WingNews logo WingNews GitHub [2]
top | item 15119591

Ask HN: How does Facebook know what I buy on Amazon or vice versa?

178 points| kmonad | 8 years ago | reply

Following just happened: An hour before lunch I googled and visited websites that sell bicycles. I also visited Amazon during this research. I then bought a bike from one of the manufacturers' websites. A few hours later I browse facebook and see ads to this manufacturers' bikes in my newsfeed, via an Amazon sponsored ad.

I use one browser (Safari) for facebook exclusively, and browsed the bikes / Amazon / made the purchase on Chrome. I have different email addresses for facebook, amazon and, well, google.

127 comments

order
[+] aresant|8 years ago|reply
Straightforward:

1) Amazon tracked your research and likes to use " ad retargeting" if they see you leave before checking out to remind you to come back and purchase.

3) FB offers advertisers a variety of retargeting means + insanely advanced cross-device tracking. Like a building full of PhD's advanced. Maintaining privacy by logging in from different devices / accounts / etc is a thing of the past if you EVER cross-pollute between browsers / devices / etc the signal is picked up and then compared with browsing behavior etc to get a strong profile. (1)

(1) https://www.facebook.com/business/a/performance-marketing-st...

[+] md224|8 years ago|reply
But... what about step 2?

> Like a building full of PhD's advanced.

On a more serious note, it's unfortunate that so many smart people use their intelligence to enable this kind of gross technology. It's all about "solving puzzles" rather than making the world a better place. There's gotta be more productive ways to advance your career.

[+] hiisukun|8 years ago|reply
I love picturing a room full of PhDs developing a crazy complicated algorithmic wonderland. Their celebrations at the complexity and genius of their work probably cut short, when users are targeted with ads telling them to buy something that they just bought.

When human male user "Joe" purchases a women's bath robe 1 week before Mother's day, does he really need ads for women's bath robes for the next month? Of course I know this is nothing to do with the fault of the room full of PhDs.

[+] ams6110|8 years ago|reply
But sort of silly to be advertising you for something you've already bought? They think maybe you liked the bike so much you'll buy another, but only if you see an ad?
[+] theweirdone|8 years ago|reply
As others have pointed out, it's an advertising technique called retargeting. Here are some of the technical details of how exactly it is done(Facebook's implementation might differ somewhat from this, but overall concept is same)

/* DSP - Demand side partner (Entity which works with someone who wants to show their ads) SSP - Supply side partner (Entity which works with some who have potential space on web to show ads) /

1. When you visited Amazon.com, one of the DSP associated with them drop a cookie on your system to uniquely identify you as a user. Let's call it cookiexyz. 2. When you end up on Facebook.com, their SSP also drops a cookie on you, let's call it cookieabc. 3. Now only thing remaining is to determine cookiexyz and cookieabc are same users. 4. To do that, SSP requests a bid from Amazon's DSP(among others). While doing that, it calls one of the DSP's url(bid tag) which sends cookiexyz in request headers and sends cookieabc in query params. This uniquely profiles the user which DSP stores in their system and next time user requests a bid again, they can serve them ads based on preferences based on cookiexyz. In other words, info that your looked at some shoes on Amazon.com

/ disclaimer: I work as a dev in one of the Advertising partner for Yahoo and Bing. */

[+] TekMol|8 years ago|reply
I have had similar experiences. Others have already mentioned some cross-browser fingerprintig techniques. One of the worst that many people don't know about is that browsers hand over your local IP. Check this proof of concept:

http://net.ipcalf.com/

The media device IDs the browsers provide look even worse:

https://jsfiddle.net/u4n4s296/

I am not sure if these are unique to the device type (for example a certain soundcard model) or to the device itself. If it's the latter, then that is an indestructible cross-browser cookie right there. EDIT: As per icebraining's comment, in Firefox they are not not cross-domain, not cross-browser and get randomized when you delete your cookies.

[+] icebraining|8 years ago|reply
In Firefox, the media device IDs are different for each site (origin): It is un-guessable by other applications and unique to the origin of the calling application. It is reset when the user clears cookies (for Private Browsing, a different identifier is used that is not persisted across sessions).

https://developer.mozilla.org/en-US/docs/Web/API/MediaDevice...

[+] hood_syntax|8 years ago|reply
Haha, wow. What is wrong with people nowadays, that they think this is reasonable behavior...
[+] jfoutz|8 years ago|reply
Love the comment. "In Chrome and Firefox your IP should display automatically, by the power of WebRTCskull."
[+] anowlcalledjosh|8 years ago|reply
Interestingly, this doesn't seem to work for me if I have uBlock Origin enabled. However, nothing is logged as blocked in uBO, so I can't tell what it's doing to break it.
[+] Angostura|8 years ago|reply
Just tried this on iOS Safari (running iOS beta, haven’t checked earlier version). Those media ids change on every page load.
[+] reaktivo|8 years ago|reply
Whoa, for a moment I felt pretty sure you would be mistaken. Hadn't read about this particular vulnerability before.
[+] captainhcg|8 years ago|reply
I am working at FB but not in ads or related team. But I had talked to a person who is directly working on it.

