When I worked at Meta, the execs said that many users think they're being spied on when they see ads based on a conversation they've had in real life, but the execs categorically denied that this could be happening, and said it's all just a coincidence. I thought this was a completely unfounded denial, since Meta had no way of auditing 3rd party apps on the user's phone, and it's perfectly plausible for another app to spy on their conversations and then use that to provide targeted ads to the Facebook account associated with the individual's email.
You had the conversation with someone and that someone googled/shopped/amaozned/clicked it. Or did before already, you don’t initiate every conversation in your life after all.
Now go and try getting a denial that they are not using the fact that you share a wifi with someone as parts of the recipe for the recommendation cake.
The arrow of causality can also go the other way. X corp is currently running a campaign targeting your area/demographic. A friend of yours sees and X ad and mentions something X-related to you in a private conversation. The next day, you see an X ad too.
Realistically, in a simple statistical way, plain "coincidences" have a significant "expected value". I.e., if you simply take the billions of people across the planet, and look even across a single day, lots of coincidences occur.
Now, add in psychological effects - "synchronicity", "frequency illusion" ("Baader-Meinhof"), "recency illusion", confirmation bias, etc... I'd expect a fair bit of compounding*.
Then, add in simple use of statistics, statistical inference, etc. and basic tracking of user navigation around the web, on a given website, etc.
I've had these experiences, perhaps one or two times a year, on average. Experiences where I was VERY surprised by ads presented. Experiences that would easily suggest a microphone must have been on when it shouldn't have been. Sometimes, I realized I'd used someone else's device in a way that could be tied to me. Other times, while some "leaps" would be involved, I could basically deduce myself that someone who had looked for information on some "X", and information on some "Y", might really be thinking about some "Z" that isn't easily arrived at from either X or Y in vacuo.
Spying, in the sense you suggest, can't be ruled out by the above. But, I would ask - why even spy? Is a company like "meta" really going to get much more useful (from their perspective) info by doing so? Particularly given the COST? It's becoming more realistic, arguably, but, really, these companies have had more than enough info on just about anyone for well over a decade to keep their algorithms and such well-occupied.
People gladly hand over tons of data constantly ... with full awareness and intentionality, and otherwise. The vast majority have no idea what statistical inference and other techniques can suggest based on seemingly obliquely connected info. Further, most users are so accustomed to "cookies" and other hidden types of tracking, and ignoring EULAs** ... really, it's hard for me to imagine a good case for doing anything more ... "invasive" and ... legally / otherwise dubious.
Edit: mostly came back to add one of my favorite (ab)uses of (statistical) inference:
* Outweighing significantly, I'd suggest, other quirks of human perception, memory, etc. that may diminish awareness and recognition of potentially related events. I write "suggest" mainly because I don't have ready refs to offer this second and don't have time to dig a couple up ... IIRC, the research that exists strongly favors compounding, though, of course, this could be argued to be influenced itself by human psychology (including social and economic factors, e.g., "publish or perish" etc.).
** Jargon buried in legalese, what a genius way to get just about anyone to agree to just about anything! If only John, King of England (in 1215), had been more skilled in the ways of the EULA - perhaps "King Charles III" would be emperor of the world now. Oh utopia denied ... kek.
While that is a positive take that could explain it, I am not convinced by that number crunch. 2/situations per year, per person, that is still "a lot" to be considered plausible statistical coincidence.
Yup. The typical use case is e.g. if someone logs in to your e-commerce site with their email and looks at a product but doesn’t purchase, then you can show them an ad for that product to try to remind them to go back and buy it.
It’s a really creepy feature though that can easily be abused.
You can (e.g. by email address), which is why it's impossible for Facebook to guarantee that ads weren't targeted based on listening in on conversations. It has no ability to determine how an advertising purchaser generated / obtained the data it is using to for ads targeting.
