“Opting out” of something means you no longer wish to participate or contribute. But when it comes to your digital privacy and security, explicitly “opting out” doesn’t necessarily mean a tech company stops collecting, or even sharing, your data.
After a number of revelations this year, including reports that Google tracks location data when location history is turned off and that Facebook still collects data even when targeted advertising is disabled, it’s become apparent that many opt-out settings give you the illusion of control, while not doing much, if anything, to protect your privacy.
Here’s when “opting out” doesn’t stop data collection.
1. On Facebook, opting out of targeted advertisements from third parties doesn’t apply to data collection.
You probably didn’t realize that Android apps like Tinder, Grindr, and Pregnancy+ that use Facebook’s free software development tools send their users’ data to the social networking site. These apps are incentivized to share your data with Facebook because they benefit from the company’s products, like simple authentication (which Facebook manages) or user analytics (which Facebook provides). In return, Facebook gets a better picture of who you are, based on the apps you use, and uses this data to inform what ads you are served.
You can seemingly turn off “Ads based on data from partners” in Facebook by marking “Not allowed.” On its Ads settings page, under “Ads based on data from partners,” Facebook clearly states, “Now this setting gives you control over more of your data,” which could easily be misinterpreted to mean data collection and not data usage.
In fact, a Facebook representative clarified to BuzzFeed News that the controls don’t restrict the collection of data. The setting’s “Not allowed” option means that Facebook can’t use the data collected from third-party apps to serve you ads, but it can use the data for other internal features, like People You May Know. In small print, the company clarifies that it doesn’t delete any existing data after you’ve opted out, either.
2. Turning off Location History doesn’t stop Facebook from tracking your location.
Researcher Aleksandra Korolova found that even when location settings in Facebook’s app are turned off, the company learns your location anyway. In the company’s own support page for advertisers, Korolova discovered, Facebook explains that it uses open Wi-Fi networks, Bluetooth beacons, check-ins, business location boundaries, and in-transit detection to determine whether a Facebook advertisement led to a store visit in real life.
A patent Facebook filed in 2017 describes a technology that uses the strength of Wi-Fi, Bluetooth, cellular, and near-field communication (NFC, or the technology used for digital payment apps) to estimate your current location as an alternative to GPS. As revealed in Facebook’s responses to Congress earlier this year, the company is already recording this kind of information about users through its apps, including data “about other devices that are nearby or on their network,” “nearby Wi-Fi access points, beacons, and cell towers,” “signal strength,” and “online and offline actions.”
On top of that, until March 2018, Facebook worked with other data companies, including Acxiom and Experian, to learn more about its users, including their offline shopping histories, through products like loyalty cards at supermarkets and promotional email lists.
3. This goes for Google, too. Turning off Location History in Google doesn’t stop Google from tracking your location.
Google has a feature called Google Maps Timeline that shows in startlingly precise detail anywhere you were you went in the past month with your phone, as well as how and when you got there. You’d think that changing a setting shown at the bottom of your Timeline page, called Location History, would prevent location tracking. But it doesn’t. The setting to turn off location tracking, confusingly, is called Web & App Activity, and, when disabled, it completely stops personalization across all Google products.
4. Removing a third-party app’s access to your Facebook account doesn’t necessarily remove the Facebook data that app has already stored on its own servers.
On Facebook’s App Settings page (Menu > Settings > Apps and Websites), you can click to “remove” apps from your Facebook account.
After you've successfully removed the app, Facebook states, in small print, the app “may have info you previously shared” with it, and the onus is on you to contact the company to remove it.
If you’ve found apps with egregious access to your data, removing them isn’t enough. Before you do, click to “View and edit” the app. Then, in the pop-up window, scroll down to the “Learn More” section where it says “Contact [app name]” or “Give feedback for [app name]” and request that data be removed.
If you connected an app to Facebook before 2015, you may have unwittingly given it access to data you didn’t intend to share. After reviewing my own App Settings page, I learned I granted TripAdvisor access to all of my Facebook photos, including tagged photos of me. Waze, meanwhile, had access to my custom friend lists (including one named “Frenemies”).
Facebook’s lax permission policies for third-party apps is how 270,000 users who took a personality quiz app on Facebook gave a researcher access to personal data from as many as 87 million users. That data ended up in political research firm Cambridge Analytica’s hands.
Even if you didn’t explicitly give an app permission to obtain your information, Facebook may have handed it over for you. The New York Times published documents on Tuesday showing that the social network created business partnerships with other tech companies and gave them unprecedented access to personal data, without users’ explicit permission. Spotify, Netflix, and the Royal Bank of Canada were given access to read, write, and delete users’ private messages, while Microsoft’s Bing search engine could see the names of nearly all users’ friends. Facebook user data may have even helped Amazon combat biased book reviews written by people who knew the author.
5. For now, when you clear all cookies from Google Chrome, the browser removes all cookies — except for Google authentication cookies that keep you signed into Google products.
In September 2018, a tech executive named Christoph Tavan discovered that Chrome version 69 was not deleting Google’s cookies, even after you choose to delete “Cookies and other site data” in the browser’s settings. Additionally, after viewing a list of all cookies stored in Chrome and clicking on the Remove All button, the Google cookies seem to be removed. Then after refreshing the page, Google cookies are restored.
Tavan also found that telling Chrome to “clear browsing data” doesn’t clear the copy of your history in your computer’s local storage. “That comes unexpected[ly,] since local Storage is broadly used in web/ad tracking,” he wrote.
In a blog post this September, Chrome product manager Zach Koch said that Google will change how it clears cookies in a future version of the browser, and it will sign users out of Google completely if all cookies are cleared. As of the current version of Chrome (71), Google cookies are still preserved.
6. An upcoming Facebook feature called “Clear History” probably won’t truly clear a Facebook user’s web browsing history.
Facebook doesn’t just track you on Facebook. It also uses “like” buttons, invisible tracking pixels, and other mechanisms embedded in websites to watch and collect data about what you’re doing on the internet, even when you’re not on Facebook.
When you clear cookies and browsing history in your web browser, it stops websites and their advertisers from following you around. But because you’re constantly logged into Facebook, it’s not possible to clear the browsing data Facebook’s collected about you around the web, or to stop it from doing so.
Facebook announced a “Clear History” feature at its developer conference this year that addresses this data collection and claims to give users the ability to “flush your history whenever you want.” But experts told BuzzFeed News that, as the not-yet-released feature is described, it will only disassociate your Facebook profile from the data. It will not remove the web browsing data from Facebook’s servers.
Clear History seemingly gives users the ability to see their browsing history, clear it from their profile, and opt out of browsing history collection moving forward. But Erin Egan, the company’s chief privacy officer, said, “We’ll still provide apps and websites with aggregated analytics,” even if users opt out. This implies that the data will continue to be collected, but will be unidentifiable.
It’s always a good idea to read the fine print when you opt out, to figure out what is actually happening to your data.
If you want to limit the data you give companies, like Facebook and Google, here’s the best way to do that: clear your cookies, log out of those accounts while you browse the web, delete the mobile app and use it in your mobile web browser instead, limit your time on their products, and block trackers using “Do Not Track” extensions, like Privacy Badger.