New report says Facebook’s “watchful eye” violates EU privacy rights.
A new report at the behest of the Belgian Privacy Commission has accused Facebook of breaching EU laws by continuing to keep a tab on the browsing movements of users through social plugins, regardless of privacy choices or account status.
As cited in The Guardian, the report reveals that the social networking site tracks everyone, primarily using cookies and the ‘like’ button, violating not only individual’s privacy rights but also European laws that mandates users’ consent to having tracking cookies placed on their computer.
The tracking occurs regardless of users’ explicit opt out or login status; apparently even the users who never have an account on Facebook are being tracked.
Facebook’s social plugins such as its "like" button can be found on more than 13m sites, wherein the "tracking cookies" are placed. As soon as a user visits these third-party sites, the plugin detects and sends the tracking cookies, named ‘datr,’ back to Facebook – even if the user does not press the "like" or "share" buttons or logs in to the site itself.
The report further claims that Facebook has placed a long-term tracking cookie on EU users, a tactic not tried on American or Canadian users.
Researchers tested the official opt-out mechanism employed by Facebook by visiting the European Digital Advertising Alliance website that subscribed to "opt-out" mechanisms.
Findings reported in The Independent say that Facebook instead placed a new tracking cookie on their test computer in the EU, which was not placed at the same time on test computers visiting the same sites in the US and Canada.
According to Article 29, the pan-European data regulator working party, users can opt out of ad tracking, but an opt-out mechanism "is not an adequate mechanism to obtain average users informed consent."
As cited in The Guardian, Brendan Van Alsenoy, a researcher at ICRI and one of the report’s author, said: "European legislation is really quite clear on this point. To be legally valid, an individual’s consent towards online behavioural advertising must be opt-in.
"Facebook cannot rely on users’ inaction (ie not opting out through a third-party website) to infer consent. As far as non-users are concerned, Facebook really has no legal basis whatsoever to justify its current tracking practices."
Meanwhile, Facebook has strongly contested the results of the report, carried out by researchers at the Centre of Interdisciplinary Law and ICT (ICRI), the Computer Security and Industrial Cryptography department (Cosic) at the University of Leuven, and the media, information and telecommunication department (Smit) at Vrije Universiteit Brussels.
In a statement, the company said: "This report contains factual inaccuracies. The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based. Neither did they invite our comment on the report before making it public.
"We have explained in detail the inaccuracies in the earlier draft report (after it was published) directly to the Belgian DPA, who we understand commissioned it, and have offered to meet with them to explain why it is incorrect, but they have declined to meet or engage with us. However, we remain willing to engage with them and hope they will be prepared to update their work in due course".
Facebook said any clarifications can be sought with the Irish Data Protection Commissioner, its EU regulator.
The social networking site had been under scanner in the EU for its practice of selling targeted ads through tracking users’ movements.