A new report claims the social networking service is tracking people without their permission. It doesn’t matter if you don’t even use Facebook: they’re still watching you. Here’s what that means to you, and what you can do about it.
Of course, Facebook’s privacy settings have been a worry since the site was set up in 2004, and frequent changes to your settings means there’s often a fresh new concern. But we do throw ourselves online with such enthusiasm! Photos, private messages, locations – many of us document our lives using Facebook and Twitter. You can even turn your tweets into a book.
And when Facebook acquired WhatsApp, even the privacy of that SMS service got a few sweating.
And to add further fuel to controversies, the Belgium Privacy Protection Commission (CPVP/CBPL) says Facebook “tramples” on European privacy laws…
What Are They Doing?
Following a report by their inter-university centre, EMSOC/SPION, in conjunction with their counterparts in France, Spain, the Netherlands, and Germany, the commission states:
“The research results are disconcerting. Facebook disregards European and Belgian privacy legislation in several ways… [Tracking people through social plug-ins] does not only impact Facebook users but also virtually every Internet user in Belgium and Europe.”
The social networking giant has seemingly ignored EU law by tracking traffic on Facebook.com domains – fan pages, most notably, but also profiles with looser privacy settings – that don’t require an account. Perhaps more worryingly, the social plug-in used to “Like” pages across more than 13 million websites reads tracking cookies and sends that data onto Facebook.
So it actually doesn’t matter if you’ve got a Facebook account or not: they can still track you.
And if you do have a Facebook account, session cookies allow the service to track sites you visit even after logging out.
EU privacy law asserts that consent has to be given before using tracking cookies (though exemptions apply if cookies are necessary to connect to a service or if they’re needed to deliver something the user has requested). It’s basically the reason websites have to let first-time visitors from the EU know that they employ cookies.
How Are They Getting Away With It?
A spokesman from Facebook said:
“As we expressed to the CBPL in person when we met, there is nothing more important to us than the privacy of our users and we work hard to make sure people have control over what they share and with whom. Facebook is already regulated in Europe and complies with European data protection law, so the applicability of the CBPL’s efforts are unclear. But we will of course review the recommendations when we receive them with our European regulator, the Irish Data Protection Commissioner.”
And that’s the crux of Facebook’s argument: that they’re only subject to Irish law, as their European headquarters (a lavish, typically-cool building designed by Frank Gehry, complete with ping-pong table, inspirational posters, and giant illustrations of astronauts) is in Dublin.
The idea of shadow profiles – information about people who don’t use the service – isn’t anything new, of course. Max Schrems, Austrian activist and founder of Europe v Facebook, previously spoke out about Facebook flouting European law, and said in 2011:
“Now we are rather positive that the Irish authorities will make Facebook change a whole lot. If you read the interviews with the authority it seems like they are taking the cause very seriously.”
The Privacy Protection Commission doesn’t have the power to impose fines, but can begin lawsuit procedures.
Article 29 is Also Kicking up a Fuss
The Belgium Privacy Protection Commission isn’t the only agency concerned about tracking cookies. The Article 29 Working Party, an independent data regulator, says social plug-ins should also ask permission from the user before sending out cookies, and that session cookies should expire when logged out of Facebook.
“Facebook cannot rely on users’ inaction (ie not opting out through a third-party website) to infer consent. As far as non-users are concerned, Facebook really has no legal basis whatsoever to justify its current tracking practices.”
Last month, Facebook admitted to tracking non-users, but said it was due to a bug that is being fixed.
What Can You Do About It?
As Facebook says, you can opt-out of personalised ads which can publicise your likes, or you could even use non-tracking browser extensions like Disconnect (though these can sometimes be a pain when leaving comments, for example). Otherwise, some extensions like Edit This Cookie for Chrome let you customise which cookies you allow.
And don’t forget to tamper with your app permissions too.
It’s very easy to get frustrated with the social network, and the European Commission (EU) has a recommendation if you are concerned about your privacy. In a hearing (instigated by Max Schrems) concerning the Safe Harbour framework, which allows the transmission of personal data from Europe to the USA, EU Legal Advisor, Bernhard Schima, said:
“You might consider closing your Facebook account, if you have one.”
Have you ever considered leaving Facebook? Why? Or have you already left the network – and, in retrospect, do you think this was a good move? Let us know below.