Facebook will block Belgians without accounts from access to its content

The restriction is a side effect of its complying with a local order to stop tracking people without accounts


Facebook's headquarters in Menlo Park, California, on Oct. 29, 2015

Credit: Martyn Williams

Facebook has outlined its plans to follow a court ruling in Belgium requiring it not to track people who do not have accounts on the social networking website.

The company said it was giving the details ahead of the order being served on it by the Belgian Privacy Commission, which is expected later this week.

Among the steps Facebook plans to take is to require people without Facebook accounts in Belgium to create accounts and log in to the social networking website before they can see its publicly available pages and other content, the company said.

"Today, anyone can see Facebook pages for small businesses, sports teams, celebrities and tourist attractions without logging into Facebook—typically found using a search engine," a Facebook spokesman said in an email.

A court in Belgium last month passed an interim order asking the company to stop tracking users who do not have accounts on the social networking website, or risk fines.

The dispute largely hinges on Facebook's use of a special cookie called 'datr' that it claims helps it distinguish between legitimate and illegitimate visits to its website, and identifies browsers and not individuals. Facebook claims that by using the security cookie it protected Belgian people from more than 33,000 takeover attempts in the past month.

But technical experts assisting the Belgian Privacy Commission found that when a user not signed on to Facebook visited the website, the datr cookie was set with a two-year lifetime. When they thereafter visited a Web page on gayworld.be, a website that includes a Facebook social plug-in, the inspection of the network traffic revealed that the datr cookie was sent to the facebook.com domain in the cookie header of the HTTP requests, according to the experts.
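The two observations the experts describe (a two-year lifetime, and the cookie accompanying requests to facebook.com made from a page on another site) can be checked mechanically against a traffic capture. The following is an added example, not code from the article, Facebook or the Commission; the cookie value, URL paths, the use of `Max-Age` for the lifetime and the reliance on the `Referer` header to identify the embedding page are assumptions, and all sample data is constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data: cookie value, paths and requests are made up.
SET_COOKIE = ("datr=CONSTRUCTED_VALUE; Max-Age=63072000; "
              "Domain=.facebook.com; Path=/; Secure; HttpOnly")
CAPTURED = [
    {"url": "https://www.facebook.com/plugins/constructed-widget",
     "headers": {"Referer": "http://gayworld.be/", "Cookie": "datr=CONSTRUCTED_VALUE"}},
    {"url": "https://www.facebook.com/constructed-page",
     "headers": {"Referer": "https://www.facebook.com/", "Cookie": "datr=CONSTRUCTED_VALUE"}},
    {"url": "http://gayworld.be/style.css",
     "headers": {"Referer": "http://gayworld.be/"}},
]

def in_domain(host, domain):
    """True when host equals the cookie domain or is a subdomain of it."""
    domain = domain.lstrip(".").lower()
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)

def lifetime_days(set_cookie, name):
    """Lifetime taken from Max-Age, in days; None for a session cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    max_age = jar[name]["max-age"]
    return int(max_age) / 86400 if max_age else None

def cross_site_sends(requests, name, domain):
    """Requests carrying the cookie to `domain` while the embedding page
    (taken from Referer) belongs to a different site."""
    hits = []
    for req in requests:
        headers = req["headers"]
        sent = SimpleCookie()
        sent.load(headers.get("Cookie", ""))
        target = urlsplit(req["url"]).hostname
        page = urlsplit(headers.get("Referer", "")).hostname
        if (name in sent and in_domain(target, domain)
                and page and not in_domain(page, domain)):
            hits.append((page, req["url"]))
    return hits

if __name__ == "__main__":
    print(lifetime_days(SET_COOKIE, "datr"), "days")
    for page, url in cross_site_sends(CAPTURED, "datr", "facebook.com"):
        print(f"datr sent to {url} while visiting {page}")
```

A cookie whose lifetime is expressed only through `Expires` would need that attribute parsed as well; this sketch reports it as a session cookie.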

In a letter on Tuesday to the Belgian Privacy Commission, Facebook said that while it plans to appeal the court's ruling, it will comply with the order in the meantime. The company said it would cease setting datr cookies for non-registered users in Belgium, and delete existing datr cookies for such users to the extent it is technically feasible.

The removal of the datr cookies will, however, have implications for the services Facebook offers unregistered users in Belgium, because of the security role it claims the cookies play. "Since the datr cookie provides protections against content scraping and application-level denial of service attacks, we will only be able to offer access to content to people in Belgium with Facebook accounts," the Facebook spokesman said.

Registered Facebook users in Belgium who attempt to log in to their account from an unrecognized Web browser may also need to complete additional security steps, such as entering a security code or identifying their friends in a photo.

Facebook claims the controls related to datr have been evaluated and validated many times by the Irish Data Protection Commissioner. The company claims that it has only one establishment in the European Union, in Ireland, and that Irish national data protection law can be applied to all its European users, according to records. But the Belgian Privacy Commission asserted jurisdiction because, among other reasons, the local processor Facebook Belgium was a permanent establishment in Belgian territory being run by Facebook in the U.S.
