Advertising, the Facebook product
Facebook's financial results are crystal clear: more than 98% of its revenue comes from advertising. Facebook has 2 growth levers here:
- Increase supply: namely, providing more advertising opportunities to advertisers.
- Increase demand: namely, convincing existing advertisers to increase their advertising budgets, and signing new advertisers.
Increase supply: your available brain time
The most direct way to increase advertising supply is to acquire new users. As this internal memo indicates, Facebook applied this strategy of growth at all costs to the extreme:
That can be bad if they make it negative. Maybe it costs a life by exposing someone to bullies. Maybe someone dies in a terrorist attack coordinated on our tools.
[...] The ugly truth is that we believe in connecting people so deeply that anything that allows us to connect more people more often is de facto good. It is perhaps the only area where the metrics do tell the true story as far as we are concerned.
Another lever: diversifying by buying existing applications. In 2012, Facebook thus bought Instagram, its users and its know-how:

Zuckerberg on the takeover of Instagram: Facebook buys itself time in order to incorporate Instagram’s growth mechanisms into its apps (at the time, Instagram was ahead on mobile and photos).
Increasing the advertising supply also involves monetizing third-party inventory: Facebook offers apps the use of its ad-network, the “Facebook Audience Network”, in exchange for a commission. Note that monetizing third-party inventory depends on the ability to read the user's Facebook data, and this is arguably one of the reasons that pushed Facebook to close its ad-network on the mobile web. Via Intelligent Tracking Prevention (ITP), Safari users are protected against Facebook tracking on third-party sites.
Having billions of users on Facebook or Instagram is not enough; you have to make them dependent, whatever the cost. Here is a good summary from Robin Kelly, US Senator from Illinois:
The business model for your platforms is quite simple: keep users engaged. The more time people spend on social media, the more data harvested and targeted ads sold. To build that engagement, social media platforms amplify content that gets attention. That can be cat videos or vacation pictures, but too often it means content that’s incendiary, contains conspiracy theories or violence. Algorithms on the platforms can actively funnel users from the mainstream to the fringe, subjecting users to more extreme content, all to maintain user engagement.
Last lever: always display more advertisements (relative to posts from your friends and pages you follow). If you are still on Instagram, you may have noticed the gradual invasion of advertisements in your feed and in stories. Instagram has caught up with Facebook, and we have probably reached the saturation point. Even if Facebook and Instagram don't really have any competitors, advertising pressure is at its maximum.
Increasing demand: consumerism and propaganda
Offering numerous advertising opportunities is not enough; advertisers must still be convinced of the effectiveness of advertising on Facebook apps and on its network of partners. Facebook has several strong points: its ability to target a large part of the population, at different times of the day, its multiple targeting criteria as well as its "native" advertising formats. But the key point is profitability: Facebook must prove that it makes money for advertisers, and not the other way around.
How does Facebook optimize an advertising campaign? Here is a standard process:
- Start the advertising campaign without prior targeting: this makes it possible to reach users and test advertising messages.
- Then observe the conversions, in order to understand the characteristics of users who achieve the advertiser's objective, the most effective advertising messages, the best time and context to deliver advertising, etc.
- Finally, target similar users: “lookalikes” or “similar audiences” in adtech jargon.
Thus, the effectiveness of Facebook's advertising campaigns is closely linked to the information it holds about its users as well as its ability to correctly measure conversions.
By default, the advertiser specifies its goal, its budget and its message; the Facebook algorithm manages the targeting automatically.
Quite often, Facebook knows in advance the type of users to target because the advertiser has sent it a list of customers, called a "custom audience", and asked it to target similar users.
The advertiser can let Facebook find the right audiences, upload a “custom audience” or manually enter targeting criteria. It instantly sees an estimate of the number of people reached.
It may seem almost innocent when put like that, but Facebook targeting contributed to Trump's 2016 victory. Facebook's algorithm doesn't just optimize advertising campaigns; it also promotes the large-scale spread of propaganda and therefore represents a serious threat to democracies.
Facebook is spying on you, everywhere
On its applications
The general public knows the Facebook application. But Facebook also owns Instagram and WhatsApp, which are among the most used applications in the world. It also has a foot in the future with Oculus, its virtual reality platform, on which it would also like to deliver advertising. Each of your interactions is used to make you addicted and to monetize your attention.
Here, you can delete your Facebook and Instagram accounts, migrate your contacts from WhatsApp to Signal, and not buy an Oculus headset. One pitfall with Facebook and Instagram: it is not enough to deactivate your accounts, you must also delete them.
Everywhere else
What the general public doesn't know is that Facebook also spies on you elsewhere. The list of tools made available to third parties is as long as your arm, and these tools come at a price: they allow Facebook to collect ever more information about you, for its own use.
Here are some examples, not exhaustive:
- Social plugins including the famous “Like” button, very popular with publishers.
- The Facebook Audience Network, for application developers who want advertising monetization via the Facebook ad-network.
- The Facebook Pixel and the SDK, which allow advertisers to send the activity of their prospects and customers, from their websites and applications, to Facebook.
- Facebook App Events, which allows you to report events of all kinds (web, app, offline) to Facebook.
- The Facebook Login, which allows you to connect to an application via your Facebook account.
Most sites and applications use at least one of Facebook's tools. And since you are rarely asked for your opinion, Facebook often knows what you do, even if you do not have a Facebook or Instagram account. Apple's video ad for App Tracking Transparency is a good illustration of Facebook's invasive side.
Since the beginning of 2020, and in response to multiple scandals, Facebook has allowed its users to view their "off-Facebook" activity and to dissociate it from their accounts:
Don't be fooled by Facebook propaganda, "sometimes" means "usually."
Dissociating the activity does not mean deleting it from Facebook's servers... The firm keeps all your interactions but no longer associates them with your account. Note that Facebook won't make it easy for you: to separate your activities, you will need:
It would be so nice if it were a little more visible and took just one step... Like on your Google account, for example:
Google, the other big browser, makes your life a little easier.
Obviously, neither Facebook (nor Google) deletes your activity, it is too valuable. It's simply a matter of no longer associating it with your account.
What if you don't have a Facebook or Instagram account? Facebook is still monitoring you: it has your contact details via the address books it may have stolen from your friends, and it keeps your activities on the web, in apps and offline. What is the benefit for its advertising model?
- Facebook measures the impact of its ads by comparing conversion rates between people exposed to the ad and people not exposed.
- You may be exposed to Facebook Audience Network ads on third-party apps.
- More generally, your behavior allows the Facebook algorithm to improve its predictive models.
Surveillance in danger
As Internet users become more and more aware of the protection of privacy, surveillance outside of Facebook apps is becoming more difficult. We will study how Facebook adapts and communicates with advertisers, via the white paper "Why you should leverage Facebook's resilient signals", co-written with the French agency Fifty-Five.
Why communicate with advertisers? Facebook needs accomplices to monitor you outside its apps: advertisers must correctly use the tools made available by Facebook so that your personal data flows correctly and durably (the famous "resilient signals") to the ogre of Menlo Park.
First of all, why would Facebook's surveillance outside of its apps be in danger? For 3 reasons according to Facebook and Fifty-Five:
- The new laws (GDPR, ePrivacy, CCPA, ...) impose legal restrictions on widespread surveillance, such as a legal basis for processing personal data and prior consent for storing information or accessing information already stored (excluding technical cookies).
- Browser and operating system protections (Apple App Tracking Transparency or ATT, WebKit Intelligent Tracking Prevention or ITP, Firefox Enhanced Tracking Protection or ETP, ...) make tracking more difficult.
- Adblockers (uBlock Origin, NextDNS, Adguard, Blokada...) make it possible to block advertisements and other trackers at the source.
What impact for advertisers' advertising campaigns?
Facebook's current trackers, pixels and other SDKs, are not very resilient signals. We also see the opportunity for Facebook to extend its surveillance to what you do offline.
As we can see:
- Facebook can continue to measure what you do on its apps (Facebook, Instagram).
- Facebook has trouble measuring what you do on advertisers’ sites and apps: because of browser protections and adblockers, the old Facebook trackers are less and less effective.
- Facebook only has a very partial view of what you do offline.
How is this partial vision problematic for advertisers? Here Facebook and Fifty-Five must explain why widespread surveillance would be necessary:
Here, Facebook tries to reassure you with very generic targeting criteria. In reality, your advertising profile is incredibly more detailed.
Measuring advertising performance is essential. If Facebook has access to fewer conversions (purchases, registrations, installations, etc.), its algorithm will have less information on the criteria that work (user profiles, advertising message, advertising context), which will reduce the effectiveness of its advertising. The advertiser will potentially have to pay more for fewer results.
How to scare advertisers? If they don't allow Facebook to monitor you well enough, their advertising campaigns will no longer work properly:
“Holes” in the measurement among advertisers? A disaster according to Facebook...
If the advertiser does not fill these measurement “holes”, here are the consequences:
- Fewer conversions attributed to Facebook: some conversions will not be measured, the reporting will show advertising campaigns less effective than they actually are, with a higher customer acquisition cost.
- A truly less effective advertising campaign: Facebook will have less information to optimize the campaign.
- Imperfect information: As a result, the advertiser will doubt the reporting of possible future advertising campaigns.
“Resilient signals”, or how Facebook circumvents your protections
How does Facebook allow advertisers to fill these “holes”? Via what it calls “resilient signals”:
With your adblocker, did you think you were protected from Facebook's invasive surveillance? Wrong...
With the complicity of advertisers, here is how Facebook circumvents your protections:
- With the Conversions API (also called CAPI): since a Facebook tracker can be altered or blocked by your browser or your adblocker, the idea here is to leak your personal data to Facebook directly from a server controlled by the advertiser, via the Conversions API. The advertiser can deduplicate events already sent from your browsing on its website, and it can also leak other information it has about you (your “offline” purchases, your scoring in its CRM, etc.).
- With advanced matching for web applications: the advertiser can leak your personal identification data (last name, first name, email address, telephone number, etc.) to Facebook when you submit a form. Note that this leak can be configured automatically (via the Facebook pixel JavaScript tag) or manually (via the Facebook IMG pixel).
- With offline conversions: Facebook makes sure to collect your "offline" behavior, namely all your in-store purchases, your telephone reservations, etc. The advertiser can leak this information to Facebook via the Offline Conversion API, via its Facebook interface or by relying on one of the many Facebook partners. The list of “offline” accomplices includes point-of-sale payment terminals, digital receipts, loyalty cards, call center software, marketing and CRM software, integration platforms, as well as an expanding list of “Facebook Business partners”.
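One way to audit a site for the advanced-matching leak described above, as an added example (not code from Facebook, Fifty-Five or the original article): it scans captured request URLs for Facebook pixel hits and reports which identity fields they carry. The facebook.com/tr endpoint and the ud[...] parameter naming are assumptions based on the pixel's public documentation, and the capture is a constructed sample.

```javascript
// Added example: audit captured request URLs for Facebook pixel hits that
// carry advanced-matching identity fields. Assumptions: the pixel endpoint is
// facebook.com/tr and identity fields travel as ud[<field>] parameters.

const PIXEL_HOSTS = new Set(["facebook.com", "www.facebook.com"]);
const SHA256_HEX = /^[0-9a-f]{64}$/i;

// Returns null for non-pixel requests, otherwise a summary of the hit.
function auditPixelRequest(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // not an absolute URL, ignore
  }
  const path = url.pathname.replace(/\/+$/, "");
  if (!PIXEL_HOSTS.has(url.hostname) || path !== "/tr") return null;

  const identity = [];
  for (const [key, value] of url.searchParams) {
    const match = /^ud\[([a-z_]+)\]$/i.exec(key);
    if (!match) continue;
    // A 64-character hex value looks like a SHA-256 digest; anything else is
    // treated as plaintext personal data. A hashed value is still an
    // identifier: the receiver can match it against its own hashed records.
    identity.push({ field: match[1], hashed: SHA256_HEX.test(value) });
  }
  return {
    pixelId: url.searchParams.get("id"),
    event: url.searchParams.get("ev"),
    identityFields: identity.map((f) => f.field),
    plaintextFields: identity.filter((f) => !f.hashed).map((f) => f.field),
  };
}

// Summarise a whole capture (for example the URLs exported from a HAR file).
function auditCapture(urls) {
  const hits = urls.map(auditPixelRequest).filter((hit) => hit !== null);
  return {
    pixelHits: hits.length,
    hitsWithIdentity: hits.filter((h) => h.identityFields.length > 0).length,
    hitsWithPlaintext: hits.filter((h) => h.plaintextFields.length > 0).length,
    hits,
  };
}

// Constructed sample capture: pixel ID, hash and phone number are made up.
const FAKE_HASH = "ab".repeat(32);
const SAMPLE_CAPTURE = [
  "https://shop.example/checkout?step=2",
  "https://www.facebook.com/tr?id=000000000000000&ev=PageView",
  `https://www.facebook.com/tr/?id=000000000000000&ev=Lead&ud[em]=${FAKE_HASH}`,
  "https://www.facebook.com/tr?id=000000000000000&ev=Lead&ud%5Bph%5D=33600000000",
  "https://www.facebook.com/trending?ud[em]=ignored",
];

console.log(JSON.stringify(auditCapture(SAMPLE_CAPTURE), null, 2));
```

Server-side Conversions API calls never appear in a browser capture, so this audit only covers the pixel side of the leak.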
When Apple forces its hand, Facebook offers ads that are more respectful of your privacy
The Aggregated Event Measurement tool (also called AEM) allows Facebook to measure the effectiveness of advertising campaigns in an aggregated manner (256 advertising campaigns maximum, no individual tracking) when the user has refused Facebook or Instagram tracking on iOS (via ATT). It is a tool inspired by Apple's solution, WebKit Private Click Measurement or PCM, and it is the only privacy-friendly solution offered by Facebook.
Knowing Facebook, you might be surprised: why not monitor, on the web, the iOS users who have refused tracking on the Facebook or Instagram apps? Because in its guidelines for app developers, Apple is very clear:
Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes
If Facebook violated this rule, it would risk being kicked out of the App Store. You can delve deeper into the subject with the article “Understanding Facebook’s updated iOS14 advertising guidance”.
And why not use PCM directly? A mystery; Facebook only states:
Our solution is similar to Apple's private click measurement tool. However, it addresses some key use cases by advertisers not covered by Apple.
Note that if you refuse Facebook or Instagram tracking via the iOS ATT window, Facebook states that it reflects this choice in the processing of events sent via the Conversions API:
Events sent to Facebook via the Conversions API will also be processed in accordance with the limits defined by the aggregate event measurement tool.
How does Facebook handle events from other “resilient signals” (advanced matching and offline conversions)? Mystery...
Note that Facebook can also put forward proposals for advertising standards that better respect privacy. Some discussions between Apple and Facebook engineers (i.e. John Wilander and Ben Savage) sometimes make it possible to get past the Apple vs. Facebook conflict, with proposals that address advertising use cases while preserving the privacy of Internet users:
- Proposal for measuring the impact of an advertisement: in order to know whether there is a conversion even if the user has not clicked on an ad first, which is currently not possible with WebKit PCM. This proposal would make it possible to know whether the group that has been exposed to advertising has a better conversion rate than the group that has not been exposed.
- Proposal to allow platforms to measure the advertising campaigns of their advertisers: Ben Savage takes the example of Etsy, which allows its users to run Facebook campaigns. But with WebKit PCM, the "Etsy advertiser" is limited to 256 ad campaigns, and therefore Facebook cannot measure effectiveness or optimize campaigns for Etsy users (a level of granularity is missing).
- Proposal to give users control over their centers of interest: this addresses certain problems of FLoC, Google's much-criticized proposal to carry out behavioral advertising without third-party cookies.
Developments in browsers to better protect privacy are discussed within the "Privacy Community Group" of the W3C, the organization responsible for co-building web standards. Facebook therefore plays its part here, attempting to influence browser developments in order to limit the impact on its advertising business. And for that, Facebook must be credible with engineers from Apple, Firefox or Brave, whose first principle is respect for the privacy of Internet users (Chrome engineers often have Google's advertising bias).
On the subject of the W3C and this war for influence, read the excellent article "Concern trolls and power grabs: Inside Big Tech’s angry, geeky, often petty war for your privacy".
Illustrated circumventions, examples of advertising campaigns
To illustrate the impact of “resilient signals”, Facebook and Fifty-Five give 2 examples.
User sees an ad but doesn't click
First case: the user sees an advertisement on Facebook, does not click on it, but then goes to the advertiser's site to complete a form. He is then called back by a call center and finally registers.
Since this user's browser (Safari or Firefox for example) blocks third-party cookies from Facebook, the Facebook tracker (pixel) cannot read the Facebook user ID on the advertiser's website. Facebook is therefore unable to make the link between the user's advertising exposure and their browsing on the advertiser's site.
But when the user fills in the form, the advertiser is able to call the Conversions API or advanced matching for the web. It can thus send Facebook the personal identification data from the form (name, email address, telephone number, etc.), and Facebook can thus make the link with the user's account. Likewise, after registering the user by telephone, the advertiser will use the Conversions API to transmit the registration to Facebook.
User clicks on an ad
Second case: the user is on Safari, clicks on a Facebook ad, then visits one of the advertiser's product pages 8 days later, and finally buys offline.
When the user clicks on the Facebook ad, Facebook manages to place a first-party cookie on the advertiser's site. The Facebook pixel installed on the advertiser's site retrieves the click ID passed in the fbclid URL parameter and stores it in the first-party cookie _fbc. Note that Safari could very well delete these tracking parameters, as Brave has already been doing since last year.
Since 2019 and the ITP 2.1 update, Safari deletes cookies created on the client side after 7 days (here the cookie _fbc created by the Facebook pixel). When the user visits the advertiser's product page after 8 days, Facebook can no longer make the link with the initial click: it does not recognize the user.
The bypass is indicated by Facebook and Fifty-Five: the prerequisite is to use server-side tagging like that of Google Tag Manager, which makes it possible to create an HTTP cookie via the HTTP Set-Cookie header and thus bypass the 7-day lifespan of client-side cookies.
The next step is to configure the Conversions API to work with Google Tag Manager, a step already very well documented by Facebook and by Simo Ahava.
So when the user visits the product page, Google Tag Manager is called with a permanent first-party cookie, the mapping with the click identifier fbclid is correctly registered, and the Google Tag Manager server container can correctly call Facebook's Conversions API to pass on the information. Additional “benefit”: bypassing adblockers! Then, when the user purchases in-store, the advertiser uses the offline conversions tool to transmit the user's purchases to Facebook.
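The user's side of the fbclid / _fbc mechanism described in this second case, as an added example that is not part of the original article or of any Facebook code: it strips the fbclid parameter from a landing URL (the protection the article attributes to Brave) and checks whether a stored _fbc value is older than the 7-day client-side cap. The _fbc layout fb.<subdomain index>.<creation time in ms>.<fbclid> is an assumption based on the pixel's public documentation, and all sample values are constructed.

```javascript
// Added example (not from the article or from Facebook): strip the fbclid
// click identifier from a landing URL and audit a stored _fbc cookie.
// Assumption: _fbc values look like fb.<subdomain index>.<created ms>.<fbclid>.

const DAY_MS = 24 * 60 * 60 * 1000;
const CLIENT_COOKIE_CAP_MS = 7 * DAY_MS; // ITP 2.1 cap cited in the article

// Remove the click identifier before the page (and any pixel on it) sees it.
function stripClickId(rawUrl) {
  const url = new URL(rawUrl);
  const stripped = url.searchParams.has("fbclid");
  url.searchParams.delete("fbclid");
  return { url: url.toString(), stripped };
}

// Parse a _fbc value; returns null when it does not match the assumed format.
function parseFbc(value) {
  const match = /^fb\.(\d+)\.(\d+)\.(.+)$/.exec(value);
  if (!match) return null;
  return {
    subdomainIndex: Number(match[1]),
    createdMs: Number(match[2]),
    clickId: match[3],
  };
}

// Find one cookie in a Cookie request header ("a=1; b=2").
function getCookie(cookieHeader, name) {
  for (const pair of cookieHeader.split(";")) {
    const eq = pair.indexOf("=");
    if (eq > 0 && pair.slice(0, eq).trim() === name) {
      return pair.slice(eq + 1).trim();
    }
  }
  return null;
}

// Report whether a click identifier is still being sent, and how old it is.
// An identifier older than the cap has outlived what a script-written cookie
// would allow if it had not been rewritten in the meantime.
function auditFbc(cookieHeader, nowMs) {
  const raw = getCookie(cookieHeader, "_fbc");
  if (raw === null) return { present: false };
  const parsed = parseFbc(raw);
  if (parsed === null) return { present: true, valid: false };
  const ageMs = nowMs - parsed.createdMs;
  return {
    present: true,
    valid: true,
    clickId: parsed.clickId,
    ageDays: Math.floor(ageMs / DAY_MS),
    olderThanClientCap: ageMs > CLIENT_COOKIE_CAP_MS,
  };
}

// Constructed sample values: a landing URL and a Cookie header seen 8 days later.
const SAMPLE_URL = "https://shop.example/product?color=red&fbclid=AbC123";
const SAMPLE_COOKIES = "session=xyz; _fbc=fb.1.1700000000000.AbC123";
const SAMPLE_NOW_MS = 1700000000000 + 8 * DAY_MS;

console.log(stripClickId(SAMPLE_URL));
console.log(auditFbc(SAMPLE_COOKIES, SAMPLE_NOW_MS));
```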
Surveillance cheat sheets
To push advertisers to adopt its “resilient signals”, Facebook took advantage of the remarkable work of Fifty-Five. The white paper thus contains summary sheets for each “signal”.
A summary of the different “resilient signals”.
The Conversions API
Here is the cheat sheet for the marketing team:
Facebook and Fifty-Five recommend installing the Conversions API in parallel with the Facebook pixel, and therefore collecting events on both the client and server side.
The Conversions API thus makes it possible to bypass the protections of browsers such as Safari (limit of 7 days on cookies created in JavaScript). It also helps bypass adblockers when used in conjunction with server-side tagging. Finally, this API allows offline information to be transmitted, such as user scoring.
Here is the cheat sheet for the technical team:
We note in particular the following advice: "CAPI is a way to secure data for sensitive sectors (Banking, Insurance, ...)". And yes, your banking or insurance data leaks to Facebook, but don't worry, the connection is secure! Once again, everything is done to facilitate the leaking of all your interactions, particularly via native integrations:
- Tag Managers for your interactions with the advertiser's site
- eCommerce, CRM and Customer Data Platforms for your offline purchases and interactions.
Highlighting native integration with Google Tag Manager:
The integration of the Conversions API with Google Tag Manager's Server-Side Tagging is highlighted by Facebook, as Simo Ahava indicates.
Advanced matching
Here is the cheat sheet for the marketing team:
This option allows you to bypass the blocking of third-party cookies by browsers, and leak your personal data even if you have never clicked on a Facebook ad. In fact, the advertiser sends your personal identification data to Facebook, which allows it to link it with your Facebook account.
We note in the limitations:
- "Although cookie-less, it is key you collect consent from users": Do Facebook and Fifty-Five consider that your consent is not necessary with the other "resilient signals"?
- "If you work in sensitive sectors such as Banking, a heavier setup is required": you must then go through manual advanced matching and not automatic, i.e. configure the pixel (IMG) yourself to send personal identification data rather than letting the Facebook pixel (javascript) automatically retrieve the correct fields from the form.
Here is the cheat sheet for the technical team:
Nothing new, except the reminder that manual advanced matching must be used for "sensitive" sectors.
Offline conversions
Here is the cheat sheet for the marketing team:
Nothing new here either, only the observation that monitoring continues offline and is based on your personal identification data (name, email, telephone number, etc.).
Here is the cheat sheet for the technical team:
We can once again note the fact that it is possible for the advertiser to import offline conversions themselves, or to go through one of Facebook's many partners. Facebook's surveillance capitalism works thanks to a vast ecosystem.
The Aggregated Event Measurement (AEM) tool
Here is the cheat sheet for the marketing team:
This setting allows the advertiser and Facebook to “limit the damage” for iOS users who refuse tracking. Facebook reports aggregated performance information, which allows it to optimize advertising campaigns.
Note that Facebook can very well learn from campaigns that run on Android and on iOS users accepting tracking to better understand what works, what does not work (user profiles and advertising messages), and thus optimize campaigns on iOS users refusing tracking.
Facebook and Google, the precursors of adtech
As we have seen, Facebook has implemented a series of tools to bypass your protections and better monitor you, “resilient signals”. These tools are offered to advertisers, turnkey, with complete documentation:
- The white paper co-authored with Fifty-Five, "Why you should leverage Facebook's resilient signals".
- The Fifty-Five webinar, "How to leverage Facebook's resilient signals in a post-cookie world".
- Facebook's "Signals Playbook", accompanied by its Webinar.
Facebook's surveillance complex is impressive, but Google is no slouch. Facebook's Conversions API can rely on Google Tag Manager's Server-Side Tagging infrastructure to bypass adblockers and browser protections. And Google is evolving its own monitoring based on the Conversions API model with its "advanced conversion tracking".
These new practices will unfortunately be a source of inspiration for other advertising players, making advertising surveillance even more ubiquitous and difficult to avoid.
What can we do? This arms race (surveillance marketing vs. browsers and adblockers) is not enough; it will never protect the least informed. We therefore need to ban targeted advertising directly in law:
- By putting pressure on legislators, as the international coalition "Ban Surveillance Advertising" can do.
- By supporting the proposals of regulators such as the EDPS (European Data Protection Supervisor, the CNIL of the European Union): "EU’s top privacy regulator urges ban on surveillance-based ad targeting".