In a report commissioned by the Belgian data protection agency and first seen by The Guardian, researchers revealed that Facebook tracks the web browsing of everyone who visits a page on the facebook.com domain, whether or not they are a Facebook user, and even if they have explicitly opted out of tracking in the EU via the European Digital Advertising Alliance website.
They subsequently found that Facebook would place cookies on the browsers of visitors to facebook.com pages, including fan pages and other public pages.
The issue specifically revolves around the giant's use of social plugins on some 13 million websites: the plugins detect users and send tracking cookies to Facebook even when the visitor never interacts with the plugin on the page. This tracking is done for advertising purposes, although EU privacy law specifies that, in almost all cases, prior consent must be given before tracking is allowed.
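The exposure described above can be checked from a browser's own network capture: a social plugin embedded on a publisher's site makes the browser request facebook.com, so any cookie previously set by Facebook is sent along, and Facebook can set a fresh one if none exists. The following audit script is an added example, not code from the report or from Facebook; it reads a HAR-style capture (constructed inline here, with made-up cookie names) and flags third-party plugin requests that carry or receive cookies, noting when a Do Not Track header was present and ignored.

```python
import json
from urllib.parse import urlsplit

# Hosts treated as the tracker's first party; a page on any other host is a third-party context.
TRACKER_SUFFIXES = ("facebook.com", "facebook.net", "fbcdn.net")

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def _is_tracker(host):
    return any(host == s or host.endswith("." + s) for s in TRACKER_SUFFIXES)

def _header(headers, name):
    # HAR headers are a list of {"name": ..., "value": ...}; names are case-insensitive.
    for h in headers:
        if h["name"].lower() == name:
            return h["value"]
    return None

def audit_har(har, page_url):
    """Return one finding per third-party request to a tracker host that sends or receives a cookie."""
    findings = []
    if _is_tracker(_host(page_url)):
        return findings  # first-party context: cookies are expected there
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        if not _is_tracker(_host(req["url"])):
            continue
        issues = []
        if _header(req["headers"], "cookie"):
            issues.append("cookie_sent")      # an existing identifier left the browser cross-site
        if _header(resp["headers"], "set-cookie"):
            issues.append("cookie_set")       # a new identifier was placed without interaction
        if issues and _header(req["headers"], "dnt") == "1":
            issues.append("dnt_ignored")      # the browser asked not to be tracked
        if issues:
            findings.append({"url": req["url"], "issues": issues})
    return findings

# Constructed sample capture: one first-party page load, two plugin loads from facebook.com.
SAMPLE_HAR = json.loads("""{"log": {"entries": [
 {"request": {"url": "https://publisher.example/article", "headers": []},
  "response": {"headers": [{"name": "Content-Type", "value": "text/html"}]}},
 {"request": {"url": "https://www.facebook.com/plugins/like.php?href=https://publisher.example/article",
   "headers": [{"name": "Cookie", "value": "tracker_id=abc123"}, {"name": "DNT", "value": "1"}]},
  "response": {"headers": []}},
 {"request": {"url": "https://www.facebook.com/plugins/like.php?href=https://publisher.example/other",
   "headers": []},
  "response": {"headers": [{"name": "Set-Cookie", "value": "tracker_id=xyz789; Path=/"}]}}
]}}""")

if __name__ == "__main__":
    for f in audit_har(SAMPLE_HAR, "https://publisher.example/article"):
        print(f["url"], "->", ", ".join(f["issues"]))
```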
“We collect information when you visit or use third-party websites and apps that use our services. This includes information about the websites and apps you visit, your use of our services on those websites and apps, as well as information the developer or publisher of the app or website provides to you or us,” details Facebook's data usage policy, which was updated this year.
The company is regulated by the Irish Data Protection Commissioner, which checks that Facebook is acting within the EU Data Protection Directive.
Facebook reacted angrily to the report, which has no legal standing, claiming that it is “inaccurate”.
"This report contains factual inaccuracies," a spokesperson said. "The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based. Neither did they invite our comment on the report before making it public.
"However, we remain willing to engage with them and hope they will be prepared to update their work in due course."
The report's authors have said that they stick by their findings, and say they have not been contacted by Facebook, or received a meeting request.
Eddy Willems, security evangelist at G Data Security Labs, told SCMagazineUK.com that this was more evidence that big US tech companies are out of the loop on EU laws.
“It is clear that the US companies like Facebook and Google need to talk much more in detail with the EU, definitely concerning our privacy laws, as they differ 100 percent,” said Willems.
“It is nearly unbelievable how much ‘big data’ is stored from all of us at the servers of US based companies. This could explode and is already exploding in the face of some US based companies,” he said.
Willems added that there needs to be ‘better communication’ on how technology companies use customer data, but believes the EU needs to change too.
“I've seen numerous good EU security and privacy projects but I never saw one united ‘voice’. If we got that united ‘voice’ it should be much easier to talk and change the mentality of some big companies like Facebook. Let's hope this study could be one of the better steps in solving this ‘privacy’ problem and also for the future.”
Alexander Hanff, CEO of Belize-based Think Privacy Inc, which provides a range of ‘privacy enhancing’ technologies and services, said in an email to SC that whilst he was glad it was receiving attention, this isn't news.
“Myself and other privacy advocates have been complaining against this type of behaviour for years now and I have made countless observations that such practices are non-compliant with Article 5(3) of the ePrivacy Directive. I have argued this point with ICO, the European Commission and various other "authorities" throughout Europe. Furthermore, again, privacy advocates (particularly myself) have complained about companies ignoring Do Not Track since it first appeared in web browsers - so none of this is new or exclusive news.”
He added: “Clearly Facebook and every other social network (including Twitter) as well as analytics and other third-party companies which track users without explicit consent are in breach of the Directive - the problem is, Data Protection Authorities have so far refused to take any action against them, let alone meaningful action.
“These regulators have completely failed to protect the fundamental privacy rights of EU citizens and despite the rhetoric, continue to do so. One can only hope that now the issue has gone "mainstream" some action will happen as a result, but given the track record of DPAs on these issues so far - I wouldn't hold my breath.”
Caspar Bowden, privacy advocate and former chief privacy adviser at Microsoft, added in an email to SC that EU regulators “now have the evidence to force Facebook to stop the most massively privacy invasive – and deceptive – practices in the industry.”
Brian Honan, managing director and consultant at BH Consulting, added: “This is a blatant disregard of people's privacy. People should not have to opt-out of a service they never signed up to or agreed to.”
“This is endemic of how many large companies view their relationship with their customers. Personal data is viewed as part of the transaction and/or engagement which these companies will look to monetise. However, companies need to remember the personal data entrusted to them by their customers does not belong to them… Large corporates who misuse personal data and government agencies who conduct illegal mass surveillance are causing irreparable damage to the trust people have in the internet.”
Neil Hare-Brown, CEO of Storm Guidance, told SC that this was the latest example of a tech giant acting “at best irresponsibly and at worst unethically or illegally”.
“Surely, it should not be hard for multi-million dollar businesses to view potential privacy concerns from the point of view of the user? Surely Facebook would not claim that users (account holders, or not) would, once they understood these practices, willingly consent to this profiling of them?”