This article was published on March 31, 2015

Facebook tracks logged-out users in ‘violation’ of EU law, study says


Facebook tracks logged-out users in ‘violation’ of EU law, study says

A study commissioned by the Belgian Privacy Commission (BPC) has found that Facebook is tracking all users of its social networking site, even if they’ve opted out of tracking.

The research also found that logged out users, and people who don’t have an account at all, were having their Web movements tracked by Facebook through its use of social plugins, primarily the ‘Like’ button.

Although commissioned by the BPC, it was carried out by members of the Interdisciplinary Centre for Law and ICT/Centre for Intellectual Property Rights (ICRI/CIR) of KU Leuven, the department of Studies on Media, Information and Telecommunication (SMIT) of the Vrije Universiteit Brussel (VUB) and the department of Computer Security and Industrial Cryptography (COSIC) of KU Leuven.

Under EU law, any website must get the user’s permission before placing any cookies on their computer. Among other practices, it’s the automatic placement of tracking cookies that interact with its social plugins found on millions of different websites, that puts Facebook “violation of European law,” the study said. Facebook disputes the accusations.

Part of the issue will also fall to the fact that the tracking cookies interact with cookies stored when visiting Facebook.com pages even if the user doesn’t interact with the Like button. Most of the Facebook social plugins themselves don’t actually create new cookies, the researchers added.

This report follows a preliminary investigation into Facebook’s privacy and data practices in relation European law. At the time it said there was “too much burden” on users to navigate Facebook’s “complex web of settings.”

We’ve contacted Facebook for comment and will update when we hear back.

Update: A Facebook spokesperson said:

This report contains factual inaccuracies. The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based. Neither did they invite our comment on the report before making it public. We have explained in detail the inaccuracies in the earlier draft report (after it was published) directly to the Belgian DPA, who we understand commissioned it, and have offered to meet with them to explain why it is incorrect, but they have declined to meet or engage with us. However, we remain willing to engage with them and hope they will be prepared to update their work in due course.

➤ From social media service to advertising network A critical analysis of Facebook’s Revised Policies and Terms [PDF via The Guardian]

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with