Slashdot Mirror


Report: Facebook Tracks Visitors Who Have Opted Out, Violating EU Law

itwbennett writes: In a technical analysis (PDF) of Facebook's tracking practices, researchers found that Facebook tracks everyone who visits its site, including people who don't have an account, and even continues to track users and non-users who have opted out of targeted ads. The problem with these practices is that the cookies are placed without consent, which under EU law is only allowed if there is a strict necessity to do so. Facebook disputes the report: "We have explained in detail the inaccuracies in the earlier draft report (after it was published) directly to the Belgian DPA, who we understand commissioned it, and have offered to meet with them to explain why it is incorrect, but they have declined to meet or engage with us."

40 comments

  1. Standard Operating Procedure by Fire_Wraith · · Score: 4, Informative

    This is pretty much how Facebook operates. They don't just suck in all the information of people who use their service, they collect information on everyone else. Even if you don't use Facebook, they've built a 'shadow' profile on you using information they've gotten from your friends and family. They're certainly not the only one that does so, but they're one of the most pervasive (at least in my opinion).

    It's also why it's important to use something like Ghostery, to block the methods they're using to track people. Bottom line, if you don't see the Facebook "like" button load, you've got them blocked.

    1. Re:Standard Operating Procedure by Anonymous Coward · · Score: 0

      Even more important to provide lots of consistent but false information.

    2. Re:Standard Operating Procedure by Anonymous Coward · · Score: 0

      The information will be used, true or not.

      You will probably not match Facebook's suicide-filter if you start to provide obviously false information but I wouldn't be surprised if they also had a there-is-something-sketchy-about-that-guy-probably-a-terrorist-filter.

    3. Re:Standard Operating Procedure by kwbauer · · Score: 1

      How can one claim to "not use Facebook" while visiting Facebook pages?

    4. Re:Standard Operating Procedure by Anonymous Coward · · Score: 1

      Every page that has a facebook like button is "visiting facebook pages". They load scripts from facebook and BAM! you are under surveillance.

    5. Re:Standard Operating Procedure by Ol+Olsoc · · Score: 1

      Even if you don't use Facebook, they've built a 'shadow' profile on you using information they've gotten from your friends and family. They're certainly not the only one that does so, but they're one of the most pervasive (at least in my opinion).

      No need for opinion, you are 100 percent correct. Just go to a popular website with noscript turned all on, see the blocked scripts. See who they are from - do a whois or better google the name. Enable them temporarily. Usually then a new bunch of scripts are blocked, check them out, I've seen 5 or more levels of scripts on single pages. It was a while back, but I think I've found a few pages that end up running 30 or more scripts on you.

      Some of the scripts are benign, like fonting scripts to aid in the display of the page. Some are medium level intrusive, like google analytics. Others are annoying trackers, and one each metric shitload of them are from Facebook. One does not escape Facebook's asshattery just because they don't have an account.

      Also, it's highly suggested to get an addon to get rid of the persistent cookies that are not stored in the usual cookiejar. Ostensibly for allowing a site to store some graphic properties, they are also handy for some trackers, and won't get deleted when you go through and kill other cookies.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    6. Re:Standard Operating Procedure by Ol+Olsoc · · Score: 1

      Even more important to provide lots of consistent but false information.

      Weren't there some kids that came up with a way to do that automatically?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  2. the road goes on forever by turkeydance · · Score: 1

    and the party never ends.

  3. Here in America by rsilvergun · · Score: 2

    we have an understanding. We write laws to protect consumers and nobody enforces them. Did nobody in Europe get the memo? Where's Thatcher when you need her...

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:Here in America by Anonymous Coward · · Score: 2, Insightful

      Long since underground. Which is where we needed her decades ago.

    2. Re:Here in America by Anonymous Coward · · Score: 0

      Where's Thatcher when you need her...

      Six feet under, just where she belongs.

    3. Re:Here in America by Anonymous Coward · · Score: 0

      Build, build, build your strawman
      gently in the thread
      easily easily easily
      it is defeated.

    4. Re:Here in America by Ol+Olsoc · · Score: 1

      Where's Thatcher when you need her...

      In the deepest recesses of hell, enjoying a menage a trois with Ronald Reagan, and Nancy.

      And if you're not good, you'll be sent to hell to watch.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  4. they also.... by Anonymous Coward · · Score: 4, Informative

    Facebook tracks everyone who visits its site, including people who don't have an account, and even continues to track users and non-users who have opted out of targeted ads.

    they also track everybody that visits a 3rd party site with facebook code (like button, shared login, etc) on it.. and they're tracking everybody playing a game that hooks into facebook api's.. even if that game isn't actually hosted on facebook and the player isn't signed in through it.

    1. Re:they also.... by Anonymous Coward · · Score: 0

      woops, forgot completely about facebook "apps" (don't use a smart phone or tablet), and the whole of instagram.. those are also watching and tracking everything, too.

  5. Call me a cynic by Carewolf · · Score: 2

    But I would trust independent researchers over facebook any day, and especially when it comes to issues concerning possibly bad behavior by facebook.

    1. Re:Call me a cynic by kwbauer · · Score: 1

      Government agents looking to score a big payout are not exactly independent now, are they?

    2. Re:Call me a cynic by Anonymous Coward · · Score: 0

      What payout?

    3. Re:Call me a cynic by Anonymous Coward · · Score: 0

      job for life. Facebook is a dirty, evil, company, but I have no doubt that the investigators are politically motivated.

  6. How Is it Not Strictly Necessary? by wisnoskij · · Score: 0, Redundant

    If they did not target ads at consumers they would go out of business and cease to exist. Their very existence is only possible because of the strictly necessary ads.

    --
    Troll is not a replacement for I disagree.
  7. Spartan by BobSwi · · Score: 0

    Wait until Windows 10 with Spartan, you can just log in directly to your browser with Facebook credentials, it's marvelous /s.

  8. la la la isn't it ironic by Bender+Unit+22 · · Score: 3, Insightful

    That you need a cookie so that Facebook can remember that you don't want to be tracked.

    Of course that cookie could contain a single non-unique value that states, do not track me.
    But of course that Facebook doesn't really care about privacy can't come as a surprise to anyone.

  9. Facebook Blocker by Anonymous Coward · · Score: 0

    I have used it for years.
    https://addons.mozilla.org/EN-US/firefox/addon/facebook-blocker/

    I hope it is enough to stop their tracking.

  10. Block their domains and IP addresses by Anonymous Coward · · Score: 0

    This kind of behavior must be met with the Internet Death Penalty.

    Domains: facebook.com, facebook.net, fbcdn.com, fbcdn.net and all subdomains of those

    IP addresses: Facebook is AS32934.

    whois -h whois.radb.net '!gAS32934'


  11. Facebook "offered to explain why it is incorrect" by penguinoid · · Score: 2

    Pretty funny that anyone would care about Facebook's "explanation" about why the independent researchers finding all those tracking cookies are all mistaken... but to be honest, I'm pretty sure that killing off Facebook's tracking wouldn't do anything if everyone else is tracking you anyhow.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  12. This is why I block them at the host file by Anonymous Coward · · Score: 4, Informative

    # Facebook
    127.0.0.1 www.facebook.com
    127.0.0.1 facebook.com
    127.0.0.1 www.static.ak.fbcdn.net
    127.0.0.1 static.ak.fbcdn.net
    127.0.0.1 www.login.facebook.com
    127.0.0.1 login.facebook.com
    127.0.0.1 www.fbcdn.net
    127.0.0.1 fbcdn.net
    127.0.0.1 www.fbcdn.com
    127.0.0.1 fbcdn.com
    127.0.0.1 www.static.ak.connect.facebook.com
    127.0.0.1 static.ak.connect.facebook.com
    127.0.0.1 aps.facebook.com
    127.0.0.1 www.connect.facebook.net
    127.0.0.1 connect.facebook.net

    1. Re:This is why I block them at the host file by Anonymous Coward · · Score: 0

      I actually have a longer list with hundreds of domains. It would probably be better to put in dnsmasq.
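
The hosts-file approach above matches only the exact names listed, while a dnsmasq `address=/domain/ip` rule also answers for every subdomain. The following is an added example, not code from any commenter; it converts a hosts list to dnsmasq rules, and the sample input and the "last two labels" parent-domain rule are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the style of the hosts list above (not the full list).
HOSTS_SAMPLE = """\
# Facebook
127.0.0.1 www.facebook.com
127.0.0.1 facebook.com
127.0.0.1 static.ak.fbcdn.net
127.0.0.1 connect.facebook.net
"""

def parse_hosts(text):
    """Return the hostnames from hosts-file text, skipping comments and junk."""
    names = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a hosts entry
        names.extend(n.lower().rstrip(".") for n in fields[1:])
    return names

def hosts_blocks(hostname, text):
    """A hosts file only matches names listed exactly."""
    return hostname.lower() in parse_hosts(text)

def to_dnsmasq(text, sink="127.0.0.1"):
    """Collapse entries to parent domains and emit dnsmasq address= lines.

    Assumption: the parent is the last two labels, which holds for the
    .com/.net names here but not for suffixes such as .co.uk.
    """
    parents = sorted({".".join(n.split(".")[-2:]) for n in parse_hosts(text)})
    return [f"address=/{p}/{sink}" for p in parents]

def dnsmasq_blocks(hostname, rules):
    """address=/domain/ip answers for the domain and every subdomain of it."""
    hostname = hostname.lower().rstrip(".")
    domains = [r.split("/")[1] for r in rules]
    return any(hostname == d or hostname.endswith("." + d) for d in domains)

if __name__ == "__main__":
    print("\n".join(to_dnsmasq(HOSTS_SAMPLE)))
```

The printed lines can be placed in a dnsmasq configuration file; a name such as the hypothetical `unlisted.facebook.com` is missed by the hosts list but caught by the collapsed rule.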

  13. Facebook can be useful if you have this problem: by Futurepower(R) · · Score: 2

    Facebook can be useful if you have this problem: Are you too happy? Is it uncomfortable being happier than everyone else? Do you want to be miserable like everyone you see around you? Facebook has an answer. Read Facebook use predicts declines in happiness, new study finds. Or download the scientific paper.

    How to avoid the abusers:
    Adblock Edge
    NoScript
    Ghostery
    Better Privacy
    Cookies Manager Plus (Does not delete one particular Google cookie.)

  14. How do I put this in my APK file by Anonymous Coward · · Score: 0

    How do I put this in my APK file?

    1. Re:How do I put this in my APK file by dave420 · · Score: 1

      1. Stop taking your meds
      2. Stalk people on slashdot for mentioning you
      j. Chase the aliens in your head
      %. Complain about the aliens
      £. Threaten the aliens with legal action for besmirching HOSTS files
      ]. Go to 2.

  15. Facebook gets a list of all websites visited. by Futurepower(R) · · Score: 2

    Jurgen Schmidt of Heise Security says: "Since Facebook buttons are virtually omnipresent, Facebook can get a complete list of all the websites that I visit and link it to my person..."

    Facebook Blocker

  16. Re:Facebook "offered to explain why it is incorrec by MrL0G1C · · Score: 2

    So block them all. Ghostery - Download Page

    Google are the worst IMO.

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  17. Bullshit non-story by IamTheRealMike · · Score: 3, Insightful

    OK, so we have an article claiming Facebook is tracking everyone for evil advertising purposes, even when logged out. Facebook denies it and says it's garbage.

    Let's go do 30 seconds of digging and see who is right, shall we?

    1. Open an incognito window. Open Chrome developer tools.
    2. Load a Facebook "page" (i.e. a product page for some third party product or service)
    3. Be amused by the giant "STOP!" warning printed to the console, apparently people are being tricked into copy/pasting stuff into the developer console to get their accounts hacked.
    4. Observe the cookies that are set.

    There are three cookies set. Two of them appear to simply encode the loaded URL and have no ids or other interesting info. The last is the "DATR" cookie. What does DATR do? Well, we know what it does because last time this garbage blew up in the press Facebook explained what it does:

    We set the ‘datr’ cookie when a web browser accesses facebook.com (except social plugin iframes), and the cookie helps us identify suspicious login activity and keep users safe. For instance, we use it to flag questionable activity like failed login attempts and attempts to create multiple spam accounts.

    (link from here)

    So it's an anti abuse and security feature. Nothing to do with advertising. Also, guess what - such cookies are common across many websites. They are quite useful for detecting spammers. Presumably Facebook tried to explain this to the Belgian regulator in question, but it's just so much better politically for said regulator to pretend they caught some evil company in their terrible advertising habits red handed, than learn how large websites work.

    The problem is the more time the media and government regulators cry wolf over this stuff, the more inclined I am to believe they're all harmful idiots who want to break the web.
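
Step 4 of the check above ("observe the cookies that are set") can be scripted, which also illustrates the point made earlier in the thread that an opt-out cookie only needs a non-unique value. This is an added example, not code from any commenter: the cookie names, values and thresholds are constructed, and the entropy test is a rough heuristic rather than proof of tracking.

```python
import math
from collections import Counter
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Constructed Set-Cookie header values; every name and value here is made up.
SAMPLE_HEADERS = [
    "browser_id=Qx7fVb2kLm9ZpR4tYw8sNc3H; Max-Age=63072000; Path=/; Secure; HttpOnly",
    "page_url=https%3A%2F%2Fexample.com%2Fsomepage; Path=/",
    "optout=1; Max-Age=157680000; Path=/",
]

def entropy_bits(value):
    """Shannon entropy of the string in bits (per-character entropy x length)."""
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(value).values())
    return per_char * n

def classify(header, min_bits=64, min_lifetime=86400):
    """Return (cookie name, verdict) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    value = unquote(morsel.value)
    lifetime = int(morsel["max-age"] or 0)  # 0 means a session cookie
    bits = entropy_bits(value)
    if value.startswith(("http://", "https://")):
        verdict = "page-state"             # just echoes a URL
    elif lifetime >= min_lifetime and bits >= min_bits:
        verdict = "persistent-identifier"  # long-lived and unique enough to tag a browser
    elif bits < 8:
        verdict = "non-unique-flag"        # same value for everyone, e.g. an opt-out marker
    else:
        verdict = "unclassified"
    return name, verdict

def audit(headers):
    """Classify each Set-Cookie header value in order."""
    return [classify(h) for h in headers]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS):
        print(f"{name}: {verdict}")
```

Header values copied from the browser's network panel can be passed to `audit()` in place of the constructed sample.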

    1. Re:Bullshit non-story by Anonymous Coward · · Score: 0

      And they use that anti-spam data they collect for advertising.

    2. Re:Bullshit non-story by IamTheRealMike · · Score: 1

      I don't think so.

      1) You don't see ads on Facebook.com if you aren't logged in, and DATR isn't sent for social plugins around the web.

      2) They have already said they don't do that.

      So we have both their own statements and technical evidence.

    3. Re:Bullshit non-story by Anonymous Coward · · Score: 0

      I agree. I'm happy to rail against Facebook, but web browsers and HTTP are inherently stateless, and a lot of websites put up the façade of having state. I.e. being logged in is a state - any website that allows you to log in is using your web browser in a way that it originally wasn't intended or designed for. Cookies are the fix to that - browsers let web sites write files to your computer so that the back-and-forth communication can be maintained.

      But you'll never be able to explain that to a politician. Some politicians are happier to point at an evil corporation than to understand the broken technology that our browsers are based on.

    4. Re:Bullshit non-story by Ol+Olsoc · · Score: 2

      The problem is the more time the media and government regulators cry wolf over this stuff, the more inclined I am to believe they're all harmful idiots who want to break the web.

      Very nice, and concise.

      But most very whooshable. Now try your method on any page that has a facebook button or for that matter most any popular page that the facebook crowd goes to. Check out the scripts while you are at it.

      Facebook is simply tracking everyone. No account needed. No opt-in or out needed.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  18. Question - If I change my country to EU in FB by Anonymous Coward · · Score: 0

    Do I get the protections? How does FB know if I did or did not move there? Change to EU and then delete account.

  19. Now You've Done It! by Anonymous Coward · · Score: 0

    You just invited you-know-who and his crapflooding spam.