Posted 10 December 2015, 22:26   #2
zonbron

This story is not over yet.


Reading is knowing. This Facebook page is NOT blocked for non-members:

https://www.facebook.com/notes/alex-...3678944202929/


Full copy/paste:
03 Dec 2015 - An update on this issue is available here.
My job at Facebook is to keep the 1.5 billion people using our service safe. That's what motivates me every day, and when one of our important technologies to detect and stop attackers is threatened, I have to speak up.

The Belgium Privacy Commission recently filed against Facebook in a Belgian court to prevent us from using a cookie called datr that plays a fundamental role in our efforts to keep people safe. Most significantly, we use the datr cookie to help differentiate legitimate visits to our website from illegitimate ones.


There are all kinds of important legal arguments going on about whether every individual country in the EU has the authority to bring objections to companies operating there, but I want to set those arguments aside for the moment to focus on the technical details.

It's no surprise to anyone these days that companies face real and frequent threats from attackers of all levels of sophistication. Facebook is a leader in security, and we invest in technologies that we develop and share with other companies and researchers so that we aren't the only ones who benefit from advancements. However, the actions of the Belgian Privacy Commission could undermine our efforts to keep the accounts of people in Belgium safe.
The reason I'm bullish on the datr cookie is because for at least the last five years we have used it every day to defend people's accounts through the following actions:

Preventing the creation of fake and spammy accounts
Reducing the risk of someone's account being taken over by someone else
Protecting people's content from being stolen
Stopping DDoS attacks that could make our site inaccessible to people

If the court blocks us from using the datr cookie in Belgium, we would lose one of our best signals to demonstrate that someone is coming to our site legitimately. In practice, that means we would have to treat any visit to our service from Belgium as an untrusted login and deploy a range of other verification methods for people to prove that they are the legitimate owners of their accounts. It would also make Belgian devices more attractive to spammers and others who traffic in compromised accounts on underground forums.

The Belgian Privacy Commission initially argued an incorrect point that Facebook uses the datr cookie to target ads to people who aren’t Facebook users. We don’t — and the Commission abandoned that argument. Now they are focused on the fact that we set the datr cookie when someone visits one of our sites, such as Facebook.com, or clicks a Like button on a publisher's website and interacts with the login page that appears. We do not set the datr cookie when someone simply loads a page with a Like button.
[Image: The HTTP header that sets the datr cookie.]
The datr cookie is only associated with browsers, not individual people. It doesn't contain any information that identifies or is tied to a particular person. At a technical level, we use the datr cookie to collect statistical information on the behavior of a browser on sites with social plugins, such as the Like button, to help us distinguish patterns that look like an attacker from patterns that look like a real person.
For example, if the datr cookie demonstrates that a browser has been visiting hundreds of sites in the last five minutes, that's a pretty good indication we are dealing with a computer-controlled device (a bot). On the flip side, consistent use over several days usually indicates that a browser is legitimate and should be able to access Facebook normally.

While we use this aggregated, statistical information about browsers for security, we thoroughly delete logs generated by the datr cookie after 10 days. People can delete the datr cookie and this associated information from their browser at any time. Of course, the absence of history in the datr cookie reduces our ability to determine the legitimacy of a visit to our site, which means we will likely prompt for more information to help keep spammers out. These controls have been evaluated and validated repeatedly by the Irish Data Protection Commissioner.

I encourage the Belgian court to consider the very real ramifications of disallowing this type of privacy-preserving and security-necessary cookie. Many websites and services such as content distribution networks use cookies to provide equivalent protections. If this judgment were fairly enforced across the industry, it would mean a worse experience for people and less effective security for the internet overall.
__________________
Quote:
Originally posted by Salah
It will be the well-known Zonbron moment again.
HERE

Last edited by zonbron: 10 December 2015 at 22:30.
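The quoted note describes a browser-level heuristic: many distinct sites within five minutes suggests a bot, consistent use over several days suggests a legitimate browser, and logs are deleted after 10 days. The sketch below is an added example, not part of the forum post and not Facebook's code; the thresholds, label names, browser ids and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)    # "the last five minutes", from the note
BOT_SITES = 100                  # assumed cut-off for "hundreds of sites"
TRUSTED_DAYS = 3                 # assumed reading of "several days"
RETENTION = timedelta(days=10)   # logs deleted after 10 days, from the note
NOW = datetime(2015, 12, 10, 12, 0)  # constructed reference time

def _label(hits):
    """hits: list of (timestamp, site) sorted by time, for one browser id."""
    counts, left = defaultdict(int), 0
    for ts, site in hits:
        counts[site] += 1
        while ts - hits[left][0] > WINDOW:   # slide the window forward
            old = hits[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        if len(counts) >= BOT_SITES:         # too many distinct sites at once
            return "likely-bot"
    days = {ts.date() for ts, _ in hits}
    return "established" if len(days) >= TRUSTED_DAYS else "unknown"

def classify(events, now):
    """events: (browser_id, timestamp, site). Ids with no retained history are
    absent from the result and should be treated like "unknown"."""
    per_browser = defaultdict(list)
    for bid, ts, site in events:
        if now - ts <= RETENTION:            # enforce the retention limit
            per_browser[bid].append((ts, site))
    return {bid: _label(sorted(hits)) for bid, hits in per_browser.items()}

def sample_events():
    """Constructed events: a crawler, a daily visitor, expired logs, a new browser."""
    ev = [("bot-1", NOW - timedelta(seconds=2 * i), f"site{i}.example") for i in range(150)]
    ev += [("home-1", NOW - timedelta(days=d, hours=1), "news.example") for d in range(5)]
    ev += [("stale-1", NOW - timedelta(days=11 + d), "blog.example") for d in range(5)]
    ev += [("new-1", NOW - timedelta(minutes=1), "shop.example")]
    return ev

if __name__ == "__main__":
    for bid, label in sorted(classify(sample_events(), NOW).items()):
        print(bid, label)
```

A browser whose cookie was deleted shows up like `new-1` or `stale-1`: with no usable history it cannot be labelled established, which matches the note's remark that such visits are prompted for more information.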