Facebook has been ordered by a Belgian court to stop tracking non-Facebook users when they visit the Facebook site. Facebook has been given 48 hours to stop the tracking or face possible fines of up to 250,000 Euro a day.
Facebook has said that it will appeal the ruling, claiming that since their european headquarters are situated in Ireland, they should only be bound by the Irish Data Protection Regulator.
Facebook’s chief of security Alex Stamos has posted an explanation about why non-Facebook users are tracked when they visit the site.
The tracking issue centres around the creation of a “cookie” called “datr” whenever anyone visits a Facebook page. This cookie contains an identification number that identifies the same browser returning each time to different Facebook pages. Once created, the cookie will last 2 years unless the user explicitly deletes it. The cookie is created for all visitors to Facebook, irrespective of whether they are a Facebook user or even whether they are logged into Facebook at the time.
According to Stamos, the measure is needed to:
- Prevent the creation of fake and spammy accounts
- Reduce the risk of someone’s account being taken over by someone else
- Protect people’s content from being stolen
- Stopping denial of service attacks against Facebook
The principle behind this is that if you can identify requests that arrive at the site for whatever reason, abnormal patterns may unmask people creating fake accounts, hijacking a real account or just issuing so many requests that it overwhelms the site.
Stamos’ defence of tracking users is that they have been using it for the past 5 years and nobody had complained until now, that it was common practice and that there was little harm because the data was not collected for any purpose other than security.
The dilemma raised by Facebook’s actions is a common one in the conflicting spheres of maintaining privacy and maintaining security. It is obvious that if you can identify all visitors to a site, then it is possible to determine more information about what they are doing than if they were anonymous. The problem with this from a moral perspective is that everyone is being tagged, irrespective of whether their intent was going to be malicious or not. It is essentially compromising the privacy of the vast majority for the sake of a much smaller likelihood of bad behaviour.
This may suit Facebook’s purpose, but clearly visitors to Facebook are unaware of the tracking and have not been asked to consent to it.
The other issue that hasn’t been acknowledged by Facebook is that if the use of the “datr” cookie is supposed to be a security measure, it is one that is not particularly effective because it can be circumvented. All someone who is accessing the page through software needs to do is to delete the cookie after each access. At this point, Facebook would have to use other information about the machine that was accessing the site to decide if this was in fact a completely new user or someone just deleting the cookie at which point they could throw up some sort of other block.
The point of this is that Facebook have alternative means of detecting irregular patterns of behaviour without needing to use cookies that maintain a history of sites with any Facebook links that a person visits. Stamos explains that they could ask additional verification questions to determine user legitimacy if they didn’t have the cookie and so that is not an unreasonable thing to do to preserve the privacy of all users who don’t own a Facebook account or want to be tracked when they are not logged in.
The “datr” cookie has long been the cause of controversy because of its use as a tracker of people who aren’t logged in or even a Facebook user. It seems that Facebook has stopped setting the cookie when visiting a page with a Facebook social plugin (verified by the author) but it is still set if a user clicks on a like button, even if the user never subsequently logs in to Facebook.
Facebook has shown through its long history of controversy with the “datr” cookie that it is willing to fight attempts to stop its use of trackers through a range of measures. These measures include arguing that it is only doing this for the benefit of its customers’ security.
Alex Stamos has advocated that the action taken by the Belgian court will compromise the security of not only Belgian Facebook users, but also of the 1.5 billion users that use Facebook. The claims are overblown and reflect the fact that Facebook will generally put its business needs and simple convenience ahead of the public’s privacy concerns.