A report by Belgian researchers reveals how Facebook has been transformed from a social media service to an advertizing network, using cookies to track and identify users. No one is out of reach; not even people without a facebook account.
By Nikolaj Nielsen via Euobserver
Facebook is tracking users, both on and offline, contravening EU privacy rules, according to a report.
Compiled by researchers for the Belgian Privacy Commission, the report says the social media giant places cookies whenever someone visits a webpage belonging to the facebook.com domain, even if the visitor is not a Facebook user.
A cookie is a small file placed onto a computer by a browser and contains information that can be used to track and identify users.
People without Facebook accounts are not spared.
The 67-page report, first published in late February and then again with updated chapters on Tuesday (31 March), notes that “Facebook tracking is not limited to Facebook users.”
Facebook places a so-called “datre” cookie, which contains a unique identifier, onto the browsers of people in Europe who have no Facebook account. The cookie takes two years to expire.
A probe into Facebook by Ireland’s data protection commission in 2011 noted that the “datre” cookie is “used for security, among other purposes”. Ireland’s data commission at the time recommended Facebook to shorten the cookie’s 2-year lifespan.
Meanwhile, Facebook does not place any long term identifying cookie on the opt- out sites suggested by Facebook to US and Canadian users.
As for users, Facebook tracks them across websites even if they are not logged in or use social plugins.
Social plugins include Google+ “+1”, Linkedin “in share”, and Facebook’s “Like Button”. The Facebook Like button is present on some 13 million sites, including health and government websites.
Facebook’s policy says it still receives data when people visit a website “with the Like button or another social plugin”, even if they are logged out or don’t have an account.
Researchers say this violates the EU’s e-Privacy Directive because cookies placed via social plugins require prior consent unless it is needed to connect to the service network or is specifically requested by the user or subscriber to obtain a service.
Brendan Van Alsenoy, a researcher at ICRI and one of the report’s authors, told the Guardian that “to be legally valid, an individual’s consent towards online behavioural advertising must be opt-in.”
Facebook default setting also means it is able to tracks users for advertising purposes across non-Facebook websites.
“Even if the user takes the additional step to opt out, he or she will still be tracked by Facebook, but Facebook promises it won’t use the information for ad targeting purposes,” notes the report.
Facebook, for its part, says the report’s authors had “declined to meet with us or clarify the inaccurate information about this and other topics”.
A spokesperson at Facebook in an email said virtually all websites, including Facebook, legally use cookies to offer their services.
“If people want to opt out of seeing advertising based on the websites they visit and apps they use, they opt out through the EDAA, whose principles and opt out we and more than 100 other companies comply with,” said the contact.
Facebook says it takes this commitment one step further.
“When you use the EDAA opt out, we opt you out on all devices you use and you won’t see ads based on the websites and apps you use,” said the spokesperson.