French Gov't Gives Facebook 3 Months To Stop Tracking Non-User Browsers 176
Reader iamthecheese writes
RT reports that France's National Commission of Information and Freedoms found Facebook tracking of non-user browsers to be illegal. Facebook has three months to stop doing it. The ruling points to violations of members and non-members privacy in violation of an earlier ruling. The guidance, published last October, invalidates safe harbor provisions. If Facebook fails to comply the French authority will appoint someone to decide upon a sanction. Related: A copy of the TPP leaked last year no longer requires signing countries to have a safe harbor provision.
Youtube next? (Score:5, Insightful)
I wonder if youtube is going to be next they keep track of the videos you watch to show you recommended ones on the home page even if you don't sign in.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
If you use a shared computer then they are making the details of one user available to other users and this strikes me as something that they should be expected to make clear to users.
To me sharing a used user account on a computer is like sharing a used condom.
Re: (Score:1)
+1 to it :P
Re:Youtube next? (Score:5, Insightful)
It is their website after all. Facebook tracks people who don't visit their site. Big difference here. We could use a law such as this French one here in the "land of the free".
Re: (Score:2)
Thanks thats what I get for reading the summary.
Doesn't twitter have tracking buttons too?
Re: (Score:1)
Don't know, I've never used Twitter either. My cookie list shows nothing from either Facebook or Twitter. Guess my blocking has been pretty successful.
Re: (Score:2, Insightful)
Aren't there any devs left on this site?
I'm all for privacy, but if: ... why is it wrong for me to use that however data however I like?
* I'm running some site
* someone (a bunch of people) embed an image on their page that hits back to my site (or a service I offer)
* I log that shit cause those users are hitting my servers
IMO, if anyone should be dinged here, it's those sites that are embedding the trackers without notifying the user that they'll be sending the users browser off to umteen different external
Re: (Score:1)
Because it's not "I'm running some site". It's "Facebook is running some site" and "someone (a bunch of people) embed an image (or other tracking data) on their page that hits back to [Facebook]" is being done at the behest of
Re: (Score:3)
This isn't about stuff that a user explicitely clicks on.
This is about code embedded into third party websites.
Pretty much every blog, every news site etc. have 'share on FB' buttons. And the mere fact that these buttons are loaded when I open the page sends Facebook information about me. Without me using Facebook or having a FB account.
You're solution parses as 'don't open any link unless you know beforehand where said link leads and that the page in question does not contain any Facebook tracking'. That's
Re: (Score:2)
That's why I, as a web developer, have always avoided the usual social sharing Javascript embeds (which all load iFrames which contain even more Javascript), or similar plug-ins from ShareThis etc. It's sufficient to use a basic link to the sharer URLs for each service (Facebook, Twitter, etc.) with the right parameters, and optionally use JS to have the links open in a little window. So it only tracks or loads when someone actually clicks on it. Easy, lightweight, fast-loading, more control over appearance
Re: (Score:2)
Don't be so overly dramatic. "Stalking"? No. Of course not. You are diminishing your argument with such ridiculous language.
Re: (Score:3)
It would be different if Facebook didn't have those rules in place, then they could claim innocence for the data arriving at their servers.
And if would be different if EU law didn't explicitly forbid collecting data without the consent of the ones creating the data. And no, it's not the responsibility of the users to take care to not create the data in the first place. It's alw
Re: (Score:2)
Do facebook not disclose what information is collected via the buttons alongside the rules on how to implement them?
If so, then it is the responsibility of each individual site to pass this information on to the end users...
Re:Youtube next? (Score:4, Interesting)
FB's practise of tracking users through their Like button clearly violates privacy regulations in a number of countries. And even so, I don't think legislators are looking to stop people from collecting server logs or to ban 3rd party cookies. They are however putting limits on what companies can do with the data.
Re: (Score:2)
... But the implied reason for collecting a server log is to diagnose issues and compile aggregated site statistics, not to track individual users. And tracking cookies can get a lot more information than you can glean from your server logs.
