Have you ever wondered how Facebook makes friend suggestions to you? I can tell you there are numerous ways. But in this article I’ll give you some broad brushstrokes on one of the ways Facebook can connect you to others whom you’ve never met before.
A few weeks ago, when I began thinking about what to write about regarding online privacy, I had a privacy-related experience that concerned me. I’d googled a local cardboard company and called the number on the site. Contact info on the site was Tim and his phone number. The guy was great. A few hours later, Tim so-and-so came up in my Facebook feed as a suggested friend. How did Facebook connect the dots? I never met him in person, nor do I know anyone who knows him. He’s not even a friend of a friend.
I felt I needed to conduct my own investigation into how Facebook could have connected all these datapoints to suggest this person be my friend.
What are cookies?
Internet web cookies are little text files filled with random text that appear innocuous and meaningless. If you open your cookies file, it looks like gobbledygook, which is my way to say the data are encrypted. There are different types of cookies, such as tracking cookies, session cookies, third-party cookies, etc., but for all intents and purposes we’ll run through a simplified explanation of how tracking cookies work.
The data in these cookies (text files) save information like login details, preferences, tracking identifiers such as which browser you’re using, from which device, your search history, etc.
Tracking cookies don’t require you to interact with an ad or a social media button to send your data to the creator’s server. The moment a webpage loads, any existing cookie is transmitted to its origin server. If no cookie is present, the resource can generate one, unless you were in incognito or privacy mode.
For example, if I post a blog with an image hosted on a different site, that site can create or send a cookie to its server, even though I’m not visiting their site directly; I’m only accessing their resource. Likewise, most ads and widgets on websites are sourced from third-party servers, not the site itself, and they all leverage cookies to track users.
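The cookie exchange described above, as an added simulation that is not part of the original article: a browser with an empty jar loads the same embedded resource from two unrelated pages. The host names, the `uid` cookie name and both classes are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

class ThirdPartyServer:
    """Constructed stand-in for a host serving an embedded image, ad or widget."""
    def __init__(self):
        self.seen = {}  # cookie id -> pages that embedded the resource

    def handle(self, request_headers):
        cookies = SimpleCookie(request_headers.get("Cookie", ""))
        response_headers = {}
        if "uid" in cookies:                  # returning browser
            uid = cookies["uid"].value
        else:                                 # first contact: mint an identifier
            uid = secrets.token_hex(8)
            response_headers["Set-Cookie"] = f"uid={uid}; Max-Age=31536000; Path=/"
        # The Referer header names the page that embedded the resource.
        self.seen.setdefault(uid, []).append(request_headers.get("Referer"))
        return response_headers

class Browser:
    """Minimal cookie jar keyed by the host that set the cookie."""
    def __init__(self):
        self.jar = {}    # host -> {cookie name: value}
        self.sent = []   # request headers, kept for inspection

    def load_embedded(self, page_url, resource_url, server):
        host = urlsplit(resource_url).hostname
        headers = {"Referer": page_url}
        stored = self.jar.get(host)
        if stored:  # any existing cookie goes back to its origin server
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in stored.items())
        self.sent.append(headers)
        response = server.handle(headers)
        for name, morsel in SimpleCookie(response.get("Set-Cookie", "")).items():
            self.jar.setdefault(host, {})[name] = morsel.value

def demo():
    tracker, browser = ThirdPartyServer(), Browser()
    pixel = "https://tracker.example/pixel.gif"   # constructed URL
    for page in ("https://boxes.example/contact", "https://news.example/story"):
        browser.load_embedded(page, pixel, tracker)
    return tracker, browser

if __name__ == "__main__":
    for uid, pages in demo()[0].seen.items():
        print(uid, pages)   # one identifier, two unrelated pages
```

A fresh `Browser` (an empty jar) makes the server mint a new identifier, so its visits cannot be joined to the earlier ones by the cookie alone.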
What is the controversy behind cookies?
These tracking cookies are supposed to be used to improve your web surfing experience, but it turns out they provide a goldmine of information for targeted advertising purposes.
How Did Facebook Know Which Site I Visited and Who I Spoke To?
Here is the chain of events: a) I did a Google search, b) I visited the first site from the search results, c) I perused the website until I got the information I was looking for, d) I called the phone number on the site, e) I visited Facebook a few hours later.
Every website that displays social icons such as Facebook, X, LinkedIn, and TikTok will surely have additional tracking tools embedded.
Facebook Pixel is a piece of code that tracks user actions (e.g., visiting a page or clicking a button) and sends that data to Facebook for advertising purposes.
These tools work even if you have third-party cookies disabled. If you were logged into Facebook in Chrome at the time, tracking is straightforward—Facebook links your activity to your account. Even if you weren’t logged in, Facebook uses other types of cookies to identify your browser and track you across sites with its scripts. Other techniques, like browser fingerprinting (analyzing your device’s unique settings), can also help Facebook follow your activity.
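One way to check which outside hosts a page contacts as it loads, as an added example (not from the original article). The sample HTML and every host name are constructed, and treating only the page's own host and its subdomains as first-party is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src is fetched automatically when the page loads.
AUTO_LOADED = {"script": "src", "img": "src", "iframe": "src"}

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = AUTO_LOADED.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # Resolve relative and protocol-relative URLs against the page.
            self.resources.append((tag, urljoin(self.page_url, value)))

def third_party_hosts(page_url, html):
    """Map each third-party host to the tags that pull a resource from it."""
    page_host = urlsplit(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    found = {}
    for tag, url in collector.resources:
        host = urlsplit(url).hostname
        # Simplification: the page's host and its subdomains are first-party.
        if host and host != page_host and not host.endswith("." + page_host):
            found.setdefault(host, []).append(tag)
    return found

# Constructed sample page: one social widget, one 1x1 tracking image.
SAMPLE_URL = "https://boxes.example/contact"
SAMPLE_HTML = """
<html><body>
<img src="/img/logo.png">
<script src="https://static.boxes.example/app.js"></script>
<script src="https://social-widgets.example/sdk.js"></script>
<img src="//pixel.adnetwork.example/tr?id=CONSTRUCTED" width="1" height="1">
<iframe src="https://social-widgets.example/like-button"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for host, tags in third_party_hosts(SAMPLE_URL, SAMPLE_HTML).items():
        print(host, tags)
```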
So, when I visited Tim’s cardboard site, Facebook likely recorded that visit because of its tracking mechanisms. I was also logged into my Facebook account on my iPhone.
Key Points About Facebook Tracking:
• Facebook App Permissions: If you make a call from a smartphone with the Facebook app installed, and you’ve granted it access to your call logs or contacts, Facebook might detect your calls and associate them with your contacts or others’ contacts.
• Website Integration: If the website you visited uses Facebook’s advertising or analytics services, it might have tracked your interaction (for example, clicking the phone number) and shared that data with Facebook, especially if the number is tied to a Facebook account.
• Contact Data: If the person you called has your phone number in their contacts and has uploaded their contact list to Facebook (a common feature for friend suggestions), Facebook could link your number to your account. If your phone number is also tied to your Facebook profile, this connection becomes even stronger.
Making the Friend Suggestion
Facebook likely tracked my visit to Tim’s website via embedded tools (e.g., pixels or plugins) and linked it to my phone call through contact data, app permissions, or cross-device tracking. This allowed them to suggest him as a friend. Facebook’s algorithms combine these data points—my website visit and the phone call—to infer a connection.
The website visit told Facebook I was interested in something associated with that site.
The phone call to a number linked to a Facebook user (either through their account or their contacts) gave Facebook a specific person to connect me to.
Since I was using Chrome (and logged into Facebook) and my phone (with the Facebook app), Facebook had enough information to suggest that person as a friend.
If you want to limit Facebook’s tracking abilities, log out of your account on your computer as well as your mobile devices when you’re not using the app. You can also use incognito mode in Google Chrome or, better still, try a data privacy-sensitive browser such as Brave (https://brave.com).
Jason Cardinal, CISSP, is a bilingual GenX’er with 20+ years in tech and cybersecurity. He holds clearances from the RCMP, Hydro Québec, OPP, Sûreté du Québec, and U.S. Homeland Security. A volunteer, half-marathoner, martial artist, and guitarist, Jason earned his CISSP in 2023 on his first try. He offers lectures and training sessions.
Follow him at jasoncardinal.ca