The tracking is reportedly used to target advertising toward users, and monitors the users through its social plug-ins such as the “Like” widget which has been placed on over 13 million sites, including health and government website. When a user visits a site containing one of these plug-ins, it reportedly detects and sends the cookies back to Facebook, even if the user does not interact with the plug-ins in any way.
Facebook also reportedly places persistent tracking cookies on users’ computers if they visit any pages on the facebook.com domain, including fan pages and others that do not require an account, effectively allowing Facebook to track non-users.
"When a logged-in Facebook user visits a site with Facebook social plug-ins, Facebook receives the Facebook ID and browser ID, along with the URL of the page being visited," the report’s annex on Facebook plug-ins reads. "When a Facebook user explicitly logs out, Facebook keeps uniquely identifying … cookies in the browser, which are then used to track logged-out users across the web."
EU privacy law requires that users’ consent be acquired before cookies or tracking services are used, unless it is necessary for either the networking needed for connecting to the service, or to deliver a service specifically requested by the user.
“European legislation is really quite clear on this point. To be legally valid, an individual’s consent toward online behavioural advertising must be opt-in,” researcher Brendan Van Alsenoy, one of the study’s authors, told the Guardian. “Facebook cannot rely on users’ inaction to infer consent. As far as non-users are concerned, Facebook really has no legal basis whatsoever to justify its current tracking practices.”
The study also analyzed the official mechanism used to opt-out of tracking mechanisms in the EU, used by companies like Facebook, Microsoft and Google. When researchers visited the European Digital Advertising Alliance website used to opt-out of multiple tracking services, Facebook reportedly placed a new tracking cookie on their computer. The finding was confirmed by Princeton University researcher Steven Englehardt, who was not involved in the original report’s creation, according to the Guardian.
“I started with a fresh browsing session and received an additional...cookie that appears capable of uniquely identifying users on the UK version of the European opt-out site. This cookie was not present during repeat tests with a fresh session on the US or Canadian version,” he said.
However, Facebook disputed the findings of the report in a statement to the Verge. “This report contains factual inaccuracies," a spokesman said. "The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based. Neither did they invite our comment on the report before making it public. We have explained in detail the inaccuracies in the earlier draft report ... and have offered to meet with [the report's commissioning body] to explain why it is incorrect, but they have declined to meet or engage with us."