Click the checkbox to "Block third-party cookies and site data". Done.
It's sad that isn't the default, but who's fault is that? If one actually cares about their privacy online, they'll have done the bare minimum to protect it. There is no reason, as far as I can tell, to allow 3rd party cookies, except things like tracking, so add exceptions where you want to allow it.
Re:Youtube next? (Score:4, Insightful)
What you write is technically true. The thing is: a very tiny fraction of internet users has a clue about ways to protect their privacy. Most of them don't event think it matters. Because it's rather impractical to educate billions of users about this, some need to act to prevent big corporation to abuse their position. That's why french instances gave facebook a warn. Even though thay have no power to enforce anything seriously, I'm glag they took that position.
Re: (Score:2)
Technically true is what we should be relying on for laws.
For the cookies to work, they have to be under the facebook.com domain for facebook.com to pick them up. That's a 3rd party, and easily identifiable, domain, and easily blocked with a checkbox - which, arguably, should be the default behavior. If they use a bunch of domains, the cookie will be useless (it'd be a bunch of different and unassociated cookies).
Others have mentioned collusion between site operators trading backend logs that have nothing t
Re: (Score:2)
Again, "third party cookie" does not mean anything to most people. Granted, the checkbox is one clic away, but you need t know about cookies to use it. (or listen someone who told you "it's better this way"). Having this setting won't solve the large scale tracking issue (if we consider there is an issue here). This, at best, is a workaround for educated people.
"facebook will simply find a way to make people click accept to see any part of the page,"
FB does not control pages using their "like" button. Henc
Re: (Score:2)
Again, "third party cookie" does not mean anything to most people. Granted, the checkbox is one clic away ...
Why not go after the default browser setting then? Why not go after the sites that are using this feature (there is no technical reason why that like image or link have to do anything until the user clicks it, and the image can come from the originating site, preventing FB from getting a hit).
My whole point is, why is FB the target here? We have a very simple way to easily control and prevent this, and many other ways to further prevent such actions, and FB is not attempting to circumvent those means.
FB does not control pages using their "like" button. Hence, prompting to "click somewhere" to see the page won't work, ok?
The pa
Re: (Score:2)
I agree: sites hosting those like button are the ones we should blame hard, because they should protect their visitor's privacy. It's very easy for any web site to implement "safe" social buttons but they don't care for most.
I don't blame FB when they try to use any way they can to gather data. This is their business. I do think though there are some boundaries nobody should cross. Because there is no good technical answer yet does not mean we should just let them do anything. That's my opinion (and this is
Privacy is for everyone (Score:2)
I log that shit cause those users are hitting my servers ... why is it wrong for me to use that however data however I like?
Because you didn't ask the user. Did the user explicitly consent for you to track them? User tracking should be opt-in not opt-out.
IMO, if anyone should be dinged here, it's those sites that are embedding the trackers without notifying the user that they'll be sending the users browser off to umteen different external sites.
While I agree that doesn't absolve Facebook from their own responsibility.
Browsers can also be configured to aid with this. For example, the option "Block third-party cookies and site data", aka "from originating website only". I believe that used to be available for images as well.
Which is FAR too crude of a filter to be actually useful. Sometimes third party cookies are helpful. Most of the time they are not. A crude filter like that cannot determine the difference.
Users also have multiple options to control what the computer they own does online. For general browsing, solutions vary from browser plugins (AdBlock and friends), Proxy based solutions, hosts file modifications, local DNS server, firewalls, etc.
Really? You seriously think my grandmother is going to understand how to modify a host file? Privacy isn't some
Re: (Score:2)
Because you didn't ask the user.
That's...not how HTML works. The user asked for the data, and they're gonna get it, hard.
The issue is trust. No one should trust anyone else. In the Ad space, that's why they need 3rd-Party Everything in the first place.
Trust that you are going to get conned in public spaces. The conversation about Trust gets ignored by companies in a position to profit from your trust.
tl/dr: it is absolutely your faul
Blame the victim (Score:2)
First let me say that I block everything that I can, to the point of ignoring a lot of content on the net.
