Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Facebook Privacy Security Social Networks

French Gov't Gives Facebook 3 Months To Stop Tracking Non-User Browsers 176

Reader iamthecheese writes RT reports that France's National Commission of Information and Freedoms found Facebook tracking of non-user browsers to be illegal. Facebook has three months to stop doing it. The ruling points to violations of members and non-members privacy in violation of an earlier ruling. The guidance, published last October, invalidates safe harbor provisions. If Facebook fails to comply the French authority will appoint someone to decide upon a sanction. Related: A copy of the TPP leaked last year no longer requires signing countries to have a safe harbor provision.
This discussion has been archived. No new comments can be posted.

French Gov't Gives Facebook 3 Months To Stop Tracking Non-User Browsers

Comments Filter:
  • Youtube next? (Score:5, Insightful)

    by sims 2 ( 994794 ) on Wednesday February 10, 2016 @12:26AM (#51476417)

    I wonder if youtube is going to be next they keep track of the videos you watch to show you recommended ones on the home page even if you don't sign in.

    • If it only impacts what happens on Youtube's website, based only on interactions with said website, I'd tend to say it's kosher.
      • by N1AK ( 864906 )
        Doesn't that rather depend on whether 1/ they tell you they are going to track it and 2/ how they track it. If you use a shared computer then they are making the details of one user available to other users and this strikes me as something that they should be expected to make clear to users.
        • If you use a shared computer then they are making the details of one user available to other users and this strikes me as something that they should be expected to make clear to users.

          To me sharing a used user account on a computer is like sharing a used condom.

    • Re:Youtube next? (Score:5, Insightful)

      by EzInKy ( 115248 ) on Wednesday February 10, 2016 @01:00AM (#51476545)

      It is their website after all. Facebook tracks people who don't visit their site. Big difference here. We could use a law such as this French one here in the "land of the free".

      • by sims 2 ( 994794 )

        Thanks thats what I get for reading the summary.

        Doesn't twitter have tracking buttons too?

        • by EzInKy ( 115248 )

          Don't know, I've never used Twitter either. My cookie list shows nothing from either Facebook or Twitter. Guess my blocking has been pretty successful.

      • Re: (Score:2, Insightful)

        by unrtst ( 777550 )

        Aren't there any devs left on this site?

        I'm all for privacy, but if:
        * I'm running some site
        * someone (a bunch of people) embed an image on their page that hits back to my site (or a service I offer)
        * I log that shit cause those users are hitting my servers ... why is it wrong for me to use that however data however I like?

        IMO, if anyone should be dinged here, it's those sites that are embedding the trackers without notifying the user that they'll be sending the users browser off to umteen different external

        • by Anonymous Coward

          I'm all for privacy, but if:

          * I'm running some site

          * someone (a bunch of people) embed an image on their page that hits back to my site (or a service I offer)

          * I log that shit cause those users are hitting my servers ... why is it wrong for me to use that however data however I like?

          Because it's not "I'm running some site". It's "Facebook is running some site" and "someone (a bunch of people) embed an image (or other tracking data) on their page that hits back to [Facebook]" is being done at the behest of

        • by Sique ( 173459 )
          Facebook has strict rules how the buttons have to be implemented, and thus they are liable for anything caused by those buttons.

          It would be different if Facebook didn't have those rules in place, then they could claim innocence for the data arriving at their servers.

          And if would be different if EU law didn't explicitly forbid collecting data without the consent of the ones creating the data. And no, it's not the responsibility of the users to take care to not create the data in the first place. It's alw

          • by Bert64 ( 520050 )

            Do facebook not disclose what information is collected via the buttons alongside the rules on how to implement them?
            If so, then it is the responsibility of each individual site to pass this information on to the end users...

        • Re:Youtube next? (Score:4, Interesting)

          by JaredOfEuropa ( 526365 ) on Wednesday February 10, 2016 @06:03AM (#51477397) Journal
          Fair points, but those concerned with privacy take issue with that last remark, that you can use that data however you want. Many countries have laws that may not forbid the collection of data outright, but put limitations on how you can use the data and what for. Often, there is a law that says that you may only use the data for the stated reasons you collected it, and never sell it on to third parties. And there's such a thing as implied reasons and reasonable expectations: the purpose of Facebook's "like" button is ostensibly to allow FB members to show approval for a site, and perhaps to entice non members to sign up. Visitors and site owners rightfully do not expect that button to track them. By the same token, people can reasonably expect to end up in a server log if they visit a site with embedded images. But the implied reason for collecting a server log is to diagnose issues and compile aggregated site statistics, not to track individual users. And tracking cookies can get a lot more information than you can glean from your server logs.

