Researches at Belgian universities have found that Facebook tracks everyone who visits its site, including people who don’t have an account, or those who have opted out of targeted ads. font size="2">In December 2014, Facebook announced that it would revise its Data Use Policy and Terms of Service.
At the request of the Belgian Privacy Commission, ICRI/CIR (KU Leuven), in cooperation with iMinds-SMIT (Vrije Universiteit Brussel) conducted an analysis of Facebook’s revised policies and terms, as they were announced last December.
According to thre research, Facebook's new policies and terms allow the social network to (1) track its users across websites and devices; (2) use profile pictures for both commercial and non-commercial purposes and (3) collect information about its users’ whereabouts on a continuous basis. Facebook announced the changes more than a month in advance, but the choice for its +1 billion users remained the same: agree or leave Facebook.
The researchers also focused on tracking techniques that use social plug-ins such as the "Like Button", which is used on more than 13 million third -party websites, and also tested the advertising tracking opt-out.
"In doing so, a number of remarkable new issues have come to light," said Brendan Van Alsenoy, legal researcher at the Interdisciplinary Center for Law and ICT of the University of Leuven.
It turns out, for instance, that Facebook places a cookie on the browser of anyone who visits a Web page belonging to the facebook.com domain, even if the visitor is not a Facebook user, the report found. The cookie placed by Facebook is called "datr" which contains a unique identifier and has an expiration date of two years.
Facebook users also get a range of additional cookies which uniquely identify the user.
Once these cookies have been set, Facebook will in principle receive information from them during every subsequent visit to a website containing a Facebook social plug-in. These cookies will give Facebook information like the URL of the Web page that was visited as well as information about the browser and operating system, the report said.
This means that Facebook tracks its users for advertising purposes across non-Facebook websites by default, the report said. Even opting out won’t help. According to the researchers, Facebook will keep tracking you even if you have no account and opted out from targeted advertising on the European Digital Advertising Alliance website. When someone opts-out there, Facebook will place the same unique identifying "datr" cookie, they said.
Facebook users are also extensively tracked. Even when a Facebook user deactivates his account, Facebook will still receive cookies that uniquely identify the ex-user, according to the report.
The research indicates that Facebook is acting in violation of European law.
First of all the researchers claim that Facebook places too much burden on its users. Users are expected to navigate Facebook’s complex web of settings (which include "Privacy", "Apps", "Adds", "Followers", etc.) in search of possible opt-outs.
"Facebook’s default settings related to behavioural profiling or Social Ads, for example, are particularly problematic," the research reads.
Moreover, users are offered no choice whatsoever with regard to their appearance in "Sponsored Stories" or the sharing of location data, the research found.
Second, users do not receive adequate information. For instance, it isn’t always clear what is meant by the use of images "for advertising purposes".
"Will profile pictures only be used for "Sponsored Stories" and "Social Adverts", or will it go beyond that? Who are the "third party companies", "service providers" and "other partners" mentioned in Facebook’s data use policy? What are the precise implications of Facebooks’ extensive data gathering through third-party websites, mobile applications, as well recently acquired companies such as WhatsApp and Instagram?," the researchers asked in their study.
At the request of the Belgian Privacy Commission, ICRI/CIR, in cooperation with iMinds-SMIT, drafted a report analysing Facebook’s revised policies and terms. The report forms part of the documentation upon which the Privacy Commission will rely in the course of its further investigation. The Belgian Privacy Commission is also part of a European task force, which includes data protection authorities from the Netherlands, Belgium and Germany.