Facebook is continuing to monitor the browsing habits of European users even when they explicitly opt-out of tracking, claims a new, independent report compiled by the Belgian Privacy Commission. The social network tracks users that are logged out of the site and individuals who do not have a Facebook account, say researchers. This, they say, means that Facebook is not only ignoring the data rights of users but is also in breach of European law requiring users to consent to having tracking cookies placed on their computer.
Facebook's Like button is found on 32 percent of the top 10,000 websites
"When a logged-in Facebook user visits a site with Facebook social plug-ins, Facebook receives the Facebook ID and browser ID, along with the URL of the page being visited," says the section of the report dedicated to social plug-ins. "[And] when a Facebook user explicitly logs out, Facebook keeps uniquely identifying … cookies in the browser, which are then used to track logged-out users across the web."
facebook's tracking cookies even affect those without a facebook account
The researchers claim that these tracking cookies are also stored on a user’s machine even if they deactivate their account and that some of the social network’s plug-ins track users who have never created a Facebook account in the first place. The researchers found that sites including OkCupid, MTV, and MySpace placed Facebook's cookies on computers even if the computer user did not click or interact with the site in any way. "Their main goal is to try and make money by advertising to you, and this means tracking you as much as possible," Professor Bart Preneel, a Belgian cryptographer and co-author of the paper told The Verge.
facebook tracked users trying to opt-out from being tracked
The report also found that the official opt-out mechanism employed by Facebook and companies such as Microsoft and Google, was ineffective in the EU. When the researchers visited the European Digital Advertising Alliance website used to opt-out of multiple tracking schemes at once, Facebook instead placed a new tracking cookie on their test computer. The same cookie — which has a lifespan of two years unless manually cleared by the user — was not placed on test computers visiting the equivalent sites in the US and Canada. The Guardian reports that this finding was confirmed by Steven Englehardt, an independent researcher from Princeton University.
Facebook, however, disputes the researchers' work entirely. "This report contains factual inaccuracies," a spokesperson for the company said in a statement given to The Verge. "The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based. Neither did they invite our comment on the report before making it public. We have explained in detail the inaccuracies in the earlier draft report ... and have offered to meet with [the report's commissioning body] to explain why it is incorrect, but they have declined to meet or engage with us."
The report was commissioned by the Belgian data protection agency and compiled by various cryptography, telecom, and media researchers from the University of Leuven and Vrije Universiteit Brussels in Belgium.