https://onezero.medium.com/doordash-and-thousands-of-other-companies-passively-send-your-data-to-facebook-4ebe851e710

This shit is crazy. Not surprised but damn.. they just passing info along like FB is the mafia.

Cell phone swipe so excuse the formatting.


June 9th, 2020 at 2:13 pm, I paid $13.87 to have bubble tea delivered to my house via the popular food delivery service Doordash. I can’t say I’m especially proud of this decision.

When I made the purchase, I expected that my little indulgence would remain between me and Doordash, since I hadn’t done anything to explicitly link the service to my other online accounts. Maybe the driver who delivered it would roll their eyes. Maybe Doordash’s recommendation system would say “Ah, that’s a juicy sale!” and suggest I repeat the order in a few days. But I assumed my purchase wouldn’t ripple much beyond that.

But I was wrong. Doordash (and hundreds of companies like it) aren’t just recording every purchase you make. They’re also sharing purchase data with other companies, who are using it to target ads. And as I would discover as a result of my extravagant bubble tea order, one of those companies is Facebook.


When the California Consumer Privacy Act (CCPA), a landmark privacy law, went into effect on January 1, it gave residents of California an unprecedented legal tool to access the information that big companies gather about them. This includes companies that would really prefer that their activities remain in the dark, like Clearview AI.
But the CCPA has also created a new and interesting corporate privacy strategy — drown the consumer in information. The logic here makes sense. The CCPA is scary — fines under the law, which began to be enforced on July 1, could easily run into the millions or even billions of dollars for large companies. Faced with this risk, some companies seem to have thought, “If we give the consumer access to basically everything, we can’t possibly be accused of CCPA noncompliance, right?”
The result is that consumers can now access massive data dumps from several large companies, including Facebook. To get your own, you simply go to Facebook.com/your_information, click on Download Your Information, and follow the instructions. Often within a few minutes, you’ll be invited to download a giant zip file with everything Facebook knows about you.

And when I say everything, I mean everything. My own data dump was 461 megabytes. It contains every post I’ve ever made on Facebook, every photo I’ve uploaded to the platform, everything I’ve commented on or liked, all my videos, conversations with my friends, and a good deal more.

That Facebook gathers all this data is not exactly breaking news. We’ve all known for a long time that Facebook is aware of basically everything we do. In his painful visit to the U.S. Senate, Mark Zuckerberg even made clear the company’s reason for learning everything about you: “We run ads.”

It’s still breathtaking to see your entire online life arrayed in front of you in little folders filled with HTML documents. But it’s not shocking, exactly.

What’s more interesting is a tiny folder, hidden away in Facebook’s massive data archive, labeled “your_off-facebook_activity” (a directory name that only a programmer could love). This folder contains a list of all the companies that have provided data on your activities elsewhere back to Facebook. It’s new as of January 2020.

In Facebook’s own words, this data captures “a summary of activity that businesses and organizations share with us about your interactions with them, such as visiting their apps or websites.” This includes “Opening an app, logging into an app with Facebook, viewing content, searching for an item, adding an item to a shopping cart, making a purchase” and “making a donation.”

Yup. If you’ve bought an item on myriad e-commerce websites, made a donation to a political campaign, used any of several hundred participating apps, or, in my case, bought a wildly expensive bubble tea, there’s a good chance Facebook knows about it. What are they doing with this knowledge? Again, it’s pretty clear. It’s there so it can “show you more relevant ads,” “help you discover new businesses and brands,” and the like.

It’s not surprising to me that Facebook is hoovering up all the data it can possibly get its hands on. What is surprising, though, is how many of the companies I know and trust are willingly handing that data to them.

Reading through my own “Off-Facebook” data page, I found a who’s-who of apps, websites, organizations, software programs, and political causes. My list included everything from large companies I use (like Sprint and Airbnb), to news websites (like the New York Times and Bloomberg), to medical providers (LabCorp), to charities (Carbon Fund).

And that’s how I discovered that my indulgent bubble tea order had made its way from Doordash into Facebook’s vast database of my life.

Even a plumber whose website I recall finding through a Google search, Mr. Rooter, was on the list. Also present were wellness apps like Fitbit and Welltory, and local business’ websites, like a pizza place two towns over that I frequent. In all, more than 1,000 external companies had provided information about my activities to Facebook.
Clicking through on each company, I was able to see a summary of the data they had provided — sort of. Many of the specifics of these transactions were obscured by generality. Facebook lists an “Event” type field for each data point, and most had the generic (if a bit ominous) designation “CUSTOM.”

But many did not. And from the Event type, it was often easy to determine what Facebook had logged. Looking at my entry for Doordash, for example, I saw that several events were recorded as “PURCHASE.” Each of these was time-stamped. I cross-referenced these against my Doordash order list. And that’s how I discovered that my indulgent bubble tea order had made its way from Doordash into Facebook’s vast database of my life.

The order in question was indeed logged as a PURCHASE event in my Facebook data, shared by Doordash. It had a time stamp of 2:13 p.m. on June 9th. That’s exactly when I placed the Doordash order, and the time stamp matched exactly with the order history I was able to access in my Doordash app.

Again, Facebook showed me a little hint of the data it’d collected. But what it showed raised more questions than it answered. Facebook’s own page on Off Facebook Activity says that “For technical and accuracy reasons, we don’t show all the activity we’ve received…We also don’t show details like the item you’ve added to your shopping cart.”
They don’t show it. But do they collect it? From the Off Facebook Activity view alone, it’s impossible to know. So I decided to find out. I filed a CCPA request with Doordash, but it languished. So I fired up Google’s Chrome browser, started network monitoring using the browser’s Developer Tools (which records all the raw data your browser sends and receives), set up a filter for data sent to Facebook, went to Doordash’s website, and created a brand new account.