          FB's practise of tracking users through their Like button clearly violates privacy regulations in a number of countries. And even so, I don't think legislators are looking to stop people from collecting server logs or to ban 3rd party cookies. They are however putting limits on what companies can do with the data.
          • by unrtst ( 777550 )

            ... But the implied reason for collecting a server log is to diagnose issues and compile aggregated site statistics, not to track individual users. And tracking cookies can get a lot more information than you can glean from your server logs.

            Click the checkbox to "Block third-party cookies and site data". Done.
            It's sad that isn't the default, but who's fault is that? If one actually cares about their privacy online, they'll have done the bare minimum to protect it. There is no reason, as far as I can tell, to allow 3rd party cookies, except things like tracking, so add exceptions where you want to allow it.

        • Re:Youtube next? (Score:4, Insightful)

          by herve_masson ( 104332 ) on Wednesday February 10, 2016 @07:57AM (#51477707)

          What you write is technically true. The thing is: a very tiny fraction of internet users has a clue about ways to protect their privacy. Most of them don't event think it matters. Because it's rather impractical to educate billions of users about this, some need to act to prevent big corporation to abuse their position. That's why french instances gave facebook a warn. Even though thay have no power to enforce anything seriously, I'm glag they took that position.

          • by unrtst ( 777550 )

            Technically true is what we should be relying on for laws.
            For the cookies to work, they have to be under the facebook.com domain for facebook.com to pick them up. That's a 3rd party, and easily identifiable, domain, and easily blocked with a checkbox - which, arguably, should be the default behavior. If they use a bunch of domains, the cookie will be useless (it'd be a bunch of different and unassociated cookies).

            Others have mentioned collusion between site operators trading backend logs that have nothing t

            • Again, "third party cookie" does not mean anything to most people. Granted, the checkbox is one clic away, but you need t know about cookies to use it. (or listen someone who told you "it's better this way"). Having this setting won't solve the large scale tracking issue (if we consider there is an issue here). This, at best, is a workaround for educated people.

              "facebook will simply find a way to make people click accept to see any part of the page,"

              FB does not control pages using their "like" button. Henc

              • by unrtst ( 777550 )

                Again, "third party cookie" does not mean anything to most people. Granted, the checkbox is one clic away ...

                Why not go after the default browser setting then? Why not go after the sites that are using this feature (there is no technical reason why that like image or link have to do anything until the user clicks it, and the image can come from the originating site, preventing FB from getting a hit).

                My whole point is, why is FB the target here? We have a very simple way to easily control and prevent this, and many other ways to further prevent such actions, and FB is not attempting to circumvent those means.

                FB does not control pages using their "like" button. Hence, prompting to "click somewhere" to see the page won't work, ok?

                The pa

                • I agree: sites hosting those like button are the ones we should blame hard, because they should protect their visitor's privacy. It's very easy for any web site to implement "safe" social buttons but they don't care for most.

                  I don't blame FB when they try to use any way they can to gather data. This is their business. I do think though there are some boundaries nobody should cross. Because there is no good technical answer yet does not mean we should just let them do anything. That's my opinion (and this is

        • I log that shit cause those users are hitting my servers ... why is it wrong for me to use that however data however I like?

          Because you didn't ask the user. Did the user explicitly consent for you to track them? User tracking should be opt-in not opt-out.

          IMO, if anyone should be dinged here, it's those sites that are embedding the trackers without notifying the user that they'll be sending the users browser off to umteen different external sites.

          While I agree that doesn't absolve Facebook from their own responsibility.

          Browsers can also be configured to aid with this. For example, the option "Block third-party cookies and site data", aka "from originating website only". I believe that used to be available for images as well.

          Which is FAR too crude of a filter to be actually useful. Sometimes third party cookies are helpful. Most of the time they are not. A crude filter like that cannot determine the difference.

