Facebook Blames Bug For 'Inadvertently' Tracking People Not Actively Engaged On Its Site

Facing accusations from the Belgian Privacy Commission dating back to February that it is violating the privacy rights of its users, Facebook yesterday confirmed that the watchdog group had uncovered a "bug" that mistakenly tracked people even when they were not on the social media giant's website, but denied the body's assertion that the company gave users a "false sense of control" over their personal information.

Facebook said that it has begun to fix the problem at hand, which leveraged cookies to track people who had not signed up for the service when they visited websites that employ certain types of Facebook technology. In a blog post, however, Facebook European Policy Chief Richard Allan said that the Belgian watchdog group had reached a number of erroneous conclusions in its report, saying "The report gets it wrong multiple times in asserting how Facebook uses information to provide our service to more than a billion people around the world."


Part of a group of watchdog agencies that includes representatives from France and Spain, the Belgian Privacy Commission report analyzed a January 31 update of Facebook's terms of use in reaching their conclusions. In their report they say that Facebook didn’t offer people a “meaningful choice” for how their information was collected and used with regard to certain forms of advertising, that the company failed to meet legal requirements for consent when combining information from such Facebook services as Whatsapp and Instagram, and that instead of allowing people to opt into certain profiling and advertising they instead required that they opt out.

“It is important to note that tracking of non-users initiates even if one does not visit the Facebook homepage,” the researchers wrote. “In principle, any page belonging to the facebook.com domain will result in the placement of a long-term, identifying cookie (e.g., an event page, a shop page, fan page …).”

Facebook yesterday scrambled to save face, saying first that they follow all applicable laws and that they take steps to publish audits performed by the Irish Data Protection Commissioner, the company's European privacy regulator.

In the face of the Internet monolith's pushback, the authors of the report claim that Facebook is mischaracterizing their research. "They’re unfairly attributing statements to us that we simply did not make,” said co-author Brendan Van Alsenoy, a researcher at Leuven who says he stands by the conclusions of his report. A spokeswoman for Facebook later went on to say that Richard Allan's blog post should be viewed as an attempt to clarify Facebook's practices and not as a comprehensive response to the Belgian Privacy Commission report.

Read carefully, a great deal of the exchange between the Belgian Privacy Commission and Facebook seems to boil down to interpretation and wording, and considering that the agency lacks the power to directly fine or sanction Facebook a resolution of any significance seems unlikely. In the future, however, this may change dramatically, as there is a proposed law before the European Union that if passed would fine companies found in violation of user privacy rights of up to 5% of annual revenue or €100 million ($107.5 million) for violating personal data regulations.