Facebook ordered in Belgium to stop spying on users who aren't even signed in. Credit: Martyn Williams
Facebook plans to appeal an order by a court in Belgium that banned it from tracking people who are not signed on to the social networking website.
The dispute largely hinges on Facebook's use of a special cookie called 'datr' that the company claims helps it distinguish between legitimate and illegitimate visits to its website.
"We've used the datr security cookie for more than five years to keep Facebook secure for 1.5 billion people around the world," a Facebook spokesman said Monday. "We will appeal this decision and are working to minimize any disruption to people's access to Facebook in Belgium."
The court in Belgium on Monday gave the social networking company 48 hours to stop tracking users that don't have accounts on the site or risk fines of up to 250,000 euros (US$269,000) a day, according to news reports.
Facebook Chief Security Officer Alex Stamos wrote in a blog post last month that the Belgian Privacy Commission, which filed the complaint, had initially argued incorrectly that Facebook uses the datr cookie to target ads to people who aren’t its users.
The commission subsequently "focused on the fact that we set the datr cookie when someone visits one of our sites, such as Facebook.com, or clicks a Like button on a publisher's website and interacts with the login page that appears," according to Stamos, who added that the company does not set the datr cookie "when someone simply loads a page with a Like button."
A report by technical experts assisting the Belgian Privacy Commission on Facebook tracking through social plug-ins noted that Facebook is in a unique position as it can "link the browsing behavior of its users to their real world identities, social network interactions, offline purchases, and highly sensitive data such as medical information, religion, and sexual and political preferences."
The experts found that when a user not signed on to Facebook visited the social networking site, the datr cookie with a two-year lifetime was set. When they then visited a Web page on gayworld.be, a website that includes a Facebook social plug-in, the inspection of the network traffic revealed that the datr cookie was sent to the facebook.com domain in the cookie header of the HTTP requests.
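The check the experts describe can be reproduced over a traffic capture. The sketch below is an added example, not code from the report or from Facebook: it flags long-lived cookies that are sent to a different site than the page being viewed. The capture rows, the cookie value, the `Max-Age` form of the two-year lifetime and the plug-in path are constructed placeholders, and the two-label `site()` rule is a simplification of proper Public Suffix List matching.

```python
from datetime import timedelta
from urllib.parse import urlsplit

# Constructed capture rows, not real traffic:
# (page being viewed, request URL, request Cookie header, response Set-Cookie header)
CAPTURE = [
    ("https://www.facebook.com/", "https://www.facebook.com/", "",
     "datr=PLACEHOLDER; Max-Age=63072000; Domain=.facebook.com; Path=/"),
    ("https://gayworld.be/", "https://gayworld.be/", "", ""),
    ("https://gayworld.be/", "https://www.facebook.com/PLUGIN_PATH_PLACEHOLDER",
     "datr=PLACEHOLDER", ""),
]

def site(url):
    """Approximate the registrable domain as the last two host labels (assumption)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def parse_set_cookie(header):
    """Return (cookie name, lifetime from Max-Age or None)."""
    name_value, *attrs = [part.strip() for part in header.split(";")]
    lifetime = None
    for attr in attrs:
        key, _, value = attr.partition("=")
        if key.lower() == "max-age" and value.isdigit():
            lifetime = timedelta(seconds=int(value))
    return name_value.split("=", 1)[0], lifetime

def cross_site_cookie_sends(capture, min_lifetime=timedelta(days=365)):
    """List (page site, cookie site, cookie name, lifetime in days) for each
    long-lived cookie sent on a request to a site other than the page's own."""
    lifetimes = {}  # (cookie site, cookie name) -> lifetime seen in Set-Cookie
    findings = []
    for page_url, req_url, cookie_hdr, set_cookie_hdr in capture:
        page_site, req_site = site(page_url), site(req_url)
        for pair in filter(None, (p.strip() for p in cookie_hdr.split(";"))):
            name = pair.split("=", 1)[0]
            life = lifetimes.get((req_site, name))
            if page_site != req_site and life and life >= min_lifetime:
                findings.append((page_site, req_site, name, life.days))
        if set_cookie_hdr:
            name, life = parse_set_cookie(set_cookie_hdr)
            lifetimes[(req_site, name)] = life
    return findings

if __name__ == "__main__":
    for finding in cross_site_cookie_sends(CAPTURE):
        print(finding)
```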
If blocked from using the datr cookie, Facebook said it would have to treat visits to its service from Belgium as untrusted logins, requiring a range of other verification methods to establish that people are legitimately accessing their accounts.