A new report from Belgian universities suggests that Facebook is in violation of EU laws because of its intensive tracking on user activity. The reports come from the University of Leuven and the Vrije University in Brussels, where researchers have published an analysis of Facebook terms and policies, which have been updated over the past few weeks. According to their reports, Facebook is tracking everyone visiting the sites, regardless of whether they have an account or not, and even pursues tracking if the users opt out from targeted advertisements.
The universities begun their research based on a commission from the Belgian Privacy Commission, who seemingly had doubts about the legality of Facebook tracking policies across the European Union. Although the report does not explicitly state that Facebook is in clear violation of EU laws, it does point out that it is very likely that the social media network truly is.
The teams that were researching these Facebook policies that seemed dubious to many across the EU are comprised of legal researchers, privacy experts and scientists. These researchers found that upon technical analysis of Facebook tracking practices, a cookie called datr was placed on browsers which were used to access the social media network. According to them, the cookie was placed even if the visitor did not have a Facebook account themselves. The cookie supposedly has a unique identifier, and will stay for two years, unless it is cleared from the browser.
The datr cookie is not the only cookie placed by Facebook on visitor browsers, as the network users various types of cookies to keep track and identify the user, after a single visit to any Facebook page. As a result of these cookies, and if they’re not cleared from the browser, Facebook will keep track of user activity. That tracking includes all the websites that contain Facebook plugins, share handles and social plug-ins in connection to the social media network.
These cookies will collect information such as the websites that were visited by the user, information about the browsers they are using, their operating systems and who knows how much more information. That means that you, as a Facebook or non-Facebook user, are constantly tracked during your web activity, for advertisement targeting purposes. Sounds frightening, but you’ve agreed to this if you are an account holder. But why does the network still use the same practices on those who don’t hold any Facebook accounts?
The funny thing is that Facebook lets you opt out from targeted advertisements, which in essence, has no effect whatsoever, if the findings of the Belgian researchers are accurate. According to them, even after a user visits the European Digital Advertising Alliance website and opts out there, the datr cookie will still be placed on their browser, which makes that whole ordeal completely useless. The problem here is that researchers came to the conclusion that this only happens with European users, while Canadian and American users are not affected.
Based on that reasoning, and on the fact that the cookie is placed on the browser without the user’s consent proves that Facebook is in violation of European laws. If that was a bit unclear: if American and Canadian opt-outs work and don’t need the cookie for “security and integrity purposes”, then why do European users have to deal with it anyway? The divide demonstrates that even though Facebook tells you that the cookie is necessary for security purposes, the fact that it is not included internationally demonstrates the opposite.
Facebook has responded to the report, saying that it “contains factual inaccuracies”. Moreover, the social media network representatives reiterated that the site uses these cookies in a lawful way, in order to identify and disable spammer accounts, recover account info, provide login notifications and approvals, deliver, select, evaluate, measure and understand ads on and off the platform, including those of its partners, and of course, to enhance security. As for non-Facebook users, the cookies serve the purpose of protecting services, detect and identify denial-of-service attacks and to prevent mass fake account creation.
The Belgian Privacy Commission, as well as German and Dutch authorities are not so sure about what Facebook is claiming. They have already formed a task force to investigate such practices, and have stated that the Belgian report will be included in their investigations. Moreover, they’ve stressed the fact that the drawing conclusions so soon would be rash. Worst case scenario for Facebook: it will be sued by the Eu.