Facebook tracks all site vistors, violating EU law, report says
Researchers at the University of Leuven in cooperation with researchers at the Vrije Universiteit Brussel have published an update to a February analysis of Facebook's new policies and terms. The report, commissioned by the Belgian Privacy Commission, already found in preliminary conclusions in February that Facebook, with its 2015 privacy policy update, likely acts in violation of European law.
After these initial findings, the researchers did a further technical analysis on Facebook's tracking practices. They focused on tracking techniques that use social plug-ins such as the "Like Button", which is used on more than 13 million third -party websites, and also tested the advertising tracking opt-out.
"In doing so, a number of remarkable new issues have come to light," said Brendan Van Alsenoy, legal researcher at the Interdisciplinary Center for Law and ICT of the University of Leuven.
It turns out, for instance, that Facebook places a cookie on the browser of anyone who visits a Web page belonging to the facebook.com domain, even if the visitor is not a Facebook user, the report found. The cookie placed by Facebook is called "datr" which contains a unique identifier and has an expiration date of two years.
Facebook users also get a range of additional cookies which uniquely identify the user.
Once these cookies have been set, Facebook will in principle receive information from them during every subsequent visit to a website containing a Facebook social plug-in. These cookies will give Facebook information like the URL of the Web page that was visited as well as information about the browser and operating system, the report said.
This means that Facebook tracks its users for advertising purposes across non-Facebook websites by default, the report said. Even opting out won't help. According to the researchers, Facebook will keep tracking you even if you have no account and opted out from targeted advertising on the European Digital Advertising Alliance website. When someone opts-out there, Facebook will place the same unique identifying "datr" cookie, they said.
Facebook sets the tracking cookie on the European opt-out site, but not on the U.S. and Canadian opt-out sites, Van Alsenoy said.
Facebook users are also extensively tracked. Even when a Facebook user deactivates his account, Facebook will still receive cookies that uniquely identify the ex-user, according to the report.
What's more, if a user opts out from tracking, Facebook will still receive information about visits to external sites containing Facebook social plug-ins. The only thing that changes is that Facebook promises to no longer use this information for targeted advertising, but there is no way the researchers were able to verify that, Van Alsenoy said.
The problem with these practices is that the cookies are placed without consent, which under EU law is only allowed if there is a strict necessity to do so. Facebook maintains that the "datr" cookie plays a key role in Facebook's security and site integrity features. However, given that the "datr" cookie is used in the EU when someone tries to opt out of ad targeting, but isn't used in U.S. and Canada in similar circumstances, it's hard to believe that the cookie is strictly necessary for site security, Van Alsenoy said.
People who want an easy way to protect themselves against ad tracking can use browser add-ons such as Privacy Badger, Ghostery and Disconnect, which block tracking, researchers said.
Meanwhile, Facebook slammed the findings. "This report contains factual inaccuracies," said a Facebook spokeswoman in an emailed statement, adding that the inaccuracies in the report were explained in detail to the Belgian Privacy Commission after the report's earlier draft was published.
According to the company, the use of cookies for logged-out accounts is a standard, acceptable and lawful practice that has been actively used by Facebook and many other websites for years. Facebook said it uses these cookies to, for example, identify and disable accounts of spammers, recover account information and provide extra security features like login notifications and login approvals. Facebook also uses them to deliver, select, evaluate, measure and understand the ads served on and off Facebook, including ads served by or on behalf of its affiliates or partners, it said.
Cookies are also set for non-Facebook users who have visited facebook.com, to help protect Facebook Services and the people who use it from malicious activity, the company said. They can help detect and prevent denial-of-service attacks and the mass creation of fake accounts, it added.
Facebook is confident that its updated policies comply with EU law, the spokeswoman said, adding that it routinely reviews product and policy updates with its EU regulator, the Irish Data Protection Commissioner (DPC).
Facebook will have to deal with other, national privacy authorities though. The Belgian, Dutch and a German privacy authority have all started investigations into Facebook's policy changes and the three countries in February formed a task force to examine how the policy might violate EU privacy laws.
The researcher's report will be taken into account by the three authorities, a spokeswoman for the Belgian Privacy Commission said, adding that it was too early to draw any conclusions. The Commission hopes that if it turns out that Facebook has violated the law, it can come to a friendly agreement, but if that turns out to be impossible, Facebook could also be sued as an extreme measure, the spokeswoman said.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com