by manigandham 1849 days ago
10+ year adtech veteran here. This article is nonsense, written by someone without any industry experience.

Facebook has billions of users on several different apps. And people log into these apps to use them. FB, Instagram, Whatsapp. Cross-app tracking is not a big deal, they already know who you are.

The big hits are going to be a reduction in data collected by other apps fed to Facebook, and in measurement and attribution (like app install ads). If anything, it can actually strengthen their walled-garden data moat when advertisers realize that it's still the most efficient way to reach users. Their last earnings report shows significant growth and is the opposite of a struggling business.

8 comments

Isn't Google's position here, combined with their push for FLoC, just to create their own cookie and push out competition? It's them saying they have enough data about (profitable!) users now that they can join any future data against past data using not cookies nor app data but just Google property usage... ? And if they don't have enough data about you to do that joining today, then either you won't be profitable to them, or they're banking you'll create a Google account at some point.

Google Plus may have "failed" as a product, but a lot of data joining happened in that effort.

No, web and apps are very different environments. Websites used cookies to track users across sites from a 3rd-party company/domain. But cookies were constantly deleted and each domain had its own cookies so matching profiles was always rough. Apps all used the same long-lived device-level ID, allowing them to share data about the same profile much easier while having access to more details from APIs (like GPS and Bluetooth).

The web saw ad blocking, tracking protection, and privacy regulation which eliminated 3rd-party cookies - but apps were overlooked for a long time. Apple and Google finally added more API permissions and removed this device ID meaning that apps are now in the same place as websites. FLoC is just a way to solve for targeting by creating interest-based cohorts within your browser that don't reveal personal details.

However none of this affects 1st-party tracking. The more you share with an app or site, the more they know, and if you log in then they obviously know who you are. They can also still share that data with Facebook (subject to regulations). The major change here is to stop tracking in anonymous situations (like app installs that won't know which device clicked on an ad and then installed an app), not to stop all data collection.

> The major change here is to stop tracking in anonymous situations (like app installs that won't know which device clicked on an ad and then installed an app), not to stop all data collection.

Let's suppose you use Google or Facebook to discover an e-commerce site, and then you visit that site "anonymously", and then put something in your cart. Maybe you even convert.

If the site has a "log in with {Google,Facebook,etc}" pop-up, then Google/Facebook (even if you do NOT log in) can join your visit with whatever else data they have. (I think Facebook says, or said, something in their TOS that they won't but I wouldn't trust that-- they're recording the hit to their pop-up after all).

Google / Facebook will already record your click that led to the site. Now, you might not be logged in to Google or Facebook on the device visiting the third party site, but if anything else on the local network is logged in, then they derive data from your visit even if it's "anonymous." Even the regional impression gives them value.

So here's the deal though: that e-commerce site "owns" that session and impression. At the very least, they paid to serve it. What FLoC and this Android change do is make it harder for Google/Facebook competitors (e.g. Amazon ads, Microsoft, Verizon/Oath, AT&T, etc) to find something that can join the user visit to whatever data they already have. That makes the impression to the e-commerce site less valuable because now only Google/Facebook can derive data from it.

Moreover, Google / Facebook are going to target ads based upon that visit. Maybe not ads delivered to that user, and maybe not delivered on that e-commerce site (or for them), but they're going to derive targeting value nevertheless. So if the e-commerce site ever wants to run ads, FLoC and this Android setting should in theory make competitors to Google weaker.

So there's a lot of discussion about privacy here, but in the macro I can't help but see FLoC and this Android change as a way to protect Google's monopoly, and Facebook's moat over their own space.

When it comes to mobile, though, I thought there was already so much fragmentation between browsers / quirks, display settings, other User Agent meta, and IP addresses that fingerprinting without cookies was a lot easier than on the Desktop. And by now, many users have transitioned from Desktop to Mobile, making any other previously joined fingerprints more valuable (something Google or Facebook could do, but maybe not ATT/Verizon). So the Android opt-out really only hurts new properties or ad providers who are starting fresh, right?

Yes, Facebook and Google both learn from your actions on their site, including the outbound links. They can infer interests from that.

