Report Claims Facebook Breaks EU Law By Tracking You Even If You Opt Out

By Gerald Lynch

You think logging out of Facebook protects you from the prying eyes of Mark Zuckerberg's minions? Think again. A new report from researchers at the Centre of Interdisciplinary Law and ICT (ICRI) and the Computer Security and Industrial Cryptography department (Cosic) at the University of Leuven (via The Guardian) reveals that Facebook tracks the browsing habits of anyone who visits a page on its site, even those who have explicitly opted out of cookie tracking and those who have logged out of the service.

Facebook's tracking tactics go so far as to keep tabs on web users that don't even have a Facebook account -- merely visiting a Facebook page (such as fan or brand pages, which don't require an account to access), or visiting a third-party site making use of social plug-ins such as the omnipresent "Like" button or Facebook commenting module, will see the social network place a tracking cookie on a person's computer.

EU law requires that a person give prior consent to web tracking techniques before a site or service can issue a cookie to their machine. An exception applies only if the cookie is required for the networking needed to connect to a service, or if it is integral to a service that the user has already explicitly requested.

“If people who are not being tracked by Facebook use the ‘opt out’ mechanism proposed for the EU, Facebook places a long-term, uniquely identifying cookie, which can be used to track them for the next two years,” said Günes Acar of Cosic, co-author of the report.

“What’s more, we found that Facebook does not place any long-term identifying cookie on the opt-out sites suggested by Facebook for US and Canadian users.”

So, a particularly tricksy tracking campaign, tailor-made for EU browsers, then.

“We collect information when you visit or use third-party websites and apps that use our services,” reads Facebook’s data usage policy.

“This includes information about the websites and apps you visit, your use of our services on those websites and apps, as well as information the developer or publisher of the app or website provides to you or us.”

Updated: Facebook has sent us the following statement regarding the allegations:

This report contains factual inaccuracies. The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based. Neither did they invite our comment on the report before making it public. We have explained in detail the inaccuracies in the earlier draft report (after it was published) directly to the Belgian DPA, who we understand commissioned it, and have offered to meet with them to explain why it is incorrect, but they have declined to meet or engage with us. However, we remain willing to engage with them and hope they will be prepared to update their work in due course.