Facebook is in trouble again – this time from the Belgian privacy commission, which is cross about the fact that it tracks internet users who are not members of the social network.
A court has ruled that it is unacceptable that every time someone clicks a “like” button on a website, their browsing activity is collected, regardless of whether they are Facebook users or not.
Facebook says it would weaken the security of its 1.5 billion members to remove the tool.
The controversy centres around a cookie – a simple text file which can track a number of user activities – which Facebook has used for the last five years.
Researchers found that even non-members who visited any net page that fell under the facebook.com domain would have what Facebook calls its datr cookie – which has a two-year lifespan – installed on their browser.
They conducted a series of tests including one where they did a Google search for the term “facebook data policy”. It led them to the Facebook data policy page which placed the datr cookie on their browser.
They then visited a Belgian website related to prostate cancer treatment which includes a Facebook like button and found that the datr cookie was sent to Facebook.
There was no formal notice regarding any cookie being stored.
But its tracking functionality has led the Belgian court to, rather dramatically, give Facebook 48 hours to stop using it or face a fine of 250,000 euros (£176,000 ) per day.
Attention was drawn to the details of how Facebook’s cookies worked when the social network rolled out new terms and conditions in January, authorising it to track its users across websites and devices, use profile pictures for both commercial and non-commercial purposes and collect information about its users’ locations.
Users could agree to the changes or they could leave Facebook.
One of the things that the Belgian privacy commission did in response to the changes was commission a report from the Universities of Leuven and Brussels.
It concluded that tracking non-users was in breach of EU law. Its findings were handed to the Belgian authorities who, after initial talks with Facebook failed to reach agreement, decided to take the case to court.
The judge agreed with the Belgian privacy commissioner, ruling that the information collected by the social network was personal data “which Facebook can only use if the internet user expressly gives their consent”.
It is appealing against the ruling but has said that, if it is forced to remove the datr cookie in Belgium, it could make life harder for Belgian users of the service.
It also pointed out that the cookie was associated only with browsers, not individual people, and does not contain any information that is tied to a particular person.
One of the report authors, Brendan Van Alsenoy said his team of researchers did not “buy the security argument”.
In a response to Facebook, it pointed out that the firm already faced many instances when it could not track users – such as the 198 million net users who use adblockers.
“To the best of our knowledge ad-blocking users do not pose a critical threat to Facebook nor do users who install them need to go through burdensome security checks when they log in to Facebook.”
Advertising revenue is Facebook’s biggest source of income, jumping 45% this year, with mobile ad sales accounting for 78% of that. Being able to track web-browsing habits, even anonymised ones, allows it to better target that advertising.
The internet has always been offered for free and, the argument goes, people would not be prepared to pay cold, hard cash for services from the likes of Facebook and Google, preferring instead to pay with their data.