Facebook tracks all site vistors, violating EU law, report says

Facebook slammed the report, claiming it contains factual inaccuracies

Facebook tracks everyone who visits its site, including people who don't have an account, and even continues to track users and non-users who have opted out of targeted ads, researchers at two Belgian universities have found.

Researchers at the University of Leuven in cooperation with researchers at the Vrije Universiteit Brussel have published an update to a February analysis of Facebook's new policies and terms. The report, commissioned by the Belgian Privacy Commission, already found in preliminary conclusions in February that Facebook, with its 2015 privacy policy update, likely acts in violation of European law.

After these initial findings, the researchers did a further technical analysis on Facebook's tracking practices. They focused on tracking techniques that use social plug-ins such as the "Like Button", which is used on more than 13 million third -party websites, and also tested the advertising tracking opt-out.

"In doing so, a number of remarkable new issues have come to light," said Brendan Van Alsenoy, legal researcher at the Interdisciplinary Center for Law and ICT of the University of Leuven.

It turns out, for instance, that Facebook places a cookie on the browser of anyone who visits a Web page belonging to the facebook.com domain, even if the visitor is not a Facebook user, the report found. The cookie placed by Facebook is called "datr" which contains a unique identifier and has an expiration date of two years.

Facebook users also get a range of additional cookies which uniquely identify the user.

Once these cookies have been set, Facebook will in principle receive information from them during every subsequent visit to a website containing a Facebook social plug-in. These cookies will give Facebook information like the URL of the Web page that was visited as well as information about the browser and operating system, the report said.

This means that Facebook tracks its users for advertising purposes across non-Facebook websites by default, the report said. Even opting out won't help. According to the researchers, Facebook will keep tracking you even if you have no account and opted out from targeted advertising on the European Digital Advertising Alliance website. When someone opts-out there, Facebook will place the same unique identifying "datr" cookie, they said.

Facebook sets the tracking cookie on the European opt-out site, but not on the U.S. and Canadian opt-out sites, Van Alsenoy said.

Facebook users are also extensively tracked. Even when a Facebook user deactivates his account, Facebook will still receive cookies that uniquely identify the ex-user, according to the report.

What's more, if a user opts out from tracking, Facebook will still receive information about visits to external sites containing Facebook social plug-ins. The only thing that changes is that Facebook promises to no longer use this information for targeted advertising, but there is no way the researchers were able to verify that, Van Alsenoy said.

The problem with these practices is that the cookies are placed without consent, which under EU law is only allowed if there is a strict necessity to do so. Facebook maintains that the "datr" cookie plays a key role in Facebook's security and site integrity features. However, given that the "datr" cookie is used in the EU when someone tries to opt out of ad targeting, but isn't used in U.S. and Canada in similar circumstances, it's hard to believe that the cookie is strictly necessary for site security, Van Alsenoy said.

People who want an easy way to protect themselves against ad tracking can use browser add-ons such as Privacy Badger, Ghostery and Disconnect, which block tracking, researchers said.

Meanwhile, Facebook slammed the findings. "This report contains factual inaccuracies," said a Facebook spokeswoman in an emailed statement, adding that the inaccuracies in the report were explained in detail to the Belgian Privacy Commission after the report's earlier draft was published.

According to the company, the use of cookies for logged-out accounts is a standard, acceptable and lawful practice that has been actively used by Facebook and many other websites for years. Facebook said it uses these cookies to, for example, identify and disable accounts of spammers, recover account information and provide extra security features like login notifications and login approvals. Facebook also uses them to deliver, select, evaluate, measure and understand the ads served on and off Facebook, including ads served by or on behalf of its affiliates or partners, it said.

Cookies are also set for non-Facebook users who have visited facebook.com, to help protect Facebook Services and the people who use it from malicious activity, the company said. They can help detect and prevent denial-of-service attacks and the mass creation of fake accounts, it added.

Facebook is confident that its updated policies comply with EU law, the spokeswoman said, adding that it routinely reviews product and policy updates with its EU regulator, the Irish Data Protection Commissioner (DPC).

Facebook will have to deal with other, national privacy authorities though. The Belgian, Dutch and a German privacy authority have all started investigations into Facebook's policy changes and the three countries in February formed a task force to examine how the policy might violate EU privacy laws.

The researcher's report will be taken into account by the three authorities, a spokeswoman for the Belgian Privacy Commission said, adding that it was too early to draw any conclusions. The Commission hopes that if it turns out that Facebook has violated the law, it can come to a friendly agreement, but if that turns out to be impossible, Facebook could also be sued as an extreme measure, the spokeswoman said.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityprivacyFacebooklegaldata protection

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Loek Essers

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?