I've heard any number of stories from people about creepy things Facebook or other ad systems have done. "I was talking about X with a friend, and that evening an ad for X popped up on a web page!" The insidious thing is that it *could* have just been coincidence. You can't prove anything.

Well, this week it happened to me, and I don't even use Facebook. I can't prove anything. But it's deeply disturbing. TL;DR: Blank Facebook account I opened 8.5 years ago and never used receives recommendation, out of the blue, to check out a small store I only just learned existed and started patronizing.

It all starts eight and a half years ago, and should have ended there as well:

October 2010: I sign up for a "fake" Facebook account. (Source: Email, Facebook account activity.) I use the name "Ti Mc" and a dedicated email address. It's not supposed to be a super secret account, but I didn't give Facebook my phone number, address, a photo, or anything else. I didn't friend anyone or, apparently, send any messages.

(Source: Email, Facebook account activity.) I use the name "Ti Mc" and a dedicated email address. It's not supposed to be a super secret account, but I didn't give Facebook my phone number, address, a photo, or anything else. I didn't friend anyone or, apparently, send any messages. January 2011: I sign up for a second account, which I actually ever use. (Source: Email, memory.) The purpose of both accounts was "just in case", for those times I might need to contact someone when I only had their name, such as for found phones. (I recall using it for this.) I must have forgotten about the first one, which has no evidence of ever having been used, and I even lost the password. The second one used my full name, "Tim McCormack". It has since been deleted, and isn't directly involved in the rest of this timeline.

(Source: Email, memory.) The purpose of both accounts was "just in case", for those times I might need to contact someone when I only had their name, such as for found phones. (I recall using it for this.) I must have forgotten about the first one, which has no evidence of ever having been used, and I even lost the password. The second one used my full name, "Tim McCormack". It has since been deleted, and isn't directly involved in the rest of this timeline. July 2013: I move from Somerville to Allston. (Rent records.)

(Rent records.) November 2015: Facebook tries to entice me back with a "trending stories" email. It's very poorly targeted, using sports and politics as hooks; they clearly at that point knew basically nothing about me.

It's very poorly targeted, using sports and politics as hooks; they clearly at that point knew basically nothing about me. November 2017: The grocery store opens. (Store website.)

(Store website.) December 2017: I move from Allston back to Somerville. (Memory.)

(Memory.) December 2nd, 2018: I learn about a small grocery store a mile away. (Email.) It had opened while I lived in Allston, and had had little publicity. I found out about it via a Google Groups mailing list. I would have visited the store's website around then.

(Email.) It had opened while I lived in Allston, and had had little publicity. I found out about it via a Google Groups mailing list. I would have visited the store's website around then. December 2018–January 2019: I visit the store and make purchases with cash. (I can't verify this, but I usually pay by cash.)

(I can't verify this, but I usually pay by cash.) January 2019: I email back and forth with the grocery store's proprietor. He uses a Google Mail account.

He uses a Google Mail account. February 7 & 11, 2019: I pay by check at the grocery, and get a receipt via Square. (Bank records.) These were larger purchases for bulk items, and for the second one, I entered my email address so Square (their point-of-sale) could send me a receipt. I used a dedicated email that I made up on the spot for this Square-grocery transaction. I opened the receipt link in a private browser window.

(Bank records.) These were larger purchases for bulk items, and for the second one, I entered my email address so Square (their point-of-sale) could send me a receipt. I used a dedicated email that I made up on the spot for this Square-grocery transaction. I opened the receipt link in a private browser window. February 16, 2019: "📄 East Somerville Main Streets and 7 others are new Page suggestions for you". (Email.) Out of the blue I get this email on my dedicated Facebook-fake-account email address, with some recommended Pages: East Somerville Main Streets / Community Service USQ - Union Square / Real Estate Developer [note: Union Square is one of several "downtown" type locations in Somerville] Joe Curtatone / Politician [note: mayor of Somerville] Somerville Neighborhood Updates / Government Organization 311 Somerville / Government Organization [note: 311 is the city information hotline number] Somerville Arts Council / Arts & Entertainment [Name of Grocery Store] / Fruit & Vegetable Store [note: Store name removed to avoid casual harassment of the innocent.] Somerville Beat / Regional Website [note: A local events and news website]

(Email.) Out of the blue I get this email on my dedicated Facebook-fake-account email address, with some recommended Pages:

So: After 8 years of no interaction, Facebook sends me an email telling me about a store I found out about 2.5 months ago. (And 5 days after I tell Square that I've shopped there.) The only other thing it knows about me is a broad "interest" in Somerville, which is where the store is located, although also where I am located. Most of those 7 other Pages would be very broadly interesting to Somerville residents. (I don't know what the deal is with the real estate Page, and East Somerville Main Streets appears to be a business owners association. More on this discrepancy in a bit.)

Pretty damn creepy.

It's easy to imagine ways that Facebook connected up my information, given that they exchange data promiscuously with other companies:

My IP address visiting Facebook when I opened the account (and the grocery store's Wix-hosted website) can easily be geolocated to Somerville.

The fake name I used on the account is similar to my wallet name.

Even though I use different email addresses for every website and signup, and one standard one for general correspondence, they're all on the same domain. Facebook might have figured out that I have a catchall address (I receive mail for $anything@brainonfire.net ) and that they all represent the same identity.

) and that they all represent the same identity. The grocery store proprietor uses Google Mail. Does Google have a data exchange with Facebook? Did he add me to his address book, and also have a Facebook app that is constantly reading his address book? (IIRC, Facebook was found to have gained illicit access in at least one phone app system.) Is there other malware on his computer? (Or mine, perhaps via a browser extension?)

I left my phone on when walking to the grocery store and back. It's a dumbphone, but cell companies sell location data quite freely.

Any number of businesses know my name, home address, email address, and phone number.

I'm not aware of facial recognition software being at play here, but who knows.

Square knows my IP address, email address, name, and that I shopped at the grocery store.

It's that last one that makes me most suspicious. Square even advertises a data exchange with Facebook, although not precisely the same one that would have caught me up here. And those two Pages that seem targeted to business owners, that's very interesting. Facebook either has me pegged at a higher income bracket (upper middle class, sure) or has me profiled in some other way as a business owner (which I'm not).

I wonder about that check. The proprietor said that he thinks I must have been the first person to pay by check since he opened the store. Man, who even pays by check? Not me, other than maybe once a year; I only did it this time because it was for a large amount ($700-ish) and I dislike using credit cards in stores, for various reasons. (Privacy being one of them!) But in business, checks are de rigueur. And the timing! Just 5 days later, against a timescale of 8 years.

But I can't prove anything. It's all a black box. I can't imagine Square or Facebook would be very forthcoming on this. All I am left with is the vague feeling of having been creeped on by a collection of corporations who want to traffic in the details of my personal life.