However most sites, like in your example, also include their analytics tools and directly send them data. Ecommerce stores will often report conversions with your email address to G/FB so that you can be targeted for ads as a return customer. A lot of the data collection is done like this where other businesses do the actual collecting and sending.

Mobile is much worse with privacy. The web has to deal with constantly changing security rules, limited APIs, and purged data. On mobile, most usage is in apps which have strong identifiers that never change, and access to far more system level data and APIs. They can - and do - leak far more data. That's why you have exposé articles that show that people were tracked by location for entire weeks at a time, which is not possible at all with websites.

FLoC is only for anonymous situations. If you're already logged into G/FB and are on their sites, or accessing their resources as a 3rd-party, then they already know who you are. FLoC and similar tech is used for when your identity isn't known, and then your browser provides rough categories of interests based on what sites you saw before. Remember the ultimate control over privacy is you and what data you willingly send. Many people log in and post everything themselves, thereby being their own worst enemy when it comes to privacy.

FLoC as I understand it can be used by anyone who has a large enough user surface area. Facebook can and probably will to some extent capitalize on FLoC.
A lot of people forget that Facebook ends up on your iPhone via dylibs included in almost every other app.
I have to imagine that at some point Apple will be targeting these frameworks as part of their privacy push.
Wait, what?
Sorry, I'm not sure what part of that wasn't clear. Facebook ships useful libraries to app developers as binaries and they use that to get code on everyone's phone in order to add to their data collection apparatus.

I'm pretty sure they're not the only ones who do that either. It's a pretty effective method to get around app sandboxes.

As someone who does not build mobile apps, none of that was clear from the earlier comment. I appreciate the additional explanation - I wonder if there's a way to find out which apps include this so I can avoid them...
You should probably avoid any closed source software that isn't community maintained just like on the desktop.

Unfortunately Apple and Google work extremely hard to make this somewhere between difficult and impossible.

Which libraries in particular report ad/identity telemetry to Facebook?
My stock camera app pings FB on startup because of this. Fortunately it can be blocked on Android.
How do I block this on Android?
You can do things that range from cutting off data access to the app to installing Blokada and cutting off access via DNS.
AFAIK in vanilla Android you have to use a VPN if you want to block access to a certain domain for all the apps.
NoRoot Firewall
That's fucking infuriating.
How can 3rd party developers make API calls to a binary?
https://developer.apple.com/library/archive/documentation/Ma...

I haven't touched iOS development in years but I believe you don't even need a dev account to publish these.

But with the recent change to iOS 14.5 (and Android 12), those apps can't report to Facebook that they're being used by the same user (unless the user opts-in). Right?
Is this the app-equivalent of the Facebook pixel?
Worse, it allows them to run arbitrary code in a lot of apps.

Do not install apps, unless absolutely necessary.

Couldn’t you say the same thing for web pages with JavaScript?
> Their last earnings report shows significant growth and is the opposite of a struggling business.

It helps when governments have given out huge grants specifically earmarked for social media advertising in an effort to help struggling brick and mortar business through the COVID landscape. It will be interesting to see if those earnings continue when businesses are back to paying for their own ads. In my business, which received one of those grants, I'm not sure the payback justified the spend, to be honest.

> Facebook already knows who you are

True, but do the small businesses know you? No. Facebook helps match other advertisers with you, and earns a good commission out of it.

Now, with these sweeping changes, Facebook would no longer be able to effectively connect marketers with you.

> Their last earnings report shows significant growth.

True. But the changes weren’t live back then. Apple released the App Tracking Transparency framework update with iOS 14.5 in mid-April.

I’m not a veteran in the ad tech space like you. Nor do I claim to be one. What I wrote are just facts mixed with my thoughts. None of the things are misleading.

It’s easy to make such sweeping remarks in the comments section. Maybe write an article on your thoughts over this, and we’ll discuss someday.

> "Facebook would no longer be able to effectively connect marketers with you."

Why not? What does small business knowing you have to do with anything? Marketers can target using demographics, interests, behaviors and tons of other factors to get new customers, or they can upload emails or other profile data to retarget existing users. Nothing has changed here.

> "But the changes weren’t live back then"

IDFA has had a global opt-out for years and 30% in the US have turned it off. The new change is to allow the opt-out on a per-app basis after install.

