Facebook is rolling out a global tool to help you understand what other sites and apps tell it about your activities, to make it forget what they’ve shared in the past, and to control what they share in the future. It’s called Off-Facebook Activity, and it’s part of the company’s effort to appear more privacy-friendly to its users. This article looks at how to use it.
Facebook first launched its Off-Facebook Activity feature in August 2019, making it available in a few select markets at first. It shows you what third-party sites and apps share data with Facebook about your activities when you visit them. The social giant also launched a Clear History feature at the same time, which lets you disconnect that data from your account.
This week’s announcement sees the company rolling these tools out globally. So why do we need them, and how do they work?
Facebook doesn’t just log what you’re doing when you visit its site. It also interacts with many of the third-party sites and apps that you use. Those third parties send Facebook information about your activities including things like opening an app on your mobile, logging into it online using your Facebook ID, or even just visiting a site. Many sites also log your searches and purchases, or whether you added an item to a wish-list or cart.
They do this in three ways: the first uses Facebook’s Pixel. This piece of Facebook code is known more generically as a web bug, and it logs your activities on any site that embeds it, sending that information back to Facebook. The second is the Facebook SDK, which is a software toolkit that people can use to build similar capabilities into everything from mobile apps to PC games. There’s even a separate one for tvOS, the operating system inside Apple TV devices. Finally, they use your Facebook Login, which is the feature that lets you log into sites automatically when you’re already logged into Facebook.
Sites and apps send Facebook this information along with the unique identity of the device that you’re using, which they collect using a software tracker.
Facebook also knows what device you use, and it has your personal information too, so it can index your activity on all these sites against your real identity, not just a number. This is how the company builds incredibly detailed profiles of its users and what they do around the web. It doesn’t sell that information to third parties, but it does use it to help them target ads.
Users (and governments) have been increasingly concerned about this tracking activity, especially in the wake of the Cambridge Analytica scandal, and the Off-Facebook Activity function is Facebook’s response to that.
You’ll find the tool by clicking the down arrow at the top right of your screen, and then selecting Settings. From there, select Your Facebook Information in the left sidebar:
Then you’ll see the Off-Facebook Activity option halfway down.
Facebook shows you a list of the apps and sites that have shared information about your activities when you visited them.
Next to each item is a number indicating how many interactions of yours the app or site reported to Facebook. Clicking an item on the list reveals the Activity Details pane:
It doesn’t reveal exactly what those interactions were. Neither does it reveal very recent activity, which takes a few days to show up. There is a ‘Download activity details’ button which, when clicked, takes you to an existing Facebook feature that lets you download everything in a searchable file.
You can configure settings such as the period of time you want to download, and the file format. HTML is human-viewable while JSON is designed for programs to read. I suggest creating both. Facebook said it can take up to a few days to create a file, but it took just a few minutes to collate ten years of activity for my account.
Back at the Activity Details pane, there’s another option at the bottom: Turn off future activity. Clicking here pops up another pane like this:
Hit ‘Turn Off’, and within two days Facebook will stop connecting events from that third-party site or app with your account. It also means you won’t be able to use your Facebook ID to log into that site in the future, possibly forcing you to set up new credentials with third-party sites if that was your only login method.
Turning off future activity for an individual site doesn’t mean you’re done. For one thing, Facebook admits that this list isn’t comprehensive. It collects more details and activity that it doesn’t show “for technical and accuracy reasons”, including information that it gathers when you’re not logged into Facebook (see more information about shadow profiles). It also still has all the data that it’s already collected from these and other places. To disconnect that activity from your account, and to disconnect from all activity in the future even if it isn’t displayed on the Off-Facebook Activity screen, you need two other things: the clear history button and the Manage Future Activity link. Look for them on the top right of the Off-Facebook Activity screen:
When I selected Clear History, the pane showed me several third party sites and apps that were not listed in the main Off-Facebook Activity page.
Confirming that you want to clear your history prompts a banner from Facebook telling you that “your activity has been cleared.” Note that Facebook doesn’t actually delete that data. It told us:
If a person clears their history we disconnect the activity we’ve already received from their account. If they disconnect future activity, we won’t use their off-Facebook-activity to target ads to them and we won’t attribute any interests to them based on this data. It can take 48 hours to disconnect the information depending on how long it takes our system to process it.
We’ve created a new type of ID for people within our system called a “separable identifier. This means the information that identifies who they are can be separated from their off-Facebook-activity. When you clear your history, we complete the separation. For example, after someone clears their history we might know there was a visit to a shopping website, but we won’t know who went there.
If you want to turn off all activity, click on the Manage Future Activity link. This gives you two simple options: turn off your future Facebook activity using a slider, and then view the activity you’ve turned off.
Click the slider, and it’ll display a finger-wagging pane reminding you that you’ll still see ads, and they’ll still be personalised based on what you do on Facebook. It’ll sign you out of some apps and websites, and sites will still send Facebook data about what you do when you visit them. Facebook just won’t connect that data to your account.
If you click it and then select Manage Future Activity, Facebook will show a banner telling you that all future activity has been turned off.
This is a step in the right direction but it isn’t perfect. It would be nice if Facebook showed you all the activities recorded about you from all sites, upfront.
It would also be nice if it deleted your data when you cleared your history, and it would preferable if the company didn’t collect data that you generate when you visit other sites. It still will – it just won’t tie it to your account.
What can you do if you want to continue using the social network but its Off-Facebook Activity functionality isn’t enough for you? Firefox offers a Facebook Container that creates a boundary between Facebook sites and the rest of the web. EFF also offers its Privacy Badger extension to block third-party tracking based on site behaviour, and there are several other signature-based blockers.
Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.
