Facebook has an interesting feature. It will let you see which companies have associated your off-Facebook activity with your Facebook account. If you visit:

https://www.facebook.com/off_facebook_activity/

you’ll see what companies are snitching on you to Facebook.

Off-Facebook activity includes information that businesses and organisations share with us about your interactions with them. Interactions are things such as visiting their website or logging in to their app with Facebook.

Because I use the Firefox web browser, all my off-FB activity is kept private from Facebook. I don’t use FB to sign into things. I also run an ad-blocker. So I expected my “Off Facebook Activity” to be completely blank.

It wasn’t.

Who are Lan Tim 2? And what did I purchase from them? First up, let’s check that I’m as paranoid as I think I am…

Yup! I’ve connected nothing to my FB account.

Perhaps I’m being a dolt. Perhaps I signed in to a store with Facebook without thinking about it? Perhaps it is a legitimate purchase…. And then I saw this:

Take a look at your off-Facebook activity and #ClearHistory Everything I've seen to date has been through #Android #Facebook App tracking. I wrote a report on this last year which can be found here https://t.co/xge3h3cSZP My Activity: 👇👇👇 pic.twitter.com/ELrVkCauhX — Christopher Weatherhead (@CJFWeatherhead) January 29, 2020

I don’t know Christopher – although we appear to have some mutual friends. It strikes me as a bit odd that two random individuals, who are both pretty privacy conscious, would both have made the same mistake which led to a Facebook associated purchase.

I checked through all my credit card statements and emails. I didn’t purchase anything around that time, and I couldn’t find any reference to the merchant.

You can download your Facebook data as JSON. So I did that. This is all it had about those mystery transactions:

What’s going on?

It’s actually a bit more complicated than that

Off-Facebook activity doesn’t just mean stuff that happens online. Facebook also does offline conversions which allows advertisers to match offline activity with online activity..

we use a process called matching to match the hashed information with Facebook profiles so that you can advertise to your customers on Facebook, Instagram and Audience Network. The more information you can provide, the better the match rate

Suppose I go to a restaurant, and I booked using my name and phone number. The restaurant sends that data to Facebook to say “Terence Eden ate at this restaurant on this day.” Facebook can then tell if I saw an advert which led me to make a purchase.

A good reason to use a disposable phone number for everything!

I reached out to a friend who worked at Facebook. Obviously they couldn’t tell me too much, but here’s what I did find out.

Lan Tim 2 supply custom printed apparel. Print your logo on a t-shirt or mug, that sort of thing. They’re a “white label” operation. That is, you buy from “Tom’s Terrific T-Shirts” but it’s Lan Tim 2 who print and supply the final item.

Had I bought anything like that? I didn’t think so. And then, I remembered…

Spreadshirt! I’d made some custom printed t-shirts through them. I contacted a few other people who’d seen Lan Tim 2. They’d also used Spreadshirt! And, like me, their last purchase was inconsistent with the data given to Facebook.

I assume I gave my phone number to Spreadshirt to provide delivery information.

If this is correct, then it looks to me like Spreadshirt took the phone numbers given to it for one reason – and then used them for another.

Or, perhaps I’m wrong, and some dodgy company has been randomly spamming Facebook with fake data?

It goes to show, Facebook’s level of transparency of data isn’t good enough.