Daily Mail: Facebook is ‘illegally’ tracking people’s internet searches across the web, even if they do not have an account with the social network. The technology company is using so-called internet ‘cookies’ – little pieces of tracking data – to collect information about people’s activity online, each time they visit a website which features a Facebook button.
Academics in Belgium claim that Mark Zuckerberg’s social network is breaching EU privacy laws by placing the tracking cookies on computers without the user’s consent to log their browsing data.
Facebook buttons are on more than 13 million ordinary websites, including those run by the government and the National Health Service, and allow users to do things such as ‘like’ a website, or ‘share’ the link on their own Facebook page.
A new report from the University of Leuven and a Brussels university claims that Facebook is tracking internet users in Europe for two years even if they have expressly opted out. Facebook has more than 1.3 billion users but there are millions more visits from people who are not signed up.
The researchers say Facebook is putting tracking cookies on internet users’ laptops, PCs and phones when the visit facebook.com – so they can target them with online advertising. This includes anyone clicking on a fan page or other pages still available without a login, or even when they visit some of the 13 million pages with a Facebook module on it and do not click on it.
The company first plants a tracking cookie on a user’s computer whenever they visit a website hosted on facebook.com, such as a page for a friend’s birthday party, a fan page for a celebrity, or for a brand or shop. After that, any web page they visit which features a Facebook button will relay information back to the social network.
And the problem only becomes worse if they try to protect their privacy online, by ‘opting out’ of allowing web companies to track them. Under EU privacy law websites must gain consent before using a cookie, with few exceptions, and websites must ask users to accept cookies when they visit for the first time.
Privacy campaigners have today accused Facebook of taking ‘staggering’ liberties by behaving in this way, and suggested that people can only really protecting themselves if they stop using the internet.
But cookies are also used to gather information about what websites people have visited, at which times of day, so that companies can target them with carefully tailored adverts. This practice, known as ‘behavioural advertising ‘, means that users who research a particular car online, for example, would then see an advert for the same car when they visit an unrelated website.
Users can theoretically stop companies from tracking their information in this way by clicking an ‘ad choices’ button, featured on many websites. Once they click that button, people are invited to pick and choose which internet companies are allowed to track them, or just ban them altogether.
However, researchers said today that Facebook takes the request to ‘opt out’ of online tracking as a cue to plant an extra cookie on people’s computers instead. The special cookie, called ‘datr’, gives that person’s computer or smartphone a unique tracking number, and allows Facebook to follow its activity for the next two years.
Report author Brendan Van Alsenoy told the Guardian: ‘European legislation is really quite clear on this point. To be legally valid, an individual’s consent towards online behavioural advertising must be opt-in. Facebook cannot rely on users’ inaction – not opting out – to infer consent. As far as non-users are concerned, Facebook really has no legal basis whatsoever to justify its current tracking practices.’
The report’s authors said that those who make the effort to opt out of getting Facebook cookies are given one as a result. Co-author Günes Acar said: ‘If people who are not being tracked by Facebook use the ‘opt out’ mechanism proposed for the EU, Facebook places a long-term, uniquely identifying cookie, which can be used to track them for the next two years.’ ‘If you take measures to protect your privacy from Facebook, you are actually going to be followed more on the internet,’ said Rob Heyman, another of the authors of the report.
Privacy campaigners said today that Facebook seemed to have forgotten that people are private citizens, rather than money-making machines. ‘It is both staggering and disappointing that Facebook feels the need to track non-Facebook users, people who don’t want to interact with the social platform,’ said Renate Samson, chief executive of the lobby group Big Brother Watch.
‘Just because internet companies can do something doesn’t mean that they should do it. This takes it a big step further than what [European Commission Attorney Bernhard] Shima was saying, which is that if you don’t want to be spied on, you should opt out of Facebook. Actually, you need to opt out of the internet.’
Mr. Shima said last week that people should close their Facebook accounts if they want to ensure that US security services are not spying on their information.
Facebook today said that the report was inaccurate and the researchers had persistently ignored their request to meet. A Facebook spokesman said: ‘This report contains factual inaccuracies. The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based. Neither did they invite our comment on the report before making it public. However, we remain willing to engage with them and hope they will be prepared to update their work in due course.’
‘Earlier this year we updated our terms and policies to make them more clear and concise, to reflect new product features and to highlight how we’re expanding people’s control over advertising. We’re confident the updates comply with applicable laws including EU law.‘
Two peas in a pod…
Facebook was last month accused of acting in violation of EU privacy laws by the same academics who claimed they had just expanded its old policy, not changed it, which Facebook denied. The group claimed the social media site ‘placed too much burden’ on users, rather than protecting themselves.
‘If a Facebook user opts out, Facebook promises to stop collecting or using browsing information for the purpose of showing ads. Running a number of tests, we confirmed that Facebook still tracks its users when they visit a webpage containing Facebook social plugins, even after the user “opts out”,’ the researchers concluded. Facebook tracks its users across websites even if they do not make use of social plug-ins, and even if they are not logged in.’
In January an Austrian court said it will consider a class action against Facebook by 25,000 people who are claiming their privacy has been breached.
The David v Goliath case is being spearheaded by law student Max Schrems, who wants Mark Zuckerberg’s social media site to compensate him and his supporters with a symbolic £400 each. A hearing in Vienna on April 9 will consider whether the lawsuit is admissible.
Mr. Schrems began his legal challenge last June, claiming that Facebook supplied personal information to the US Prism spy programme. Over the next few months 25,000 people added their names to the lawsuit. The programme is the U.S. secret service’s worldwide monitoring and data mining system and was exposed by whistleblower Edward Snowden last year.
Mr. Schrems is claiming damages of £397 (€500) per supporter, meaning that if the case was expanded and the activists won, Facebook would have to pay out a total of £23.8million.