Doordash and Thousands of Other Companies Passively Send Your Data to Facebook

On June 9th, 2020 at 2:13 pm, I paid $13.87 to have bubble tea delivered to my house via the popular food delivery service Doordash. I can’t say I’m especially proud of this decision.

When I made the purchase, I expected that my little indulgence would remain between me and Doordash, since I hadn’t done anything to explicitly link the service to my other online accounts. Maybe the driver who delivered it would roll their eyes. Maybe Doordash’s recommendation system would say “Ah, that’s a juicy sale!” and suggest I repeat the order in a few days. But I assumed my purchase wouldn’t ripple much beyond that.

But I was wrong. Doordash (and hundreds of companies like it) aren’t just recording every purchase you make. They’re also sharing purchase data with other companies, who are using it to target ads. And as I would discover as a result of my extravagant bubble tea order, one of those companies is Facebook.

When the California Consumer Privacy Act (CCPA), a landmark privacy law, went into effect on January 1, it gave residents of California an unprecedented legal tool to access the information that big companies gather about them. This includes companies that would really prefer that their activities remain in the dark, like Clearview AI.

But the CCPA has also created a new and interesting corporate privacy strategy — drown the consumer in information. The logic here makes sense. The CCPA is scary — fines under the law, which began to be enforced on July 1, could easily run into the millions or even billions of dollars for large companies. Faced with this risk, some companies seem to have thought, “If we give the consumer access to basically everything, we can’t possibly be accused of CCPA noncompliance, right?”

The result is that consumers can now access massive data dumps from several large companies, including Facebook. To get your own, you simply go to Facebook.com/your_information, click on Download Your Information, and follow the instructions. Often within a few minutes, you’ll be invited to download a giant zip file with everything Facebook knows about you.

And when I say everything, I mean everything. My own data dump was 461 megabytes. It contains every post I’ve ever made on Facebook, every photo I’ve uploaded to the platform, everything I’ve commented on or liked, all my videos, conversations with my friends, and a good deal more.

That Facebook gathers all this data is not exactly breaking news. We’ve all known for a long time that Facebook is aware of basically everything we do. In his painful visit to the U.S. Senate, Mark Zuckerberg even made clear the company’s reason for learning everything about you: “We run ads.”

It’s still breathtaking to see your entire online life arrayed in front of you in little folders filled with HTML documents. But it’s not shocking, exactly.

What’s more interesting is a tiny folder, hidden away in Facebook’s massive data archive, labeled “your_off-facebook_activity” (a directory name that only a programmer could love). This folder contains a list of all the companies that have provided data on your activities elsewhere back to Facebook. It’s new as of January 2020.

In Facebook’s own words, this data captures “a summary of activity that businesses and organizations share with us about your interactions with them, such as visiting their apps or websites.” This includes “Opening an app, logging into an app with Facebook, viewing content, searching for an item, adding an item to a shopping cart, making a purchase” and “making a donation.”

Yup. If you’ve bought an item on myriad e-commerce websites, made a donation to a political campaign, used any of several hundred participating apps, or, in my case, bought a wildly expensive bubble tea, there’s a good chance Facebook knows about it. What are they doing with this knowledge? Again, it’s pretty clear. It’s there so it can “show you more relevant ads,” “help you discover new businesses and brands,” and the like.

It’s not surprising to me that Facebook is hoovering up all the data it can possibly get its hands on. What is surprising, though, is how many of the companies I know and trust are willingly handing that data to them.

Reading through my own “Off-Facebook” data page, I found a who’s-who of apps, websites, organizations, software programs, and political causes. My list included everything from large companies I use (like Sprint and Airbnb), to news websites (like the New York Times and Bloomberg), to medical providers (LabCorp), to charities (Carbon Fund).

Even a plumber whose website I recall finding through a Google search, Mr. Rooter, was on the list. Also present were wellness apps like Fitbit and Welltory, and local businesses’ websites, like a pizza place two towns over that I frequent. In all, more than 1,000 external companies had provided information about my activities to Facebook.

Clicking through on each company, I was able to see a summary of the data they had provided — sort of. Many of the specifics of these transactions were obscured by generality. Facebook lists an “Event” type field for each data point, and most had the generic (if a bit ominous) designation “CUSTOM.”

But many did not. And from the Event type, it was often easy to determine what Facebook had logged. Looking at my entry for Doordash, for example, I saw that several events were recorded as “PURCHASE.” Each of these was time-stamped. I cross-referenced these against my Doordash order list. And that’s how I discovered that my indulgent bubble tea order had made its way from Doordash into Facebook’s vast database of my life.

The order in question was indeed logged as a PURCHASE event in my Facebook data, shared by Doordash. It had a time stamp of 2:13 p.m. on June 9th. That’s exactly when I placed the Doordash order, and the time stamp matched exactly with the order history I was able to access in my Doordash app.

Again, Facebook showed me a little hint of the data it’d collected. But what it showed raised more questions than it answered. Facebook’s own page on Off Facebook Activity says that “For technical and accuracy reasons, we don’t show all the activity we’ve received…We also don’t show details like the item you’ve added to your shopping cart.”

They don’t show it. But do they collect it? From the Off Facebook Activity view alone, it’s impossible to know. So I decided to find out. I filed a CCPA request with Doordash, but it languished. So I fired up Google’s Chrome browser, started network monitoring using the browser’s Developer Tools (which records all the raw data your browser sends and receives), set up a filter for data sent to Facebook, went to Doordash’s website, and created a brand new account.

From the very first click, I was blown away by what Facebook is gathering. As I navigated from page to page and completed the account creation process, Doordash continually pinged Facebook with detailed updates about my activities. These included the fact that I signed up for an account, the moment I logged into it for the first time, and every page that I viewed while on the Doordash website.

Again, this was with a brand-new Doordash account. I hadn’t used my Facebook account to log in to Doordash, or done anything to link the two services. Doordash chose to share my data with Facebook entirely of its own accord, and entirely without my knowledge.

To dig deeper, I decided to recreate my lavish bubble tea purchase, this time with full monitoring. It was breakfast time, so I decided to find a smoothie instead of tea. I navigated to the page for my local Vitality Bowls restaurant. As I did so, Doordash diligently sent data about each of my actions to Facebook. I saw a smoothie that I liked (the Tropical Paradise™ for $7.49), so I clicked on it to learn more. Doordash sent this click to Facebook. It even included the name of the item I had clicked, and the store it was linked to (Vitality Bowls Dublin).

The smoothie looked good, so I added it to my cart. This generated another ping to Facebook. I finished the checkout process, and sure enough, with my last click Doordash sent Facebook a PURCHASE event. Only this time, I could see exactly what they sent. It included an identifier for the store, an ID for the smoothie itself, its purchase price, an ID for the Doordash shopping cart and order, the quantity I had purchased, the currency I was using, and the fact that I was a new customer. The amount of data being sent to Facebook was mind-blowing — every aspect of my shopping experience, down to the individual click and the exact amount I had spent, was logged and duly shared.

A snippet of the data about my smoothie purchase, which Doordash sent to Facebook. Redactions of potentially identifying information in red are my own. Image: Thomas Smith
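
An added example, not part of the original article: one way to audit a browser capture like the one described above for data sent to Facebook. It assumes the DevTools Network log was exported as a HAR file and that pixel events are requests to `facebook.com/tr` carrying the event name in `ev`, the page URL in `dl` and per-event details in `cd[...]` parameters; the sample capture, hosts and IDs are constructed.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Assumption (not stated in the article): pixel events go to this host and path.
PIXEL_HOSTS = {"facebook.com", "www.facebook.com"}
PIXEL_PATH = "/tr"

def request_params(request):
    """Collect query-string and form-body parameters from one HAR request."""
    pairs = parse_qsl(urlsplit(request["url"]).query, keep_blank_values=True)
    post = request.get("postData") or {}
    if post.get("params"):  # HAR keeps already-parsed form fields here
        pairs += [(p["name"], p.get("value", "")) for p in post["params"]]
    elif "urlencoded" in post.get("mimeType", ""):
        pairs += parse_qsl(post.get("text", ""), keep_blank_values=True)
    return pairs

def pixel_events(har):
    """Return time, event name, page URL and custom data for each pixel hit."""
    events = []
    for entry in har["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        if url.hostname not in PIXEL_HOSTS or url.path.rstrip("/") != PIXEL_PATH:
            continue  # not a request to the pixel endpoint
        params = request_params(entry["request"])
        fields = dict(params)
        events.append({
            "time": entry.get("startedDateTime"),
            "event": fields.get("ev", "(none)"),
            "page": fields.get("dl"),
            # cd[name]=value pairs carry the per-event details (price, ids, ...)
            "custom": {k[3:-1]: v for k, v in params
                       if k.startswith("cd[") and k.endswith("]")},
        })
    return events

# Constructed sample capture: hosts, ids and values are made up.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2020-07-01T08:00:01Z", "request": {
        "method": "GET",
        "url": "https://www.facebook.com/tr/?id=000&ev=PageView"
               "&dl=https%3A%2F%2Fshop.example%2Fstore"}},
    {"startedDateTime": "2020-07-01T08:00:02Z", "request": {
        "method": "GET", "url": "https://shop.example/api/menu"}},
    {"startedDateTime": "2020-07-01T08:03:10Z", "request": {
        "method": "POST", "url": "https://www.facebook.com/tr/",
        "postData": {"mimeType": "application/x-www-form-urlencoded",
                     "text": "id=000&ev=Purchase&cd[value]=7.49"
                             "&cd[currency]=USD&cd[num_items]=1"}}},
]}}

if __name__ == "__main__":
    # To audit a real capture: har = json.load(open("capture.har"))
    for e in pixel_events(SAMPLE_HAR):
        print(e["time"], e["event"], e["page"], json.dumps(e["custom"]))
```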

Again, Doordash is far from the only company sending my data to Facebook. Many other companies also shared purchase data. Sprint, for example, logged a PURCHASE record with Facebook around when I bought a new cell phone.

Other companies provided data beyond purchases in a somewhat-understandable format, too. For example, several news sources told Facebook when I “VIEWED CONTENT” on their site. Welltory, a wellness app, shared when I “LEVELED UP.” What that means, I have no idea. But it has a nice Dungeons and Dragons feel to it.

And then there are all those “CUSTOM” records. Using the same browser data monitoring technique, I could likely determine what many of them signify. With CCPA, though, there may be a much easier approach. I can simply file requests with each company I’m curious about, and likely determine exactly what “CUSTOM” data they’re sending to Facebook. That’s exactly what I plan to do.

To Facebook’s credit, they’re extremely clear about why they’re gathering all your data. And they make it comparatively easy to access a massive archive of all your Facebook-related activity (in a human-readable HTML format, nonetheless!), which at least points you to which companies are sending them what categories of data, even if the specifics are vague. They should include more (like the exact data being logged), but it does provide a start, and many of their data collection efforts are disclosed publicly.

Other organizations that share your information with the company may be less comfortable with that sharing coming out. Some may not even realize what they’re sending to Facebook. Zoom made that claim when it was accused of sharing data, in violation of its privacy policy, earlier this year. (Doordash’s privacy policy acknowledges that it shares data with third parties, but doesn’t specifically mention Facebook.)

And some companies may be sending data they shouldn’t. Facebook has policies to prohibit sending sensitive data, like medical or financial records. But when everything is labeled “CUSTOM,” it’s impossible to tell if those policies are being followed.

That’s where laws like CCPA come in. If you’re curious about who is sending your data to Facebook — and what, specifically, they’re sending — you now have ways to find out. First, get your own massive data dump from Facebook, using the process I describe above. Then, comb through the “Off-Facebook activity” section to see who’s been sending them data about you.

Finally, file a CCPA request with each company, requesting a detailed description of how they’ve shared your data, and for what purpose. Your request will have the backing of law if you live in California. But many large companies are extending CCPA access to customers outside the state, too. So it’s possible you’ll get a response even if you’re not a Californian.

If you’re not happy with a company’s response, or feel they’re holding data back, get a lawyer. Since enforcement of the law went into effect on July 1, several firms are now taking CCPA cases. According to Mike Cardoza, a consumer protection attorney whose firm has begun accepting CCPA cases, attorneys “often pursue the cases as class actions, which are a good way to discourage corporate misbehavior.”

CCPA and other privacy laws have given us, as consumers, an unprecedented level of access to our data. But the laws only work if we actively participate in our own privacy, learning about who is gathering data on us, and why. That can take a lot of work, and who wants to spend hours combing through the obscure corners of a giant zip archive, or searching through raw HTTP requests to find little tidbits of personal info? But if we want to ensure that our online lives are protected, we need to put in that work.

So roll up your sleeves, grab your own Facebook data archive, and start digging. If you find something surprising or concerning, use CCPA or other laws in your jurisdiction to follow up on it. I’ll be doing the same thing right alongside you. Only by taking these steps towards transparency and access can we empower ourselves to understand what giant companies know about us — and who they’re telling.

Oh, and Facebook, if you’re listening: The tea was totally worth it.

Translated from: https://onezero.medium.com/doordash-and-thousands-of-other-companies-passively-send-your-data-to-facebook-4ebe851e710
