SAN FRANCISCO (Reuters) - Concern about Facebook Inc’s respect for data privacy is widening to include the information it collects about non-users, after Chief Executive Mark Zuckerberg said the world’s largest social network tracks people whether they have accounts or not.
Privacy concerns have swamped Facebook since it acknowledged last month that information about millions of users wrongly ended up in the hands of political consultancy Cambridge Analytica, a firm that has counted U.S. President Donald Trump’s 2016 electoral campaign among its clients.
Zuckerberg said on Wednesday under questioning by U.S. Representative Ben Luján that, for security reasons, Facebook also collects “data of people who have not signed up for Facebook.”
Lawmakers and privacy advocates immediately protested the practice, with many saying Facebook needed to develop a way for non-users to find out what the company knows about them.
“We’ve got to fix that,” Representative Luján, a Democrat, told Zuckerberg, calling for such disclosure, a move that would have unclear effects on the company’s ability to target ads. Zuckerberg did not respond. On Friday Facebook said it had no plans to build such a tool.
Critics said that Zuckerberg has not said enough about the extent and use of the data. “It’s not clear what Facebook is doing with that information,” said Chris Calabrese, vice president for policy at the Center for Democracy & Technology, a Washington advocacy group.
Facebook gets some data on non-users from people on its network, such as when a user uploads email addresses of friends. Other information comes from “cookies,” small files stored via a browser and used by Facebook and others to track people on the internet, sometimes to target them with ads.
“This kind of data collection is fundamental to how the internet works,” Facebook said in a statement to Reuters.
Asked if people could opt out, Facebook added, “There are basic things you can do to limit the use of this information for advertising, like using browser or device settings to delete cookies. This would apply to other services beyond Facebook because, as mentioned, it is standard to how the internet works.”
Facebook often installs cookies on non-users’ browsers if they visit sites with Facebook “like” and “share” buttons, whether or not a person pushes a button. Facebook said it uses browsing data to create analytics reports, including about traffic to a site.
The company said it does not use the data to target ads, except those inviting people to join Facebook.
Advocates and lawmakers say they are singling out Facebook because of its size, rivalled outside China only by Alphabet Inc’s Google, and because they allege Zuckerberg was not forthcoming about the extent and reasons for the tracking.
“He’s either deliberately misunderstanding some of the questions, or he’s not clear about what’s actually happening inside Facebook’s operation,” said Daniel Kahn Gillmor, a senior staff technologist at the American Civil Liberties Union.
Zuckerberg, for instance, said the collection was done for security purposes, without explaining further or saying whether it was also used for measurement or analytics, Gillmor said, adding that Facebook had a business incentive to use the non-user data to target ads.
Facebook declined to comment on why Zuckerberg referred to security only.
Gillmor said Facebook could build databases on non-users by combining web browsing history with uploaded contacts. Facebook said on Friday that it does not do so.
The ACLU is pushing U.S. lawmakers to enact broad privacy legislation including a requirement for consent prior to data collection.
The first regulatory challenge to Facebook’s practices for non-users may come next month when a new European Union law, known as the General Data Protection Regulation (GDPR), takes effect and requires notice and consent prior to data collection.
At a minimum, “Facebook is going to have to think about ways to structure their technology to give that proper notice,” said Woodrow Hartzog, a Northeastern University professor of law and computer science.
Facebook said in its statement on Friday, “Our products and services comply with applicable law and will comply with GDPR.”
The social network would be wise to recognise at least a right to know, said Michael Froomkin, a University of Miami law professor.
“If I’m not a Facebook user, I ought to have a right to know what data Facebook has about me,” Froomkin said.
Reporting by David Ingram; Editing by Peter Henderson and Richard Chang