Apparently, it will soon be illegal to like anything in Germany anymore, at least through Facebook. (http://www.webpronews.com/germany-dislikes-facebooks-like-button-2011-08)Thanks to a determination given by “the data protection centre of the northern German state of Schleswig-Holstein” (ULD), the Facebook “Like” button violates Germany’s strict privacy edicts, and therefore, must be removed.

As pointed out by The Local, the issues with Facebook were explained by a ULD release, and it essentially says Facebook’s “Like” button builds profiles of users and submits them back to a server in the United States. This is a direct violation of the rules set up by Germany concerning the privacy of its citizens. Because of that, German businesses that reside in the Schleswig-Holstein district must remove the “Like” button from their sites, or else face punishment in the form of a fine:

ULD expects from website owners in Schleswig-Holstein to immediately stop the passing on of user data to Facebook in the USA by deactivating the respective services. If this does not take place by the end of September 2011, ULD will take further steps. After performing the hearing and administrative procedure this can mean a formal complaint according to sect. 42 LDSG SH for public entities, a prohibition order pursuant to sect. 38 par. 5 BDSG as well as a penalty fine for private entities. The maximum fine for violations of the TMG is 50TS Euro.

That’s 50,000 Euros for those who aren’t sure.

<snip>

... the burden of being Facebook-compliant falls on the business owners, at least for now. Nothing in the documents indicates Facebook will be punished for these privacy violations, perceived or otherwise. The fines will not be aimed at Facebook for collecting the data, instead, they will be for the owners who continue to feed the beast.

I think the last line of the article is interesting. The German state govt is not going to attempt to go after Facebook directly, just after German business owners in tbe state of Schleswig-Holstein that keep the Facebook "like" button on their web sites.

I wonder if the rest of Germany will follow? And any other countries in the EU?

This post could just as easily gone to the politics, business or social issues forum. I don't have a crystal ball ;), but this looks like it could potentially have major ramifications.

In another article earlier this month, Germany threatened legal action against Facebook over its biometric facial recognition technology which also violates its privacy and data protection laws.


<snip>

“We have repeatedly asked Facebook to shut down the facial recognition function and to delete the previously stored data,” Johannes Caspar, the data protection commissioner for the state of Hamburg, (http://www.zdnet.com/blog/facebook/germany-facebook-facial-recognition-feature-violates-privacy-laws/2330) said in a two-page German-language statement released this week. Caspar’s office is giving Facebook two more weeks to draft a response before pursuing possible legal action against the company. German authorities could fine Facebook up to €300,000 ($420,000).

“We don’t think that this kind of technology conforms with EU data protection law,” Caspar told Deutsche Welle. (ed. Deutsche Welle is a German news broadcaster)

<snip>

The reason the german governement would go after the business rather than facebook is obvious. Facebook is not the one directing the firm customer to them, it is the firm whioch are directing their customer to use facebook and facebook to "like" them. Therefore the rational is that it is those firm which are responsible to make sure the privacy of those customer is repsected. And thus the fine would be to the firm.

I tend to view firm which send back or save data in US server very very very dimly. Why ? Because for all my data saved in german server, I have a right of corection, view. Anything going in the US I lose control.
My data is not for sale for the highest bidder. I am not the product.

This is just silly.

The responsibility for "feeding the beast" rests solely with the people who actually press the 'like' button. If a like button is placed on a website and remains unpushed, no law is being broken as no private data transfer is taking place.

http://i246.photobucket.com/albums/gg117/ThePsychoClown/facebook-like-button.jpg

This is just silly.

The responsibility for "feeding the beast" rests solely with the people who actually press the 'like' button. If a like button is placed on a website and remains unpushed, no law is being broken as no private data transfer is taking place.

http://i246.photobucket.com/albums/gg117/ThePsychoClown/facebook-like-button.jpg


This is just false.

Your button is on photobucket and they have just seen my IP-adress because I loaded this thread. That's all they know - my browser demanded your picture. They don't know who I am and they don't know about this thread.

The real "like"-Button is an iframe (a website inside a website) which loads code from the Facebook-Server. If I load a website with a "like"-Button, Facebook knows my IP, the website I visited and sets a Cookie in my browser if i don't have one already.

If I were a Facebook-User and logged in, they would also know my identity and all the other sites with "like"-Button I visited since my Facebook-Cookie existed.

