Did you find this article through Facebook? There’s a pretty good chance that the answer is yes. Even if you came here another way, there’s a pretty good chance that Facebook still knows you’re reading this. A group of Belgian researchers has found that Facebook’s tentacles extend beyond the limits the company publicly promises, potentially breaching major European Union privacy laws in the process.
The researchers at the University of Leuven and the Vrije University Brussels released their report, entitled “From social media service to advertising network: A critical analysis of Facebook’s Revised Policies and Terms,” on Tuesday, at the behest of the Belgian Privacy Commission.
The report, an advisory document that does not carry the force of law, alleges that Facebook’s practice of using “like” buttons scattered across the Web to deliver cookies—small files that track computers’ activity—violates the EU’s stringent regulations on online data collection.
The report’s authors also insist that the ways Facebook lets users manage their privacy are insufficient under the EU’s privacy laws.
Unlike much more permissive U.S. laws, EU regulations mandate that websites delivering cookies get permission beforehand. Asking for these permissions typically takes the form of a banner ad running across the top of a website when a European visits it for the first time.
The Belgian report also found that Facebook’s “complex web of settings” placed an undue burden on individual users attempting to manage their own privacy. Selectively opting out be confusing, the researchers said, and people have no control over their appearance in “sponsored stories” or how their location data is used.
“Facebook combines data from an increasingly wide variety of sources (e.g., Instagram, Whatsapp and data brokers),” the study notes. “By combining information from these sources, Facebook gains a deeper and more detailed profile of its users. Facebook only offers an opt-out system for its users in relation to profiling for third-party advertising purposes. The current practice does not meet the requirements for legally valid consent.”
A Facebook spokesperson insisted that much of the information contained in the report was inaccurate, suggesting it was due to the researchers’ not having met with Facebook while assembling the document.
“We’re disappointed that the authors of this opinion and the Belgian DPA, who we understand commissioned it, have declined to meet with us or clarify the inaccurate information about this and other topics,” the representative said. “We remain willing to engage with them and hope they will be prepared to correct their work in due course.”
The spokesperson added that Facebook’s cookie-use policy has been common practice for well over a decade, and that European users could opt out of data collection using a website operated by the European Interactive Digital Advertising Alliance.
The study’s authors insisted that opting out through a government-linked data-privacy authority remained insufficient.
“If people who are not being tracked by Facebook use the ‘opt out’ mechanism proposed for the EU, Facebook places a long-term, uniquely identifying cookie, which can be used to track them for the next two years,” report co-author Günes Acar explained to The Guardian. “What’s more, we found that Facebook does not place any long-term identifying cookie on the opt-out sites suggested by Facebook for US and Canadian users.”
The researchers criticized Facebook for only offering a superficial explanation of how it used the data it gathered.
“For many data uses, the only choice for users is to simply ‘take-it-or-leave-it,'” the report read. “If they do not accept, they can no longer use Facebook and may miss out on content exclusively shared on this platform. In other words, Facebook leverages its dominant position on the…[online social network] market to legitimize the tracking of individuals’ behavior across services and devices.”
H/T The Guardian | Illustration by Max Fleishman