Advisory: Changes to Facebook’s off-Meta Data Collection Policy
The influence expands
Quick note: if you believe you understand the issue at hand and are looking for our recommendations of what to do to limit risks to you, scroll to the end of this article for our list of suggestions.
Background
Some users of Facebook / Meta have reported receiving the following notification, which announces significant changes to how Meta handles your privacy. The announcement states as follows, with bold emphasis added:
“The Your activity off Meta technologies setting, which lets you disconnect your off-Meta activity from your account, is going away. You can use the updated Activity from other businesses setting to choose if we use this activity to show you ads and now other content.”
Both “Your activity off Meta technologies” and “Activity from other businesses” are references to specific in-app settings.
In this article, we will explain what this means, how it affects your privacy, what it indicates about the past, present, and future for Facebook users, and what we recommend can be done about it. In fact, we cover much of this topic in general, along with recommendations for what to do to maximize online privacy in our new book, Practive Security 101, available on Amazon.com.
Off-Meta Activity
Meta is one of the largest participants in an often hidden economy known as data monetization. They use the platforms and technologies they own to intentionally generate descriptive information about their users as those people use Meta products & services. Their goal is to leverage what you use and how you use it to create a detailed profile about you as an individual. That profile is hidden from your view, but it is used by Meta to curate your Facebook experience, meaning this is how they choose what you see in the product via content like ads, friend recommendations, and posts in your feeds.
They intentionally code their products and services to generate information that describes you, your interests, your behaviors, and more.
But Meta doesn’t stop with collecting information within their own platform. They also buy other platforms, purchase data feeds from other service providers / companies like Google and your ISP, and even embed web activity trackers in your web browser, so they can gather as much information about you as possible from anyone who has unique insights and will partner with them in this business.
In fact, there is a major South Korean app company that creates apps specifically to target demographics and information sets that are novel and not yet part of the larger marketplace of monetized data. The Band app, common among schools and youth sports, is one of these. The parent company that owns Band describes their business model as intended to gather unique information about people’s lives that they can sell to Meta in order to help expand the metaverse. You should pretty much assume any “free” app or service is doing a similar thing. That’s how they are self-funded.
WhatsApp is another great example of this. Meta purchased WhatsApp, which was a “free” product at the time, for $19 billion. How can a company that produces a “free” product and service be worth $19 billion? The answer is in the monetization of user data. In fact, WhatsApp has a negative reputation in the cyber security and privacy communities for using practices that intentionally leak or expose sensitive user information so that it can be used by Meta in their “off-Meta activity” data gathering programs.
This is actually a massive industry – it is the funding vehicle that generates most of Silicon Valley’s wealth. So much so, that when I was working for a financial services software company, the executive staff became obsessed with finding ways to use their software to generate unique data about people that they could sell in order to grow the business to new record levels in revenue generation. It’s a massive hidden economy. It’s also what led to the development of the modern so-called AI platforms, but that’s another story.
What does all this add up to? Attention, addiction, and influence. Originally this started with creating an ecosystem of highly effective targeted advertising. Facebook used to sell ad space and ad targeting to 3rd parties to help fund “free” Facebook and “free” WhatsApp. However, for many years now, Facebook has moved beyond that simple model and uses this capability for influence operations: to influence elections, culture, public narratives, etc. It is in effect part of a larger ecosystem of radicalization and behavior control of the population.
Facebook is so aggressive at this that they have been accused of creating “shadow” or “ghost” accounts and profiles of people they learn about through the collection and purchasing of user data (often called metadata). Facebook would learn about a person, attempt to associate that learning with an existing user of Facebook, and if they could not make a positive association, they would create a new profile for that individual and keep it updated so that when that person eventually joined Facebook, they would have a profile rich with information to make their Facebook experience customized to them from the start. This is well documented.
Limiting the Meta Experience
The following help article from Facebook describes a privacy setting that was once available, which would allow users to “disconnect” the data Facebook learned about them from non-Facebook sources from their Facebook profile/account. What that means is if you used that setting and told Facebook not to use “off-Meta” data about you, then if they had purchased a data feed from a 3rd party that contained your information, they (Meta) could not associate it with your Meta/Facebook profile and therefore it could not be used in your Meta experience. Let me say that again: by disconnecting that off-Meta data set, they could not use it in Facebook. Here’s how Facebook explains it:
https://www.facebook.com/help/1224342157705160/
“You can choose to turn off your future activity off Meta technologies with the Manage future activity setting.
Your activity off Meta technologies is a summary of activity that businesses and organizations share with us about your interactions with them, such as visiting their apps or websites. They use our Business Tools, like Facebook Login, Meta Pixel or Instagram Basic Display, to share this information with us. This helps us do things like give you a more personalized experience on Facebook. Learn more about your activity off Meta technologies and how we use it.