Whether I click on any of them or not is irrevelant, and that's the problem. Here (http://www.heise.de/security/artikel/Das-verraet-Facebooks-Like-Button-1230906.html) briefly described in German. Here (https://www.datenschutzzentrum.de/facebook/)'s the ULD's analysis, also in German.

The reason the german governement would go after the business rather than facebook is obvious. Facebook is not the one directing the firm customer to them, it is the firm whioch are directing their customer to use facebook and facebook to "like" them.



I can think of a more obvious reason. Facebook is an American company on a .com website. What Facebook does is none of Germany's business. Their only concern is what German businesses do.

If I were a Facebook-User and logged in, they would also know my identity and all the other sites with "like"-Button I visited since my Facebook-Cookie existed.

Whether I click on any of them or not is irrevelant, and that's the problem. Here (http://www.heise.de/security/artikel/Das-verraet-Facebooks-Like-Button-1230906.html) briefly described in German. Here (https://www.datenschutzzentrum.de/facebook/)'s the ULD's analysis, also in German.

The bolded conditions are a voluntary choice of the user, not the web page, and certainly aren't necessary for browsing websites.

The bolded conditions are a voluntary choice of the user, not the web page, and certainly aren't necessary for browsing websites.


Thank you, Captain Obvious. Thing is, they also profile non-users with a cookie with two years lifetime (could be personalized at some point when people decide to register at facebook), and the sort of profiling they do on their users also doesn't comply with german standards. Hence it is not ok for german website owners to object their users to this and use the data which they get in return for embedding the "like"-buttons.

btw, a similar thing happened with Google Analytics some time ago. Google delivered (after long demands and apparently contrary to Facebook) a special plug-in which anonymizes parts of the IP-Adresses, so it's still legal for german website owners to run it, but only with this plug-in installed.

I can think of a more obvious reason. Facebook is an American company on a .com website. What Facebook does is none of Germany's business. Their only concern is what German businesses do.

That is actually not correct. The reason is not the nationality of the company. If facebook was a german company, it would not change *anything*.

That is actually not correct. The reason is not the nationality of the company. If facebook was a german company, it would not change *anything*.


Oh, it would. They would be forced to comply with German and EU data protection laws. You can read in the ULD analysis I linked in #4, page 15ff, how they are trying to determine "Verantwortlichkeit" (liability) and come to the conclusion that they can't do anything about what facebook does because it matters where the data is processed, and that happens in the US under their law. Facebook has only some kind of service subsidaries in Germany and (concerning EU laws) in Ireland. So they have to go after the german website owners and hope that Facebook will comply because they don't want to lose their german customers. And they plan to do further analysis to determine if they can go after Akamai who runs the servers for Facebook, which are because of load balancing all over the place, and has a german subsidiary.

This is just false.

Your button is on photobucket and they have just seen my IP-adress because I loaded this thread. That's all they know - my browser demanded your picture. They don't know who I am and they don't know about this thread.

The real "like"-Button is an iframe (a website inside a website) which loads code from the Facebook-Server. If I load a website with a "like"-Button, Facebook knows my IP, the website I visited and sets a Cookie in my browser if i don't have one already.

If I were a Facebook-User and logged in, they would also know my identity and all the other sites with "like"-Button I visited since my Facebook-Cookie existed.

Whether I click on any of them or not is irrevelant, and that's the problem. Here (http://www.heise.de/security/artikel/Das-verraet-Facebooks-Like-Button-1230906.html) briefly described in German. Here (https://www.datenschutzzentrum.de/facebook/)'s the ULD's analysis, also in German.

Yes of course I'm oversimplifying it. But cookies and collection of data is not restricted to Farcebook. If people are worried about things like this, they disable cookies or set up their browsers to make sure their 'information' is not collected by the simple act of 'visiting a website'.
The responsibility for securing your own data should be yours, not anyone else's.

This plus the Data Protection act (certainly here in the UK) only covers recognisable personal information, so I doubt that an IP address and a website visited even constitutes a breach of the Data Protection Act.

As much as I detest Farcebook and won't have anything to do with having an account with them, I think that when governments start to legislate using a sledgehammer to crack a nut, it's not a good thing.

As for if I ever visit a website with an embedded 'like' button, so Farcebook may know that someone with this IP address looked at that site and totally ignored the Farcebook button. What harm is there when the actual website that I visit could also be downloading cookies, spyware and all sorts of invisible nonsense?

