Facebook has hit back at a new report commissioned by the Belgian Privacy Commission, which claims that Facebook tracks far more users than previously thought.
The report, conducted by researchers at universities in Leuven and Brussels, says the social giant is tracking the browsing habits of everyone visiting its site, irrespective of whether or not they are an account holder, and in complete disregard of whether or not they have opted out of being tracked across the EU.
Additionally, the report says Facebook also continues to track users after they close their accounts and sets tracking cookies on some third party websites. The researchers note that social plugins, such as the Like button, are often behind the setting of these third-party cookies, even if the user does not directly interact with them.
The researchers also say Facebook is placing tracking cookies every time a user visits tertiary pages on its site, such as celebrity pages or shops, all for the purpose of delivering targeted advertising based on other pages they visit across the internet.
Under EU law, websites must generally obtain consent before using a cookie and websites must seek permission from new users before placing them.
In theory, users who have previously consented to particular cookies, can later opt out of having their web browsing history tracked in this way by clicking an ‘ad choices’ button or similar, as found on many different flavours of advertisements across the web. Taking this option typically allows the user to then choose which internet companies can and cannot track them, or even block them completely.
In the case of Facebook, however, the researchers say that an ‘opt out’ request is interpreted in an unexpected way – it actually places an additional cookie on the user’s device.
That cookie – called ‘datr’ – actually allocates a unique tracking number to the user’s device, allowing Facebook to track it for the next two years, as explained by one of the report’s authors, Günes Acar:
If people who are not being tracked by Facebook use the ‘opt out’ mechanism proposed for the EU, Facebook places a long-term, uniquely identifying cookie, which can be used to track them for the next two years. What’s more, we found that Facebook does not place any long-term identifying cookie on the opt-out sites suggested by Facebook for US and Canadian users.
Co-author Brendan Van Alsenoy told the Guardian how this policy contradicts existing law within the European Union:
European legislation is really quite clear on this point. To be legally valid, an individual's consent towards online behavioural advertising must be opt-in.
If you take measures to protect your privacy from Facebook, you are actually going to be followed more on the internet.
Naturally, though, Facebook sees things differently to the report authors.
According to the Guardian, Facebook described the report as “inaccurate,” and said there had been no contact between itself and the authors prior to publication.
A Facebook spokesperson told the news agency that the report was based on assumptions, and no clarification or comment had been sought before it was made public.
Facebook said it remained “willing to engage with them and hope they will be prepared to update their work in due course,” adding:
Earlier this year we updated our terms and policies to make them more clear and concise, to reflect new product features and to highlight how we’re expanding people’s control over advertising. We’re confident the updates comply with applicable laws including EU law.
The Dublin headquartered company also told the BBC that it had passed two audits of its data protection policies and that it continues to be regulated by the Irish Data Commissioner.
These new reports come just a few days after we brought you the news that European Commission attorney Bernhard Schima admitted that the EU-US Safe Harbor agreement, designed to protect the privacy of European citizens, was not working as intended.
His advice to privacy-conscious Facebook users: “consider closing your account”.
The social giant has other concerns too – Max Schrems and his ‘Europe v Facebook’ group are not only challenging the Safe Harbor agreement in the European Court of Justice, but also seeking compensation for breach of privacy via a Vienna court too.
Schrems began that action last June, claiming that Facebook supplied personal information to the US Prism spy program. He, and the first 25,000 people who signed up to his group, have submitted a class action claim which seeks £400 compensation for each member. The court will decide whether the claimants can continue their action on 9 April.
If you’re concerned about tracking, try using a plugin for controlling which cookies you accept, such as Ghostery.