Amazon is different to other AD buyers. Amazon does not want FB to know what customers are doing on its own site, so there is no FB tracker on Amazon at all. However, Amazon can choose what ad to deliver to you on FB backed up by its own team.

[+] rajathagasthya|8 years ago|reply
OP says they have different email addresses for Amazon and FB. How would Amazon know which user to target ads on FB in this case?
[+] kmonad|8 years ago|reply
Interesting indeed. It is therefore more likely that I should have asked "How does Amazon know who I am on Facebook?". I suspected this could be the directionality (weak attempt 'vice versa'). Thanks for the special insight!
[+] exelius|8 years ago|reply
DMPs.

Amazon buys (and sells) data to/from DMPs. That data can (and often does) include a hash of your credit cards, all the e-mail addresses you go by, etc. Amazon can basically buy programmable ad inventory that says "I want to show this ad for chainsaws to kmonad" and the DMP resolves who 'kmonad' is through a variety of methods.

Realistically, the opsec you would need to have to avoid this would be astronomically inconvenient. These DMPs work off statistics, so they don't need to know 100% that this browser session is probably kmonad, just 70%. Maybe you have the same IP, OS version, browser extensions, cookie sets...

[+] lxchase|8 years ago|reply
This is most likely. To take it one level further, since you bought something, it can be DLX data (or Oracle now) or some other purchase-based data (from Visa or Nielsen Catalina). Facebook can ingest these as custom segments to target. For instance, I can buy a data segment of past purchasers of Giant bicycles for $1 CPM that will be layered on whatever partner is integrated. With every "match" there will be drop off as one ID system needs to be matched with a separate ID system (i.e. FB <-> DLX, or Liveramp <-> Mobile App)
[+] calebcuster|8 years ago|reply
If you want to know what advertisers are retargeting you, you might want to check: http://whoisretargeting.me It can be enlightening. You can also opt out of a lot of it here: https://www.facebook.com/help/568137493302217
[+] jszymborski|8 years ago|reply
I don't seem to see too much specific to me, other than anything you can gleam from geolocation... Suspect NoScript/uBo/Self-destructing Cookies have mitigated a lot of it.
[+] hossbeast|8 years ago|reply
Does not work under Brave - which means I'm protected from retargeting, too?
[+] junkculture|8 years ago|reply
Interesting. I whitelisted this site, and 2 of the 4 ads it displays on each refresh are from Facebook.

I've never had an FB account and they seem to know it.

[+] kristianc|8 years ago|reply
Amazon has a Facebook retargeting pixel loaded which identifies you based on your (probably logged in but quite possibly not) Facebook account. Facebook has you IDed across browsers and across devices, getting around the single browser limitations cookies usually have.

This links back to your FB account. Best practice would be for advertisers to also load a 'burn' pixel on a conversion page which lets them know you have purchased the product, but the tech doesn't always allow for this.

[+] tagawa|8 years ago|reply
It's worth noting that according to this study[1], Facebook has trackers on 25% of the top 1 million websites (Google is top with 75%). This doesn't immediately explain how they get around the use of separate browsers, but with device fingerprinting techniques, e.g. checking the list of installed fonts, screen size, IP address, etc., I'm sure they can reach a high probability of recognising a single user.

[1] https://webtransparency.cs.princeton.edu/webcensus/

[+] BoorishBears|8 years ago|reply
Some AdSense ads will let you mark an item as already purchased if you click on the information icon
[+] js7745|8 years ago|reply
They use the Facebook Pixel https://www.facebook.com/business/a/facebook-pixel

They segment users that visited each product on Facebook with a custom audience and then create ads for similar products that they show you. This is all done programmatically.

[+] icebraining|8 years ago|reply
How would that work across different browsers?
[+] danilocesar|8 years ago|reply
Not totally related to the post, but IMHO the following happen too often:

I'm looking for a camera. So I opened a market place in my country that sells those cameras. Then I decided to buy one.

Then, for a few days, I open facebook and I only see ads about cameras, from the same marketplace. That's useless as I'm sure (and they should know with some confidence) I'm not buying another camera. They should/could target me ads about SD cards, lens. But certainly not cameras.