So what? Lots of people don't even know that is possible.
That's...not how HTML works. The user asked for the data, and they're gonna get it, hard.
First off, don't even begin to pretend that webpages these days consist of merely HTML. Second, there is absolutely NO reason why the web page serving up the data cannot ask if the person requesting wants stuff from these third parties and to explain who and what these third parties are. That is technologically trivial. The reason they don't is because they are acting in bad faith and trying to hide their shady activities.
tl/dr: it is absolutely your fault for getting raped.
So my grandmother is at f
Re: (Score:2)
So what?
Well, it's meant to disarm kneejerk accusations, demonstrating that I actually do understand the privacy concerns. Clearly, it didn't work.
there is absolutely NO reason .... The reason they don't...
Um? Please slow down; you're speaking faster than you can handle.
So my grandmother is at fault for "getting raped" because she didn't have the technical chops to defend herself?
Yes, she is absolutely at fault. People seem to want individual benefits without individual responsibility. I do not discount that there are bad-faith actors on the internet who should absolutely not be trusted; I am only saying that grandmother should not expect that the domains she visits have her best in
Re: (Score:2)
Second, there is absolutely NO reason why the web page serving up the data cannot ask if the person requesting wants stuff from these third parties and to explain who and what these third parties are.
... and your browser can do just that if you like! It's not a site feature, it's a browser feature, and the reason it's not on by default is the same reason that the default firewall does not prompt you for every new SYN packet it sends. Feel free to enable that, or block 3rd party cookies. Expecting them to behave (be there and work when you want, but don't do bad things) is crazy.
Re: (Score:2)
Re: (Score:2)
The problem is not HTML. You seem to not understand this issue at all.
Re: (Score:2)
Re: (Score:2)
Browsers can also be configured to aid with this. For example, the option "Block third-party cookies and site data", aka "from originating website only". I believe that used to be available for images as well.
Which is FAR too crude of a filter to be actually useful. Sometimes third party cookies are helpful. Most of the time they are not. A crude filter like that cannot determine the difference.
Please provide an example or two of "helpful" 3rd party cookies.
I'm guessing the answer will be something along the lines of, "so that the 'like' button works on my foxnews.com articles", and that would also be wrong (that button does not need to be loaded from FB's servers and, when clicked, could do the deed that talks to FB).
Re: (Score:2)
Sites are encouraged to add those buttons, because people sharing them drives in more traffic. The problem is that when those buttons appear they don't usually have a Facebook EULA or warning attached to them, and in any case by the time you see them it's too late and you are being tracked.
Going to a site gives it implied permission to collect some data about your visit, but that doesn't extend to 3rd party sites like Facebook. Advertisers should take note of this too.
Re: (Score:2)
Going to a site gives it implied permission to collect some data about your visit, but that doesn't extend to 3rd party sites like Facebook.
I cannot agree. I understand the problems this causes, but loading HTML doesn't come with the assumption that you're only going to get content from Dale's Dildoes Dot Com.
The web is not as friendly as it used to be, and Google, primarily, is in a position to abuse this fact by acting as if 3rd party content is not a problem. It is a problem (citation: TFA), but problem is that sites are not trustworthy: they have abused 3rd party content, and lost the public trust.
Re: (Score:2)
https://www.eff.org/deeplinks/2015/08/privacy-badger-10-here-stop-online-tracking [eff.org]
Re: Youtube next? (Score:1)
Re: (Score:2)
Why log it? Why not block it instead, unless you want them to lift your stuff?
How do you differentiate the traffic from normal traffic?
The referrer header is a joke, and there is no other differentiation.
Re: (Score:2)
You're getting your annual check up and your GP suddenly launches into an unprovoked tirade:
Tell me, how would you answer your GP? With your jaw hanging open, wondered why the question even needs to be answered?
