Slashdot Mirror


Report: Facebook Tracks Visitors Who Have Opted Out, Violating EU Law

itwbennett writes: In a technical analysis (PDF) of Facebook's tracking practices, researchers found that Facebook tracks everyone who visits its site, including people who don't have an account, and even continues to track users and non-users who have opted out of targeted ads. The problem with these practices is that the cookies are placed without consent, which under EU law is only allowed if there is a strict necessity to do so. Facebook disputes the report: "We have explained in detail the inaccuracies in the earlier draft report (after it was published) directly to the Belgian DPA, who we understand commissioned it, and have offered to meet with them to explain why it is incorrect, but they have declined to meet or engage with us."

5 of 40 comments

  1. Standard Operating Procedure by Fire_Wraith · Score: 4, Informative

    This is pretty much how Facebook operates. They don't just suck in all the information of people who use their service, they collect information on everyone else. Even if you don't use Facebook, they've built a 'shadow' profile on you using information they've gotten from your friends and family. They're certainly not the only one that does so, but they're one of the most pervasive (at least in my opinion).

    It's also why it's important to use something like Ghostery, to block the methods they're using to track people. Bottom line, if you don't see the Facebook "like" button load, you've got them blocked.

  2. they also.... by Anonymous Coward · Score: 4, Informative

    "Facebook tracks everyone who visits its site, including people who don't have an account, and even continues to track users and non-users who have opted out of targeted ads."

    They also track everybody that visits a 3rd-party site with Facebook code (like button, shared login, etc.) on it, and they're tracking everybody playing a game that hooks into Facebook APIs, even if that game isn't actually hosted on Facebook and the player isn't signed in through it.

  3. la la la isn't it ironic by Bender Unit 22 · Score: 3, Insightful

    That you need a cookie so that Facebook can remember that you don't want to be tracked.

    Of course, that cookie could contain a single non-unique value that states "do not track me".
    But of course, that Facebook doesn't really care about privacy can't come as a surprise to anyone.

  4. This is why I block them at the host file by Anonymous Coward · Score: 4, Informative

    # Facebook
    127.0.0.1 www.facebook.com
    127.0.0.1 facebook.com
    127.0.0.1 www.static.ak.fbcdn.net
    127.0.0.1 static.ak.fbcdn.net
    127.0.0.1 www.login.facebook.com
    127.0.0.1 login.facebook.com
    127.0.0.1 www.fbcdn.net
    127.0.0.1 fbcdn.net
    127.0.0.1 www.fbcdn.com
    127.0.0.1 fbcdn.com
    127.0.0.1 www.static.ak.connect.facebook.com
    127.0.0.1 static.ak.connect.facebook.com
    127.0.0.1 aps.facebook.com
    127.0.0.1 www.connect.facebook.net
    127.0.0.1 connect.facebook.net
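
A hosts file matches exact hostnames only, so a list like the one above does not cover subdomains it does not name. The following is an added example, not part of the comment or the original page; the observed hostnames are constructed, and it reports which requests a given hosts block would actually sink:

```python
# Added example. HOSTS_TEXT is a subset of the entries quoted in the comment;
# OBSERVED is a constructed list of hostnames a browser might request.
HOSTS_TEXT = """\
# Facebook
127.0.0.1 www.facebook.com
127.0.0.1 facebook.com
127.0.0.1 fbcdn.net
127.0.0.1 connect.facebook.net
"""
OBSERVED = ["www.facebook.com", "static.example.fbcdn.net", "example.org"]

# Addresses that send traffic nowhere useful (loopback or unspecified).
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_blocked(hosts_text):
    """Return the set of hostnames mapped to a sinkhole address."""
    blocked = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] in SINKHOLES:
            blocked.update(name.lower().rstrip(".") for name in fields[1:])
    return blocked


def audit(observed_hosts, blocked):
    """Sort observed hostnames into blocked, unblocked subdomains, and unrelated."""
    result = {"blocked": [], "subdomain_gap": [], "unrelated": []}
    for host in observed_hosts:
        h = host.lower().rstrip(".")
        if h in blocked:
            result["blocked"].append(h)
        elif any(h.endswith("." + b) for b in blocked):
            # The parent name is listed, but hosts files have no wildcards.
            result["subdomain_gap"].append(h)
        else:
            result["unrelated"].append(h)
    return result


if __name__ == "__main__":
    print(audit(OBSERVED, parse_blocked(HOSTS_TEXT)))
```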

  5. Bullshit non-story by IamTheRealMike · Score: 3, Insightful

    OK, so we have an article claiming Facebook is tracking everyone for evil advertising purposes, even when logged out. Facebook denies it and says it's garbage.

    Let's go do 30 seconds of digging and see who is right, shall we?

    1. Open an incognito window. Open Chrome developer tools.
    2. Load a Facebook "page" (i.e. a product page for some third party product or service)
    3. Be amused by the giant "STOP!" warning printed to the console; apparently people are being tricked into copy/pasting stuff into the developer console to get their accounts hacked.
    4. Observe the cookies that are set.

    There are three cookies set. Two of them appear to simply encode the loaded URL and have no ids or other interesting info. The last is the "DATR" cookie. What does DATR do? Well, we know what it does because last time this garbage blew up in the press Facebook explained what it does:

    "We set the ‘datr’ cookie when a web browser accesses facebook.com (except social plugin iframes), and the cookie helps us identify suspicious login activity and keep users safe. For instance, we use it to flag questionable activity like failed login attempts and attempts to create multiple spam accounts."

    (link from here)

    So it's an anti-abuse and security feature. Nothing to do with advertising. Also, guess what - such cookies are common across many websites. They are quite useful for detecting spammers. Presumably Facebook tried to explain this to the Belgian regulator in question, but it's just so much better politically for said regulator to pretend they caught some evil company in their terrible advertising habits red-handed, than learn how large websites work.

    The problem is the more times the media and government regulators cry wolf over this stuff, the more inclined I am to believe they're all harmful idiots who want to break the web.
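
Comment 3's point about a non-unique opt-out value and comment 5's cookie inspection can both be checked mechanically. The following is an added example, not part of the thread or the original page: it compares the Set-Cookie headers two fresh browser profiles receive for the same page. The header values, lifetimes and the cookie names "optout" and "ref" are constructed.

```python
import math
from collections import Counter

# Constructed Set-Cookie headers from two fresh browser profiles loading the
# same page. Values, lifetimes and the names "optout"/"ref" are made up.
PROFILE_A = [
    "datr=Xk9vQ2mTz7LrA4cPw1NdHsBe; Max-Age=63072000; Path=/; Secure; HttpOnly",
    "optout=1; Max-Age=157680000; Path=/",
    "ref=https%3A%2F%2Fwww.example.com%2Fpage; Path=/",
]
PROFILE_B = [
    "datr=p3HwZ8bYtR5mKq0DnVj6GcUa; Max-Age=63072000; Path=/; Secure; HttpOnly",
    "optout=1; Max-Age=157680000; Path=/",
    "ref=https%3A%2F%2Fwww.example.com%2Fpage; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, lowercased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in rest)}
    return name, value, attrs


def entropy_bits(value):
    """Rough bound on information in the value: Shannon entropy times length."""
    n = len(value)
    if n == 0:
        return 0.0
    return -sum(c * math.log2(c / n) for c in Counter(value).values())


def classify(profile_a, profile_b, min_bits=32, min_lifetime=86400):
    """Label cookies by lifetime and by whether two fresh profiles got different values.

    Simplification: only Max-Age is read; a cookie with Expires alone counts as session.
    """
    other = {n: v for n, v, _ in map(parse_set_cookie, profile_b)}
    labels = {}
    for name, value, attrs in map(parse_set_cookie, profile_a):
        lifetime = int(attrs.get("max-age") or 0)
        if lifetime < min_lifetime:
            labels[name] = "session"
        elif value != other.get(name) and entropy_bits(value) >= min_bits:
            labels[name] = "per-browser identifier"
        else:
            labels[name] = "shared flag"
    return labels
```

The labels describe uniqueness and persistence only; what a per-browser value is used for cannot be read from the cookie itself.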