Facebook Beacon Roundup: Data Collection Methods Still Troubling
Facebook was the target of much criticism in recent weeks, thanks to the rapid spread of reports about Facebook's Beacon, a tool that allows third-party websites to send information about user activities back to Facebook.
The controversy began when bloggers reported that their activity on certain non-Facebook sites was showing up on Facebook without their knowledge. The first public version of Beacon would give a user a limited amount of time to prevent a story from being published -- if the user missed the limited opportunity to say "no," Beacon automatically posted the activity to the user's profile. One of the first users to express concern about this automatic disclosure was a blogger who purchased a coffee table from Overstock.com, later finding the purchase reported on her Facebook profile.
Under fire from grassroots organizations and others, Facebook has changed the system to hold Beacon events in a queue until the user says "okay," rather than the earlier practice of giving users approximately 30 seconds to say "no." Additionally, Facebook is allowing users to opt out entirely, by checking an option that says "Don't allow any websites to send stories to my profile." These changes are likely to satisfy many users because they give users control over the publishing of their information on Facebook pages.
However, important privacy considerations remain. Jay Goldman's initial report on Beacon demonstrated that Beacon's fundamental technical underpinnings rely on third-party websites sending information to Facebook regardless of the user's opt-out/opt-in preferences. Security researcher Stefan Berteau observed that his behavior on epicurious.com was being transmitted to Facebook in a few unexpected scenarios (emphasis from original document, ordered list added for clarity):
To test [Beacon] in real life, I created an account on epicurious.com, and tried saving three recipes as favorites.
1. The first recipe was saved while logged in to Facebook in the same browser session. An alert appeared allowing me to opt out of Facebook's publishing this as a story on my feed, which I did.
2. The second one was saved after I had closed the Facebook window, but had not logged out or ended the browser session. The same alert appeared, and I opted out again, selecting "No thanks".
3. I then closed the browser entirely and launched a new session. After confirming that I was not logged in to Facebook, I saved the third recipe. No alert appeared.
I then checked the network traffic logs, and was dismayed to find that in all three cases, data about where I was on Epicurious, what action I had just taken, and what my Facebook account name is was transmitted to Facebook.
Despite the fact that I was not logged in, Facebook just received enough information to tie the activity I took on their affiliate to my individual account, which combined with the social data they already have, such as circles of friends, level of education, communication patterns, and geographic locations, would allow them to profile individual consumer behavior on a nearly unprecedented level of detail.
Facebook responded to Berteau's blog post by saying "trust us" -- that if a user clicks "No, thanks", then the data from the third-party site is deleted from Facebook's servers. Unfortunately, "trust us" is an excuse that cannot replace privacy-protective architectures.
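The check Berteau describes, reproduced here as an added example that is not code from the EFF post or from Facebook: scan the browser's outgoing requests and flag those that a third-party page (epicurious.com in his test) caused the browser to send to facebook.com, whether or not a login cookie was attached. The log line format, the /beacon/ path, the query parameter names and the cookie names are all assumptions; the log itself is constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed log, one request per line:
#   <method> <url> referer=<url or -> cookie=<cookie name or ->
# Endpoint path, parameter names and cookie names are made up for the example.
SAMPLE_LOG = """\
GET https://www.epicurious.com/recipes/12345 referer=- cookie=epi_session
GET https://www.facebook.com/beacon/track?action=save_recipe&src=epicurious.com referer=https://www.epicurious.com/recipes/12345 cookie=fb_login
GET https://www.facebook.com/home.php referer=- cookie=fb_login
GET https://www.facebook.com/beacon/track?action=save_recipe&src=epicurious.com referer=https://www.epicurious.com/recipes/67890 cookie=-
"""

def host_of(url):
    return urlsplit(url).hostname or ""

def is_same_site(host, site):
    return host == site or host.endswith("." + site)

def find_cross_site_beacons(log_text, site="facebook.com"):
    """Return one record per request to `site` that was triggered from a page on another site."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at them
        _method, url, referer, cookie = parts
        referer = referer[len("referer="):]
        cookie = cookie[len("cookie="):]
        if not is_same_site(host_of(url), site):
            continue  # not sent to the tracking site at all
        ref_host = host_of(referer) if referer != "-" else ""
        if not ref_host or is_same_site(ref_host, site):
            continue  # first-party navigation, not a third-party beacon
        params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        hits.append({
            "from_site": ref_host,                 # the affiliate page that fired the request
            "page": urlsplit(referer).path,        # where the user was on that site
            "endpoint": urlsplit(url).path,        # the receiving endpoint on the tracking site
            "params": params,                      # what action was reported
            "identifying_cookie": cookie != "-",   # did a cookie ride along with it
        })
    return hits

if __name__ == "__main__":
    for hit in find_cross_site_beacons(SAMPLE_LOG):
        state = "with login cookie" if hit["identifying_cookie"] else "logged out, no cookie"
        print(f"{hit['from_site']}{hit['page']} -> {hit['endpoint']} {hit['params']} ({state})")
```

The last sample line is the case Berteau found most troubling: no login cookie, yet the request still names the affiliate site, the page and the action.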
For those who merely want to protect a Facebook profile from having Beacon stories appear on it, there's an opt-out option on the "Privacy Settings for External Websites" pane. But for Firefox users who want to prevent third-party sites from sending data back to Facebook altogether, Nate Weiner's "Block Facebook Beacon" blog post has some useful suggestions. (Weiner's post also has links to potential solutions for Safari, Opera, and IE.)
As a general precaution, we would advise users not to send information to any part of the Facebook site unless they are willing to accept a risk that that information could be seen by more or less anyone.