Tag Archives: jurisdiction

Belgian Privacy Commission Found Facebook in Violation of EU and Belgian Privacy Law


About two weeks ago KU Leuven University and Vrije Universiteit Brussel in Belgium published a report commissioned by the Belgian Privacy Commission about the tracking behaviour of Facebook on the internet, more specifically how they track their users (and non-users!) through the ‘Like’ buttons and Share buttons that are found on millions of websites across the internet.

Based on this report and the technical report, the Belgian Privacy Commission published a recommendation, which can be found here. A summary article of the findings is also published.


The results of the investigation are depressing. It was found that Facebook disregards European and Belgian privacy law in various ways. In fact, 10 legal issues have been found by the commission. Facebook frequently dismisses its own severe privacy violations as “bugs” that are still on the list of being fixed (ignoring the fact that these “bugs” are a major part of Facebook’s business model). This allows them to let various privacy commissioners think that privacy violations are the result of unintended functionality, while in fact it is, the entire business model of Facebook is based on profiling people.

Which law applies?

Facebook also does not recognise the fact that in this case Belgian law applies, and claims that because they have an office in Ireland, that they are only bound by Irish privacy law. This is simply not the case. In fact, the general rule seems to be that if you focus your site on a specific market, (let’s say for example Germany), as evidenced by having a German translation of your site, your site being accessible through a .de top-level domain, and various other indicators as well (one option could be the type of payment options provided, if your site offers ways to pay for products or services, or maybe marketing materials), then you are bound by German law as well. This is done to protect German customers, in this example case.

The same principle applies to Facebook. They are active world-wide, and so should be prepared to make adjustments to their services such that they comply with the various laws and regulations of all these countries. This is a difficult task, as laws are often incompatible, but it’s necessary to safeguard consumers’ rights. In the case of Facebook, if they would build their Like and Share buttons in such way that they don’t phone home on page load and don’t place cookies without the user’s consent, they would have a lot less legal problems. The easiest way to comply if you run such an international site, is take the strictest legislation, and implement it such that it complies with that.

In fact, the real reason why Facebook is in Ireland is mostly due to tax reasons. This allows them to evade taxes, by means of the Double Irish and Dutch Sandwich financial constructions.

Another problem is that users are not able to prevent Facebook from using the information they post on the social network site for purposes other than the pure social network site functionality. The information people post, and other information that Facebook aggregates and collects from other sources, are used by Facebook for different purposes without the express and knowing consent of the people concerned.

The problem with the ‘Like’ button

Special attention was given to the ‘Like’ and ‘Share’ buttons found on many sites across the internet. It was found that these social sharing plugins, as Facebook calls them, place a uniquely identifying cookie on users’ computers, which allows Facebook to then correlate a large part of their browsing history. Another finding is that Facebook places this uniquely identifying datr cookie on the European Interactive Digital Advertising Alliance opt-out site, where Facebook is listed as one of the participants. It also places an oo cookie (which presumably stands for “opt-out“) once you opt out of the advertising tracking. Of course, when you remove this cookie from your browser, Facebook is free to track you again. Also note that it does not place these cookies on the US or Canadian opt-out sites.

As I’ve written earlier in July 2013, the problem with the ‘Like’ button is that it phones home to Facebook without the user having to interact with the button itself. The very act of it loading on the page means that Facebook gets various information from users’ browsers, such as the current page visited, a unique browser identifying cookie called the datr cookie, and this information allows them to correlate all the pages you visit with your profile that they keep on you. As the Belgian investigators confirmed, this happens even when you don’t have an account with Facebook, when it is deactivated or when you are not logged into Facebook. As you surf the internet, a large part of your browsing history gets shared with Facebook, due to the fact that these buttons are found everywhere, on millions of websites across the world.

The Filter BubblePersonal data points

A major problem of personalisation technology, like used by Facebook, but also Google, and others, is that it limits the information users are exposed to. The algorithm learns what you like, and then subsequently only serves you information that you’re bound to like. The problem with that is, that there’s a lot of information that isn’t likeable. Information that isn’t nice, but still important to know. And by heavily filtering the input stream, these companies influence our way of how we think about the world, what information we’re exposed to, etc. Eli Pariser talks about this effect in his book The Filter Bubble: What the Internet is Hiding From You, where he did a Google search for ‘Egypt’ during the Egyptian revolution, and got information about the revolution, news articles, etc. while his friend only got information about holidays to Egypt, tour operators, flights, hotels, etc. This is a vastly different result for the exact same search term. This is due to the heavy personalisation going on at Google, where algorithms refine what results you’re most likely to be interested in, by analysing your previously-entered search terms.

The same happens at Facebook, where they control what you see in your news feed on the Facebook site, based on what you like. Problem is that by doing that a few times, soon you’re only going to see information that you like, and no information that’s important, but not likeable. This massively erodes the eventual value that Facebook is going to have, since eventually, all Facebook will be is an endless stream of information, Facebook posts, images, videos that you like and agree with. It becomes an automatic positive feedback machine. Press a button, and you’ll get a cookie.

What value does Facebook then have as a social network, when you never come in touch with radical ideas, or ideas that you initially do not agree with, but that may alter your thinking when you come in touch with them? By never coming in touch with extraordinary ideas, we never improve. And what a poor world that would be!