In a local community, it's not considered good neighbourly etiquette to broad
Re: (Score:1)
That was a disingenuous response from Facebook and has no bearing on the legality of their tracking. The viewing of content on Facebook.com by non-logged in users was not part of the legal case. Facebook is fined for tracking non-Facebook users on other sites than Facebook.com and none of their actions so far have been enough to legalise their current operation.
So, they may try the same thing as in Belgium but, just like in Belgium, it is completely irrelevant to the case and won't help them one bit.
The tec
Re: (Score:2)
So you want a law that forces Google to provide services to you without any recompense? If the web is broken for you without Google then you obviously have a use for their services. Start a grass roots campaign to replace the services that Google provides. This is entirely different from the Facebook issue. Facebook tracks people who have no need or use for Facebook.
Re: (Score:2)
For example, I emailed someone at an apparently custom domain several weeks ago. Turns out, their email is served by gmail, even though it is not a "gmail" address. I did not know that at the time. Thus, Google has now obtained copies of my private email without my consent. THAT is what needs to stop.
That's your own fault for not checking the MX record.
Really, though, this is like ordering something from Amazon and complaining when they use UPS to ship the package because you didn't want to deal with UPS. You didn't, Amazon did.
Re: (Score:2)
Re: (Score:1)
They just wanna sell you stuff via automated computers. They aren't assembling lists for politicians to track.
I think.
Works for me (Score:5, Insightful)
I deleted my Facebook account several years ago. I never visit the site, nor do I follow links that will take me to Facebook even incidentally. Yet, when I do my regular cleansing of cookies, I always find some from Facebook.com and Facebook.net in the list.
Too bad I don't live in France...
Re: (Score:2)
Maintaining a whitelist is quite tedious. The idea behind AdBlock Plus is fine, it is their defaulting to purposely allowing "acceptable" to them ads through that is not.
Re: (Score:1, Redundant)
Others who, like you, are okay with "acceptable ads" absolutely should be able to view them. My point is that people who download AdBlock Plus do so to block ads, so blocking all ads is the obvious default.
Re: (Score:2)
And you should have the ability to express that view by clicking on a "show me acceptable ads" button. The problem with AdBlock Plus is that it defaults to that button being clicked for you. People use AdBlock Plus to block ads, believe it or not. It should be up to individuals to determine if an ad is acceptable or not.
Re: (Score:2)
You do realize that adblock plus has sold out to the ad industry, right? It's default behavior is not to block all ads. You have to take action not to see those they deem "acceptable". .
And that action consists of one single tick box. Hardly worth throwing the toys out of the pram for...
Re: (Score:2)
The EFF has Privacy Badger. Blur and Disconnect are two other options.
Adblock plus and Ghostery are partnered with the ad industry.
Re: (Score:2)
It didn't block your ad.
Re: (Score:2)
What about tech.slashdot.org? What if people want to read the article and on-topic comments but not your ads?
Re: (Score:2)
Ads from same domain as site are about as plentiful as unicorns.... apk
Well, for a start, there are about six such unicorns with your initials at the bottom on this very web page. Funny that.
Re: (Score:2)
Too bad I don't live in France...
In Belgium Facebook is already prohibited from tracking non users. The result is: you cannot see any facebook page, even public ones if you are not a member.
This is fine for me.
For the cookies part, check out "self destructing cookies" add-on.
Re:Works for me (Score:5, Interesting)
Well, too bad you've not taken ownership of your own privacy and blocked them.
France is saying "no, you can't track people who don't even know they're being tracked and aren't visiting your web site". Until the country you lives in passes privacy laws .. you've got to do it on your own. Sadly, most normal internet users have been tracked by these parasites who feel it's their right to do so.
The amount of websites which have Facebook, Twitter, or any of dozens of other sites which track you even if you don't visit them is mind boggling.
So when those companies say "boo hoo, stop blocking out ads", you need to say "fuck you, I don't consent to being tracked by 15 3rd parties" and use your own blockers.
Most other governments are too much on the fucking payroll to limit what companies can do. The US sure as hell will never to do, the US is pretty much the international champion of the rights of corporations to be douchebags. If your government isn't going to force them to stop tracking you, then you really need to do it yourself.
