Facebook will contest the Brussels court verdict which threatens “one of our important technologies to stop attackers”.
Facebook is to appeal against a Brussels court ruling on Monday which gives it 48 hours to stop tracking non-members who visit its site, or pay daily fines of up to €250,000 (£175,000).
The verdict is a victory for Belgium's privacy watchdog in a long-running battle with Facebook over its ‘Datr’ tracking cookie. Datr is installed without permission whenever anyone, even a non-member, visits the social network's site or clicks a Facebook ‘like’ button on other sites. It then tracks their browser activity.
But Facebook has said it will appeal against the ruling, whose fines deadline runs out tomorrow (Wednesday). And its chief security officer Alex Stamos roundly criticised Belgium's Privacy Commission before the verdict, saying its actions threaten the security of Facebook's 1.5 billion members and go against the user security that data watchdogs should be defending.
The Brussels court has ruled Facebook must obtain explicit consent before using Datr to track and collect data on non-members in Belgium. "This is personal data, which Facebook can only use if the internet user expressly gives their consent, as Belgian privacy law dictates," it said in a statement. “If the Internet surfer has no Facebook account, then Facebook has to explicitly ask for permission, and give the required explanation.”
The court ordered Facebook “to stop tracking and registering internet usage by people who surf the internet in Belgium, in the 48 hours which follow this statement”. If it fails to comply, it will have to pay fines of up to £175,000 a day to the Belgian Privacy Commission.
The court also rejected Facebook's argument that it should answer only to the Data Protection Commissioner in Ireland, where its European headquarters are.
But Facebook's spokesperson confirmed in a statement: “We will appeal this decision and are working to minimise any disruption to people's access to Facebook in Belgium. We've used the Datr cookie for more than five years to keep Facebook secure for 1.5 billion people around the world.”
And in a recent blog, Stamos insisted the actions of the Belgian Privacy Commission “could undermine our efforts to keep the accounts of people in Belgium safe”.
He said: “Most significantly, we use the Datr cookie to help differentiate legitimate visits to our website from illegitimate ones. We use the cookie for preventing the creation of fake and spammy accounts, reducing the risk of someone's account being taken over by someone else, protecting people's content from being stolen, and stopping DDoS attacks that could make our site inaccessible to people.”
But analysing the court case, independent UK data privacy expert Chris Boyd, malware intelligence analyst at Malwarebytes, said users are unlikely to agree with Facebook's stance.
He told SCMagazineUK.com via email: “While there may be benefits to Facebook in terms of warding off DDoS, for the individual users who actually possess Facebook accounts they may wish to invest in two-factor authentication and steer clear of attempted phish and other obvious scam attempts.
“People mostly associate cookies with dubious forms of advertising and other unwanted types of tracking, and I feel it may be an uphill struggle for Facebook and others to re-associate cookies in the court of public opinion with good security practices.”
Boyd also said the case is likely to be a forerunner for other personal privacy battles: "This could be seen as the ever-growing backlash against cookies and tracking. Many people have real issues with being tracked while not making use of a particular service, and we can expect to see more of this taking place as familiarity with ad-blockers and tracking opt-outs increases. Our browsing habits can be incredibly valuable to companies, and informed consumers understandably wish to take control of their data as a result."
European data protection expert Rafael Laguna, CEO of Open-Xchange, was strongly critical of Facebook's stance and said it goes against the tide of privacy protection running through Europe.
He told SCMagazineUK.com: “Europe as a whole is going through an intense period of democratic self-determination. ‘Safe Harbour' has been resoundingly rejected by the European Court and Google has been pulled up on its anti-competitive behaviour by the European Commission. Simply put, European institutions hold the privacy of their citizens to a far higher standard than American companies care for.
“It's easier for Facebook to rely on a cookie that indiscriminately monitors user (and non-user) activity than it is for them to invest in more sophisticated security measures. It doesn't matter that they've used the Datr cookie for five years, or that other sites utilise similar cookies, or that the Irish Data Protection Commissioner has separately validated its use. In our world, democracies, governments and laws tell companies what's best for their citizens, not the other way around.”
Stamos argued that Datr does not track individuals online, and its logs are deleted after 10 days. “The Datr cookie is only associated with browsers, not individual people. It doesn't contain any information that identifies or is tied to a particular person,” he said.
However, if Facebook is forced to comply with the ruling, he said: “We would have to treat any visit to our service from Belgium as an untrusted login and deploy a range of other verification methods for people to prove that they are the legitimate owners of their accounts. It would also make Belgian devices more attractive to spammers and others who traffic in compromised accounts on underground forums.”
The court case dates back to a March 2015 investigation on behalf of Belgium's Privacy Commission, which found Facebook's tracking was “in violation of European law”, as we reported at the time. Facebook said the finding was “inaccurate”.
Facebook has also faced privacy challenges in other European countries including Germany and Holland.