'Unethical and illegal' Facebook criticised for tracking visitors
'Unethical and illegal' Facebook criticised for tracking visitors

In a report commissioned by the Belgian data protection agency and first seen by The Guardian, researchers revealed that Facebook tracks the web browsing of everyone who visits on a page on the facebook.com domain, irrespective if they are a user or not, or even if they have explicitly opted out of tracking in the EU via the European Digital Advertising Alliance website.

The researchers, who are from the Centre of Interdisciplinary Law and ICT (ICRI) and the Computer Security and Industrial Cryptography department (Cosic) at the University of Leuven, and the media, information and telecommunication department (Smit) at the Vrije Universiteit Brussels, were commissioned to look into the matter after the original draft report revealed that Facebook's privacy policy breached European law.

They subsequently found that Facebook would place cookies on visitors to facebook.com websites, including fan pages and other pages.

The issue specifically revolves around the giant's use of social plugins on some 13 million websites, with these used to detect users and send tracking cookies to Facebook, even if there is no user interaction with the page. This tracking is done for advertising purposes, although EU privacy law details that – in almost all cases - prior consent must be given before tracking is allowed.

The same law requires websites to notify users on their first visit to a site that it uses cookies, requesting consent to do so.

“We collect information when you visit or use third-party websites and apps that use our services. This includes information about the websites and apps you visit, your use of our services on those websites and apps, as well as information the developer or publisher of the app or website provides to you or us,” details Facebook's data usage policy, which was updated this year.

The company is regulated by the Irish Data Protection Commissioner, which checks that Facebook is acting within the EU Data Protection Directive.

Facebook reacted angrily to the report, which has no legal standing, claiming that it is “inaccurate”.

"This report contains factual inaccuracies," a spokesperson said. "The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based. Neither did they invite our comment on the report before making it public.

"However, we remain willing to engage with them and hope they will be prepared to update their work in due course."

The report's authors have said that they stick by their findings, and say they have not been contacted by Facebook, or received a meeting request.

Eddy Willems, security evangelist at G Data Security Labs, told SCMagazineUK.com that this was more evidence that big US tech companies are out of the loop on EU laws.

“It is clear that the US companies like Facebook and Google needs to talk much more in detail with the EU definitely concerning our privacy laws as they differ 100 percent,” said Williams.