          Users also have multiple options to control what the computer they own does online. For general browsing, solutions vary from browser plugins (AdBlock and friends), Proxy based solutions, hosts file modifications, local DNS server, firewalls, etc.

          Really? You seriously think my grandmother is going to understand how to modify a host file? Privacy isn't some

          • First let me say that I block everything that I can, to the point of ignoring a lot of content on the net.

            Because you didn't ask the user.

            That's...not how HTML works. The user asked for the data, and they're gonna get it, hard.

            The issue is trust. No one should trust anyone else. In the Ad space, that's why they need 3rd-Party Everything in the first place.

            Trust that you are going to get conned in public spaces. The conversation about Trust gets ignored by companies in a position to profit from your trust.

            tl/dr: it is absolutely your faul

            • First let me say that I block everything that I can, to the point of ignoring a lot of content on the net.

              So what? Lots of people don't even know that is possible.

              That's...not how HTML works. The user asked for the data, and they're gonna get it, hard.

              First off, don't even begin to pretend that webpages these days consist of merely HTML. Second, there is absolutely NO reason why the web page serving up the data cannot ask if the person requesting wants stuff from these third parties and to explain who and what these third parties are. That is technologically trivial. The reason they don't is because they are acting in bad faith and trying to hide their shady activities.

              tl/dr: it is absolutely your fault for getting raped.

              So my grandmother is at f

              • So what?

                Well, it's meant to disarm kneejerk accusations, demonstrating that I actually do understand the privacy concerns. Clearly, it didn't work.

                there is absolutely NO reason .... The reason they don't...

                Um? Please slow down; you're speaking faster than you can handle.

                So my grandmother is at fault for "getting raped" because she didn't have the technical chops to defend herself?

                Yes, she is absolutely at fault. People seem to want individual benefits without individual responsibility. I do not discount that there are bad-faith actors on the internet who should absolutely not be trusted; I am only saying that grandmother should not expect that the domains she visits have her best in

              • by unrtst ( 777550 )

                Second, there is absolutely NO reason why the web page serving up the data cannot ask if the person requesting wants stuff from these third parties and to explain who and what these third parties are.

                ... and your browser can do just that if you like! It's not a site feature, it's a browser feature, and the reason it's not on by default is the same reason that the default firewall does not prompt you for every new SYN packet it sends. Feel free to enable that, or block 3rd party cookies. Expecting them to behave (be there and work when you want, but don't do bad things) is crazy.

          • by unrtst ( 777550 )

            Browsers can also be configured to aid with this. For example, the option "Block third-party cookies and site data", aka "from originating website only". I believe that used to be available for images as well.

            Which is FAR too crude of a filter to be actually useful. Sometimes third party cookies are helpful. Most of the time they are not. A crude filter like that cannot determine the difference.

            Please provide an example or two of "helpful" 3rd party cookies.
            I'm guessing the answer will be something along the lines of, "so that the 'like' button works on my foxnews.com articles", and that would also be wrong (that button does not need to be loaded from FB's servers and, when clicked, could do the deed that talks to FB).

        • by AmiMoJo ( 196126 )

          Sites are encouraged to add those buttons, because people sharing them drives in more traffic. The problem is that when those buttons appear they don't usually have a Facebook EULA or warning attached to them, and in any case by the time you see them it's too late and you are being tracked.

          Going to a site gives it implied permission to collect some data about your visit, but that doesn't extend to 3rd party sites like Facebook. Advertisers should take note of this too.

          • Going to a site gives it implied permission to collect some data about your visit, but that doesn't extend to 3rd party sites like Facebook.

            I cannot agree. I understand the problems this causes, but loading HTML doesn't come with the assumption that you're only going to get content from Dale's Dildoes Dot Com.

            The web is not as friendly as it used to be, and Google, primarily, is in a position to abuse this fact by acting as if 3rd party content is not a problem. It is a problem (citation: TFA), but problem is that sites are not trustworthy: they have abused 3rd party content, and lost the public trust.

        • Why log it? Why not block it instead, unless you want them to lift your stuff?
          • by unrtst ( 777550 )

            Why log it? Why not block it instead, unless you want them to lift your stuff?

            How do you differentiate the traffic from normal traffic?
            The referrer header is a joke, and there is no other differentiation.

