Facebook was the target of much criticism in recent weeks, thanks to the rapid spread of reports about Facebook's Beacon, a tool that allows third-party websites to send information about user activities back to Facebook.

The controversy began when bloggers reported that their activity on certain non-Facebook sites was showing up on Facebook without their knowledge. The first public version of Beacon would give a user a limited amount of time to prevent a story from being published -- if the user missed the limited opportunity to say "no," Beacon automatically posted the activity to the user's profile. One of the first users to express concern about this automatic disclosure was a blogger who purchased a coffee table from Overstock.com, later finding the purchase reported on her Facebook profile.

Under fire from grassroots organizations and others, Facebook has changed the system to hold Beacon events in a queue until the user says "okay," rather than the earlier practice of giving users approximately 30 seconds to say "no." Additionally, Facebook is allowing users to opt out entirely, by checking an option that says "Don't allow any websites to send stories to my profile." These changes are likely to satisfy many users because they give the user control over the publishing of their information on Facebook pages.

However, important privacy considerations remain. Jay Goldman's initial report on Beacon demonstrated that Beacon's fundamental technical underpinnings rely on third-party websites sending information to Facebook regardless of the user's opt-out/opt-in preferences. Security researcher Stefan Berteau observed that his behavior on epicurious.com was being transmitted to Facebook in a few unexpected scenarios (emphasis from original document, ordered list added for clarity):

To test [Beacon] in real life, I created an account on epicurious.com, and tried saving three recipes as favorites.
[1] The first recipe was saved while logged in to Facebook in the same browser session. An alert appeared allowing me to opt out of Facebook's publishing this as a story on my feed, which I did.
[2] The second one was saved after I had closed the Facebook window, but had not logged out or ended the browser session. The same alert appeared, and I opted out again, selecting "No thanks".
[3] I then closed the browser entirely and launched a new session. After confirming that I was not logged in to Facebook, I saved the third recipe. No alert appeared.

I then checked the network traffic logs, and was dismayed to find that in all three cases, data about where I was on Epicurious, what action I had just taken, and what my Facebook account name is was transmitted to Facebook.


Despite the fact that I was not logged in, Facebook just received enough information to tie the activity I took on their affiliate to my individual account, which combined with the social data they already have, such as circles of friends, level of education, communication patterns, and geographic locations, would allow them to profile individual consumer behavior on a nearly unprecedented level of detail.

Facebook responded to Berteau's blog post by saying "trust us" -- that if a user clicks "No, thanks", then the data from the third-party site is deleted from Facebook's servers. Unfortunately, "trust us" is an excuse that cannot replace privacy-protective architectures.

For those who merely want to protect a Facebook profile from having Beacon stories appear on it, there's an opt-out option on the "Privacy Settings for External Websites" pane. But for users who have Firefox and want to prevent third-party sites from sending data back to Facebook altogether, Nate Weiner's "Block Facebook Beacon" blog post has some useful suggestions. (Weiner's post also has links to potential solutions for Safari, Opera, and IE.)
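Berteau's check of his network traffic logs can be repeated on a browser's HAR export, for instance to confirm that a blocking rule actually stops the requests. The Python below is an added example, not code from the original post or from any of the researchers named; the sample entries, the `/placeholder-endpoint` path and the parameter names are constructed and do not reproduce Beacon's real traffic.

```python
import json
from urllib.parse import urlsplit, parse_qs

def host_in_domain(host, domain):
    """True for the domain itself or a subdomain; rejects look-alike hosts."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def cross_site_requests(har, domain="facebook.com"):
    """List requests sent to `domain` from pages hosted on other sites."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        headers = {h["name"].lower(): h["value"] for h in req.get("headers", [])}
        target = urlsplit(req["url"])
        page_host = urlsplit(headers.get("referer", "")).hostname
        if not host_in_domain(target.hostname, domain):
            continue  # request does not go to the audited domain
        if page_host is None or host_in_domain(page_host, domain):
            continue  # first-party traffic, or no referring page recorded
        findings.append({
            "page": page_host,                        # site the user was on
            "url": req["url"].split("?")[0],          # where the data went
            "params": sorted(parse_qs(target.query)), # which fields were sent
            "cookies_sent": bool(req.get("cookies")) or "cookie" in headers,
        })
    return findings

def make_entry(url, referer, cookies=()):
    """Build one minimal HAR entry (constructed test data)."""
    return {"request": {
        "url": url,
        "headers": [{"name": "Referer", "value": referer}] if referer else [],
        "cookies": [{"name": name, "value": "x"} for name in cookies]}}

# Constructed sample capture; hosts ending in .example are placeholders.
PAGE = "https://www.epicurious.com/recipes/1"
SAMPLE_HAR = {"log": {"entries": [
    make_entry("https://www.facebook.com/placeholder-endpoint?action=save&item=1",
               PAGE, cookies=["session"]),
    make_entry("https://www.facebook.com/placeholder-endpoint?action=save&item=3", PAGE),
    make_entry("https://www.facebook.com/home", "https://www.facebook.com/"),
    make_entry("https://notfacebook.com.example/pixel", PAGE),
    make_entry("https://static.example/app.js", PAGE),
]}}

if __name__ == "__main__":
    print(json.dumps(cross_site_requests(SAMPLE_HAR), indent=2))
```

An empty result on a capture taken with the blocking rule enabled indicates that the third-party page no longer reaches the audited domain.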

As a general precaution, we would advise users not to send information to any part of the Facebook site unless they are willing to accept a risk that that information could be seen by more or less anyone.