My Move to Switzerland

Accelerated because of the recent exposure of the NSA’s horrible PRISM program by whistleblower Edward Snowden, I’ve decided to finally take the steps I’ve contemplated about for roughly a year now: moving my online persona to Switzerland.

Why Switzerland?Swiss Flag

The reason I chose Switzerland is because of United States policy, really. In recent years, the US administration has been flexing their jurisdictional muscles and have been putting several perfectly legitimate websites out of business because their owners published things the US junta didn’t like. This happens even when your servers aren’t located in the United States, and even when you don’t market your site to Americans. Having a .com, .net or .org is apparently enough to fall under US jurisdiction.

Examples are legion: Mega (previously known as MegaUpload), ran by the New Zealand citizen Kim Dotcom, whose domains have been seized by the US government because of vague copyright infringement allegations. Their website got defaced by the American government, and you can imagine the kind of damage this may inflict if you’re running a company or non-profit, and the image put up by the US authorities says your website was taken down because of, shall we say, ‘questionable’ content.

TVShacks, the website ran by the then 23-year-old Richard O’Dwyer, a UK citizen who faced extradition to the United States in 2011 because of copyright allegations, even when he was not doing anything illegal according to UK law. His website simply aggregated links to where copyrighted content could be found on the Internet, and he complied with proper notice and take-down requests. Yes, you’ve read it correctly: here is someone who actually faced extradition to the US, even when he didn’t do anything illegal under UK law, based on what exactly? Some vague copyright claims by Hollywood.

You have to be careful about which companies you deal with, and especially in which country they are incorporated. Because if you’re dealing with a US-based company, any US company, it will be subject to the US PATRIOT Act, NSLs (National Security Letters), FISA and legally required to put in back-doors and send logs containing your traffic to the US intelligence community, the NSA in particular. And in the order by the FISC (Foreign Intelligence Surveillance Court) it explicitly says that you can’t inform your clients about the fact that you have to send all their communications to the NSA. It also stipulates hefty prison sentences for the leadership of the US companies that are found to be breaching this stipulation in the order. And they aren’t collecting just meta-data: the actual content of your communications are recorded and profiled and searched through as well. But this wasn’t really anything new: the US plus the UK and her former colonies have been running the ECHELON program for many years. Its existence was confirmed by a European Parliament investigation into the capabilities and political implications of ECHELON in 2001.

What Can You Do?

The solution to this is quite complex and involves many factors and variables you have to consider. But here are some of the things I did:

Basically you want to have nothing to do with US companies. Basically don’t have any US ties whatsoever. Because as soon as there is a US link, your service providers are subject to US legislation, have to comply with the spooks’ orders and more importantly: can’t tell you about it. So avoid US companies, US cloud providers, etc. at all costs if you want to stay really secure. So no Google, Facebook, Twitter, LinkedIn, etc. without approaching this with a clear strategy in mind. Be careful when (if at all) you’re using these services.

Be sure to install browser plugins like HTTPS Everywhere (to use secure HTTPS connections wherever possible; providing end-to-end encryption) and Ghostery to prevent letting these companies track the web pages you visit.

The hardware and software you’re using also needs to be as secure as possible. Don’t order your new computer on the Internet, but go to a physical (brick-and-mortar) store (pick one at random that has the model you fancy in store) and buy one cash over the counter. The computer should preferably be running a free software (free as in freedom, not free as in ‘free beer’) operating system like GNU/Linux (there’s an easy to use distribution of GNU/Linux called Ubuntu) or BSD, and the software running on top of that should preferably be free software as well. This is done to ensure that the hardware cannot be compromised in the transfer from the manufacturer to you (since it’s impossible to tell which computer you’re going to pick at the store), and to ensure proper review of the source code of the software you are using. Or, as Eric S. Raymond said in his book The Cathedral and the Bazaar: “Given enough eyeballs, all bugs are shallow.” You cannot trust proprietary software, since you cannot check the source code, and it’s less flexible than free software because you cannot extend or change the software to fit your needs exactly. Even if you yourself don’t have the expertise to do so, you can always hire someone to do this work for you.

With regards to domain security (to prevent the US authorities from defacing your website) you can register a domain name that doesn’t fall under US jurisdiction. I chose Switzerland (.ch) because of the way they’ve been resisting pressure by the US authorities when they clamped down on Wikileaks. The server is also physically located in Switzerland. This server is also running my email, which I access through a secure, encrypted SSL/TLS connection.

Now, e-mail is basically a plain text protocol, so people still get to read them if they sniff your packets somewhere between source and destination. The best way to prevent this from happening, is to use encryption, not just for authentication, but encrypt the content as well whenever possible. I use GnuPG, an open source implementation of PGP, together with the Enigmail plug-in for Thunderbird. This works using asymmetric encryption, with two keys, a public key and a private key, which you generate on your machine. The public key can be published and shared freely, as this is what allows other people to send encrypted mail to you. You have to keep the private key secret. You can then send encrypted email to people if you have their public key.

If you want to read up some more on some of the practical measures you can take to increase your security, please visit Gendo’s Secure Comms webpage. It contains comprehensive practical advice and lots of links to the software you need to set up secure comms.

My plan is to write more articles on this website, so I’d like to thank you for your time, and hope to see you again soon!