Not everything is simple, but you can armchair
| quarterback and make judgement on the limited information
| you have.
| paulcole wrote:
| Yes and yes.
|
| Regardless of what you say, it's actions that matter. You
| can tell me you're against something all you want -- but
| if your actions tell me you aren't, guess which I care
| about?
|
| It's easy to talk ourselves into doing something "under
| protest" that we're "against" for a big paycheck. But you
| know what, at some point, we're not really "against" it
| after all.
___________________________________________________________________
(page generated 2022-11-26 23:00 UTC)