Facebook is in trouble again – this time from the Belgian privacy commission, which is cross about the fact that it tracks internet users who are not members of the social network.
A court has ruled that it is unacceptable that every time someone clicks a “like” button on a website, their browsing activity is collected, regardless of whether they are Facebook users or not.
Facebook says it would weaken the security of its 1.5 billion members to remove the tool.
What’s it all about?
The controversy centres around a cookie – a simple text file which can track a number of user activities – which Facebook has used for the last five years.
Researchers found that even non-members who visited any net page that fell under the facebook.com domain would have what Facebook calls its datr cookie – which has a two-year lifespan – installed on their browser.
They conducted a series of tests including one where they did a Google search for the term “facebook data policy”. It led them to the Facebook data policy page which placed the datr cookie on their browser.
They then visited a Belgian website related to prostate cancer treatment which includes a Facebook like button and found that the datr cookie was sent to Facebook.
There was no formal notice regarding any cookie being stored.
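The researchers' two-step test can be expressed as a check over a browser request capture: find where the cookie was issued, then flag every request that carried it from a page on an unrelated site. This Python check is an added example, not code from the report or from Facebook; the capture records, URL paths, cookie value and health-site.example are constructed placeholders.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def audit_cookie(capture, name, domain):
    """Return where cookie `name` was issued and which unrelated pages sent it back."""
    issued, leaks = {}, []
    for rec in capture:
        page_host = urlsplit(rec["page"]).hostname
        req_host = urlsplit(rec["url"]).hostname
        if not under(req_host, domain):
            continue  # request does not go to the cookie's owner
        sent = SimpleCookie(rec.get("cookie", "")).get(name)
        if sent is not None and sent.value in issued and not under(page_host, domain):
            # The identifier reaches the cookie's owner with a request that was
            # made from a page on another site (third-party context).
            leaks.append({"visited": rec["page"], "value": sent.value,
                          "set_on": issued[sent.value]["page"]})
        for header in rec.get("set_cookie", []):
            morsel = SimpleCookie(header).get(name)
            if morsel is not None:
                days = int(morsel["max-age"] or 0) // 86400
                issued[morsel.value] = {"page": rec["page"], "max_age_days": days}
    return issued, leaks

# Constructed capture mirroring the two steps described above (placeholders only).
CAPTURE = [
    {"page": "https://www.facebook.com/policy-page",
     "url": "https://www.facebook.com/policy-page",
     "set_cookie": ["datr=CONSTRUCTED-ID-1; Max-Age=63072000; "
                    "Domain=.facebook.com; Path=/"]},
    {"page": "https://health-site.example/treatment",
     "url": "https://health-site.example/treatment"},
    {"page": "https://health-site.example/treatment",
     "url": "https://www.facebook.com/like-widget",
     "cookie": "datr=CONSTRUCTED-ID-1"},
]

if __name__ == "__main__":
    issued, leaks = audit_cookie(CAPTURE, "datr", "facebook.com")
    print("issued:", issued)
    print("sent from other sites:", leaks)
```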
The social network says that the primary use of the cookie is as a security tool: “It is something which our security team believes is the best way to protect people’s accounts,” a spokeswoman told the BBC.
But its tracking functionality has led the Belgian court to, rather dramatically, give Facebook 48 hours to stop using it or face a fine of 250,000 euros (£176,000) per day.
If Facebook has been using the cookie for years, why is this just coming to light now?
Eyes were drawn to the details of how Facebook’s cookies worked when the social network rolled out new terms and conditions in January, authorising it to track its users across websites and devices, use profile pictures for both commercial and non-commercial purposes and collect information about its users’ locations.
Users could agree to the changes or they could leave Facebook.
One of the things that the Belgian privacy commission did in response to the changes was commission a report from the Universities of Leuven and Brussels.
It concluded that tracking non-users was in breach of EU law.
Its findings were handed to the Belgian authorities who, after initial talks with Facebook failed to reach agreement, decided to take the case to court.
The judge agreed with the Belgian privacy commissioner, ruling that the information collected by the social network was personal data “which Facebook can only use if the internet user expressly gives their consent”.
What will Facebook do?
It is appealing against the ruling but has said that, if it is forced to remove the datr cookie in Belgium, it could make life harder for Belgian users of the service.
In a strongly worded blog from head of security Alex Stamos, it said that removing the cookie would mean “we would have to treat any visit to our service from Belgium as an untrusted login”.
It might mean that Belgians would have to go through a complicated log-in process to prove that they were the legitimate owners of their accounts, it added.
On the wider issue of how its privacy rules are enforced, it has said that it is only answerable to Ireland’s data commissioner, where it has its European headquarters.
Facebook says it needs the cookies for security reasons, which sounds fair enough, no?
Mr Stamos said the cookie can help in a number of ways such as:
- preventing the creation of fake accounts
- reducing the risk of users’ accounts being taken over by other people
- protecting users’ content against theft
- preventing distributed denial of service attacks
It said that if the court blocks it from using the cookie in Belgium it “would lose one of our best signals to demonstrate that someone is coming to our site legitimately”.
It also pointed out that the cookie was associated only with browsers, not individual people, and did not contain any information that is tied to a particular person.
One of the report authors, Brendan Van Alsenoy, said his team of researchers did not “buy the security argument”.
“We don’t find it persuasive. We think it is excessive. There are less intrusive ways to do this,” he told the BBC.
In a response to Facebook, the team pointed out that the firm already faced many instances when it could not track users – such as the 198 million net users who use adblockers.
“To the best of our knowledge ad-blocking users do not pose a critical threat to Facebook nor do users who install them need to go through burdensome security checks when they log in to Facebook.”
Why does Facebook track users anyway?
Advertising revenue is Facebook’s biggest source of income, jumping 45% this year, with mobile ad sales accounting for 78% of that.
Being able to track web-browsing habits, even anonymised ones, allows it to better target that advertising.
The internet has always been offered for free and, the argument goes, people would not be prepared to pay cold, hard cash for services from the likes of Facebook and Google, preferring instead to pay with their data.
Facebook has learnt from past mistakes that it has to treat user data with kid gloves, understanding that privacy is hugely important to its members.
It allows users to opt out of having ads targeted at them by going to Settings, Adverts and then Advert Preferences but, pointed out Mr Van Alsenoy, this does not stop Facebook collecting the information.
Cookies which track browsing habits have always been controversial and, in 2011, all EU websites were forced to get consent from visitors to store or retrieve any information on a computer, smartphone or tablet.
It is unclear how the big tech firms will cope with the constant and increasing scrutiny from European privacy commissioners.
Privacy campaigners are very clear though about what they want from Facebook.
They argue that Facebook needs to be more explicit about what it is tracking and offer users the right to opt in to such tracking rather than having to search through the site to find ways to opt out.
And their voices are getting louder.
In October 2015, Austrian student Max Schrems won a David and Goliath-style battle over data privacy, when the European Court of Justice agreed with him that there needed to be more scrutiny of the way US companies handled European users’ data.
And a court in Austria is now considering whether it will bring action against Facebook for violating privacy laws in its country.
The battle between privacy campaigners and the big tech firms is far from finished.