Facebook tracks everyone who visits its site, including people who don't have an account, and even continues to track users and non-users who have opted out of targeted ads, researchers at two Belgian universities have found.
After these initial findings, the researchers did a further technical analysis on Facebook's tracking practices. They focused on tracking techniques that use social plug-ins such as the "Like Button", which is used on more than 13 million third -party websites, and also tested the advertising tracking opt-out.
"In doing so, a number of remarkable new issues have come to light," said Brendan Van Alsenoy, legal researcher at the Interdisciplinary Center for Law and ICT of the University of Leuven.
It turns out, for instance, that Facebook places a cookie on the browser of anyone who visits a Web page belonging to the facebook.com domain, even if the visitor is not a Facebook user, the report found. The cookie placed by Facebook is called "datr" which contains a unique identifier and has an expiration date of two years.
Facebook users also get a range of additional cookies which uniquely identify the user.
Once these cookies have been set, Facebook will in principle receive information from them during every subsequent visit to a website containing a Facebook social plug-in. These cookies will give Facebook information like the URL of the Web page that was visited as well as information about the browser and operating system, the report said.
This means that Facebook tracks its users for advertising purposes across non-Facebook websites by default, the report said. Even opting out won't help. According to the researchers, Facebook will keep tracking you even if you have no account and opted out from targeted advertising on the European Digital Advertising Alliance website. When someone opts-out there, Facebook will place the same unique identifying "datr" cookie, they said.
Facebook sets the tracking cookie on the European opt-out site, but not on the U.S. and Canadian opt-out sites, Van Alsenoy said.
Facebook users are also extensively tracked. Even when a Facebook user deactivates his account, Facebook will still receive cookies that uniquely identify the ex-user, according to the report.
What's more, if a user opts out from tracking, Facebook will still receive information about visits to external sites containing Facebook social plug-ins. The only thing that changes is that Facebook promises to no longer use this information for targeted advertising, but there is no way the researchers were able to verify that, Van Alsenoy said.
Sign up for CIO Asia eNewsletters.