Facebook's tracking tools are even worse than we feared

During a Senate hearing today, Senator Josh Hawley asked Mark Zuckerberg about Facebook's mysterious "Centra" internal dashboard. Zuckerberg's answers should worry us all.


Jack Dorsey and Mark Zuckerberg faced another grilling from the U.S. Senate today, mostly over spurious claims that their social networks are silencing conservative voices in the fallout of the presidential election. One more interesting tidbit from the hearing was when Senator Josh Hawley of Missouri asked Zuckerberg about "Centra," the name for what he claims is an internal tool Facebook uses to track its users across the internet.

Hawley shared a picture of the purported tool on Twitter, which he says he obtained from a Facebook whistleblower.

The dashboard, if authentic, shows a litany of data points Facebook has on individual users. And importantly, it highlights how users cannot easily escape the company's tracking even if they want to.

Break them up — One such label visible in the dashboard, "3 Device Linked IG Accounts," shows that Facebook can use a device's unique hardware identifiers, like a smartphone's fixed IMEI number, to log the same user's activity on that device even if they switch accounts. Basically, you don't need to be logged into a particular account for the company to know it's you — create a new Instagram account and device-level identifiers will be used to recognize you're the same person. When you log in to Facebook on the web, the company drops a "DATR" cookie that will keep track of your activity even after you log out... and for up to two years thereafter.

It's been previously reported that Facebook uses browser cookies to track people who've never created a Facebook account at all, creating "shadow profiles" for those it hopes might create an account later.

The state of ad-tech — None of this is surprising, and Facebook is far from alone in performing this type of tracking — the entire online advertising industry is built upon it. In order to generate a detailed profile on individuals for the purpose of precise targeting, Facebook needs as much visibility as possible into your browsing activity across devices and platforms.

If you switch accounts — or use a smartphone and laptop interchangeably and your browsing activity doesn't sync across them — advertisers get much less information on you with which to target ads. Fixed identifiers allow Facebook to log user activity even if they've logged out, or deleted the Facebook app, or are using a different web browser.

The scope of this tracking may still be surprising to some people, despite awareness that Facebook collects heaps of data. Critics have said that users might be willing to exchange their data for free services, but the vast tracking apparatus used by Facebook and others is so complex as to make it difficult for the average person to know the extent of the tracking.

Apple responded to these privacy concerns with its release of iOS 14, which now requires apps to request permission before they can use a device identifier. Some apps monetize via advertisements from Facebook, which requires the company be able to identify who the user is. Without being able to link an app user to the information Facebook knows about them, the ads lose all the precise targeting secret sauce that makes them valuable. Zuckerberg has said that the change could wipe out billions in revenue. Apple has temporarily paused the change in order to give Facebook time to change its model. Meanwhile, all we hear are tiny violins playing a somber tune.

Abuse potential — The Cambridge Analytica scandal and revelations from Edward Snowden about NSA wiretapping showed how this data can get into the wrong hands even if Facebook doesn't intend for it to happen. That's the fundamental concern of privacy advocates — that Facebook is collecting unprecedented data in the interest of advertising, but is a poor steward of data privacy. Laws in the United States regarding privacy aren't exactly stringent, either, with the Patriot Act effectively giving the government free rein to conduct secret searches of Facebook's data under the guise of national security. That risks stifling free speech.

During the hearing, Zuckerberg said he wasn't familiar with Centra. But a rose by any other name would smell as invasive.