From the very first click, I was blown away by what Facebook is gathering. As I navigated from page to page and completed the account creation process, Doordash continually pinged Facebook with detailed updates about my activities. These included the fact that I signed up for an account, the moment I logged into it for the first time, and every page that I viewed while on the Doordash website.
Again, this was with a brand-new Doordash account. I hadn’t used my Facebook account to log in to Doordash, or done anything to link the two services. Doordash chose to share my data with Facebook entirely of its own accord, and entirely without my knowledge.

To dig deeper, I decided to recreate my lavish bubble tea purchase, this time with full monitoring. It was breakfast time, so I decided to find a smoothie instead of tea. I navigated to the page for my local Vitality Bowls restaurant. As I did so, Doordash diligently sent data about each of my actions to Facebook. I saw a smoothie that I liked (the Tropical Paradise™ for $7.49), so I clicked on it to learn more. Doordash sent this click to Facebook. It even included the name of the item I had clicked, and the store it was linked to (Vitality Bowls Dublin).

The smoothie looked good, so I added it to my cart. This generated another ping to Facebook. I finished the checkout process, and sure enough, with my last click Doordash sent Facebook a PURCHASE event. Only this time, I could see exactly what they sent. It included an identifier for the store, an ID for the smoothie itself, its purchase price, an ID for the Doordash shopping cart and order, the quantity I had purchased, the currency I was using, and the fact that I was a new customer. The amount of data being sent to Facebook was mind-blowing — every aspect of my shopping experience, down to the individual click and the exact amount I had spent, was logged and duly shared.
A snippet of the data about the author’s smoothie purchase, which Doordash sent to Facebook.

A snippet of the data about my smoothie purchase, which Doordash sent to Facebook. Redactions of potentially identifying information in red are my own. Image: Thomas Smith

Again, Doordash is far from the only company sending my data to Facebook. Many other companies also shared purchase data. Sprint, for example, logged a PURCHASE record with Facebook around when I bought a new cell phone.

Other companies provided data beyond purchases in a somewhat-understandable format, too. For example, several news sources told Facebook when I “VIEWED CONTENT” on their site. Welltory, a wellness app, shared when I “LEVELED UP.” What that means, I have no idea. But it has a nice Dungeons and Dragons feel to it.
And then there are all those “CUSTOM” records. Using the same browser data monitoring technique, I could likely determine what many of them signify. With CCPA, though, there may be a much easier approach. I can simply file requests with each company I’m curious about, and likely determine exactly what “CUSTOM” data they’re sending to Facebook. That’s exactly what I plan to do.

To Facebook’s credit, they’re extremely clear about why they’re gathering all your data. And they make it comparatively easy to access a massive archive of all your Facebook-related activity (in a human-readable HTML format, nonetheless!), which at least points you to which companies are sending them what categories of data, even if the specifics are vague. They should include more (like the exact data being logged), but it does provide a start, and many of their data collection efforts are disclosed publicly.

Other organizations that share your information with the company may be less comfortable with that sharing coming out. Some may not even realize what they’re sending to Facebook. Zoom made that claim when it was accused of sharing data, in violation of its privacy policy, earlier this year (Doordash’s privacy policy acknowledges that it shares data with third parties, but doesn’t specifically mention Facebook.)

And some companies may be sending data they shouldn’t. Facebook has policies to prohibit sending sensitive data, like medical or financial records. But when everything is labeled “CUSTOM,” it’s impossible to tell if those policies are being followed.

That’s where laws like CCPA come in. If you’re curious about who is sending your data to Facebook — and what, specifically, they’re sending — you now have ways to find out. First, get your own massive data dump from Facebook, using the process I describe above. Then, comb through the “Off-Facebook activity” section to see who’s been sending them data about you.

But the laws only work if we actively participate in our own privacy, learning about who is gathering data on us, and why.

Finally, file a CCPA request with each company, requesting a detailed description of how they’ve shared your data, and for what purpose. Your request will have the backing of law if you live in California. But many large companies are extending CCPA access to customers outside the state, too. So it’s possible you’ll get a response even if you’re not a Californian.

If you’re not happy with a company’s response, or feel they’re holding data back, get a lawyer. Since enforcement of the law went into effect on July 1, several firms are now taking CCPA cases. According to Mike Cardoza, a consumer protection attorney whose firm has begun accepting CCPA cases, attorneys “often pursue the cases as class actions, which are a good way to discourage corporate misbehavior.”

CCPA and other privacy laws have given us, as consumers, an unprecedented level of access to our data. But the laws only work if we actively participate in our own privacy, learning about who is gathering data on us, and why. That can take a lot of work, and who wants to spend hours combing through the obscure corners of a giant zip archive, or searching through raw HTTP requests to find little tidbits of personal info? But if we want to ensure that our online lives are protected, we need to put in that work.

So roll up your sleeves, grab your own Facebook data archive, and start digging. If you find something surprising or concerning, use CCPA or other laws in your jurisdiction to follow up on it. I’ll be doing the same thing right alongside you. Only by taking these steps towards transparency and access can we empower ourselves to understand what giant companies know about us — and who they’re telling.

Oh, and Facebook, if you’re listening: The tea was totally worth it.

****************
TBH the fact that you're even a mod here fits squarely within Jag's narrative of OK-sanctioned aggression, bullying, and toxicity. *shrug*