        • by epine ( 68316 )

          You're getting your annual check up and your GP suddenly launches into an unprovoked tirade:

          These people are showing up and spreading their grubby, contagious micro-organisms all over my scattered nose bag of Cosmo and Golf Digest magazines, why is it wrong for me to use their personal medical data however I like?

          Tell me, how would you answer your GP? With your jaw hanging open, wondered why the question even needs to be answered?

          In a local community, it's not considered good neighbourly etiquette to broad

  • Works for me (Score:5, Insightful)

    by 93 Escort Wagon ( 326346 ) on Wednesday February 10, 2016 @12:35AM (#51476459)

    I deleted my Facebook account several years ago. I never visit the site, nor do I follow links that will take me to Facebook even incidentally. Yet, when I do my regular cleansing of cookies, I always find some from Facebook.com and Facebook.net in the list.

    Too bad I don't live in France...

    • Too bad I don't live in France...

      In Belgium Facebook is already prohibited from tracking non users. The result is: you cannot see any facebook page, even public ones if you are not a member.
      This is fine for me.
      For the cookies part, check out "self destructing cookies" add-on.

    • Re:Works for me (Score:5, Interesting)

      by gstoddart ( 321705 ) on Wednesday February 10, 2016 @02:25AM (#51476779) Homepage

      Well, too bad you've not taken ownership of your own privacy and blocked them.

      France is saying "no, you can't track people who don't even know they're being tracked and aren't visiting your web site". Until the country you lives in passes privacy laws .. you've got to do it on your own. Sadly, most normal internet users have been tracked by these parasites who feel it's their right to do so.

      The amount of websites which have Facebook, Twitter, or any of dozens of other sites which track you even if you don't visit them is mind boggling.

      So when those companies say "boo hoo, stop blocking out ads", you need to say "fuck you, I don't consent to being tracked by 15 3rd parties" and use your own blockers.

      Most other governments are too much on the fucking payroll to limit what companies can do. The US sure as hell will never to do, the US is pretty much the international champion of the rights of corporations to be douchebags. If your government isn't going to force them to stop tracking you, then you really need to do it yourself.

      And, honestly, even if your government tries, you need to do it yourself.

      I applaud trying to block this, but the scale on which this shit happens is beyond understanding to anybody who isn't in full possession of their own tinfoil hat.

      My primary browser? It can't even see facebook.com. If you're not actively defending yourself from this shit, you're already being tracked, whether you know it or not.

    • Re:Works for me (Score:5, Informative)

      by Errol backfiring ( 1280012 ) on Wednesday February 10, 2016 @05:39AM (#51477315) Journal

      I deleted my Facebook account several years ago.

      You cannot delete a facebook account. Everything is stored and stays so. They might have a "delete" function somewhere, but nothing is actually deleted. So you are still tracked and your data is still actively being used.

      • by AmiMoJo ( 196126 )

        Being able to truly delete your Facebook account is what the (not yet implemented) European Right to be Forgotten is about. The term has since been abused to talk about existing data protection laws, but originally the proposed right was that you would be able to force companies to delete your data if they had no legal reason to keep it.

      • by rizole ( 666389 )
        I deleted my account and came back a year later with a new one. Obviously my list of friends and interests haven't substantially changed but, based on how hard it was to link back up with some friends, facebook doesn't seem to have tied the two accounts together. Which suprised me on the one hand but it's nice to know they haven't thought of or managed to impliment that feature yet.
        It probably helps that I also have good security/privacy habits.
      • by antdude ( 79039 )

        What about when Facebook kick their members off? I assume they still keep their data and track?

  • by jader3rd ( 2222716 ) on Wednesday February 10, 2016 @12:40AM (#51476469)
    What about all of the other advertisers? They certainly don't have users. As much as I dislike Facebook I don't think that they're doing anything that any other advertising platform isn't doing.
    • FB is specific by its size and the amount of data they control. They have acces to an absurd amount of data compared to anyone else. That does not make the other harmless, that makes FB a priority.

      • They have acces to an absurd amount of data compared to anyone else. That does not make the other harmless

        I don't believe that they have an absurd amount more, compared to Google.

  • by duke_cheetah2003 ( 862933 ) on Wednesday February 10, 2016 @12:57AM (#51476537) Homepage

    I like this great tool from EFF. https://www.eff.org/privacybadger [eff.org] Lets you selectively block cookies of all kinds of tracking that occurs during casual browsing.