> "It’s easy to make such sweeping remarks in the comments section. Maybe write an article on your thoughts over this, and we’ll discuss someday"

It's "easy" because I've built multiple products and companies over a decade, and earned my knowledge and experience in the industry. I never said you were misleading though, but that's the 3rd incorrect statement you made in your reply after the two above.

No article needed, my comments already cover everything. This is a discussion forum though so go ahead and discuss right here if you want.

> "Marketers can target using demographics, interests, behaviors and tons of other factors to get new customers, or they can upload emails or other profile data to retarget existing users"

Demography, interests and behaviours are the exact things that won't be possible without the user's choice now. Coming to your question: small businesses won't have that much first party data to target new users accurately.

> "IDFA has had a global opt-out for years and 30% in the US have turned it off. The new change is to allow the opt-out on a per-app basis after install."

The opt-out feature was buried deep in the settings. Most users never knew it existed. Or aren't tech savvy enough to figure out how to disable it.

Also, do you have a source for this: "global opt-out for years and 30% in the US have turned it off"?

I don't think most users even knew about that feature until iOS 13. Alright, even if they do, a shift from 30 percent to over 80 percent with a single software update is huge. Still, would love if you could share a source.

Again, that's not how it works. The first-party relationship is between Facebook and its users (who willingly share all that data). Marketers run ads on Facebook by leveraging Facebook's graph and data which it owns.

Also that IDFA opt-out doesn't do anything for logged-in identities as I said before. That's why walled-gardens are so powerful and why privacy regulation has strengthened them even further. There is a big difference between independent adtech, 3rd-party data collection, and anonymous tracking compared to the first-party data moats that Google and Facebook have.

I wonder how big the hit is from paid app installs via Facebook ads. This is a much bigger market than a lot of people understand, and it's nontrivial to track conversions unless you have that mobile app ID.
It'll hurt attribution but if Facebook can't do it then nobody can, so overall spend might not change significantly.
Apple can do it: https://searchads.apple.com/

Some would say this is the entire point of Apple blocking cross-app tracking.

That's true, and it probably is. Or at the very least, Apple knows that app installs are still in demand and greatly helps the ecosystem.
As well as Google.
I only log into Facebook to tighten the privacy settings (I probably should just delete it, but they obviously had already built a large shadow profile for me before I created my account; presumably they’d keep doing that after I deleted it.)

They gather tons of my information from third parties, often through data sharing deals.

For instance, when I bought a car, the manufacturer somehow linked it to my Facebook account (without my knowledge or consent, and I don’t have a car app installed on my phone).

However, the vast majority of their profile on me is from cross-app sharing.

If you do business and give data to a company, whether through an app or some offline interaction, then they know who you are and can sync that data with Facebook or other ad companies as long as it follows regulations.

This change only stops easy syncing of a profile based on a stable device-level identifier, often used in (semi-)anonymous situations (like app install ads). It doesn't mean companies can't share data ever again.

That's why the public needs to push for advert targeting to be illegal - this way there will be no point to collect such data in the first place.

The targeting should only work in the following way:

- I sell car tyres, therefore to find my consumers I'll buy an ad on the Facebook car group.

Instead of:

- I sell car tyres, find anyone who asked their friends about where to buy car tyres, who is between 20-40, Caucasian, has a good credit score and has autism and is into rubber jokes.

> And people log into these apps to use them.

Yes, but Apple doesn't allow apps to show ads directly, iiuc.

What do you mean? Ads show up as native content in Facebook, Instagram, etc.
Sorry, I was under the impression that the AppStore guidelines prohibit the use of ads.
Not even a little bit. There are vast numbers of free, ad-supported apps in the iOS App Store. This is accepted, intentional, and mostly fine (because it's nearly impossible for malicious in-app ads to either compromise your device, or exfiltrate data the app itself doesn't already have access to, due to iOS security & sandboxing).
Ever see ads for games that say “99% CAN’T BEAT THIS LEVEL!!??” or similar garbage? Those games show full screen ads after every level or even every move.
I've heard of them. They certainly sound like garbage.

Was there a point to this, or did you just want to note that there are really terrible (but non-harmful) apps on the App Store?