What Is Facebook’s Datr Cookie, and Why Does Belgium Want It Gone?

By David Cohen

Facebook chief security officer Alex Stamos used the social network’s revamped notes interface to post his response to a privacy lawsuit filed against the company in Belgium.

The suit, filed by the Belgium Privacy Commission, targets Facebook’s use of a cookie known as datr. Stamos outlined why and how the social network uses the datr cookie, and why its use should not be banned.

Stamos wrote that Facebook uses the datr cookie to:

  • Prevent the creation of fake accounts and spammy accounts.
  • Lower the risk of users’ accounts being taken over by other people.
  • Protect users’ content against theft.
  • Prevent DDoS (distributed denial of service) attacks that could make Facebook inaccessible to some users.

Highlights from Stamos’ defense follow:

If the court blocks us from using the datr cookie in Belgium, we would lose one of our best signals to demonstrate that someone is coming to our site legitimately. In practice, that means we would have to treat any visit to our service from Belgium as an untrusted login and deploy a range of other verification methods for people to prove that they are the legitimate owners of their accounts. It would also make Belgian devices more attractive to spammers and others who traffic in compromised accounts on underground forums.

The Belgian Privacy Commission initially argued an incorrect point that Facebook uses the datr cookie to target ads to people who aren’t Facebook users. We don’t—and the commission abandoned that argument. Now it is focused on the fact that we set the datr cookie when someone visits one of our sites, such as Facebook.com, or clicks a like button on a publisher’s website and interacts with the login page that appears. We do not set the datr cookie when someone simply loads a page with a like button.

The datr cookie is only associated with browsers, not individual people. It doesn’t contain any information that identifies or is tied to a particular person. At a technical level, we use the datr cookie to collect statistical information on the behavior of a browser on sites with social plugins, such as the like button, to help us distinguish patterns that look like an attacker from patterns that look like a real person.

For example, if the datr cookie demonstrates that a browser has been visiting hundreds of sites in the past five minutes, that’s a pretty good indication that we are dealing with a computer-controlled device (a bot). On the flip side, consistent use over several days usually indicates that a browser is legitimate and should be able to access Facebook normally. While we use this aggregated, statistical information about browsers for security, we thoroughly delete logs generated by the datr cookie after 10 days. People can delete the datr cookie and this associated information from their browser at any time.
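
To make the heuristic Stamos describes concrete, here is an added Python sketch (my example, not Facebook’s code; the thresholds, log format and sample values are assumptions): it groups social-plugin loads by datr value, flags a browser that hits hundreds of distinct sites within five minutes, trusts one seen on several different days, and discards entries older than ten days before scoring.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds modelled on the quoted heuristic; assumed values, not Facebook's real ones.
WINDOW = timedelta(minutes=5)
BURST_SITES = 100               # "hundreds of sites in the past five minutes"
STEADY_DAYS = 3                 # "consistent use over several days"
RETENTION = timedelta(days=10)  # "delete logs ... after 10 days"

def prune(log, now):
    """Drop plugin-load entries older than the retention period."""
    return [e for e in log if now - e[0] <= RETENTION]

def classify(log, now):
    """Score each browser (datr value) from (timestamp, datr, site) entries.
    Returns datr -> 'bot' | 'trusted' | 'unknown'; fully pruned browsers are absent."""
    by_cookie = defaultdict(list)
    for ts, datr, site in prune(log, now):
        by_cookie[datr].append((ts, site))
    verdicts = {}
    for datr, events in by_cookie.items():
        events.sort()
        burst, lo = 0, 0
        for hi in range(len(events)):          # sliding 5-minute window
            while events[hi][0] - events[lo][0] > WINDOW:
                lo += 1
            burst = max(burst, len({s for _, s in events[lo:hi + 1]}))
        active_days = {ts.date() for ts, _ in events}
        if burst >= BURST_SITES:
            verdicts[datr] = "bot"
        elif len(active_days) >= STEADY_DAYS:
            verdicts[datr] = "trusted"
        else:
            verdicts[datr] = "unknown"
    return verdicts

# Constructed sample log (hypothetical datr values and hostnames).
NOW = datetime(2015, 11, 1, 12, 0)
SAMPLE_LOG = (
    [(NOW - timedelta(seconds=i), "datr_bot", f"site{i}.example") for i in range(150)]
    + [(NOW - timedelta(days=d, hours=1), "datr_regular", "news.example") for d in range(7)]
    + [(NOW - timedelta(minutes=m), "datr_new", "blog.example") for m in (10, 40)]
    + [(NOW - timedelta(days=12), "datr_stale", "old.example")]  # older than 10 days
)

if __name__ == "__main__":
    print(classify(SAMPLE_LOG, NOW))
```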

Readers: How do you think this court case in Belgium will play out?

Image of Belgium flag courtesy of Shutterstock.