Why a Belgian court ordered Facebook to stop tracking users or pay hefty fines
A commercial court agreed with privacy regulators that Facebook's use of a tiny file that can track people who don't have a Facebook account violates local privacy laws.
A 3D-printed Facebook logo is seen in front of the logo of the European Union in Zenica, Bosnia and Herzegovina in May. A Belgian court ruled on Monday that the site's use of a cookie that tracks users who don't have Facebook accounts violates local privacy laws.
Dado Ruvic/Reuters/File
On Monday, a Belgian court gave Facebook 48 hours to stop tracking Internet users who don’t have accounts with the social media site or face fines of up to €250,000 ($269,000) a day.
The court’s order follows a case filed against the company in June by Belgium’s privacy watchdog saying the site indiscriminately tracks Belgian users who visit Facebook pages and the site or click on “like” or “share” buttons, even if they don’t have Facebook accounts.
The argument stems from conflicting views about a tiny file called the “datr” cookie, which Facebook says it uses to prevent unauthorized logins to the site and to verify users. The Belgian regulators argue that its use is far broader, making a record of when an Internet user visits a Facebook page, even if they don’t have an account, which the site can keep for up to two years.
“The way in which [Facebook] is contemptuous of the private lives of its members and of all Internet users demands action,” Willem Debeuckelaere, president of Belgium’s Privacy Commission, said in May.
Because such tracking occurs without obtaining a user’s consent, it violates local privacy laws, the court said in a statement, according to the AFP.
Facebook says it will appeal the court’s ruling, arguing that it should be subject only to data privacy laws in Ireland, where its European headquarters are located.
“The actions of the Belgian Privacy Commission could undermine our efforts to keep the accounts of people in Belgium safe,” Alex Stamos, Facebook’s Chief Security Officer, wrote in a blog post on Oct. 13, before the court’s ruling.
But the spat has been long-running. In his blog post, Mr. Stamos calls himself “bullish” regarding the datr cookie and argues that it has been used successfully for five years to maintain users’ safety by stopping the creation of fake or spam accounts and preventing users’ content from being stolen.
“If the court blocks us from using the datr cookie in Belgium, we would lose one of our best signals to demonstrate that someone is coming to our site legitimately,” he wrote, adding it would also make users’ accounts more attractive to spammers.
Stamos wrote that the Belgian regulators initially argued incorrectly that Facebook uses the cookie to track people who aren’t Facebook users through “like” buttons that simply appear on another site, even if a user does not click them.
The cookie can only identify browsers, not people, and only tracks users’ movements if they click one of the buttons or use the site’s login page, he wrote.
But the regulators have dismissed Facebook’s arguments that the cookie is used solely for security purposes.
“The argument that placing and receiving cookies is also strictly necessary to ensure Facebook users’ security, lacks both a legal and a factual basis,” the regulators wrote in May. “First of all it is possible to guarantee user security in a less intrusive way. Moreover, it would be child’s play for a potential attacker to simply block and/or remove cookies when launching the attack.”
The Belgian court’s move comes as Facebook has faced a number of battles with European regulators, including a sweeping European Court of Justice ruling last month that invalidated a 15-year-old data transfer law that governed how American companies could handle the data of European users. That ruling also set Facebook up to face regulation by data protection officials in Ireland, where the case was originally filed.
The social media site's commenting practices have also faced scrutiny in Germany after a slew of racist posts directed at Syrian refugees.
On Monday, Bart Tommelein, Belgium’s secretary of state for the protection of privacy, rejected Facebook’s argument that it should be subject only to Irish data protection laws. He told Reuters the Belgian court’s ruling meant that it could regulate the US-based company’s operations in Belgium.