* Then it happened again when I bought the SDCards =/

[+] sumedh|8 years ago|reply
Maybe the tracker did not track your purchase and still thinks you are looking to buy one.
[+] trjordan|8 years ago|reply
Some data matching isn't done with straight cookies. You visited from the same computer, same IP. It may be a guess done by comparing IP + installed fonts.

The other possibility is that your multiple email addresses have been matched as the same person. So even though you use different browsers and have different cookies, they're collapsed on Facebook's side.

[+] alimoeeny|8 years ago|reply
It is enough for you to only once have used the same browser / profile with both accounts. There are cookies to keep track of who is who and then it is a matter of matching identifiers on one platform to the other. It is hard to believe you have been diligent enough to keep things absolutely 100% separate between Facebook and amazon.
[+] Grustaf|8 years ago|reply
I read your question as being about how facebook found out from amazon what you bought. I don't know much about web technology but it seems to me they don't need to know, since the ads you mentioned came from Amazon, even if they're served inside facebook. So it's enough if facebook gives enough info to amazon so that the latter can infer who you are, then they know that you bought that bike.

It's somewhat encouraging that the algorithms are still so stupid as to advertise precisely the things you are least likely, a large infrequent purchase that you just made!

[+] MichaelGG|8 years ago|reply
Are they stupid? I've cancelled and bought a competing product more than once, though not via ads (adblocker), just searching or reconsidering.
[+] __abc|8 years ago|reply
This is all fairly straight forward however, what blows my mind is Facebook makes recommendations of friends that I've NEVER had any digital interaction with.

For some reason it picked up the kid who stocks the craft beer at my local family run grocer. Literally only talked to the kid face-to-face. No phone number, no texting, no contact entry (not that I share those with Facebook anyways).

That made the hair on the back of my neck stick up when that happened.

[+] jakub_g|8 years ago|reply
I suspect FB uses location and/or WiFi data as one of entry points. Note that smartphones often scan WiFi networks even when WiFi is off.

Based on the high intersection of two sets of SSIDs names visible from two devices at the same time, you can decide two people were in one room together. If this happens regularly, you can be quite confident people "know" each other in some way, which can unveil many surprising "friends" recommendations.

[+] mateo411|8 years ago|reply
There is some process that is running a spatial join. You were both logged into facebook at the same time, and were in close proximity.

I had a similar situtation where Facebook recommended that I friend a coworker that sat next to me.

[+] eknkc|8 years ago|reply
Maybe he searched and looked you up on Facebook and it's somehow enough signal to suggest him?
[+] nsgi|8 years ago|reply
Have you ever called the grocer's phone number? Maybe it's linked to his account.
[+] jdavis703|8 years ago|reply
These companies can also track you by IP address. I've had conversations with co-workers about them considering a specific large purchases, and then seen ads for what we talked about popping up. I'm assuming that if the CPM is low enough, many ad-retargeters will take the risk of targeting ads based on IP address alone.
[+] godot|8 years ago|reply
Aside from basic retargeting with cookies, there's definitely something more going on between Facebook and Google. (geoip/location might be a good guess)

I have a habit of going into Incognito browsing often. Not for viewing any NSFW stuff, I just have this habit whenever I want to look up something that I know is very one-off and not related to my general interests. (habit started with Amazon and it showing me related products of stuff I wasn't interested in because I clicked on a link friends send over skype)

A few days ago I was sitting at home, remembered about a specific couch-in-a-box company, wanted to check out how the couch looks again, so I opened up Incognito as I always do, and searched for Burrow.

Later on that night, I saw Burrow facebook ads. Not only was I in incognito when I searched, and this time I was actually on a whole different laptop while on Facebook!

[+] nickphx|8 years ago|reply
All of those actions (searching, viewing, purchasing) sent signals to various tracking companies that all exchange data either directly or indirectly through third parties. While Amazon may not directly work with Facebook and exchange tracking data, Facebook may work with another third party that works with Amazon.
[+] ars|8 years ago|reply
It's by IP address.

I know this because you can browse for something on Amazon on one machine, then find ads for that item on an entirely different machine - but one that's using the same WiFi.

Good luck buying a surprise present for a Significant Other. If you try, they'll see ads for it on Facebook.

[+] mrhektor|8 years ago|reply
On a related note, I had a weird experience where I was talking about a trip to Vietnam with my friends. A few hours later, I saw an ad for air travel to Vietnam on my FB page.

Now I'm 100% sure I hadn't googled or searched for Vietnam previously. At first, the conspiracy theorist inside said "they're listening!" through my phone microphone or whatever. But then, I thought, could they have been forming a pattern of my behaviour over the past several days, cross-referenced across several platforms (maybe I had searched for "Travel destinations" and also a friend had given a travel recommendation of Vietnam on chat)? Have the algorithms gotten that advanced?