You can also choose to disconnect your activity off Meta technologies, which will disconnect your past activity from your account. Keep in mind, when you turn off future activity for all apps and websites, it’ll also disconnect your past activity.”
I’ll explain with an example. Let’s say you use your web browser to sign in to Facebook. Facebook is collecting information about you and what you are doing via your web browser. That’s in-Meta data because it’s information collected while you use their product, and they can use that for related purposes as defined and disclosed by their data use and privacy policy. If you open another tab in that same browser window and place an online order for pizza for dinner, then it’s possible that Meta could collect that information about your dinner order and merge it into your Facebook profile. That means they are merging your “off-Meta” pizza order with your “in-Meta” profile. You might suddenly see pizza as a theme in your Facebook experience, or you might see content from businesses or restaurants that are competitors who have paid Meta to influence you away from pizza and toward them, or away from your chosen restaurant and toward the advertising one.
I’m sure you’ve seen this before. We get a strange sense that Facebook or Google or Amazon are watching or listening to us in other ways and we see that in targeted experiences that merge contexts from different online experiences or even merge real-world activities with the digital one.
With privacy settings in Meta, it seems you once had the chance to prevent Meta from merging what they learn about you outside of Facebook (your pizza order in this example), with your profile they create based on what they can learn from you as you use Facebook (and other Meta products). You could basically limit their ads and influences to only what you reveal about yourself to them by using their products.
Meta’s Policy Change
What Meta seems to be doing now is getting rid of that old “off-Meta” data learning kill switch. With this change, they are admitting to their larger data collection scheme but are now taking away your ability to prevent them from using “off-Meta” data about you inside Meta. The new setting lets you tell Meta not to use that larger learned profile they maintain about you in order to manage what you see (news, posts, friends, etc.) inside the Facebook product. But it means Meta is going to continue to build that larger learned profile about you, using external data sources and information shared with them or purchased by them. They are taking away your ability to limit what they learn about you and what is in that larger story.
So now they can use “off-Meta” data in your Facebook experience, and this setting tells them not to…though they will retain the ability no matter what.
What is Learned About You
It may be difficult to imagine just what all this “learning” about you means, so I’ll attempt to describe that with some limited and simple examples, but the key to understanding the significance of this is in viewing this in aggregate, or in sum.
Let’s say you have a daily routine of reading the news and checking social media and email every morning while getting ready for the day. I think for many of us, that’s a normal experience that replaced how previous generations read newspapers each morning. Well, in the past, that newspaper was one product created for everyone, and what you chose to read and how you chose to use that product was up to you. The newspaper publisher had no idea what you were doing with their product. Some read it for the comics, some for the headlines, some for the letters to the editor, some for the personal ads, etc. But the news companies had no way of knowing what you did with the paper once you had it.
Today, when you turn on your computer or smartphone, that’s recorded. That can include the date, time, personally identifying information, your location etc. When you open your app or browser and start connecting to an Internet property, like Facebook or a news website etc. that’s also recorded – the time, the site, how long you spend there, what links you clicked on, what stories you read, what posts you read, how long you hovered on a page, what ads you saw…all your activity is being recorded and reported to data aggregators like Google, Microsoft, Meta, and others. Perhaps later in the day, during a break, you make a quick check of the weather, the news, and social media messages. All recorded. Perhaps at the end of the day, you do the same but for an extended time. Again, all recorded and added to your profile.
Collectively, over time this aggregate story of what you use the Internet for and how you use it creates a story about you as a person; your habits, your interests, your routines, your relationships, your mood, your views…etc. In fact, it can create a profile about you that reveals insights you may not be aware of; patterns of your life that you may not even notice.
Now all that information in the hands of someone like Meta that controls what news stories you see in your feed, or what friends you might be interested in connecting with, or what influencers or celebrities you might want to follow, means they can create an online experience that is specific to you. That also means they can create an experience that will influence, manipulate, and control you. They can feed you what they know you will be interested in, in order to capture your attention and get you to participate in what they want you to. They want you on the platform, because that generates more money they can use or sell, either to advertisers or to pay content creators, or to sell to political interests.
Now expand that out to think of all the demographic information that Meta has access to. Information about people groups, information about trends, information about how we collectively react to certain things. All the people who have similar patterns, profiles, and interests across the entire user-base of their products. They can use those larger demographics for influence as well; sometimes feeding, sometimes suppressing information and choosing those who get to represent current events and the narratives of our life and culture.
Why This Data Collection Change
Based on some basic searches of this announced change, it seems Meta has been planning this for some time and is rolling it out to users at different times. But Meta has also recently announced new user-profiling initiatives focused on using information they learn about us to guess our age in order to implement age-based access controls within their products. This is their attempt to comply with or get ahead of legislation that will mandate they prevent access to certain content by certain individuals based on age. We covered this in two recent articles, one specifically on the GUARD act, and the other highlighting Meta’s plan for compliance with the law via age-based content restrictions.