And, honestly, even if your government tries, you need to do it yourself.
I applaud trying to block this, but the scale on which this shit happens is beyond understanding to anybody who isn't in full possession of their own tinfoil hat.
My primary browser? It can't even see facebook.com. If you're not actively defending yourself from this shit, you're already being tracked, whether you know it or not.
Re:Works for me (Score:5, Informative)
I deleted my Facebook account several years ago.
You cannot delete a facebook account. Everything is stored and stays so. They might have a "delete" function somewhere, but nothing is actually deleted. So you are still tracked and your data is still actively being used.
Re: (Score:3)
Being able to truly delete your Facebook account is what the (not yet implemented) European Right to be Forgotten is about. The term has since been abused to talk about existing data protection laws, but originally the proposed right was that you would be able to force companies to delete your data if they had no legal reason to keep it.
Re: (Score:2)
It probably helps that I also have good security/privacy habits.
Re: (Score:2)
What about when Facebook kick their members off? I assume they still keep their data and track?
What about other advertisers? (Score:3)
Re: (Score:2)
FB is specific by its size and the amount of data they control. They have acces to an absurd amount of data compared to anyone else. That does not make the other harmless, that makes FB a priority.
Re: (Score:2)
They have acces to an absurd amount of data compared to anyone else. That does not make the other harmless
I don't believe that they have an absurd amount more, compared to Google.
Just block the cookies.. (Score:4, Informative)
I like this great tool from EFF. https://www.eff.org/privacybadger [eff.org] Lets you selectively block cookies of all kinds of tracking that occurs during casual browsing.
Re: (Score:2)
Or one can use, Privacy Badger, NoScript, Ghostery, and uBlock.
I'll stick with uMatrix.
Re: (Score:2)
I had to give up on Firefox a few months ago because there are too many websites I need to access that force https but firefox refuses to let me see.
So I had to find a replacement for noscript and found uMatrix. Although it took about a week to really understand what it was doing and how to configure it it's fantastic on how configurable it is.
I've now removed firefox from my machines (although I believe uMatrix is available for firefox for anyone still using it)
Re: (Score:1)
All of these but NoScript operate on a blacklist basis, which means you block only the top of the iceberg. Ad and tracking servers multiply like cockroaches they are, and thus keep getting through any blacklist. You have no real chance without something opt-in rather than opt-out, such as Request Policy.
Re: (Score:2)
All of these but NoScript operate on a blacklist basis
No, uMatrix blocks all 3rd party elements by default. By allowing certain 3rd party domains to serve content, you can find the minimum number of domains and content thereof to serve the page to your satisfaction.
Why give them 3 months? (Score:5, Insightful)
This should literally be like a 3-line code change. if (not logged in) { // don't log the cookie } Give them three weeks and a stern look to ensure compliance.
Re: (Score:2)
They have already done it in Belgium, so it's only a matter of adding France to the list where facebook is forbidden?
Re:Why give them 3 months? (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Should be. Probably isn't. It'll need a restructuring of two frameworks, changing 23 xml files, and tweaking a dozen json generators.
hey'll be fine, as long as they've already collect (Score:1)
Okay, I'll ask. (Score:4, Funny)
Re: (Score:2)
Re: (Score:2)
If you erase all cookies, then you become a 'non-user' browser. When you log into Facebook, you become a Facebook user.
Normally (Score:1)
Normally, the US state department would interfere ^H^H^H^H assist the offending ^H^H^H^H misguided country by demanding ^H^H^H^H arguing the laws change to a multinational- ^H^H^H^H user-friendly position. France takes "Liberte, Egalite, ..." seriously and and has disagreed with US policy before. France (and the rest of Europe) isn't interested in the TPP, so laws can't be changed via that either.
What? (Score:1)
No surrender jokes yet? This place is going to the dogs.
NO TRACKING! (Score:1)
Re: (Score:2)
How does a post prove software is safe? That is a ridiculous assertion, APK. Seriously.