Facebook has just introduced a feature that allows advertisers to track the behavior of users across devices (e.g. laptop, iPhone, desktop). The feature will allow advertisers to get a better picture of user behavior prior to a “conversion” (e.g. a purchase). According to Facebook’s Conversion Measurement page, other types of conversions can include “checkouts, registrations, leads, key page views, or customers adding items to a cart.”
Facebook has been offering conversion measurement for a while. Basically, advertisers just place Facebook’s tracking pixel on whichever page they want to track conversions on and create an ad on Facebook with the same pixel. Facebook will then do the rest and provide the advertiser with a summary that includes the number of conversions, the cost per conversion, etc.
This method of cross-device tracking is also not a completely new idea. The method of using site logins to allow advertisers to connect user behavior across user devices has been discussed since at least 2012, and Facebook itself says they already offer “targeting, delivery and conversion measurement across devices.” Given the amount of time Facebook’s tracking pixel has been around, this statement is unsurprising.
What does seem to be new is that Facebook is now providing advertisers with more information; Facebook is now reporting which devices were used by tracked users before conversion and which devices were used during conversion. Facebook gives two examples of what advertisers can now see: “the number of customers that clicked an ad on an iPhone but then later converted on desktop, or the number of people that (sic) saw an ad on desktop but then converted on an Android tablet.” This is information that, until now, was unavailable to advertisers.
How Cross-Device Tracking Works
How does cross-device tracking work? There appear to be 2 main techniques:
1. Link user data from 2 or more different sources (e.g. cookies, mobile device UUID).
2. Infer a link using data such as machine configuration, operating system, or wireless setting
Technique #2 relies on factors that might be the same for more than one user, and therefore cannot be 100% accurate. At best, this type of tracking can only provide a “match rate”; the likelihood that two different profiles actually belong to the same user. It is only a guess.
Facebook tracks their users across devices as they sign in, which implies that technique #1 is being used. In short, if you sign into Facebook on one phone and click an ad, then make a purchase on another device on which you are also signed in to the same Facebook account, Facebook will help the advertiser connect the dots, probably via the tracking pixel.
How to Avoid This Kind of Tracking
But what about the privacy conscious everyday user? What if you don’t want your behavior to be tracked by Facebook and advertisers? Your most powerful weapon against tracking in this case is simply not signing in.
There are 2 ways of not signing in:
1. Not using Facebook at all. From the perspective of privacy, this is of course the best option, but it is also not an option for many people, at least at the moment.
2. Limit the devices from which you sign in.
Suppose you own 2 phones. You use the first one primarily to socialize, and the second one to shop. Instead of signing in to Facebook on both phones, only sign into Facebook on the first phone. Never sign in to Facebook on the second phone. Facebook will then have no way to connect your shopping history on the second phone with your Facebook profile. You should also sign into Facebook for only as long as necessary even on the first phone; if you stay signed in too long, non-Facebook sites can send your information to Facebook.
When I mean “never sign in,” I am describing an ideal situation. It is sometimes impossible to avoid signing in to Facebook once or twice. If you’ve lost your other phone, for example, and you need to send an important message, you may have to make an exception. Once the dust settles, make sure you sign out on the phone that was not intended to be used with Facebook.
The Importance of Maintaining a Separation of Identities
Many sites (not just Facebook) try to get users to sign in using an account that is used at multiple sites. Have you ever visited a site where you are invited to sign up with third-party accounts? Examples include “Sign up with Facebook” or “Sign up with Google” buttons. If you do this, the site will be able to connect whatever data they are able to access on your Facebook or Google account with whatever information you provide to their site; a potentially dangerous combination. When it comes to protecting your privacy, combination of databases is never good. Some sites may not even offer their own registration/login system; they actually require you to log in with a third-party account like Facebook or Google in order to use their site at all! This may be your only hint to run for the hills.
If you absolutely need to use one of these sites for some reason, I strongly recommend that you maintain a separation of identities by creating a separate Google account (or whatever type of third-party account they require) exclusively for use with this site. In other words, make sure this Google account has not been used for any other site, and make sure it will never again be used for any site other than the one you’re using. By creating a separate account for just this site, you will ensure that no information from your primary Google (or other third-party) account, if you have one, will leak onto the site you are logging into. A password manager can help you keep track of the extra accounts for as long as you need them.