[HN Gopher] We Built a Meta Pixel Inspector
___________________________________________________________________

We Built a Meta Pixel Inspector

Author : andsoitis
Score : 86 points
Date : 2022-11-26 15:40 UTC (7 hours ago)

(HTM) web link (themarkup.org)
(TXT) w3m dump (themarkup.org)

| mind-blight wrote:
| The article claims that the meta pixel can load JavaScript. Does
| anyone know if/how that's possible? I can't think of a way using
| an image alone would trigger downloading JS

| smelendez wrote:
| It's not a literal pixel and hasn't been for years - it's a js
| file included from a Meta site. They still call it the pixel
| for some reason, maybe to make it seem less potent.

| iamacyborg wrote:
| I think they just used to call it the "like" button

| itishappy wrote:
| > _The Meta Pixel gets its name from trackers that
| traditionally took the form of small, one-pixel-by-one-pixel
| images. These tiny graphics are embedded on websites and emails
| and typically collect info on who views the content. Since the
| Meta Pixel's first iteration over a decade ago, when it was
| called the Facebook Conversion Pixel, the pixel's functionality
| and tracking have grown quite expansive. Now the Meta Pixel is
| a mechanism that loads JavaScript code capable of collecting
| detailed and granular data for every interaction on a page.
| With all of this complexity, referring to it as only a "pixel"
| can be misleading._

| blooalien wrote:
| For those who are unaware how this all fits together, the
| _literal_ pixel's purpose is to ensure that even if
| Javascript is entirely disabled on the client (end-user)
| system, there is still a log entry at the tracker's end of
| things noting a time/date and IP address of document access.
| This is then fairly easily correlated with other logged data
| to further flesh out the profile of the user that data leads
| back to.
| This even works across domains, without actually
| visiting Facebook or Google, allowing them to still track
| that you've visited a site where their pixel is used, and the
| time/date/IP of that access. It's just one small part of
| their whole tracking toolbox, and the pixel itself is merely
| an image file, and unable to in and of itself load any
| Javascript. Still doesn't stop 'em from using it to track
| you... Only way to do that is to block Javascript _and_ never
| access the pixel image itself as well. Of course, then they
| track you through _other_ means...

| thewebcount wrote:
| > For those who are unaware how this all fits together, the
| literal pixel's purpose is to ensure that even if
| Javascript is entirely disabled on the client (end-user)
| system, there is still a log entry at the tracker's end of
| things noting a time/date and IP address of document
| access.
|
| Or to put it another way, even if you send the signal that
| you don't want to be tracked, they will ignore it and track
| you anyway. They are intentionally doing something
| unethical and are aware they are doing it.

| schemescape wrote:
| I think it's a snippet of JavaScript code and not an "img" tag,
| despite the name.

| dang wrote:
| Recent and related:
|
| _Tax filing websites have been sending users' financial
| information to Facebook_ -
| https://news.ycombinator.com/item?id=33705532 - Nov 2022 (74
| comments)
|
| _Tax-filing websites have been sending users financial info to
| Meta_ - https://news.ycombinator.com/item?id=33753058 - Nov 2022
| (18 comments)

| tobr wrote:
| Could you add back the "How" in the title?

| tppiotrowski wrote:
| My privacy stance has evolved to just assume everything I do
| online is public.
|
| Even if we fight and succeed in stopping a tracking mechanism
| (third-party cookies) we discover that another one is developed
| (fingerprinting).
| It's times when you think you have privacy/no
| one is watching that you're most susceptible to doing something
| you might regret.
|
| If you consciously acknowledge that your digital life is public,
| you can consider performing activities using other mediums.
| Calling instead of messaging. Shopping at stores with cash.
| Journaling in a paper notebook.

| toss1 wrote:
| Wise choices, yet that we must make them is sad.

| bitL wrote:
| Why not use Tor Browser for private things then?

| elmomle wrote:
| This is great and important work. I think it would be
| substantially more approachable if it began with an "Abstract" or
| "Summary" section. Like it or not, most folks just want the
| headlines; the presentation of the details is only important if
| people understand and care about the core ideas.
|
| tl;dr for the website: meta pixels are everywhere on the web and
| gathering your interactions and inputs on all kinds of sites--
| including ones related to your guilty pleasures, your taxes, your
| health, school, etc.

| spikefromspace wrote:
| Also note that they allow for server side data as well so
| companies can send via backends and circumvent any ad blockers.
| Good companies do respect a user's preferences but not all do.

| tppiotrowski wrote:
| What's the mechanism here? I thought it's sharing a cross
| domain cookie that allows you to identify a user as they surf
| from one domain to another.

| nerdponx wrote:
| Fingerprinting?

| [deleted]

| frereubu wrote:
| The Facebook Conversions API:
| https://www.facebook.com/business/help/2041148702652965?id=8...

| luckylion wrote:
| You click on a tracking link, Server 1 now has a unique ID
| associated with that click. S1 forwards you to S2 with a
| unique identifier. S2 now has that unique ID associated with
| you. You buy something on S2. S2 sends a request to S1 saying
| "unique ID #123 bought something for $40".

| spikefromspace wrote:
| Fingerprinting and tracking links are common for
| unidentified users.
| Cross domain cookies are harder to do
| outside of chrome. For known users, you can sync data to
| Facebook with email addresses, names, phone numbers etc. This
| is likely why you see most websites these days trying to
| collect that info from you as early as possible.

| spikefromspace wrote:
| Additionally, data brokers and data clean rooms now allow you
| to share data making it easier as well. Snowflake, liveramp,
| etc all offer super easy (and privacy compliant according to
| them) ways of implementing this.

| jboy55 wrote:
| I tried to request my data from a couple of media
| companies (criteo, apogee). criteo required an image of my
| driver's license, and Apogee just ignored it.

| luckylion wrote:
| You need some syncing though, otherwise Facebook wouldn't know
| who that user is that almost bought your stuff and that you now
| want to retarget.

| Hydraulix989 wrote:
| I wish more energy was directed to also understanding what data
| Google and TikTok collect from their users.

| zaptheimpaler wrote:
| I went to look at the off-site facebook history on my profile.
| It's truly scary the amount of data they have. The worst part is
| this:
|
| https://imgur.com/a/A8JVQOR
|
| So Mozilla, which is one of the companies behind the effort to
| understand the Meta Pixel, is also sending data to Facebook? I
| was not a member of the Rally study.
|
| What the f** is going on? Is Firefox itself tracking me too? Or
| maybe some extension? Which extension? How am I supposed to tell
| without hoping that the right person magically sees this comment
| or going 100% technical and running packet captures and
| Wireshark?
|
| Why can't we just get access to the _RAW_ data being sent or
| stored about us?
|
| As of now, VS Code will send encrypted data to Microsoft when you
| use it. So my machine, OS, applications all send data about me to
| companies, and I'm not even allowed to know what it is (not to
| single them out, VS Code is just one example I have inspected
| myself).
| I don't claim to understand SSL all that well, but I
| think they used certificate pinning and pre-master secrets that
| make it impossible or very difficult for anyone outside MS to
| decrypt the data in any way...
|
| This is all completely normal now. On mobile devices it's even
| worse. It's not even possible to completely inspect the data a
| phone/tablet sends without rooting it and many are already
| impossible to bootloader unlock or root/jailbreak.
|
| With certificate pinning, on an encrypted smartphone volume with
| a hardware key, that is only unlocked just in time by the OS (the
| way android works now), it is LITERALLY impossible to know what
| data is being transmitted or received over SSL on your own
| device. You are not allowed to know.

| Tsiklon wrote:
| Perhaps more generously, to Firefox, they're interpreting
| Firefox user strings as an app sending data to them. For
| curiosity, where did you pull that data from?

| mulligan wrote:
| I think these folks fail to connect the pixel with its purpose.
| The sites and apps who advertise want to understand who is
| converting, they provide this information to the advertiser so
| they can correlate the users who saw an ad to a purchase.
|
| By keeping the purpose vague, it makes it seem nefarious.

| Xelbair wrote:
| the actual purpose IS nefarious.

| matheusmoreira wrote:
| Is it still safe to assume that uBlock Origin blocks all of this?

| ranting-moth wrote:
| Does Firefox's Enhanced Tracking Protection block this properly?
|
| https://support.mozilla.org/en-US/kb/enhanced-tracking-prote...

| marketingtech wrote:
| Meta offers their own...it's not hidden.
|
| https://chrome.google.com/webstore/detail/facebook-pixel-hel...
|
| But this doesn't cover server-side data transfer.
| https://developers.facebook.com/docs/marketing-api/conversio...
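
The two client-side delivery paths described in this thread, the script Meta calls a pixel and the literal 1x1 image fallback, can both be looked for in a page's markup. This is an added example, not part of the thread or of The Markup's tool; the sample HTML is constructed with a placeholder pixel ID, and `PixelFinder` and `find_meta_pixel` are hypothetical names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: the shape of Meta's base snippet, with a placeholder pixel ID.
SAMPLE_HTML = """<html><head><script>
!function(f,b,e,v,n,t,s){/* loader body elided */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '0000000000000000');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=0000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body><img src="/logo.png"></body></html>"""

LOADER_RE = re.compile(r"connect\.facebook\.net/[\w-]+/fbevents\.js")
INIT_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")

class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script, self.script_text, self.findings = False, [], []

    def handle_starttag(self, tag, attrs):
        url = urlparse(dict(attrs).get("src") or "")
        host = (url.hostname or "").lower()
        if tag == "script":
            self.in_script = True
            if host == "connect.facebook.net":  # tracker script loaded by URL
                self.findings.append(("js-loader", url.geturl()))
        elif tag == "img" and host in ("facebook.com", "www.facebook.com") and url.path == "/tr":
            # The literal pixel: still requested when JavaScript is disabled.
            pid = parse_qs(url.query).get("id", ["?"])[0]
            self.findings.append(("image-fallback", pid))

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        if self.in_script:  # keep only script bodies, not visible page text
            self.script_text.append(data)

def find_meta_pixel(html):
    """Return (kind, detail) tuples for each Meta Pixel trace in the markup."""
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    js = "".join(finder.script_text)
    inline = [("js-loader", "inline snippet")] if LOADER_RE.search(js) else []
    return finder.findings + inline + [("js-init", pid) for pid in INIT_RE.findall(js)]
```

An empty result only covers what the browser is asked to load; the server-side Conversions API transfers mentioned above never appear in page markup.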

| Xelynega wrote:
| Correct me if I'm wrong, but the tool in the OP sounds like a
| crowdsourcing effort to collect the data the Facebook tool can
| tell you across multiple users and multiple sites.
|
| That's not really the same thing as a tool that tells a single
| person that the site they're on uses meta pixel as it happens.

| N3Xxus_6 wrote:
| I actually work in an industry that utilizes these a lot. Google,
| tiktok, meta etc. I implement the code on our customers' sites.
| It's crazy how much data these scripts collect.

| glitchcrab wrote:
| > It's crazy how much data these scripts collect
|
| And you're ok with this?

| marketingtech wrote:
| Businesses choose to send this data to the ad platforms for
| their own benefits - better targeting, measurement, and ML
| optimization of their ad campaigns.
|
| The businesses are legally accountable for the data they're
| sending and complying with privacy laws, but to most
| platforms it's a dumb pipe for whatever data the business
| chooses to send.

| Xelynega wrote:
| Probably more OK than they are with making their life
| uncomfortable to look for another job with similar benefits.
| It's not just a moral decision in a void.

| iamacyborg wrote:
| From experience, most folks who implement these tags don't
| understand the scope of what they're actually doing, and most
| are likely doing so without consulting a legal team or
| understanding the legal implications of the tracking they're
| deploying.

| paulcole wrote:
| Is your question rhetorical?
|
| Their actions tell us they're OK with it.

| dylan604 wrote:
| Do they? Have you never done something under protest?

| luckylion wrote:
| Developers doing something "under protest"? Why would
| they? Nobody is going hungry if they don't work at $corp
| any more and work for $otherCorp instead.
|
| That'll be something for when the market has
| fundamentally changed and you'll make your nation's
| average for your education level.
| But until then
| essentially nobody has to work anywhere "under protest",
| there are so many other opportunities.

| dylan604 wrote:
| So says you in a market where bigTech is laying people
| off, where people have spouse/kids/house payment/car
| payment/holiday pressures/adult responsibilities.
|
| Choice A) stand on principle and ruffle feathers and risk
| becoming unemployed
|
| Choice B) just do what tasks you've been assigned,
| collect paycheck, hold your nose until better options are
| available.
|
| It is totally understandable why people can find
| themselves in these situations. It is totally different
| than the team member that thinks up this stuff and
| actively promotes this within the org. Those are the
| asshats

| luckylion wrote:
| Other options have been available since forever and still
| are unless you're in a super niche field, and everything
| that touches ads and tracking / analytics isn't niche.
|
| There's more than enough work out there, but those other
| jobs might not net an individual 10x the average
| household income. Can one survive on 5x or even 3x? Then
| there are more than enough alternatives.
|
| If the employer has kidnapped your daughter and threatens
| to kill her if you don't build this tracking solution,
| then I can totally see how you'd do things you find
| reprehensible "under protest". But I doubt that's a
| common scenario, and generally people just don't care or
| they rationalize it ("I'm working on ads so the internet
| will not be paywalled").

| dylan604 wrote:
| You're preaching to the choir a bit, but I'm just showing
| some empathy. I've been in places that started to move
| into directions that I didn't agree with, and caused me
| to start the process of moving. It takes time, and while
| you're lining things up, you have to do work to get paid.
|
| You can judge someone that accepted a job at bigAdTech,
| but there are other jobs that start out as an acceptable
| place but as things continue on with potentially new
| leadership or some other change causes things to become
| untenable. Not everything is simple, but you can armchair
| quarterback and make judgement on the limited information
| you have.

| paulcole wrote:
| Yes and yes.
|
| Regardless of what you say, it's actions that matter. You
| can tell me you're against something all you want -- but
| if your actions tell me you aren't, guess which I care
| about?
|
| It's easy to talk ourselves into doing something "under
| protest" that we're "against" for a big paycheck. But you
| know what, at some point, we're not really "against" it
| after all.
___________________________________________________________________
(page generated 2022-11-26 23:00 UTC)