Social network claims privacy report commissioned by the Belgian privacy watchdog ‘gets it wrong multiple times’ over what Facebook does with user data

Facebook has admitted that it tracked users who do not have an account with the social network, but says that the tracking only happened because of a bug that is now being fixed.

The social network hit out at the report commissioned by the Belgian data protection authority, which found Facebook in breach of European data privacy laws, saying that the report “gets it wrong multiple times in asserting how Facebook uses information”.

“The researchers did find a bug that may have sent cookies to some people when they weren’t on Facebook. This was not our intention – a fix for this is already under way,” wrote Richard Allan, Facebook’s vice president of policy for Europe in a rebuttal.

Allan listed and responded to eight claims isolated from the report written by researchers at the Centre of Interdisciplinary Law and ICT (ICRI) and the Computer Security and Industrial Cryptography department (Cosic) at the University of Leuven, and the media, information and telecommunication department (Smit) at Vrije Universiteit Brussels.

Some of the claims listed by Facebook are not made in the report, including one that states “there’s no way to opt out of social ads”. The report clearly states that “users can opt-out from appearing in so-called Social Ads”.

“Facebook’s latest press release (entitled “Setting the record straight”) attributes statements to us that we simply did not make,” said authors of the study Brendan Van Alsenoy from the ICRI and Günes Acar from Cosic.

Cookies, tracking and web impressions

Facebook also disputed some of the terms the authors of the report use, such as their definition of “tracking”.

“Facebook does receive standard ‘web impressions’, or website visit information, when people visit sites with our plugins or other integrations. The authors misleadingly call this ‘tracking’,” said Allan. “Unlike many companies, we explain how we will use this information and the controls we honour and offer.”

Allan also wrote that Facebook is transparent about Facebook’s use of cookies for security, personalisation and ads.

“Cookies tell us when people are logged into Facebook. That’s why you don’t have to enter your name and password every time you visit, and so we can alert you in case someone else is trying to log in as you from an unknown computer,” said Allan.

But he also reinforced the point that “Facebook is offered free of charge, and we do that by showing ads we think are relevant to people’s interests”, which is also the funding method used to support many other services including those from Google, Microsoft, Yahoo and media organisations.

The Belgian Privacy Commission is expected to decide whether to act on the report on 29 April.

Facebook is under increasing pressure outside of Ireland, where the company is headquartered and regulated by the Irish data protection authority. A task force of data regulators from Belgium, France, Spain and Italy has been set up to look at Facebook’s privacy practices, while the Flemish, Dutch and European parliaments have also called for closer looks at the company.

“We deliberately chose to open up our findings to public scrutiny so that anyone can check our sources and methodology. People who are interested can compare the ‘claims’ Facebook attributes to our report with its actual contents. We still remain open to additional comments and suggestions, including from Facebook, in relation to our actual findings,” said the authors of the report.

• Class action privacy lawsuit filed against Facebook in Austria

• Leave Facebook if you don’t want to be spied on, warns EU