It does deliver cookies and it also delivers a whole bunch of javascript with it. If you don't take care of your cookies, and the overwhelming majority of net users don't even know what that is, facebook will have a detailed profile of your surfing habits through those "social plug-ins" regardless of if you are a member or not. If you are not a member, it will not be the profile of "Stray Cat", but that of IDxyz.

And this breaks our data protection laws whose standards are much higher than those of the UK, which is with all due respect a privacy nightmare. The reasons for our higher concerns obviously lie in our historical experience, as this successful campaign ad against former minister of interior and surveillance hardliner Wolfgang Schäuble shows:

http://forums.randi.org/imagehosting/99074e4fefe1a8e2d.jpg

Quote:

"Facebook’s Like button builds profiles of users and submits them back to a server in the United States. This is a direct violation of the rules set up by Germany"

The simplest possible like button is an F icon, nothing else. That does not create, collect or show any user information. It simply is a link by which the user can add something to his own FB profile.

The more advanced versions of Like button are more intrusive, they show a list of your friends with photos, who also liked this page, and so on. Still this is all based on privacy settings of each FB user.

The simplest possible like button is an F icon, nothing else. That does not create, collect or show any user information. It simply is a link by which the user can add something to his own FB profile.


But that would not be "Facebook's Like button", that would be something "handmade", like going back to Stray Cat's button and putting a link to facebook around it. That's not what they're talking about.

Look at a random The Guardian article, for example. Top right it has links to twitter and reddit, which are "real" links, but the little f with the "share" link is created by loading a javascript from Facebook which then implements the button into the page.

It does deliver cookies and it also delivers a whole bunch of javascript with it.
Not to my computer, I use the "no script" plug in to stop all that stuff I don't want. :)

If you don't take care of your cookies, and the overwhelming majority of net users don't even know what that is, facebook will have a detailed profile of your surfing habits through those "social plug-ins" regardless of if you are a member or not. If you are not a member, it will not be the profile of "Stray Cat", but that of IDxyz.
In which case it's not a breach of the Data Protection Law surely?

A programme of education in internet security/privacy would help people (all people) much more than a ban and fines, the problem being that one costs money and the other potentially raises money. Guess which one the politicians go for everytime? :)
And after the ban when those same unknowledgeable people think it's safe to surf because they don't have Farcebook spying on them anymore will get a shock of they ever find out about the sheer amount of information collected by cookies and other intrusive software.

In which case it's not a breach of the Data Protection Law surely?


I can only tell you that they see it as a problem, and they are the Pro's.

A programme of education in internet security/privacy would help people (all people) much more than a ban and fines, the problem being that one costs money and the other potentially raises money. Guess which one the politicians go for everytime? :)
And after the ban when those same unknowledgeable people think it's safe to surf because they don't have Farcebook spying on them anymore will get a shock of they ever find out about the sheer amount of information collected by cookies and other intrusive software.


I don't really disagree with you but you have to accept that this is a german data protection agency enforcing german data protection laws as good as possible as a national actor in the global net.

btw, we recently got around a "child porn" firewall like it exists in several "western" countries now, and a data retention law, thanks to our constitutional court who realized that they have no clue what this internet stuff is all about and invited, to give them a proper education, experts from our fabulous Chaos Computer Club, who thoroughly clued them in. And then they decided that those laws are unconstitutional. Amazing. :)

I can only tell you that they see it as a problem, and they are the Pro's.


Well, It's hard to argue with "You should trust the government, they know what's best for you." You should use this argument more often. Really.

Well, It's hard to argue with "You should trust the government, they know what's best for you." You should use this argument more often. Really.


The argument was "you should trust that government agencies know the laws they are enforcing".

That is actually not correct. The reason is not the nationality of the company. If facebook was a german company, it would not change *anything*.

If Facebook were a German company, the German government could put them out of business.

The argument was "you should trust that government agencies know the laws they are enforcing".

Germans actually believe that?

Or is Germany different from all other countries in that respect?

I tend to view firm which send back or save data in US server very very very dimly. Why ? Because for all my data saved in german server, I have a right of corection, view. Anything going in the US I lose control.

I didn't realize that. Sounds like a good law to me!

This is just false.

Your button is on photobucket and they have just seen my IP-adress because I loaded this thread. That's all they know - my browser demanded your picture. They don't know who I am and they don't know about this thread.

The real "like"-Button is an iframe (a website inside a website) which loads code from the Facebook-Server. If I load a website with a "like"-Button, Facebook knows my IP, the website I visited and sets a Cookie in my browser if i don't have one already.

