Facebook: Okay, we're tracking people, but it's a bug

Data tracking

Facebook has blamed a bug for tracking people's online habits even if they're not actually using the social network.

It follows a report commissioned by a Belgian data protection agency revealing that Facebook monitors the online movements of everyone who visits the site, whether they're logged in or not.

The tech giant has admitted being at fault, but said it's working to fix the bug.

In response to the report, Richard Allan, vice president of policity at Facebook Europe, said: "The report gets it wrong multiple times in asserting how Facebook uses information to provide our service to more than a billion people around the world."

"The researchers did find a bug that may have sent cookies to some people when they weren't on Facebook. This was not our intention - a fix for this is already underway."

The University of Leuven Computer Security and Industrial Cryptography department (Cosic), in partnership with the media, information and telecommunication department at Vrije Universiteit Brussels, claims that any user who visits any arm of the Facebook.com domain (as well as some third-party sites) will be tagged with a tracking cookie.

This cookie named datr' is embedded whenever you visit any form of Facebook page, as well as sites with a Facebook Connect feature. Once stored on a computer, the cookie is sent back to Facebook to track your browsing history any time the user visits a page with a Facebook social plugin, such as a like' or share' button.

Facebook Like sign

This means that over 13 million sites are regularly reporting their users' web activity back to Facebook. This happens regardless of whether the user interacts with the plug-ins, and whether or not they're logged in.

Some EU users, wary of potential privacy infringements, have accepted Facebook's offer of opting-out of any tracking methods.

However, the report claimed that Facebook also placed a long-term tracking cookie on EU users via the opt-out page, a tactic not used on US or Canadian users.

Facebook has protested that its privacy policies and data protection protocols have been reviewed by the Irish Data Protection Commissioner. The company has been the subject of two in-depth audits, which satisfied the IDPC as to Facebook's EU data law compliance.

However, this new report disagrees. It states that the rights of users are being infringed on by Facebook's overly vague privacy policies, which are "extremely generic" and encompass "all data collected by Facebook", making it "extremely difficult" for users to gain a firm understanding of which "specific data" is being collected.


Furthermore, the "take-it-or-leave-it" nature of Facebook's Data Use Policy is highlighted. Cosic notes that Facebook is "[leveraging] its dominant position on the OSN market to legitimise the tracking of individuals' behaviour across services and devices."

In addition to the Belgian Privacy Commission, the report will also inform authorities from Germany, a country with notoriously stringent data protection controls. Although it was commissioned as part of an EU taskforce investigation, it's currently unknown what effect this clash will have on Facebook's legal status.

According to Brendan Van Alsenoy, one of the report's co-authors, Facebook's current tracking of of users and non-users breaches EU law.

When asked whether the tracking systems of sites like Facebook were a threat to data privacy, he replied "don't you think individuals' privacy [is under] threat when a private company systematically collects information concerning the browsing activities of millions of people across millions of websites?"

Facebook has vehemently denied any wrongdoing, claiming that "this report contains factual inaccuracies" and that "the authors have never contacted us, nor sought to clarify any assumptions upon which their report is based".

The company states that the manner in which they use these tracking cookies is an industry-wide practice, and are confident in their full compliance with EU law. It also encourages authorities and organisations to reach out to the Irish Data Protection Commissioner to clarify any queries regarding its DUP.

A lawsuit against Facebook for its alleged tracking of user data began this week, accusing the company of taking part in the NSA's PRISM programme among other offences.

Campaigner Max Schrems said in an interview: "We are asking Facebook to stop mass surveillance, to [have] a proper privacy policy that people can understand, but also to stop collecting data of people that are not even Facebook users."

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.