CA Fires Another Shot Across Beacon's Bow
Facebook's Beacon has been nothing if not a lightning rod for controversy.
The revolution that CEO Mark Zuckerberg promised when he unveiled Facebook's ad platform on November 6 has drawn the ire of privacy analysts, legal experts and, now, security researchers.
Two senior research engineers with Computer Associates (CA) who have taken a deeper look into the kind of information that Facebook collects about users' activities on third-party Web sites through its Beacon program claim that their findings contradict both what Facebook has said in public and what its privacy department has written in response to past inquiries.
The results, CA's Stefan Berteau writes, are "extremely disconcerting."
Berteau and his colleague, Ben Googins, conclude that Facebook is still receiving information about actions that users take on Beacon partner sites even when they decline to include the action in their News Feeds, and even when they are not logged in to Facebook.
Berteau and Googins concluded their research last week. Facebook has since responded with a statement essentially acknowledging that it collects data in the manner demonstrated by the researchers, but adding that it immediately deletes all information from users who click "No, thanks" to the Beacon prompt and from those who are logged out of Facebook.
"Obviously, we're encouraged that they made a statement," Googins told InternetNews.com, though he noted that tests on Monday showed that Facebook was still collecting the same data in the same manner as their research showed last week, before Facebook announced changes to the Beacon permission settings.
Now, no action users take on third-party sites will show up on their News Feeds. That concession had prompted civic action group MoveOn.org to declare "victory" in its petition campaign calling on Facebook to take its users' privacy more seriously. (MoveOn, for its part, is now claiming "victory" only in the fight over Facebook's data-sharing practices, telling InternetNews.com that "the data collection debate pre-existed and continues to exist.")
To put Facebook's data collection practices to the test, Berteau created an account with epicurious.com, a Beacon partner site, and saved three recipes to his favorites.
While saving the first recipe, he was logged in to Facebook in a different tab in his browser. At the prompt asking if he would like the story added to his News Feed, he clicked "No, thanks."
When he saved the second recipe, he had logged out of Facebook, but continued using the same browser session. Again, at the News Feed alert, he clicked "No, thanks."
To save the third recipe, Berteau was logged out of Facebook and had closed his browser, reopening it to start a new session. No Beacon alert appeared.
Checking the network traffic logs, Berteau found that each of the three actions resulted in data being sent to Facebook.
His conclusion: "The first two cases involve the transmission of user data despite 'No, thanks' having been selected on the opt-out dialog, and are causes for deep concern. They pale, however, in comparison to the third case, where Facebook was receiving data about my online habits while I was not logged in, and was doing so silently, without even alerting me to the cross-site communication."
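The three-case test described above, as an added example that is not part of the article or of CA's research: a small analyzer that walks constructed HTTP request records for each recipe save, keeps only the cross-site calls from the partner site to the Beacon endpoint, and flags every transmission that happened despite an opt-out or without any prompt, noting whether a login cookie was present and which fields were sent. The host names, cookie name, endpoint path and the records themselves are assumptions.

```python
from urllib.parse import urlparse, parse_qs

PARTNER_HOST = "www.epicurious.com"   # assumed partner site host
BEACON_HOST = "www.facebook.com"      # assumed Beacon endpoint host
SESSION_COOKIE = "session"            # assumed name of the Facebook login cookie

# Constructed records, one per recipe save in the three-case test:
# 1) logged in, prompt shown, "No, thanks"; 2) logged out, same browser
# session, "No, thanks"; 3) logged out, fresh browser, no prompt at all.
REQUESTS = [
    {"case": 1, "page": "http://www.epicurious.com/recipes/123",
     "url": "http://www.facebook.com/beacon/add?u=123&t=recipe_saved&title=Pie",
     "cookies": {"session": "abc"}, "prompt_shown": True, "opt_out": True},
    {"case": 2, "page": "http://www.epicurious.com/recipes/456",
     "url": "http://www.facebook.com/beacon/add?u=456&t=recipe_saved&title=Soup",
     "cookies": {}, "prompt_shown": True, "opt_out": True},
    {"case": 3, "page": "http://www.epicurious.com/recipes/789",
     "url": "http://www.facebook.com/beacon/add?u=789&t=recipe_saved&title=Bread",
     "cookies": {}, "prompt_shown": False, "opt_out": None},
]


def classify(req):
    """Return a finding for one request, or None when nothing is wrong."""
    src = urlparse(req["page"]).hostname
    dst = urlparse(req["url"]).hostname
    if src != PARTNER_HOST or dst != BEACON_HOST:
        return None  # not a partner-to-Beacon cross-site call; ignore
    # Query fields are the data actually handed to the endpoint.
    fields = sorted(parse_qs(urlparse(req["url"]).query))
    # A login cookie on the request is what lets the action be tied to an account.
    state = "logged in" if SESSION_COOKIE in req["cookies"] else "logged out"
    if not req["prompt_shown"]:
        kind = "silent transmission, no prompt"
    elif req["opt_out"]:
        kind = "transmission despite opt-out"
    else:
        return None  # user accepted the prompt; transmission was expected
    return f"case {req['case']}: {kind} while {state}; fields={fields}"


def audit(requests):
    """Collect findings across a capture; an empty list means no problems."""
    return [f for f in map(classify, requests) if f]


if __name__ == "__main__":
    for finding in audit(REQUESTS):
        print(finding)
```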
Berteau notified Facebook about his concerns. On the CA blog, he posted the response from Facebook's privacy department, which includes this excerpt: "Please note that as long as you are logged out of Facebook, no actions you have taken on other websites can be sent to Facebook."
Then, after Berteau and Googins posted their research methods and the responses to Berteau's inquiries from Facebook's privacy department on the CA blog, Facebook responded with this statement:
"When a Facebook user takes a Beacon-enabled action on a participating site, information is sent to Facebook in order for Facebook to operate Beacon technologically. If a Facebook user clicks 'No, thanks' on the partner site notification, Facebook does not use the data and deletes it from its servers. Separately, before Facebook can determine whether the user is logged in, some data may be transferred from the participating site to Facebook. In those cases, Facebook does not associate the information with any individual user account, and deletes the data as well."
Googins reiterates that Facebook's statement contradicts the earlier communications of its privacy department. While he allows that, from a technical standpoint, some data exchange is needed to determine whether or not the user is logged in to Facebook, the site could retain the same utility while collecting only a fraction of the information that is currently being sent.
A universal opt-out policy could help resolve the issue, Googins believes. That way, users who didn't want to participate in Beacon at all could rest assured that Facebook was not collecting any information about their activities on external sites.
"In a general sense, there needs to be a material change," Googins said. "Technically, we have no way of knowing what they're doing with the data once it's been received."
For the advocacy groups that have been pressing Facebook and other social networking sites to implement greater transparency in their data-collection and usage practices, CA's findings are simply another weapon in the arsenal they plan to use as they appeal to regulatory bodies to update the privacy laws governing the social Web.
"We intend to press both Federal Trade Commission and European Commission to scrutinize exactly what it [Facebook] is doing," the Center for Digital Democracy's (CDD) Executive Director Jeff Chester told InternetNews.com. "At the same time, Facebook must make its whole operation transparent to the public."
Chester also said that the CDD would be calling on advertisers to modify the partnerships they make with sites like Facebook in the hopes of developing an industry-accepted set of best practices for the intersection of commerce and social media.
"I'm not sure if we can take Facebook at face value," he quipped.
As of press time, Facebook had nothing to add to its statement posted on CA's blog and reprinted above in its entirety.