Four Nations Join Belgium to Demand Facebook Rein in Cookies

Privacy authorities in four European countries join Belgium to demand that Facebook stop setting cookies for non-members, despite Facebook's claim that this is a security measure.

Facebook Cookies 2

A Belgium court ruled in November that Facebook must stop setting cookies for visitors who do not have an account on the social network. Now, four more European countries have made the same demand.

On Dec. 3, Facebook complied with the Belgian court order and warned that non-members would not receive a specific cookie—known as the "datr" cookie—and would be blocked from access to content on the site. In addition, the social network’s ability to stop more than 400,000 account takeover attempts each day would be affected, Alex Stamos, chief security officer for Facebook, said in a blog post.

"In the absence of the datr cookie, we will have to treat any visit to Facebook from an unrecognized browser in Belgium as potentially malicious," he said. "As a result, people in Belgium will see some changes to the way Facebook works."

Belgium, however, is no longer alone. On Dec. 4, privacy authorities in four other European countries, France, Germany, Netherlands and Spain, joined the Belgian Privacy Commission in requesting that Facebook stop tracking any citizens who were not members of the social network. It's unclear whether other nations may be readying their own requests to prevent the company from tracking citizens who are not members of the social-media service.

"Most of this tracking is invisible to the regular user, and the more they find out about what is going on, the more that it clashes with their expectations of privacy," said Danny O’Brien, international director for the Electronic Frontier Foundation, a pro-digital rights group.

Earlier this year, the Belgian Privacy Commission requested that Facebook cease tracking non-members. After the group filed a complaint, Belgium's civil court found Facebook in violation of the country's privacy laws in November and ordered the social network to stop collecting information on non-users.

"The defendants collect[ion of] data about the surfing behavior of millions of inhabitants of Belgium who have decided not to become a member of Facebook's social network site, regardless of what they do with the data, is a manifest violation of [E.U.] privacy legislation," the court stated in its order.

Facebook's Stamos argued that the "datr" cookie is a valuable tool that the social network uses to fight fraud. The cookie can be used to prevent the creation of fake accounts, reduces the risk of an account takeover, protects users from third-party content scraping and helps identify requests that may be part of denial-of-service attacks.

"At a technical level, we use the datr cookie to collect statistical information on the behavior of a browser on sites with social plugins, such as the Like button, to help us distinguish patterns that look like an attacker from patterns that look like a real person,” Stamos stated in an October blog post on the topic.

Facebook could likely re-write its service's code to retain the same level of security without the datr cookie, but will not likely do so, until its appeal to the court is resolved, said the EFF's O'Brien.

"Companies are reticent to re-engineer their systems in the face of a court order," he said. "Right now, Facebook is making a tweak to its systems, which is not the best solution either for Beligan users or Facebook itself."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...