Facebook tracks the web browsing of everyone who visits a page on its site even if the user does not have an account or has explicitly opted out of tracking in the EU, extensive research commissioned by the Belgian data protection agency has revealed.
The report, from researchers at the Computer Security and Industrial Cryptography department (Cosic) at the University of Leuven, and the media, information and telecommunication department (Smit) at Vrije Universiteit Brussels, was commissioned after an original draft report revealed Facebook’s privacy policy breaches European law.
The researchers now claim that Facebook tracks computers of users without their consent, whether they are logged in to Facebook or not, and even if they are not registered users of the site or explicitly opt out in Europe. Facebook tracks users in order to target advertising.
The issue revolves around Facebook’s use of its social plug-ins such as the “Like” button, which has been placed on more than 13m sites including health and government sites.
Facebook places tracking cookies on users’ computers if they visit any page on the facebook.com domain, including fan pages or other pages that do not require a Facebook account to visit.
When a user visits a third-party site that carries one of Facebook’s social plug-ins, the plug-in detects the tracking cookies and sends them back to Facebook, even if the user does not interact with the Like button, Facebook Login or any other extension of the social media site.
EU privacy law states that prior consent must be given before issuing a cookie or performing tracking, unless it is necessary for either the networking required to connect to the service (“criterion A”) or to deliver a service specifically requested by the user (“criterion B”).
The same law requires websites to notify users on their first visit to a site that it uses cookies, requesting consent to do so.
A cookie is a small file placed on a user’s computer by a website that stores settings, previous activities and other small amounts of information needed by the site. Cookies are sent to the site on each visit and can therefore be used to identify a user’s computer and track their movements across the web.
“We collect information when you visit or use third-party websites and apps that use our services. This includes information about the websites and apps you visit, your use of our services on those websites and apps, as well as information the developer or publisher of the app or website provides to you or us,” states Facebook’s data usage policy, which was updated this year.
Facebook’s tracking practices have ‘no legal basis’
An opinion published by Article 29, the pan-European data regulator working party, in 2012 stated that unless delivering a service specifically requested by the user, social plug-ins must have consent before placing a cookie. “Since by definition social plug-ins are destined to members of a particular social network, they are not of any use for non-members, and therefore do not match ‘criterion B’ for those users.”
The same applies for users of Facebook who are logged out at the time, while logged-in users should only be served a “session cookie” that expires when the user logs out or closes their browser, according to Article 29.
The Article 29 working party has also said that cookies set for “security purposes” can only fall under the consent exemptions if they are essential for a service explicitly requested by the user, not the general security of the service.
Facebook’s cookie policy updated this year states that the company still uses cookies if users do not have a Facebook account, or are logged out, to “enable us to deliver, select, evaluate, measure and understand the ads we serve on and off Facebook”.
The social network tracks its users for advertising purposes across non-Facebook sites by default. Users can opt out of ad tracking, but an opt-out mechanism “is not an adequate mechanism to obtain average users’ informed consent”, according to Article 29.
“European legislation is really quite clear on this point. To be legally valid, an individual’s consent towards online behavioural advertising must be opt-in,” explained Brendan Van Alsenoy, a researcher at Cosic and one of the report’s authors.
“Facebook cannot rely on users’ inaction (ie not opting out through a third-party website) to infer consent. As far as non-users are concerned, Facebook really has no legal basis whatsoever to justify its current tracking practices.”
Opt-out mechanism actually enables tracking for the non-tracked
The researchers also analysed the opt-out mechanism used by Facebook and many other internet companies including Google and Microsoft.
Users wanting to opt out of behavioural tracking are directed to sites run by the Digital Advertising Alliance in the US, the Digital Advertising Alliance of Canada in Canada or the European Digital Advertising Alliance in the EU, each of which allows bulk opting out from 100 companies.
But the researchers discovered that far from opting out of tracking, Facebook places a new cookie on the computers of users who have not been tracked before.
“If people who are not being tracked by Facebook use the ‘opt out’ mechanism proposed for the EU, Facebook places a long-term, uniquely identifying cookie, which can be used to track them for the next two years,” explained Günes Acar from Cosic, who also co-wrote the report. “What’s more, we found that Facebook does not place any long-term identifying cookie on the opt-out sites suggested by Facebook for US and Canadian users.”
The finding was confirmed by Steven Englehardt, a researcher at Princeton University’s department of computer science who was not involved in the report: “I started with a fresh browsing session and received an additional ‘datr’ cookie that appears capable of uniquely identifying users on the UK version of the European opt-out site. This cookie was not present during repeat tests with a fresh session on the US or Canadian version.”
Facebook sets an opt-out cookie on all the opt-out sites, but this cookie cannot be used for tracking individuals since it does not contain a unique identifier. Why Facebook places the “datr” cookie on computers of EU users who opt out is unknown.
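The distinction the researchers draw, between an opt-out cookie that carries no unique identifier and a long-lived cookie that does, can be checked mechanically from the Set-Cookie headers a site returns. The following Python audit is an added example and is not code from the report or the article; the sample headers, the example.com domain and the two thresholds are constructed assumptions for illustration.

```python
import math
from collections import Counter
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_SESSION_DAYS = 30      # assumed threshold: longer than this is "long-term"
MIN_IDENTIFYING_BITS = 32  # assumed threshold: above this the value looks unique

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    return name.strip(), value.strip(), attrs

def lifetime_days(attrs, now):
    """Days the cookie outlives `now`; None means a session cookie (Max-Age wins over Expires)."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return None

def value_entropy_bits(value):
    """Total Shannon entropy of the value in bits, a rough uniqueness measure
    (a flag such as '1' scores 0; a random-looking token scores far higher)."""
    n = len(value)
    return -n * sum(c / n * math.log2(c / n) for c in Counter(value).values()) if n else 0.0

def audit(headers, now):
    """Return names of cookies that are both long-lived and identifying."""
    flagged = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        days = lifetime_days(attrs, now)
        if (days is not None and days > MAX_SESSION_DAYS
                and value_entropy_bits(value) >= MIN_IDENTIFYING_BITS):
            flagged.append(name)
    return flagged

# Constructed sample headers (not captured from any real site); the reference
# time is fixed so the result is reproducible.
NOW = datetime(2015, 3, 31, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "datr=x9Kq2vL8bT1nWp3cZr7yHs0e; expires=Thu, 30 Mar 2017 12:00:00 GMT; path=/; domain=.example.com",
    "optout=1; expires=Thu, 30 Mar 2017 12:00:00 GMT; path=/; domain=.example.com",
    "sess=a8f3k2m9q1z7; path=/",
]
```

Only the two-year, high-entropy cookie is flagged; the equally long-lived opt-out flag and the session cookie are not.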
‘Privacy-friendly’ design
For users worried about tracking, third-party browser add-ons that block tracking are available, says Acar: “Examples include Privacy Badger, Ghostery and Disconnect. Privacy Badger replaces social plug-ins with privacy-preserving counterparts so that users can still use social plug-ins, but not be tracked until they actually click on them.”
“We argue that it is the legal duty of Facebook to design its services and components in a privacy-friendly way,” Van Alsenoy added. “This means designing social plug-ins in such a way that information about individuals’ personal browsing activities outside of Facebook is not unnecessarily exposed.”
Facebook is being investigated by the Dutch data protection authority, which asked the social network to delay rollout of its new privacy policy, and is being probed by the Article 29 working party.
“We recently updated our terms and policies to make them more clear and concise, to reflect new product features and to highlight how we’re expanding people’s control over advertising,” said a Facebook spokesperson in response to the original report.
“We’re confident the updates comply with applicable laws. As a company with international headquarters in Dublin, we routinely review product and policy updates including this one with our regulator, the Irish Data Protection Commissioner, who oversees our compliance with the EU Data Protection Directive as implemented under Irish law.”
Facebook had not responded to the new findings by the time of publication.