Liber Calvariam

Of all the techie things we know, many people, even most non-techies, have their view on Facebook. I am no different in that regard. I have in the past made several cases where I questioned the actions of Facebook, the choices they made and the things their users agreed to. I have always tempered that to some extent because I think that there is no such thing as a ‘free service’; there is always a price to pay, and that price is not always ‘expressed’ in coin or currency.

The first article in this was in the Guardian (at http://www.theguardian.com/technology/2015/mar/31/facebook-tracks-all-visitors-breaching-eu-law-report). It was published on March 31st and the title is of course pretty upsetting, namely “Facebook ‘tracks all visitors, breaching EU law’”. Now the title is already reason for debate, but I will get to that shortly. The quote that is part of this is: “People without Facebook accounts, logged out users, and EU users who have explicitly opted out of tracking are all being tracked, report says”. This links to a story that was published on February 23rd. That link is important, as that story links to two articles. The first one (at http://www.law.kuleuven.be/icri/en/news/item/icri-cir-advises-belgian-privacy-commission-in-facebook-investigation) has links to full reports and states: “Facebook’s default settings related to behavioural profiling or Social Ads, for example, are particularly problematic. Moreover, users are offered no choice whatsoever with regard to their appearance in “Sponsored Stories” or the sharing of location data”. I have experienced part of this myself; even now, at times, it still takes a moment to figure out what settings are where, and I am very tech savvy. More importantly, the second link, to the full Facebook PDF article, was not found, which is a little sloppy I must say. There is no way to tell whether this flaw was because of actions from the University of Leuven, or from the Guardian.

My issue follows from “EU privacy law states that prior consent must be given before issuing a cookie or performing tracking, unless it is necessary for either the networking required to connect to the service (“criterion A”) or to deliver a service specifically requested by the user (“criterion B”)” as well as “A cookie is a small file placed on a user’s computer by a website that stores settings, previous activities and other small amounts of information needed by the site. They are sent to the site on each visit and can therefore be used to identify a user’s computer and track their movements across the web”. By themselves they seem innocent enough, but when we consider the implications, we get ‘identify a user’s computer’ and ‘track their movements across the web’. Now we get the issue: how deep does this identification go and how much tracking is done, just your actions whilst on Facebook or EVERYTHING you do on the web and where you do it? That last part becomes an issue when we consider that we use Facebook on our mobiles. There is an issue that is implied, but not correctly and completely addressed by the Guardian (as well as many other papers).

Yet, the information the article gives as brought by ‘Article 29’ gives us: “The Article 29 working party has also said that cookies set for “security purposes” can only fall under the consent exemptions if they are essential for a service explicitly requested by the user – not general security of the service”. I do not completely agree with that statement. Their statement is not wrong, but consider the mobile user: the user is a device in motion, whilst at the same time could be engaging with data in motion, two very different concepts, and whilst the cookie is not meant to be for both, it will include both, which could be regarded as an exemption. You see, when you move from tower X to tower Y, either as Pede Strian or as the Vehicular Mover, we will need explicit security, not just general security. Their statement has merit from a desktop, but it now becomes a question whether the mobile or the desktop user is now the majority here. In addition, I have not even adjusted this view for those connected through ‘free Wi-Fi’, a dubious concept for sure, one where security needs to be a lot more defining. In my personal view there is a clear need for an exemption, which I would quote as “the consent exemption, essential for the secure use of a service explicitly required for the mobile user”. That does not take away the need to address issues involving the advertised purpose of sponsored visibility, which is a fair enough issue, but let’s face it, Facebook is offered for ‘free’, those sponsored moments are the ‘price’ we get to pay and I for one agree with the not like, but I understand that the cost of running Facebook hardware is not that cheap in the end.

Now we get to the ‘actual issue’, the one that was brought on April 10th (at http://www.theguardian.com/technology/2015/apr/10/facebook-admits-it-tracks-non-users-but-denies-claims-it-breaches-eu-privacy-law). The issue is not just the quote “Facebook has admitted that it tracked users who do not have an account with the social network, but says that the tracking only happened because of a bug that is now being fixed”, because, as I see it, this issue has been around at least 8 weeks, and if we accept that the issue was already in play before the University of Leuven came with the (unread) paper and their version of evidence, then we can postulate that this issue had been going on for months. In this Facebook is not innocent, because, if Facebook is set up properly by its administrators, then the system had been collecting parsed data which should have been linked to certain flags. The fact that data was collected ‘unchecked’ gives us pause to question the system as designed, or we accept that Facebook exploited a bug to their own ends. Neither could be seen as illegal, for the mere reason that the evidence linking it all to ‘intent’ could not be proven as I see it. Even if a legal party had access to the entire system, the premise of intent might not ever be proven.

A bigger issue is the quote from Richard Allan: “The researchers did find a bug that may have sent cookies to some people when they weren’t on Facebook. This was not our intention – a fix for this is already under way”. You see, a cookie is sent (under normal conditions) when a user action warrants it. They log in, they go to a certain page or they use an app, or location, where they are linked to a Facebook account (for example, we place a comment on the Guardian page, to just mention an option, and we sign in using our Facebook account). In those cases the cookie seems valid to me, yet is that part of the ‘when they weren’t on Facebook’ part? If not, then it is not just a bug; it seems to me that there is an unchecked balance of server-based flags that are triggered by any instance whilst the user is not connected, which is not just a bug, it is a systematic flaw of the Facebook system, but is that the actual case here?

Another issue I have is with the quote from Brendan Van Alsenoy, a researcher at ICRI. Here we see: “European legislation is really quite clear on this point. To be legally valid, an individual’s consent towards online behavioural advertising must be opt-in”. That quote might be correct, but is that not part of the user agreement from Facebook, where users, by creating the account, are opting in? In addition, we get a truckload of these opting-in moments as we accept the usage of an app within Facebook. So are these not explicit opt-in moments?

I still have issues with something that was in the Wall Street Journal in August 2014 (at http://blogs.wsj.com/digits/2014/08/08/facebook-messenger-privacy-fears-heres-what-you-need-to-know/). You see, I had similar issues, but guess what, suddenly within days all news on this issue just stopped and no one followed up or gave a clear picture on why certain rights were there. I think it would be distressing to people when they agree to “call phone numbers without your intervention,” and “use the camera at any time without your permission”, two of at least half a dozen questionable rights we signed over. My issue was with the part ‘without your permission’, which is an issue to say the least. Yes, I agree that it could be just an Android phrase, but none of these rights or messages ever popped up on Google Plus or any other Google option I use, so is it just me?

In the end we love bashing a big boy like IBM, Microsoft or Facebook, but let’s be fair about it all, and that is only possible if we get a clear article on the subject. It seems to me that the articles of late do not paint a clear picture; they just sketch events, and acting on these partial sketches is not a good thing, or fair towards Facebook.

 
