„Swedish Radio News reporters have tested the tip-form on ECPAT's website and found that their name, email and telephone numbers were shared with Facebook.“
How the hell does this just happen? Have people forgotten how to build simple forms and just use Facebook?
Poor supervision over something like Google Tag Manager resulting in someone on the PR team adding extra stuff without being fully aware of the repercussions
The way I could imagine it happens is that they use GTM to trigger Facebook tags, for example to remarket people who have donated to ECPAT, since people who donate are likely to do so again after say a month or during Christmas so that's a perfect audience to have available for an ad campaign. But they have GTM fire FB on every single page out of convenience, since setting up rules in GTM on where to trigger it is work. The tip-off page is hosted on the same environment, so FB triggers by default.
Not 100% on this but if they aren't granted sufficient GTM access and the site is an SPA devs may not even have access of where to trigger it beyond blocking instantiation on certain pages.
100% this, the marketing team wants to have Google Tag Manager to inject random marketing scripts all across the page and management backs them up and then the development team has no insight into or no say in what actual scripts are run on a specific page.
That said: This is a GDPR nightmare and so is Google Tag Manager
It really doesn’t fix it, since the whole point of GTM is to allow arbitrary code execution on any page by marketing teams. (Yes, this is as bad of an idea as it sounds)
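A defender-side check for the situation described in the comments above, as an added example that is not from any commenter: it lists the third-party hosts a sensitive page's markup makes the browser contact. The page URL and HTML are constructed, and the container and pixel ids are placeholders. Tags that a tag-manager container injects at runtime never appear in static markup, so the loader's presence on the form page is itself the finding.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Element -> attribute that makes the browser fetch a resource on page load.
FETCHING = {"script": "src", "img": "src", "iframe": "src"}

class _ResourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # urljoin resolves relative and protocol-relative (//host/...) URLs.
            self.urls.append(urljoin(self.base_url, value))

def third_party_hosts(html, page_url):
    """Return sorted hosts that are neither the page's host nor a subdomain of it."""
    first_party = urlsplit(page_url).hostname
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host and host != first_party and not host.endswith("." + first_party):
            hosts.add(host)
    return sorted(hosts)

# Constructed sample: a tip form that inherits the site-wide tag setup.
SAMPLE_PAGE_URL = "https://tips.example.org/report"
SAMPLE_TIP_PAGE = """
<html><head>
<script src="/static/form.js"></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>
</head><body>
<form method="post" action="/tip"><input name="email"></form>
<noscript><img src="//www.facebook.com/tr?id=PIXEL_ID"></noscript>
</body></html>
"""

if __name__ == "__main__":
    for host in third_party_hosts(SAMPLE_TIP_PAGE, SAMPLE_PAGE_URL):
        print("third-party fetch on sensitive page:", host)
```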
Something is off here. When PII data is shared with Facebook, it gets hashed before it gets sent. In fact, Facebook warns you if you are “leaking” PII in places like URL parameters that get picked up by their tracking pixel.
If they discover pageview events with PII in them, they throw them out.
I’m not justifying that hashed data is okay… but clear text data is not received or stored by Facebook via a Facebook Pixel, or their conversions API.
If Facebook had the clear or hashed data anywhere else you’re still leaking it just with extra steps. Hashes don’t by themselves anonymize. If you have access to the original data it’s trivial to recompute the hash and build your association that way. You could assume the data is salted but that’s not always a safe assumption.
I am not here to defend Meta, only clarify how data is transmitted.
Data is not salted as far as I can tell, it's normalized and hashed via SHA256. They publish SDKs for serverside integrations so you can see how the code is set up.
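The point made in the two comments above, as an added example that is not from any commenter or from Meta's SDKs: an unsalted SHA-256 of a normalized email stays linkable for any recipient that already holds the address. The normalization shown (trim and lowercase), the site secret and all addresses are assumptions constructed for the illustration.

```python
import hashlib
import hmac

def normalize(email: str) -> str:
    # Assumed normalization: strip surrounding whitespace, lowercase.
    return email.strip().lower()

def unsalted_hash(email: str) -> str:
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

def keyed_hash(email: str, secret: bytes) -> str:
    # Contrast case: HMAC with a secret that only the sending site holds.
    return hmac.new(secret, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()

def reidentify(received_hashes, known_emails):
    """What a recipient with its own account list can do: hash every address
    it knows the same public way and join on the digest."""
    lookup = {unsalted_hash(e): e for e in known_emails}
    return {h: lookup[h] for h in received_hashes if h in lookup}

# Constructed sample data.
SUBMITTED = [" Anna.Svensson@Example.org ", "tipster42@example.net"]
RECIPIENT_ACCOUNTS = ["anna.svensson@example.org", "someone.else@example.com"]
SITE_SECRET = b"constructed-secret-never-shared"

def demo():
    plain = reidentify([unsalted_hash(e) for e in SUBMITTED], RECIPIENT_ACCOUNTS)
    keyed = reidentify([keyed_hash(e, SITE_SECRET) for e in SUBMITTED], RECIPIENT_ACCOUNTS)
    return plain, keyed

if __name__ == "__main__":
    plain, keyed = demo()
    print("linked via unsalted hash:", sorted(plain.values()))
    print("linked via keyed hash:   ", sorted(keyed.values()))
```

The keyed variant only breaks the join while the recipient lacks the secret, which also means it cannot be used for the audience matching the hash was sent for.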
They probably embedded tracking pixels because PR teams wanted to have data on how many people viewed the page vs how many people actually filed a report.
Why do I get the feeling time and time again that developers pick the easy solutions. Not the sensible ones.
Some type of page download counter should not be impossible, and number of reports should also be an easy metric. Why do they even think they need to get someone like Facebook involved...
In almost all organizations outside of IT, IT is at the bottom of the social ladder. They gotta do what management wants.
And that won't change until enough large organizations get hit hard by fines that everyone else follows suit and hires actually capable CTOs with veto power over everyone else.
Case study: I help run a site that has resources for trans and LGBT people.
With a question as sensitive and personal as “am I transgender or not and how would I know,” it’s deeply important to me that visiting my website won’t accidentally get my users into trouble, even indirectly through tracking or federated cohort ad targeting.
- The only JavaScript is that which is necessary to run the site;
- The site only listens on HTTPS;
- There are no cookies;
- I explicitly opt users out of FLoC to prevent other sites targeting ads to my users based on my site’s content;
- I use a third-party hosting provider that only supplies aggregate passive server logs for a 30-day rolling window, which only shows me the domain name of the Referer, so I can’t know exactly where my users came from.
> The only JavaScript is that which is necessary to run the site
No JS is required to 'run' a site. I can and do use Hackernews without ever requiring JS to be enabled. Everything works via POST, it's quick and simple.
Yes. A Non-JS world is painful, and there are many difficulties, but ensuring your site works with noscript would do the world a huge favor.
If it's something like a resource locator or questionnaire, then doing the processing locally in JS is in fact better for privacy than sending personal data over the network. It's nice when websites work without JS but you are a deeply unserious engineer if you think that there are no tradeoffs involved.
I could see the idea of building a quiz or something with CSS and named anchors (links within the document). No JavaScript, everything all on one .html, and it would work on elinks!
Isn't it possible to set cookies with CSS anyways? https://dev.to/astrit/how-to-set-a-cookie-with-css-3o16 Seems like there would potentially be a way to get cross-site tracking using only CSS, though I don't imagine many people looked into it (I haven't), largely because it's a good assumption that your clients have JS enabled so if you want to track, just use JS -- especially because then you get full browser fingerprinting.
But I think "this site doesn't use JS so it must be safe" is...a really bad assumption.
You have no idea what site is it. Perhaps it's an interactive game or a questionnaire. POSTing that data to a server is much worse than running some clientside code. Your post is not productive at all.
You’re right, JavaScript wouldn’t be necessary for my website. I agree that getting rid of it would increase accessibility. Would love to be able for my site to be usable in elinks…
My post above was concerned most of all with privacy, and the only scripts are for page rendering, they’re hosted from my domain, and they make no network calls. Bytecode in, DOM nodes out, all on the user’s device.
They (Swedish Radio) have done a few stories on Facebook pixel during the last year.
A year ago it was the state-owned pharmacy Apoteket that leaked customer information and their orders to Facebook. Once it was revealed that multiple pharmacies did it, an investigation into three of them was started. Last month SR extended their search and found 100 pharmacies in Europe doing the same thing. Leaking information to Facebook.
I'm sure this is a really common issue because it's so convenient and useful when doing the marketing and analysis. People don't think about the consequences or the fact that it's against the rules of Facebook.
People just don't understand how valuable data is.
For example, Sweden has a Facebook Market competitor that uses Facebook _and_ Google for analytics. Now we know for a fact that Amazon has in the past used AWS to spy on b&m and e-commerce competitors, I don't believe for a minute that Meta would be any better.
Not OP but I did some searching and found an article citing this comment chain with throwaway accounts claiming to be former AWS employees doing it. I didn't bother reading all of the comments but I would assume it to be major news if it was actually true.
3 hours have passed. I also did a healthy amount of googling various permutations of what they said and didn't find anything relevant so until anything new is revealed I guess we should consider this fiction.
For what it's worth, I remember coming across this claim a couple years ago about AWS on HN. I don't think it's fiction, it's possible that their PR has scrubbed these allegations from the internet.
The only way to stop this from happening in the long term is to educate users that companies are spying on them, and tell them about the tools to prevent it.
Depending on site owners and spyware companies, like Facebook, to solve the problem is super naive, and will never solve it. They directly benefit from these "leaks," and so they have no motivation to prevent them.
What tools are capable of stopping FB tracking 100%? Right now it's a "cold" arms race between Facebook and people trying to avoid tracking but if more people started trying I think Facebook would try harder to track everyone and things would heat up. The only way to avoid a perpetual arms race (that Facebook will probably win) is to legislate boundaries that Facebook is legally not allowed to cross. We saw this happen on iOS (though at an OS/App Store policy level instead of legally) and it seemed to actually work.
Sure, but can we teach grown men not to wring their hands about safety mechanisms for $SCARY_NEW_TECH at the same time they're becoming inevitable and culturally familiar?
No need to be snide. Computer security is a lot harder to learn for most people because it's abstract and requires a degree of mental modeling that most consumers aren't equipped to perform. If it were as easy as you suggest businesses/organizations would be invulnerable to phishing attacks, which they're obviously not. And entities like that have dedicated IT and HR staff to set up/train people, which consumers typically don't.
I reserve the right to remain snide toward anyone who holds such insulting and condescending views toward "most people". Asserting civility, in such contexts as this one, is often used as nothing more than an excuse to avoid confronting your own antisocial behavior, however politely you manage to frame it. Social contracts need not be adhered to by either side once broken. If you wish to reinstate it, be my guest, but that's not my obligation.
It's not that they can't understand it, it's that there's plenty of other stuff to pay attention to out there, for better or worse. The threat of cold and hunger comes before more abstracted threat vectors, and you are extremely lucky to have the mental space to consider and discuss such things as privacy on this here website. If you want to ride high on your sense of innate superiority, accept for yourself the mission you seem to imply for the technologically-literate and make privacy so simple even a small child could be protected.
Legislation is used to protect vulnerable groups and health data. Strong reasonable legislation is hard to write, and expensive to enforce, but effective enforcement will cause changes to internet sites. Think GDPR.
It is hard to manage cross-jurisdictional issues on the internet. In this case, Sweden could probably design good restrictions since it is a site local to Sweden?
Trying to get everyone to become security professionals is highly unrealistic.
All those pitiful ignoramuses, who have no idea how to walk three times around the block to avoid the Stasi - they need to be protected from the secret police, pshaw!