Monzo app includes Google Ads and Google/Facebook tracking libraries

I’ve done some digging and I think I’ve been able to get to the bottom of this.

tl;dr: It’s the Facebook pixel installed on the Monzo website triggering this.

The Detective Work
To work this out I first of all checked my off-Facebook activity and found it a bit odd that the last reported date was Saturday 25th January 2020. If the actual application was pinging Facebook then I’d expect that the date displayed would be much sooner to today as it’s the 84th of January and I’ve pretty much checked my balance every hour.

Next I decided to check how I was interacting with Monzo. On my MacBook I generally use Firefox and I use an add-on called Facebook Container to stop Facebook from tracking me around the web. On my Android mobile however it’s a different story. Whilst I don’t have the Facebook app, I am logged in on Chrome and I don’t have anything to prevent Facebook logging my data.

With that in mind I remembered that on Saturday I opened the email about our new overdraft rates and clicked through to view the terms and conditions.

There’s a brilliant little add-on for Google Chrome called Facebook Pixel Helper that shows you any Facebook pixels installed on sites you’re browsing. It’s useful for me as an advertiser as I can check that pixels have been installed correctly and are reporting back the required data.

Visit the terms and conditions page and access the tool and voila, one pixel found:

I had a look back at my browsing history on Google Chrome and I haven’t visited the Monzo website since the 25th which marries up with this perfectly.

As a sidenote Monzo don’t have their pixel installed on the community so no events are being logged from us using this site.

Why Do Monzo Need A Pixel On Their Site?
Quite simply it’s for advertising purposes. The pixel reports back Facebook users that have visited your site and it’s quite powerful data. You could for example create an audience of people who have visited the Monzo website within the last 30 days and then from that audience exclude a list of everyone who already has a Monzo account. You can then be pretty certain that everyone remaining is curious but hasn’t signed up yet so you could hit them with some pretty aggressive advertising getting them to sign up if you wish to do so.

You can also use the pixel to measure things like how many people signed up to Monzo as a result of a Facebook ad that was run, which is useful when it comes to fine tuning ad campaigns, budgets and targeting.

So in conclusion I don’t believe the Monzo app is contacting Facebook, but on the other hand visits to their website are triggering Monzo to appear in your off-Facebook activity log.

12 Likes

I don’t understand a lot of this but I’ve checked and Monzo have sent over 1,500 interactions to Facebook. Should I be worried?

On the surface I’d say that’s normal because the app did previously ping Facebook directly. I’d only be concerned if the last received date wasn’t a day that you visited the Monzo website. This could be on any device you’ve used to access Facebook so check all of your browsing histories.

If the date doesn’t marry up then Monzo haven’t done what they previously said they would in this thread and removed their calls to Facebook from the app.

That does seem excessive , what phone do you have?

I have a little extra info to add.

I’ve found a second Monzo entry in my off-Facebook activity log - this one seems to be directly associated with the mobile app - notice the name:

The most important thing here is the last received date - 26th September 2019. This is exactly in line with @simonb’s post earlier in the thread on the 7th October:

Also, in terms of excessive it really depends on what the app was sending. I guess if it was pinging Facebook every time you opened the app then the number reported could well make sense. I’d actually call this excessive. I’ve only had Tik Tok installed since 28th May and in that time I’d say I’ve opened it at most 50 times.

4 Likes

They can have whatever data they want from me, I’m not that fussed in fairness

1 Like

The problem is that even if you don’t use Facebook, a lot of apps and websites will still rat you out to them. It takes extreme efforts (more than defending against the majority of malware) to stop this given their tracking pixels, like buttons and app SDKs are embedded everywhere*. The GDPR was supposed to solve this but given the lack of enforcement companies know they can get away with it.

*would you have expected Monzo to send device data to Facebook every time you open the app? It’s a bank FFS, it’s probably the least likely place I would’ve expected Facebook to be involved.

4 Likes

Not for me.

Facebook’s been receiving data as recently as this week from Monzo, for me.

edit: iOS user

Sorry, should have said, iPhone.

@Zain your one’s a bit strange because it’s seemingly stopped sending data but a lot later than we would have expected.

Did you by any chance reinstall the app on that date or end up logged out for any reason? I guess if the Facebook calls are active when the app is initially installed then that could explain it.

I also assume you update your app regularly so weren’t still on an old version and more to the point that Monzo actually pushed through the change to iOS.

@mbell I honestly have no idea what’s happening here. Either there’s a bug in the fix Monzo pushed out or they haven’t pushed the fix out at all.

It would be interesting to hear from a few others to see what they have in their reports too.

@mbell I honestly have no idea what’s happening here. Either there’s a bug in the fix Monzo pushed out or they haven’t pushed the fix out at all.

maybe there’s some server-side change rolling out to iOS and it hasn’t got to me yet. regardless I’m feeling pretty disgusted right now.

3 Likes

Is there anyway to see this info for an email that doesn’t have a Facebook account with that login?

1 Like

I don’t blame you! Hopefully somebody from Monzo will be along tomorrow to explain why this is happening when they’ve stated it shouldn’t be.

3 Likes

Love the outrage on here and your review @RichardL is great - thanks (perfect irony too given you work in advertising!).

Just for the record, I’m seeing a similar picture to @RichardL - the app’s last update was 1 October 2019 but the one showing recently is from the website.

To provide some context, I also have HSBC and Starling in my list so this is clearly not unique to Monzo in any way, I’d imagine most banks that like to advertise efficiently are doing exactly the same (not to mention literally every other website in the world, my list reads like my Internet history!).

Why would anyone expect Monzo to be the outlier?

3 Likes

Monzo have replied about on this on Twitter

2 Likes

Advertising ID along with a ton of device-specific info the Facebook SDK sends by default like your carrier, device language, model, and of course IP address, all of which allow FB to correlate it with other apps embedding the SDK (as well as websites with the FB tracker, since IP address and most device data will remain consistent) even if you disable the advertising ID.

That is what people are worried about, which is conveniently omitted from Monzo’s explanations including their own documentation linked above. Mentioning just the advertising ID is misleading and could even put them in trouble regarding the GDPR (well, if the ICO was doing its job).

9 Likes

I understand that, was just raising the point that Monzo have made a response about this.

Unfortunately as long GDPR isn’t actively enforced, it will not be taken seriously.

1 Like

I was going to ask if you were sure GDPR applies to this sort of thing (I thought it wouldn’t) but thought I’d look up the definition myself instead. Interestingly the inclusion of “an online identifier” in the definition of ‘personal data’ tends to suggest that it does indeed apply.

1 Like

I can’t view this topic unless I disable my uBlock browser extension :sweat_smile:

2 Likes