Meta wants to expand their ability to gather information about you to include new sources and types of information, to expand the details of your user profile that they maintain, so they can with legal precision identify exactly who you are. This, again, is in service to complying with age-based restrictions for accessing various content in their platform. This announced change means you no longer have any control over what they add to the profile they maintain about you, but you can tell Meta not to use all of what they have learned inside your Facebook experience. But they will still maintain it.
Basically, if they learn about your pizza order, you can tell them not to use that inside your Facebook experience so you won’t see content about pizza, but they will still know about it and they may still use that knowledge for other things…like controlling your access to the platform or controlling what features you can use.
In the short-term, Meta’s plan is to use this to identify the age of users so they can prevent those under 18 from being able to access AI chatbots. It is a form of digital ID used for government-defined censorship.
The Danger
Of course, the inherent danger in all this is in the amount of power Meta has and what they do with that power. Today, with this change, they are expanding their power and how it can be used. They are giving themselves permission to collect more information and to use it to greater ends, while reducing your say in that process. Today it seems to be about age-based access restrictions, but as we know from the last decade or so, Meta and their peers in Big Tech view themselves primarily as the curators of culture and politics in the West and the world. The leaders of Big Tech find their primary value and contribution to this world in being activists; to use their power and wealth and platforms for good as they see it.
And as we have seen in recent years, that greater good is in direct conflict with the values and morals of the West. They are agents working against us.
Let’s say that following some political transition in our country, Big Tech with their massive profiling ability wants to prevent anyone associated with a certain event or politician or idea from being able to speak about that through social media. Well, if they know about you and your association with whatever they deem taboo, then they can control your ability to express or participate accordingly. In fact, they have done this openly and have been broadly criticized for it in recent years. We have called it “election interference,” but the reality is it is cultural reconstruction.
Today it may be done in the noble context of protecting the children. But tomorrow, that setting can be easily switched.
How You Can Limit This Power
What we can or should do about this is difficult to answer. There are some things we can do to protect our privacy and prevent the data collectors from gathering information they use to build and sell these profiles about us, but at the end of the day, they run the platforms and so we are at their disposal so long as we participate. But knowing about this manipulation is also an important part of protecting your heart and mind from influence; knowing you are under the influence means you can watch for the effects and avoid the traps.
Here are some things you can do to limit the learning:
Use the new Meta setting to restrict them from using off-Meta data in your Facebook experience. This will limit their influence power over you within the product, which is a good step to take.
Use a web browser that focuses on privacy. I recommend Firefox, DuckDuckGo, or Apple’s Safari. Their default security and privacy settings are very good and they actively work against information gathering from websites and apps. Also use the DuckDuckGo search engine rather than Google or Bing.
Avoid using multiple browser tabs when moving from one Internet property (website) to another. Your browser session can leak information across tabs that can tell more of your story and associate you with more information or activity than you might like. Consider opening multiple browser windows and using bookmarks to save websites rather than maintaining many open tabs across many websites.
When prompted about cookies, always choose the most restrictive option and avoid accepting “all cookies.” Cookies are the main way your browser maintains awareness of you and your recent activity on websites. They are mini spies.
Avoid the Google ecosystem, including Android, Chrome, and Gmail. This ecosystem is designed to maximize information collecting, selling, and use for manipulation. The Android OS is designed to allow apps on your device to share information, which is how much of it can be harvested and associated with you. The same is true of the Chrome browser, and of course Google monitors your Gmail inbox all the time.
Also avoid the Meta / Facebook ecosystem of apps, including WhatsApp and Facebook Messenger. Meta maximizes information gathering across their products, as they can use common and deceptive language in privacy policies to give them authorization to use whatever “they” collect from their products.
Avoid “free” messaging apps except those that honor privacy and security. I recommend Signal.
While all social media companies have problems, the handling of information, speech, and privacy by X under Elon Musk is the best there is. Consider migrating off the legacy social media platforms if you can, and if not, then limiting use as much as possible.
Consider using a VPN and keeping it always on. Your Internet Service Provider (ISP) is a major source of information harvesting, which they sell to big data brokers like Amazon, Meta, Google, etc. Using a VPN on your device will limit what your ISP can see you doing, and that can limit their ability to learn about your activity…which in turn limits what the big aggregators can learn about you or associate with you. A VPN can limit or interfere with the functionality of or access to some websites, so you may need to disable it temporarily for some activities.
These practices should help maintain your privacy from the many spies that are on the Internet, which in turn should reduce the ability of organizations like Google and Meta to influence and manipulate you…and in turn…all of us.