    • Or just use, uMatrix and have full control of: cookies, scripts, XHR, iframes, html-video tags, etc.

      Or one can use, Privacy Badger, NoScript, Ghostery, and uBlock.

      I'll stick with uMatrix.
      • I had to give up on Firefox a few months ago because there are too many websites I need to access that force https but firefox refuses to let me see.

        So I had to find a replacement for noscript and found uMatrix. Although it took about a week to really understand what it was doing and how to configure it it's fantastic on how configurable it is.

        I've now removed firefox from my machines (although I believe uMatrix is available for firefox for anyone still using it)

      • All of these but NoScript operate on a blacklist basis, which means you block only the top of the iceberg. Ad and tracking servers multiply like cockroaches they are, and thus keep getting through any blacklist. You have no real chance without something opt-in rather than opt-out, such as Request Policy.

        • All of these but NoScript operate on a blacklist basis

          No, uMatrix blocks all 3rd party elements by default. By allowing certain 3rd party domains to serve content, you can find the minimum number of domains and content thereof to serve the page to your satisfaction.

  • by melted ( 227442 ) on Wednesday February 10, 2016 @02:08AM (#51476743) Homepage

    This should literally be like a 3-line code change. if (not logged in) { // don't log the cookie } Give them three weeks and a stern look to ensure compliance.

    • by Zocalo ( 252965 ) on Wednesday February 10, 2016 @05:06AM (#51477227) Homepage
      You are assuming they are only tracking people based on Cookies. That's a rather naive view, I'm afraid. You'd be better to assume that they are using everything they can get their mitts on to try and track and identify people; IP address, which browser, which headers the browser supplies, any OS details they can get... Just installing extensions to protect your privacy can in itself make you more readily identifiable for tracking purposes. Have a play with the EFF's Panopticlick tool [eff.org] and although you need to enable scripting to make it work the results from the fingerprinting should be an eye opener if you've not seen them before.
      • Yeah, Facebook's tracking is why I first installed no-script (I now rely on Ghostery). You know that little "f" logo that's nearly ubiquitous on every web page to let you share the page via Facebook? That isn't just a graphic and a link. It's accompanied by a godwaful script. Every time you visit a page with that 'f' logo, your computer contact's Facebook's servers and hands over enough information (Facebook cookie, cookies for other sites, browser ID and version, system info, etc.) for them to uniquely
    • Should be. Probably isn't. It'll need a restructuring of two frameworks, changing 23 xml files, and tweaking a dozen json generators.

  • They'll be fine, as long as they've already collected enough information to potentially embarass the judge. Or the prosecutor - then they won't find themselves in the dock in the first place.In fact, the judge and prosecutor probably wouldn't have been given their jobs otherwise. These people don't overlook the important details. 70-469 braindumps [abraindumps.com]
  • by BitterOak ( 537666 ) on Wednesday February 10, 2016 @03:12AM (#51476951)
    I guess I'll ask the obvious question. What is a "non-user browser"? Is it a browser operated by a robot or something? All the browsers I've used have been meant to be operated by a user. That's kind of the definition of a browser. There are programs like curl and wget which can fetch pages automatically, so is that what they mean by a non-user browser?
    • Non-Facebook users' browsers.
    • A non user browser is any browser that does not have a cookie on it identifying it as having been used to log into Facebook.

      If you erase all cookies, then you become a 'non-user' browser. When you log into Facebook, you become a Facebook user.

  • by Anonymous Coward

    ... ...

    Normally, the US state department would interfere ^H^H^H^H assist the offending ^H^H^H^H misguided country by demanding ^H^H^H^H arguing the laws change to a multinational- ^H^H^H^H user-friendly position. France takes "Liberte, Egalite, ..." seriously and and has disagreed with US policy before. France (and the rest of Europe) isn't interested in the TPP, so laws can't be changed via that either.

  • No surrender jokes yet? This place is going to the dogs.

  • ALL tracking should be banned! I will do anything I can do to prevent any website from tracking Web browsing!!!

In 1914, the first crossword puzzle was printed in a newspaper. The creator received $4000 down ... and $3000 across.

Working...