Facebook ordered to stop tracking non-users

Facebook is now blocking Belgians if they haven’t signed in.

Those Belgians who don’t have a Facebook account are now unable to view Belgian Facebook pages at all, even public profiles such as those for local businesses.

The change was forced on Facebook when a Belgian court ruling last month ordered the social network to either face fines or stop tracking people who browse the site when they’re not signed in.

Those were stiff fines: at the time of the ruling, Facebook was given 48 hours to comply, lest it face fines of up to €250,000 EUR ($267,000 USD) a day.

According to the BBC, Facebook expected to receive an order this week and plans to contest it.

In the meantime, it’s complying: cookies will no longer be set for non-users, and visitors to the site must have accounts to access content.

The Belgian court last month said that Facebook uses a special cookie that visitors pick up if they visit a friend’s page on Facebook or any other page on the web with Facebook “like” or “share” code in it – all without the visitor having ever signed up for a Facebook account.

That cookie stays on a given device for up to two years, enabling Facebook to keep track of people and what they’ve looked at on the web.

Facebook calls this particular contentious cookie the “datr” cookie and has claimed it’s safe.

Safe, or maybe even some type of terrorist repellent.

In the recent “Facebook is as bad as the NSA” rhetoric swap, Facebook claimed that its cookies keep Belgium from becoming “a cradle for cyber terrorism.”

Beyond fending off cyber terrorists, Facebook has argued that the datr cookie also provides better security for users by blocking the creation of fake accounts, protecting users’ content against theft, deterring denial-of-service (DoS) attacks, and reducing the risk of what it says are quite a lot of account hijacking attempts.

The BBC quoted a Facebook spokeswoman:

We had hoped to address the [Belgian Privacy Commissioner's] concerns in a way that allowed us to continue using a security cookie that protected Belgian people from more than 33,000 takeover attempts in the past month.

We're disappointed we were unable to reach an agreement and now people will be required to log in or register for an account to see publicly available content on Facebook.

Facebook will no longer set datr cookies for non-users, and those cookies that have already been baked will be deleted where possible.

Facebook told the BBC that it plans to come up with cookies for logged-in users to protect against certain attacks.

At the heart of the Belgian court case is a move Facebook made in June 2014 to give advertisers more ammunition to target users, by mixing data about what we do on its site with data about what we do on other sites.

Which leads us to another likely reason for Facebook’s mighty struggles against the ban against tracking non-users: the public pages of local businesses, sports teams, tourist attractions and celebrities that were formally accessible to non-users are now hidden away from Belgian non-users.

That surely isn’t going to make Facebook advertisers happy.

That’s what Paul Bernal, a privacy commentator and law lecturer at the University of East Anglia, had to say about it to the BBC:

[If] people cannot now find their Facebook pages [the business owners] will not be happy about it.

Beyond unhappy businesses, this case could ripple out to other European countries, he said:

I think the other protection authorities all over Europe will be looking at this.

Belgium isn't applying Belgian law, it's applying European law, so if they're applying it in Belgium why shouldn't they apply it everywhere in Europe?

In the meantime, EU privacy advocate Max Schrems, who first went after Facebook by filing complaints against what he said was its illegal data collection/retention, is demanding that Facebook stops data transfers between the EU and the US, due to snooping.

Schrems on Tuesday made legal moves in the wake of the European Court of Justice having in October struck down the Safe Harbor data transfer pact.

That pact had allowed companies to transfer European citizens’ personal data to the US.

Thousands of companies will be affected by that court decision.

Facebook’s on the front line when it comes to feeling the impact, because it’s called to abide by the individual data privacy regulations in each of the member states of the EU.

Schrems has filed complaints with data protection officials in Ireland, Germany and Belgium to block Facebook from transfering data to the US.

Schrems says he wants to “ensure that this very crucial judgment is also enforced in practice when it comes to the US companies that are involved in US mass surveillance.”

Schrems has warned that other companies that have participated in US snooping – he mentioned Apple, Google, Microsoft and Yahoo – may face similar complaints in the future.

Ars Technica quotes him (link added):

We are reviewing the situation in relation to all PRISM companies right now.

Image of Facebook logo courtesy of tanuha2001 / Shutterstock.com