Does anybody with a STRONG BACKGROUND IN WEBSITE PRIVACY have time to vet this research? Are TikTok and Meta pixels REALLY doing the things claimed? I'm concerned it may be overstating things in an attempt to sell its tag monitoring tools.

https://jscrambler.com/blog/beyond-analytics-tiktok-meta-ad-pixels

The Collection of Commercial Intelligence: TikTok & Meta Ad Pixels

Jscrambler analyzed the TikTok and Meta ad pixels used on websites and found that their default behavior requires immediate attention.

Jscrambler

@dangoodin

Runtime analysis confirms what privacy researchers have warned about: Meta and TikTok ad pixels harvest product-level commerce data, scrape PII from checkout forms, and can transmit data before consent management platforms activate.

The hashing both platforms use? The FTC ruled in 2024 it does not constitute anonymisation. Deterministic SHA-256 hashes of emails and phone numbers are trivially matched against existing platform databases. The BetterHelp enforcement action proved this isn't theoretical.

The underrated risk: every merchant running these pixels feeds competitive intelligence — pricing, conversion rates, catalogue data — directly into platforms that sell targeting to their rivals.

One claim to treat with caution: Jscrambler reports Meta's automatic events feature captured partial payment card details (last four digits, expiry, cardholder name) from checkout pages. The mechanism is plausible — the feature scans visible DOM elements by default — but this specific finding hasn't been independently reproduced yet.

Source: Jscrambler Security Research Team, cross-verified against Meta's own documentation, FTC enforcement actions (BetterHelp, Nomi), and independent CMP vendor warnings.

https://jscrambler.com/blog/beyond-analytics-tiktok-meta-ad-pixels

#gprs #privacy #infosec
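The point above about deterministic SHA-256 hashes being matchable, as an added example (not code from Jscrambler, Meta, TikTok or anyone in this thread): any party that already holds plaintext addresses can precompute the same digests and look a received hash up, while a digest keyed with a secret it does not hold gives it nothing to match. The trim-and-lowercase normalisation, the function names, the key and the sample addresses are all assumptions constructed for the illustration.

```python
import hashlib
import hmac


def normalise_email(email: str) -> str:
    # Assumed normalisation: trim whitespace and lowercase before hashing.
    return email.strip().lower()


def pixel_hash(email: str) -> str:
    """Unsalted SHA-256 of the normalised address (the deterministic scheme)."""
    return hashlib.sha256(normalise_email(email).encode("utf-8")).hexdigest()


def keyed_hash(email: str, merchant_key: bytes) -> str:
    """Contrast case: HMAC-SHA-256 under a secret only the merchant holds."""
    data = normalise_email(email).encode("utf-8")
    return hmac.new(merchant_key, data, hashlib.sha256).hexdigest()


def build_index(known_emails):
    """Digest -> address table that any holder of plaintext addresses can build."""
    return {pixel_hash(e): normalise_email(e) for e in known_emails}


def reidentify(received_hash: str, index: dict):
    """Return the matching address, or None if the digest is not in the table."""
    return index.get(received_hash)


# Constructed sample data, not taken from any real dataset.
PLATFORM_ACCOUNTS = ["alice@example.com", "bob@example.org"]
CHECKOUT_INPUT = "  Alice@Example.com "
MERCHANT_KEY = b"constructed-demo-key"


def demo() -> dict:
    index = build_index(PLATFORM_ACCOUNTS)
    return {
        # Same input always yields the same digest, so the lookup succeeds.
        "unsalted": reidentify(pixel_hash(CHECKOUT_INPUT), index),
        # Keyed digest cannot be reproduced without the merchant's secret.
        "keyed": reidentify(keyed_hash(CHECKOUT_INPUT, MERCHANT_KEY), index),
        # An address the receiver has never seen stays unmatched.
        "unknown": reidentify(pixel_hash("carol@example.net"), index),
    }


if __name__ == "__main__":
    print(demo())
```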

@n_dimension @dangoodin I haven't read jscrambler claims, but one significant mitigating factor vs tracking pixels is that an array of browsers (prompted by Firefox back in 2019) have turned to first-party isolation (FPI) caching techniques: each site you visit (as represented in your Location bar) has a separate cache associated with it so that 3rd-party trackers have to send you different pixels/cookies for each site you visit.

@tasket @n_dimension @dangoodin

Let's ask this the other way around. Waterfox with Ghostery and PrivacyBadger running should give them very little to work with, correct? Or am I fooling myself?
(mind you, I use neither AI-Meta-Book nor Tiktok, but of course that doesn't mean that I'm not exposed to their scripts on any non-Mastodon page that I visit...)

@dirkhh I was going to mention uBlock Origin; it claims to block trackers so one would expect it blocks these as well.

@tasket
Well that was easy... added uBlock Origin.
There appears to be some overlap between it and ghostery, but ghostery claims that especially for ad-blocking they cover more...

I don't think having both will hurt me (except likely burning more CPU cycles).

Thanks

@dirkhh IIRC ghostery is based on a partnership with the adtech industry and has tried to monetize its use in the past. Their company was founded on the idea that ad tracking can be perfected, which IMO makes them true believers in something that is only capable of exploitation and misery.

@tasket
The things you learn on the fediverse. Did some reading on this and yeah... not good. Dang..

@dirkhh @tasket

privacy badger is worth a look

@joriki @tasket

Privacy Badger is awesome. And certainly from a highly reputable source.

@dirkhh @tasket

decentraleyes is another complementary addon

@joriki @dirkhh @tasket noscript can be a bit intrusive, but it works.