Facebook: People without accounts, logged out users, and EU users who have explicitly opted out of tracking are all being tracked

Facebook tracks the web browsing of everyone who visits a page on its site even if the user does not have an account or has explicitly opted out of tracking in the EU.

Click here to read the report.

This report has been commissioned by the Belgian Privacy Commission (www.privacycommission.be). The findings it contains build on the results of two research projects, namely EMSOC and SPION. Both EMSOC and SPION were funded by the Flemish Agency for Innovation through Science and Technology.

In the report we examined Facebook’s changes to its privacy policy and how these are reflected on its website and in its behaviour on other websites. These are our main findings:

Facebook’s revised Data Use Policy (DUP) is an extension of existing practices. This nevertheless raises concerns because Facebook’s data processing capabilities have increased both horizontally and vertically. By horizontal we refer to the increase of data gathered from different sources. Vertical refers to the deeper and more detailed view Facebook has on its users. Both are leveraged to create a vast advertising network which uses data from inside and outside Facebook to target both users and non-users of Facebook.

Facebook combines data from an increasingly wide variety of sources. These sources include acquired companies, partnering platforms and websites or mobile applications that rely on Facebook (or one of its companies) for advertising or other services. In addition, Facebook’s ability to monitor and track users’ activities outside Facebook has increased exponentially as time has gone by. Facebook’s tracking capabilities have expanded mainly through the spread of social plugins (“like buttons”) and through new forms of mobile tracking.

Overall, Facebook’s revised DUP signals the company’s data use practices in a more prominent way. In this regard, Facebook seems to have taken an important step forward. However, the uses of data are still only communicated on a general and abstract level. Much of the DUP consists of hypothetical and vague language rather than clear statements regarding the actual use of data. Moreover, the choices Facebook offers to its users are limited. For many data uses, the only choice for users is to simply “take-it-or-leave-it”. If they do not accept, they can no longer use Facebook and may miss out on content exclusively shared on this platform. In other words, Facebook leverages its dominant position on the OSN market to legitimise the tracking of individuals’ behaviour across services and devices.

The re-use of user content for targeting and advertising purposes is deeply embedded in Facebook’s practices. It is impossible to add any information that may not later be re-used for targeting, and any “like” may become a trigger to portray a user in a “Sponsored Story” or Social Ad. One can opt out of the latter, but the only way to stop appearing in Sponsored Stories is to stop “liking” content altogether. Users are even more disempowered because they are unaware of how exactly their data is used for advertising purposes. Furthermore, they are left in the dark about their appearance in promotional content. Facebook should not only provide users with more options to control how their data is gathered, but also show users how their name and picture are used in specific instances.

Facebook has responded to our report in the press, but to date, we have not been contacted by Facebook directly, nor have we received any meeting request. We’re not surprised that Facebook holds a different opinion as to what European data protection laws require. But if Facebook feels today’s releases contain factual errors, we’re happy to receive any specific remarks it would like to make.

Created by Elias Van Dingenen on 31/03/2015