If I were a Facebook-User and logged in, they would also know my identity and all the other sites with "like"-Button I visited since my Facebook-Cookie existed.

Whether I click on any of them or not is irrevelant, and that's the problem. Here (http://www.heise.de/security/artikel/Das-verraet-Facebooks-Like-Button-1230906.html) briefly described in German. Here (https://www.datenschutzzentrum.de/facebook/)'s the ULD's analysis, also in German.

btw, a similar thing happened with Google Analytics some time ago. Google delivered (after long demands and apparently contrary to Facebook) a special plug-in which anonymizes parts of the IP-Adresses, so it's still legal for german website owners to run it, but only with this plug-in installed.

It does deliver cookies and it also delivers a whole bunch of javascript with it. If you don't take care of your cookies, and the overwhelming majority of net users don't even know what that is, facebook will have a detailed profile of your surfing habits through those "social plug-ins" regardless of if you are a member or not. If you are not a member, it will not be the profile of "Stray Cat", but that of IDxyz.

And this breaks our data protection laws whose standards are much higher than those of the UK, which is with all due respect a privacy nightmare. The reasons for our higher concerns obviously lie in our historical experience, as this successful campaign ad against former minister of interior and surveillance hardliner Wolfgang Schäuble shows:

http://forums.randi.org/imagehosting/99074e4fefe1a8e2d.jpg


Aepervius & Childlike Empress: IMHO, the American news coverage on this has been poor, so thanks for going more into what the German protection laws are about and for the links. (I was able to translate the 1st one with Google translator but not the 2nd one for some reason.)

Probably a minor point, but I think its interesting that German states are the legal entities tackling these issues vs. the German federal govt. In the US, I think these type of laws are usually handled on the federal level -- with the exception of e-mail spam which really ticked a lot of people off. But perhaps that is why your data and privacy protection laws are better because there is more interest in protecting privacy and data on the state level. Perhaps as a result there is more competition between the state agencies with the result that the German citizen is the winner?

A programme of education in internet security/privacy would help people (all people) much more than a ban and fines, the problem being that one costs money and the other potentially raises money. Guess which one the politicians go for everytime? :)


Good idea. The FCC has some helpful web sites on ID theft protection -- it would be nice if they set up similar web sites providing education in internet security. I'm not expecting that to happen either though, not without a lot of public pressure anyway.

That is actually not correct. The reason is not the nationality of the company. If facebook was a german company, it would not change *anything*.


I think you're wrong there. The issue here is a breach of German law. Facebook is not a German company, therefore the German judiciary has no jurisdiction over them. If Facebook were a Germany company they would be required to adhere to German law, and thus could be prosecuted for their breach.

I think you're wrong there. The issue here is a breach of German law. Facebook is not a German company, therefore the German judiciary has no jurisdiction over them. If Facebook were a Germany company they would be required to adhere to German law, and thus could be prosecuted for their breach.


That's my understanding also. One exception -- I think a non-German company would be subject to prosecution for breach of German law if they were doing the storage and analyzing of data on servers physically located in German territory.

But Facebook is not doing that.

What are the likely long-term side effects of this legal decision?

Will Facebook and other non-German social media networks eventually block German users from setting up accounts? After all, if the companies can't make money off of them (or at least not the amount of money that they intended to make), why allow them free access to what is most likely an expensive application?

Or perhaps they may decide to allow German users access if they agree to pay a fee?

Any thoughts?

Will Facebook and other non-German social media networks eventually block German users from setting up accounts?
That would be my main concern with legal interference of access to social networking sites.
In fact any legal interference to something which is inherently not illegal.

As a 'worst case work around' a Facebook 'like' button could be placed on a page with a warning advising the veiwer (I hear that porn sites do this) that informs them that by entering that page, Farcebook can collect limited data about them, I see no harm. Anyone entering the page is effectively giving permission for their data to be collected and used. Nowhere on Earth should it be illegal to agree to share your own personal data with whoever you wish.
Instead the politicians go the ban and fines route... go figure.

The bolded conditions are a voluntary choice of the user, not the web page, and certainly aren't necessary for browsing websites.

And having installed several "facebook" like buttons on many pages, I can tell you that no information is sent to the server hosting the site that the button resides on.

The "like" button is simply a widget that is "copy and pasted" code onto a web page. Facebook is "receiving" that information, but only when someone clicks the button. The most they get otherwise is "someone visited this page from such such ip/domain"

A good programmer can try to get information from the "like" button, but for most sites, that is not what they intend for the like button to do.