If you've visited a Facebook page—even if you don't have an account, and even if you've opted out of tracking—the social network drops a long-lasting cookie onto your computer, and follows you everywhere you go.
That's according to an in-depth report from a pair of Belgian universities, who were commissioned to investigate the issue by their local data protection agency. (Asked for a response, the UK's own Information Commissioner's Office directed us to Ireland's data protection watchdogs, saying it wasn't their remit as Facebook is based in Ireland.)
The report found that Facebook tracks users even if they're logged out, have deactivated their account, or have opted out of behavioural advertising. The problem centres on Facebook's social plugins, those widgets that people install on their sites with the Like button.
The researchers suggested that Facebook sets a tracking cookie that can last for two years on your PC or device in three instances. First, when you visit a Facebook page—whether it's your own profile or a company page when you're not signed in; second, if you visit specific third-party websites (including mtv.com and, rather oddly, myspace.com); and third, rather ironically, if you go to the European Digital Advertising Alliance website to opt out of tracking.
From then on, every time you visit a page with a Like button or other social plugin, it sees the cookie and sends the tracking details back to Facebook. That happens even if you don't click Like, log in to Facebook, or interact in any other way with the site.
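The behaviour described above can be spotted in a capture of your own browser traffic. The following is an added example, not code from the report or from Facebook: it scans a constructed request log for long-lived cookies that a single third party receives on several unrelated sites. The domains, the cookie name `uid` and the log format are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

TWO_YEARS = 2 * 365 * 24 * 3600  # cookie lifetime reported in the article, in seconds

# Constructed capture, not real traffic. "page" is the site being visited,
# "url" the request made while loading it, "cookies" what the browser sent,
# "set_cookie" maps cookie name -> Max-Age (seconds) set by the response.
CAPTURE = [
    {"page": "https://www.social.example/acme", "url": "https://www.social.example/acme",
     "set_cookie": {"uid": TWO_YEARS}},
    {"page": "https://news.example/story", "url": "https://www.social.example/plugins/like",
     "cookies": {"uid": "abc123"}},
    {"page": "https://shop.example/cart", "url": "https://www.social.example/plugins/like",
     "cookies": {"uid": "abc123"}},
    {"page": "https://news.example/story", "url": "https://ads.example/px",
     "cookies": {"t": "zz9"}, "set_cookie": {"t": 1800}},
    {"page": "https://shop.example/cart", "url": "https://ads.example/px",
     "cookies": {"t": "zz9"}},
    {"page": "https://shop.example/cart", "url": "https://shop.example/app.js",
     "cookies": {"session": "s1"}},
]

def site(url):
    """Crude site key: last two labels of the hostname (assumption; a real
    audit would use the Public Suffix List)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def find_cross_site_ids(capture, min_sites=2, min_lifetime=365 * 24 * 3600):
    """Return {(tracker_site, cookie_name, value): [first-party sites]} for
    long-lived cookies that a third party received on several sites."""
    lifetime = {}            # (site, cookie name) -> Max-Age seen in a response
    seen = defaultdict(set)  # (site, cookie name, value) -> sites it was sent from
    for req in capture:
        dest = site(req["url"])
        for name, max_age in req.get("set_cookie", {}).items():
            lifetime[(dest, name)] = max_age
        if dest == site(req["page"]):
            continue         # first-party request: no cross-site signal
        for name, value in req.get("cookies", {}).items():
            seen[(dest, name, value)].add(site(req["page"]))
    return {k: sorted(v) for k, v in seen.items()
            if len(v) >= min_sites and lifetime.get(k[:2], 0) >= min_lifetime}

if __name__ == "__main__":
    for (tracker, name, value), pages in find_cross_site_ids(CAPTURE).items():
        print(f"{tracker} cookie {name}={value} sent from: {', '.join(pages)}")
```

The short-lived `t` cookie is also sent cross-site but falls below the lifetime threshold, so only the two-year identifier is reported.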
If all this sounds exactly what you'd expect from Facebook, you're not alone. Paul Bernal, a lecturer at the University of East Anglia's law school, wasn't surprised by the report, though he said the extent of the tracking goes further than he would have thought. "Facebook has a record of pushing the boundaries, and for finding new ways to invade privacy, which is one reason that people like me, who understand at least part of how they work, are not generally on Facebook," he told me. "So it's not a surprise that they're doing whatever they can to track us, but this looks a bit more brazen than I suspected. They've had their fingers burnt in this field before, and I thought they might be a bit more circumspect."
Facebook said the report contained "factual inaccuracies" but did not detail them; the authors didn't speak to the social network "to clarify any assumptions" before it was published.
"We have explained in detail the inaccuracies in the earlier draft report (after it was published) directly to the Belgian DPA, who we understand commissioned it, and have offered to meet with them to explain why it is incorrect, but they have declined to meet or engage with us," Facebook told Motherboard. "However, we remain willing to engage with them and hope they will be prepared to update their work in due course." We asked for details of these inaccuracies, and have not yet received a response.
Facebook doesn't appear to ask for consent, though it does warn users in its recently updated terms that it collects information about the websites and apps you visit. Users can opt out of the behavioural ad tracking, but not only do experts say that's not enough to meet EU laws, they suggest that Facebook is flouting wider opt-out systems, notably the European Digital Advertising Alliance.
"If people who are not being tracked by Facebook use the 'opt out' mechanism proposed for the EU, Facebook places a long-term, uniquely identifying cookie, which can be used to track them for the next two years," report co-author Günes Acar told the Guardian. "What's more, we found that Facebook does not place any long-term identifying cookie on the opt-out sites suggested by Facebook for US and Canadian users."
The report authors said they "have no idea" why North American and European users are treated differently.
Facebook claimed it recognises the unique opt out of a user, and applies it across all browsers and devices; we've asked the social network to explain why the researchers are seeing a cookie dropped on visitors of the European Digital Advertising Alliance site and are awaiting its response.
The report follows a ruling in UK courts regarding Google ignoring "do not follow" settings in Safari, that will let British users take legal action here rather than take the fight to the US as Google requested. That precedent may make it easier to take action against Facebook, Bernal suggested.
Facebook already faces regular audits from the US FTC following an investigation into privacy settings, and Bernal predicted that if Facebook doesn't drop the tracking system, it could face legal action on both sides of the Atlantic—particularly in Europe where the EU has shown an "increasing willingness" to take on US tech giants, highlighted by the Spanish right-to-be-forgotten ruling. "I suspect there will be people licking their lips at another opportunity to go for Facebook," Bernal said.
Want to protect yourself? Facebook pointed users to its privacy help page here. Alternatively, you can compartmentalise Facebook, using it only in a separate browser from your other activities, or you can install browser add-ons such as Privacy Badger from the EFF, which will let you use social tools without being tracked.
There's another obvious route, which Bernal advises: "I still think the best thing to do is to leave Facebook."