Fact: Facebook tracks non-users - says 'fix already underway'
The bug led to people who hadn’t signed up for Facebook being tracked – through code stored in their browsers – while visiting web pages that integrated certain Facebook technology. The report on the problem was first published in February and came to light a month later
On Thursday, Facebook’s European policy chief, Richard Allan, acknowledged in a blog post that the Belgian “researchers did find a bug that may have sent cookies to some people when they weren’t on Facebook.
“This was not our intention – a fix for this is already under way,” he stressed, adding that the violations were few and they’re to be addressed on case by case basis.
The paper, entitled ‘From Social Media Service to Advertising Network’, was prepared by the researchers at the Universities of Leuven and Brussels on the request of the government watchdog, Belgian Privacy Commission.
The authors of the report claimed that Facebook gave its European users only a “false sense of control” over their personal information.
Among other things, the company was blamed for denying its clients a “meaningful choice” on how their data was collected and used for advertising purposes; for absence of “legally valid consent” for detailed user profiling, achieved by Facebook through combining information from own services like Whatsapp and Instagram; for forcing advertising on people and only allowing them to opt out of certain profiling.
Facebook says that it follows all the relevant laws and regularly publishes audits by its European privacy regulator, the Irish Data Protection Commissioner.
As for the promotional material on the social networks, “we provide multiple ways to learn how ads work on Facebook,” Allan stressed.
“Unlike many companies, we explain how we will use this information and the controls we honor and offer. And we apply the choices people make before using information for behavioral ads,” he added.
However, the Belgian scholars weren’t satisfied by comments from Facebook, with the report’s co-author, Brendan Van Alsenoy of the Leuven University, saying that he stands by all the conclusions made in the paper.
“[Facebook] are unfairly attributing statements to us that we simply did not make,” Van Alsenoy is cited by the Wall Street Journal.
A Facebook spokeswoman then commented that Allan’s blog post was not a comprehensive response to the Belgian report, but only an attempt to provide a more detailed account of the tech giant’s practices.
The Belgian Privacy Commission does not have the power to directly sanction Facebook.
But the company may well face liability as a result of a class action lawsuit from 25,000 users, which an Austrian court began hearing on Thursday.
The suit is brought in by law student, Max Schrems, for Facebook’s participation in the NSA’s PRISM surveillance program and other alleged data protection violations.
Schrems, who is claiming €500 in damages to each affected user, said that he believes his lawsuit “can heighten data protection" in Europe.
During the first day of hearings, Facebook's lawyers attempted to the judge of the Vienna court not to admit the suit.
"The lawsuit is inadmissible on the procedural level - the court is not responsible. It is unjustified in terms of content," Nikolaus Pitkowitz, Facebook's lawyer, is cited by Reuters.
The judge ruled that a written decision on whether the court can handle the case will arrive by the end of spring.
Schrems accused the US tech giant of applying delaying tactics, which is “a typical strategy, because most consumers will run out of time and money."
However, it’s unlikely to work as legal costs in the case are
being borne by Austrian law firm Roland ProzessFinanz AG in
exchange for 20 percent of any winnings, he said.
The Austrian suit is the latest of several legal challenges in Europe and the US over the way Facebook uses the personal data of its users, sharing it with businesses and governments.
EU legislators have also proposed a law, which may see tech companies fined up to 5 percent of their annual revenue or €100 million for violating regulations about personal information.