All the Ways Facebook Can Track You


F-Secure invites our fellows to share their expertise and insights. For more posts by Fennel, click here

Facebook has unparalleled access to data tracking more than a billion individuals across the globe.

This access is “given” by people who would be denied access to Facebook and their “friends” if they do not agree to baffling terms and conditions. These Facebook users may not even be aware of what they’re disclosing or are so overwhelmed by the reality of what they’re revealing about themselves that they may be in denial of the potential consequences.

Regardless of what people tell themselves, there is an undeniable anxiety that feeds persistent rumors that Facebook spies on its users via the microphones and cameras on their mobile devices. This excellent ReplyAll podcast gives fascinating examples of how and why this notion persists in the general public, and just how hard it is to dispel even for the technically aware.

But Facebook does not need to use our microphones and cameras. It already has more than enough information from our metadata to know us better than even our spouses do.

However, understanding the power of metadata is not easy.

Metadata’s power does not come from any one piece of information, but from the sum of many insignificant pieces of information. All the little pieces are cleverly combined and correlated to guess precise and thoroughly creepy information that we never provided directly.

To give an idea of some of the information Facebook can infer about you, here is a list of nearly 100 spookily precise categories that they allow advertisers to use when targeting you.

One amusing demonstration of how this works is the satirical case of a “ye olde data scientist” working for the British colonial office who identified Paul Revere as the ringleader of the American Revolution, allowing the Red Coats to snuff out liberty before it had a chance to start.

Facebook has a lot more little insignificant pieces of information than we can easily grasp. It is impossible to really list every single possible piece of data that the site can capture about us, but I will try anyway!

The data Facebook potentially has on us all can be classified in 7 key categories:

1. Data you hand over willingly: everything you post directly; everything you ‘like’; every location check-in you make; all your friends/followers; all messages you send privately to your friends/followers; all your searches.

2. Data they can gather about your behaviour on their properties without any real consent: all your clicks; how long you stay on each image/video/text; how your mouse moves around (correlates with eye movements); all you type but don’t submit.

3. Data they can gather without any real consent about your behaviour on other properties that include Facebook spyware (ads, pixels, share/like buttons): all the same information as 1 & 2 combined; Facebook also creates shadow profiles for tracking ‘users’ who have never used a Facebook service.

4. Data they can gather without any real consent from your phone/tablet: finely detailed geo-location over time; what other apps you use; files (videos/photos/documents) on your devices; user names, contacts, messages, calls; the name and metadata of every WiFi hotspot and Bluetooth device you have ever connected to; the infamous camera/microphone surveillance that they deny.

5. Data they can gather without any real consent from your phone/tablet via other apps: same as 3 but without installing any Facebook app on your device; for example, Facebook bought a VPN app that can report back on all internet traffic from all apps on a device with the app installed.

6. Offline data they can buy and/or get via partnerships without any real consent: your credit history; your bank card payments history; your shopping loyalty program history; any available government records (house ownership, voter registration, etc.).

7. Online data they can buy and/or get via partnerships without any real consent: results of online tests you have taken for fun, which are often run by data stalking companies to build psychometric profiles (for example think Cambridge Analytica).

This list is far from complete, but this is all real data that we know Facebook and similar companies gather. None of it requires using the microphone and camera permissions that you ‘agreed’ to give them during installation.
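
As an added example (not from the original post), this Python sketch shows a defender-side check for category 3: it lists the third-party hosts a page makes your browser contact and flags those on a watch list. The sample page, the `news.example` site and the watch list are constructed assumptions, and first-party matching is a simple suffix comparison rather than a public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: registrable domains to flag; replace with your own blocklist.
WATCHED_SUFFIXES = ("facebook.com", "facebook.net")
# Tags whose URL attribute makes the browser fetch a resource on page load.
FETCHING_TAGS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# Constructed sample page for the hypothetical site news.example.
SAMPLE_URL = "https://www.news.example/article"
SAMPLE_HTML = """
<link rel="stylesheet" href="/static/site.css">
<script src="https://connect.facebook.net/en_US/sdk.js"></script>
<script src="https://cdn.example-analytics.test/a.js"></script>
<img src="https://static.news.example/logo.png">
<img src="https://www.facebook.com/tr?id=CONSTRUCTED&amp;ev=PageView">
<iframe src="https://www.facebook.com/plugins/like.php"></iframe>
"""

class EmbedCollector(HTMLParser):
    # Collects (tag, absolute URL) for every resource the page embeds.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(FETCHING_TAGS.get(tag, ""))
        if url:
            self.embeds.append((tag, urljoin(self.page_url, url)))

def host_matches(host, suffix):
    return host == suffix or host.endswith("." + suffix)

def audit_page(page_url, html):
    """Return ({third-party host: [tags]}, sorted list of watched hosts)."""
    site = urlparse(page_url).hostname.removeprefix("www.")
    collector = EmbedCollector(page_url)
    collector.feed(html)
    third_party = {}
    for tag, url in collector.embeds:
        host = urlparse(url).hostname
        if host and not host_matches(host, site):
            third_party.setdefault(host, []).append(tag)
    watched = sorted(h for h in third_party
                     if any(host_matches(h, s) for s in WATCHED_SUFFIXES))
    return third_party, watched

if __name__ == "__main__":
    print(audit_page(SAMPLE_URL, SAMPLE_HTML))
```

Every host in the result receives a request, along with any cookies the browser is willing to send to it, each time the page loads.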

And it’s only the beginning. They are also using cutting-edge psychological research to manipulate what we see to secretly push changes in our behavior, including behavior related to voting. Like Google, Facebook has bought a generation of the world’s best and brightest in fields as diverse as AI and anthropology, and put them all to work day and night trying to make the ultimate in paid advertisements.

We are wasting so much talent that could be curing diseases, elevating humanity, and making the world a more just and free place. And on what? Twisting society into a fishbowl with a very few people standing outside watching and making invisible changes to our water for their own purposes.

Protecting our privacy matters to the whole society. Without privacy all other civil and human rights are endangered. This is an obvious area where government regulation can make sense to restrict and outlaw socially destructive behaviors. This is what regulation is for: creating incentive structures that make our society more tolerable for more people, rather than the opposite.

So…A question I’ve had for a while. I have ExpressVPN, and use it every time I go online. However, I don’t think VPNs will stop Facebook from tracking me, right? If anything, it’ll just have them track me from a different IP.

Hi Tony,

The answer is a little bit complex, but in general, no, a VPN won’t stop Facebook from tracking you. A VPN basically transfers trust from your ISP, or whoever is providing the WiFi hot-spot you are using (Starbucks, an airport, your friend at their home, ...), to whoever runs the VPN service.

I’m not familiar with ExpressVPN, but a quick check suggests that they have had issues with poor security practices and continue to have issues around transparency, which personally I would find worrying.

The people who run any VPN service you use can technically spy on any of your traffic, can change that traffic, and do a lot of nasty things. If you cannot fully trust that provider, then this can be pretty risky. The same is true if you don’t have a VPN on when you connect to a random “free” public WiFi hotspot or to your ISP. In some places like the EU you can largely trust your ISP (except against government surveillance), due to legal protections, but that is not true in most of the world, including the largely unregulated US market.

And of course a reputable VPN provider will expressly state that they will never do any of these things, and put in place processes to prevent it from happening. Basically, at some point you will have to trust someone – the difficulty is deciding who that someone will be. Trust is a serious problem in the VPN market as there are so many fly-by-night operations and outright scams that it can be very hard for normal users to find something reputable (see for example this CSIRO research on mobile VPNs explained by WIRED).

In terms of tracking, the IP address you come from is only a very small part of how tracking is done. Our VPN service (F-Secure FREEDOME) does strip a lot of tracking domains (a fairly unusual feature for a VPN service), but that can never be perfect, and again does not cover all the techniques available to track people online.

Already, if you are a user of Facebook, WhatsApp, Instagram, or any Facebook property, you will likely have cookies saved on your browser (or the app on your phone) in order to not have to log in multiple times per day. Those cookies can directly track you across the web on any other website that contains content from Facebook (for example adverts from their network and “share” buttons). Having a VPN does not remove your cookies or other stored tracking information.

Even if you are careful to avoid these accounts and/or religiously log out and clear your cookies, your browser itself is very identifiable via a large array of “browser fingerprinting” techniques. The EFF has a nice page to test how unique your browser is and how many bits of potentially identifying information you are providing about yourself just by how your device and browser are configured. Even this is far from a complete survey of all the techniques available to unscrupulous surveillance economy companies.

So what to do? First, without serious regulation with hard consequences for these companies, you just cannot avoid all this tracking. You can however avoid a lot by combining solutions. Obviously, first don’t use services from Facebook and similar companies if you can possibly avoid it. This is clearly not always possible for most people, so when you do use them, try to log out and remove cookies as much as you can. Also consider using a completely different browser only for those services (a hygiene measure that is also recommended for banking services – i.e. 3 separate browsers ideally).

Second, you can get a lot of tracking hygiene by combining a reputable VPN service, a good ad-blocker (e.g. uBlock Origin & EFF’s Privacy Badger), and forcing HTTPS use as much as possible (EFF’s HTTPS Everywhere).

More advanced users can also go a step further by blocking as much JavaScript as possible, for example by using the NoScript plugin. Unfortunately a lot of sites force the use of JavaScript even to view basic static text+image websites, so NoScript use does require manual adjustment and some small inconvenience. That said, it does allow you to block the worst offenders and only accept running this unknown software on your computer when it is from the site itself and only when actually needed, rather than running random code (code which is mostly there for different kinds of surveillance) from 20 external domains for each site you visit.



Thank you for the writeup. But I think you don’t address/explain a few issues/concerns extensively enough so it is understood what you actually mean with the points.

Like buttons on other websites follow you around and call home to Facebook. What exactly is reported to the shadow profile? Can we know or is all traffic always encrypted?

Connected logins, “use Facebook to log in”, what actually is submitted to Facebook? Is there a Facebook shared session cookie set keeping track of everything for instance or just very limited interaction? It is a very convenient but quite concerning feature.

Notification plugins. What do they actually keep track of and report back? Basically browser plugin technology could be used to get access to every page you visit, even hijack the traffic and enable man in the middle attacks.

They actually have a patent for using the web camera for the purpose of customizing user content by detecting facial expressions. It is not only the installation of the app that is a concern:

A BIG concern is also 3rd parties, connected apps and friend requests used for data mining. All it takes is one friend installing a particularly bad app with extensive permissions and it has access to ALL the data the user itself has access to on Facebook, meaning all friends’ info, posts, PMs, photos, etc. So accepting unknown people as friends is bad (access to their data viewed as a friend) but an infinitely worse issue is the apps (access to their own data viewed almost or fully as themselves and friend data viewed as them). Through networking not many people at all need to install the app and data will be acquired exponentially from their friend circles. Significant privacy improvements might have been done here, I am not up to speed with their services, but a few years back this was the case I’m pretty sure.
