Comment by verst
2 days ago
These tracking "pixels" are used across the entire ad tech industry. It is very pervasive. Amazon, Twitter / X, Facebook / Meta, Pinterest, Snap, TikTok...
It's not just pixels. They strongly encourage site owners to send (normalised and hashed) personal data from every interaction to them, with the promise of better targeting for the site's ads. You cannot block this or opt out because it's server-side.
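The server-side matching described in the comment above, as an added example that is not part of the thread. It assumes identifiers are trimmed, lowercased and SHA-256 hashed before upload (the comment says only "normalised and hashed"); all addresses and function names are constructed for illustration.

```python
import hashlib

# Constructed sample data: a site's customer list and a platform's own accounts.
SITE_CUSTOMERS = ["  Alice@Example.com ", "bob@example.org", "carol@example.net"]
PLATFORM_ACCOUNTS = ["alice@example.com", "carol@example.net", "dave@example.com"]


def normalise_email(raw: str) -> str:
    """Assumed normalisation: strip surrounding whitespace, lowercase."""
    return raw.strip().lower()


def hash_identifier(raw: str) -> str:
    """Assumed hashing step: unsalted SHA-256 of the normalised value."""
    return hashlib.sha256(normalise_email(raw).encode("utf-8")).hexdigest()


def build_upload(customer_emails):
    """What the site sends from its server: hashes only, no plaintext."""
    return sorted({hash_identifier(e) for e in customer_emails})


def match_upload(uploaded_hashes, known_emails):
    """What the receiver can do: hash its own account list the same way
    and join on the digest. Every hit re-identifies a person."""
    index = {hash_identifier(e): normalise_email(e) for e in known_emails}
    return sorted(index[h] for h in uploaded_hashes if h in index)


def demo():
    upload = build_upload(SITE_CUSTOMERS)
    return match_upload(upload, PLATFORM_ACCOUNTS)


if __name__ == "__main__":
    # The upload never passes through the browser, so content blockers
    # have nothing to intercept; the digest acts as a stable join key.
    for email in demo():
        print("matched:", email)
```

Because the hash is unsalted and deterministic, it works as a pseudonym shared by every party that hashes the same address, not as anonymisation.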
> You cannot block this or opt out because it's server-side.
Facebook’s latest approach is to give people instructions on setting up a relay server in their own infrastructure so that privacy software that blocks third-party tracking still works, even when it looks at IP addresses to detect things like CNAME cloaking.
https://developers.facebook.com/docs/marketing-api/conversio...
The positive of that approach (for users) is that it relies on client-side scripts, so it's possible for privacy tools to target those.
Another reason not to deal with any company that has any kind of Facebook focus at all
Yep, and it doesn't make it right.
I recently told my bank I don't agree to their new privacy terms. I sent them all 26 pages, marked up with various red lines crossing out the objectionable clauses. One was about tracking pixels, web beacons and the like.
There was also much worse stuff contained like behavioral profiling and sharing my data with outside advertising conglomerates.
After-the-fact opt out mechanisms were described for a lot of it, but I explained very clearly that I am not consenting in the first place. The fact they provide an opt out for some of the most shameful portions reinforces that they don't need consent in the first place to provide me with banking services. I don't know who in their right mind would accept such terms. Unfortunately most individuals I know wouldn't have a clue what the jargon means or how it affects them.
A meeting was set up with my bank manager, and to underscore my point I brought in the original, aged-parchment paperwork I signed over two decades ago to open the account. That was only 5 pages long by comparison.
I also brought in a screenshot from Facebook that proved the bank uploaded some information about me to them in a Custom Audience customer list (a tool offered to advertisers that perversely deputizes them in Meta's quest to ingest all of our personal information). They have no business telling Meta or other third parties who I bank with (which is what the hashed uploaded lists are used to match & confirm).
The manager was quite understanding of my concerns and agreed none of what I objected to is legitimately needed to provide me with banking. I politely explained if they expected me to agree to this garbage I would take my personal and business deposits elsewhere.
I was pragmatic, and realize they're not going to reprogram their whole web portal just for me, but told them if they were going to go ahead and embed web beacons and the like in pages served up to me, or engage in more aggressive privacy violations, then they're doing so without my consent (an important distinction if I suffer damages down the line). In the end, my redlined version of their policy was affixed to my file to document that I do not in fact accept their terms, and they got to keep me as a customer. Not as good as a countersigned revised agreement, but enough to indicate my intent should consensus ad idem come into question.
I realize this was a lot of time and effort (and some risk of further nuisance if it failed and my accounts had to be closed), expended for something most people don't seem to care about. But the growing trend of companies outside tech adopting all our worst dark patterns really gets my gears grinding.
The story goes to show that if you choose to push back, sometimes you can win.
Good job Europe, keep blazing a trail which I hope my country eventually decides to follow.
So you're still tracked the same way as everyone else and they didn't sign any of your changes, so how are you protected?
I think if class-actions come up in the future they have a pretty good case. It seems to me there's a good chance of getting the ball rolling on this stuff - the world is becoming much more aware of the risks associated with online privacy.
Really, the banking industry should be some of the most aware. They lose millions, maybe billions, to fraud and identity theft. The fact they engage with it and enable it demonstrates how strong the suits are and how little they understand.
Want to stop identity theft? Stop leaking personal data to hundreds of third parties. We don't know if they're running their shitty analytics on a Raspberry Pi taped under someone's cubicle. There's a reason we keep having data breaches.
It's a fair question.
Mainly, they'd have a much harder time basing a defense on having had my consent, should I have cause to sue them down the line.
> they didn't sign any of your changes
I didn't sign any new agreements of theirs, either.
The manager did of course check that all the relevant knobs and dials in their system able to be turned off were set as such.
And it caused them some minor grief. If enough of us were to push back like this, the grief might grow sufficiently for them to do something about it (like maybe recognize nobody wants these godawful policies and there's a great business opportunity for companies that decide to build a brand premised on customer respect).
> Good job Europe, keep blazing a trail which I hope my country eventually decides to follow.
While GDPR had some good intentions, the way it is implemented in practice just makes things more difficult for consumers and changes little. For example, in Poland one of the major banks still forces you to accept them sharing your information with advertising partners.
The main effect of the regulation is that you waste 30 seconds on every call you make to a business listening to stuff about their privacy policy, and then on every form you have to consent to something or be denied service.
I hate how it spurred every website under the sun to ask for cookie consent. My gut says that practice (or at least its breadth) stems from a misunderstanding of the legislated requirements.
> you have to consent to something or be denied service
I hate this too.
But I hope consumers start to recognize it isn't always the case. Just because contracts are laid out on screens nowadays instead of paper doesn't mean they're immutable and must uniformly be accepted as-is. We've been shepherded into a culture of just agreeing to whatever crap is placed in front of us. This is one reason I refuse to use DocuSign and always insist on paper or PDFs. I recognize not everyone has bargaining power, and I was fortunate in my case.
Interestingly, where there is unequal bargaining power, that fact itself can on occasion bite back against the company. E.g., in my jurisdiction, it obliges the judge to interpret any ambiguity of terms in favour of the party with less agency.
I generally think companies are overestimating how well some of the more unscrupulous terms we're seeing these days will hold up under the test of litigation.
On the contrary, GDPR actually says that it's illegal to condition content or services on the acceptance of tracking; if anything is provided after accepting optional tracking, it must also be available if declining tracking. This is very easy for a layman to understand when reading GDPR.
What your bank is doing is clearly illegal.