91

Facebook has served me an ad for a website I visited earlier in the day. I have third party cookies disabled and have not followed any links between the website and Facebook (links which could contain a tracking ID connecting my Facebook account to the website).

Without third party cookies, how can Facebook know that I visited the website?

curiousguy
Jesse
  • 20
    If the site you visited had a "like", "share" or something else related to Facebook, the website can track you. If you don't want that anymore, you can install on your browser a useful extension named "Facebook container" that automatically blocks Facebook scripts in any external site. Note that if you use that extension, you can no longer use Facebook's "like" button, etc., on external sites. – DioCanada Nov 10 '19 at 22:59
  • 22
    Shout out for the EFF extension Privacy Badger. It replaces the Facebook widgets with its own version that can't be tracked. – Darren Nov 11 '19 at 09:34
  • 3
    "an ad for a website I visited earlier in the day" => Mine is a comment. You are assuming FB served that ad on the assumption they *know* about your visit. Exactly like the "FB is *hearing* us" dispute, this could also be explained under a cognitive bias hypothesis. *Maybe* the site is performing a huge campaign, and *not necessarily* FB provided that ad on the grounds that they had record of your visit. Yet again, mine was just a comment – usr-local-ΕΨΗΕΛΩΝ Nov 11 '19 at 10:42
  • 14
    Pfft, you're living in the past. Nowadays I merely talk to my wife about something and if my phone is within earshot of us then I'll get an ad for the item next time I open Facebook. – MonkeyZeus Nov 11 '19 at 14:00
  • @usr-local-ΕΨΗΕΛΩΝ before I blocked almost everything, I could get some very specific ads, related to stuff I didn't normally search for, after quickly looking up a product. Specific down to a particular brand – Chris H Nov 11 '19 at 16:03
  • 2
    Related on Meta Stack Overflow: [Stack Overflow lets Facebook track us across their sites](https://meta.stackoverflow.com/q/384864/7795130). – Davy M Nov 12 '19 at 09:01
  • If you are serious about solving such problems, you need to disable all third-party scripts (such as via [UBlock Origin](https://addons.mozilla.org/en-us/firefox/addon/ublock-origin)), as well as not click on any links on a website that are related to FB. It is still possible for a website to run an FB script on their own servers, but if they really do so then it can be difficult to block that without disabling all scripts for the site. – user21820 Nov 12 '19 at 13:28
  • @user21820 UBlock Origin doesn't block all third party scripts. noScript is my friend here. (noScript + UBlock + Ghostery + Facebook container is my current set-up) – Baldrickk Nov 12 '19 at 14:23
  • @Baldrickk: Clearly, you don't know how to use UBlock Origin properly; it's easy to set it to block all 3rd party scripts or frames or objects or any combination, and whitelist specific domains, all via the GUI itself (read the documentation), and if that is not enough you can even add your own rules from the dashboard. By the way, [NoScript has shady behaviour](https://security.stackexchange.com/q/123505), so you had better think twice before continuing to use it. – user21820 Nov 12 '19 at 14:30
  • @MonkeyZeus, that’s the price of letting your phone run an O.S. or app made by NSA’s biggest competitor. – WGroleau Nov 12 '19 at 16:37
  • 1
    Privacy Badger is very nice but impossible to use for day to day activities. It requires constant tuning because it often breaks websites with embedded forms in iframes, for instance. The DuckDuckGo essentials extension + uBlock Origin are much more viable for frequent usage. No Script is even worse as it blocks ALL Javascript by default. – Andrea Lazzarotto Nov 13 '19 at 09:59

5 Answers

121

Facebook does not need to use third-party cookies to track you as you move from site to site, if the sites contain Facebook's JavaScript code (e.g. for the Facebook 'like' button). In this case, Facebook's JavaScript code can place first-party cookies on your system, and communicate back to Facebook's servers to show you ads based on sites that you've visited previously.

mti2935
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/101432/discussion-on-answer-by-mti2935-how-does-facebook-track-your-browsing-without-th). – Rory Alsop Nov 24 '19 at 14:25
  • The variant using Facebook’s JavaScript SDK is only one of two possible implementations for the Like Button. The other one uses frames, where setting first-party cookies is not possible. – caw Dec 13 '19 at 18:26
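
One way to check a site for the behaviour described in the answer above, added here as an example and not part of the original answer: compare the first-party cookie values stored for the page with the URLs of the requests the page made, and flag any third-party host that received one of those values. The hosts, cookie names and values are constructed, and `site()` is a simplification that assumes two-label sites.

```javascript
// Constructed sample data: the first-party cookie jar of shop.example and the
// requests the page made. All names and values here are made up.
const firstPartyCookies = { session: "s-8f2c41d09a", _trk: "t1.1573426800.4417730912" };
const requests = [
  "https://shop.example/cart?item=42",
  "https://cdn.shop.example/app.js",
  "https://tracker.example/collect?ev=PageView&uid=t1.1573426800.4417730912",
  "https://ads.example/sync?d=" + Buffer.from("t1.1573426800.4417730912").toString("base64"),
  "https://fonts.example/css?family=Inter",
];

// Simplification: treat the last two labels as the site. Real tooling should
// use the Public Suffix List (needed for suffixes such as co.uk).
function site(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// The forms in which a cookie value is searched for in a URL.
function encodings(value) {
  return [value, encodeURIComponent(value), Buffer.from(value).toString("base64")];
}

// Flag third-party requests whose path or query carries a first-party cookie value.
function findCookieLeaks(pageUrl, cookies, requestUrls, minLength = 8) {
  const pageSite = site(new URL(pageUrl).hostname);
  const leaks = [];
  for (const raw of requestUrls) {
    const url = new URL(raw);
    if (site(url.hostname) === pageSite) continue; // same site, not a leak
    const haystack = url.pathname + url.search;
    for (const [name, value] of Object.entries(cookies)) {
      if (value.length < minLength) continue; // short values match by chance
      if (encodings(value).some((v) => haystack.includes(v))) {
        leaks.push({ cookie: name, host: url.hostname });
      }
    }
  }
  return leaks;
}

console.log(findCookieLeaks("https://shop.example/", firstPartyCookies, requests));
```

A value that a script hashes before sending will not match; add the hash forms you expect to `encodings`.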
26

In addition to the other answers:

The website you visited could have sent information about your visit directly to Facebook using their "Server-side API".

This doesn't need any client-side scripting technology to be enabled, because all communication happens between the 3rd party website and Facebook.

The more information you give the 3rd-party site, the more they can share with FB. The bare minimum is your IP address. If you have an account then your email address could be shared. If you make a purchase then all of that can be shared, too.

If the website used both client-side scripting and server-side communication to tell Facebook about you, then the fact your visit generated a server-side event but not a corresponding client-side event shows to them that you use an ad-blocker. This information can also be saved and potentially used to serve you different content in future.

Aaron F
9

There are more ways to keep track of your browser fingerprint.

For example, the following data may be used for fingerprinting:

  • Operating system
  • Installed fonts
  • Installed Browser add-ons
  • User agent, shows your version of your browser
  • IP address
  • Screen resolution
  • etc...

There are sites where you can check your browser fingerprint like these: https://amiunique.org/

Facebook has a Server Side API where APIs can send events directly to the Facebook servers. This includes forwarding the client_user_agent which contains your browser fingerprint so they can match these requests to identify you.

com2ghz
7

I want to clarify that what you are seeing is most likely a retargeting advertisement (learn more at Wikipedia). The website you visited may be voluntarily sending data to Facebook in order to serve ads to you when you browse other websites, such as Facebook.

You can learn more about this from Facebook's B2B Marketing page and their Developer Documentation. Note that even if you block JavaScript and third party cookies, there is still a no-script tag which loads an image (tracking pixel) which will leak some information to Facebook's servers. This is why you need a browser plugin which has blacklists in order to truly browse privately.

If you are curious about the mechanics, this answer about tracking pixels goes into more detail.

ShadowTiger
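
To see which of the embed styles mentioned on this page a site uses (script SDK, iframe widget, or the `<noscript>` image pixel from the answer above), the page source can be scanned for third-party `src` attributes. This is an added example, not part of the original answer; the HTML, hosts and the `id=0000` value are constructed, and the scan is regex-based rather than a full HTML parser.

```javascript
// Constructed sample page with the three embed styles discussed on this page.
const sampleHtml = `
<html><body>
  <script src="/static/app.js"></script>
  <script async src="https://connect.social.example/sdk.js"></script>
  <iframe src="//widgets.social.example/like?href=https%3A%2F%2Fshop.example%2F"></iframe>
  <img src="https://img.shop.example/logo.png" alt="logo">
  <noscript><img height="1" width="1" style="display:none"
    src="https://social.example/tr?id=0000&ev=PageView"></noscript>
</body></html>`;

// Simplification: last two labels are the site (use the Public Suffix List in real tooling).
function site(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// List script, iframe and img tags whose src resolves to another site.
function findThirdPartyEmbeds(html, pageUrl) {
  const pageSite = site(new URL(pageUrl).hostname);
  // Character ranges covered by <noscript>...</noscript>.
  const noscript = [...html.matchAll(/<noscript\b[^>]*>[\s\S]*?<\/noscript>/gi)]
    .map((m) => [m.index, m.index + m[0].length]);
  const tagRe = /<(script|iframe|img)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const found = [];
  for (const m of html.matchAll(tagRe)) {
    let url;
    try { url = new URL(m[2], pageUrl); } catch { continue; } // unparsable src
    if (!/^https?:$/.test(url.protocol)) continue;            // skip data:, about:, ...
    if (site(url.hostname) === pageSite) continue;            // first party
    found.push({
      tag: m[1].toLowerCase(),
      host: url.hostname,
      // A pixel inside <noscript> still loads when JavaScript is disabled.
      inNoscript: noscript.some(([a, b]) => m.index >= a && m.index < b),
    });
  }
  return found;
}

console.log(findThirdPartyEmbeds(sampleHtml, "https://shop.example/"));
```

A static scan does not see tags that scripts insert at runtime, nor data the site's server sends on its own.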
1

Just have a look at the site of the Electronic Frontier Foundation www.eff.org and search on Browser. You will find many articles, dated 2010, on browser fingerprinting without cookies.

Also, just see for yourself how unique your browser is on the Panopticlick site.

I also remember a similar EFF test site that shows you how many other browsers share particular fonts etc on your browser, but could not find that site.

Roland
  • Browser fingerprinting is already covered in another answer and that's not how it works. – schroeder Nov 12 '19 at 15:12
  • Also, answers which are just links to things which may or may not answer the question, are not themselves valid answers to the question. Paraphrase the material in your answer to make your answer useful. – Beanluc Nov 12 '19 at 18:08
  • 1
    @Beanluc I did not "just" mention a link, but annotated that it is some authoritative collection of info. Also that the issue is about 10 years old, as a subtle hint about the value of the question. The Panopticlick site makes it possible to actually find out yourself how fingerprinting works. – Roland Nov 12 '19 at 22:24
  • @schroeder Many answers I have seen on lots of questions contain duplicate material, without complaints. Often, there is a slight twist that distinguishes answers. And if fingerprinting is not the answer, not how it works, that would be another topic. – Roland Nov 12 '19 at 22:27