Facebook has the opportunity to lead the industry, or become an example of "what not to do", when it comes to balancing the confidentiality expectations of its members against the desire to exploit (i.e., monetize) their online interactions. Hopefully, Facebook will end up doing the right thing - the second post below, however, is unsettling, as it appears that data is still being transmitted despite the user interface improvements that allow people to opt out. The reply from the company, "Facebook does not use the data and deletes it from its servers", leaves too many questions unanswered - why transmit the information at all until the Facebook user opts in?
Facebook's Misrepresentation of Beacon's Threat to Privacy
As a follow-up to Ben's look at Facebook's Beacon system, I began investigating the extent of its privacy implications. What I found is extremely disconcerting. Facebook is collecting information about user actions on affiliate sites regardless of whether or not the user chose to opt out, and regardless of whether or not the user is logged into Facebook at that time. The evidence I present below directly contradicts both public statements made by Facebook and direct email correspondence from their privacy department, demonstrating that Beacon is a serious threat to user privacy.
I would like to offer special thanks and recognition to Ben Googins for "Facebook SocialAds - Going Too Far?", his initial blog entry on this subject, and to Jay Goldman, whose blog post on deconstructing Beacon was one of, if not the first to provide a detailed analysis of the beacon code, which proved invaluable to this investigation. I recommend it to anyone who wants a more in-depth technical look at the underlying code of Beacon.
Third-party sites which affiliate with Beacon are given JavaScript code to place on specific pages. From a high-level perspective, this code and the further code it pulls in from facebook.com takes the following actions:
- Prepares a series of variables to be sent to Facebook. These include a request to queue information, the URL of the item viewed on the affiliate site, modified to include a Facebook tag, a random number, the "source id" (presumably a unique affiliate number), and the referring URL, including any variables.
- Calls a page on facebook.com (http://www.facebook.com/beacon/auth_iframe.php), passing as parameters the variables which were previously prepared.
- If the browser has previously been used to access facebook.com, a Facebook cookie is sent as well. This contains a randomly generated ID, and if the user has ever selected "remember me" while logging into Facebook, it will also contain their Facebook login ID.
- At this point, if the user is currently logged in to Facebook, a JavaScript function is called to pop up an alert window, asking if they want to publish this item to their feed. If they opt out, the feed is not updated, but by this point all the information mentioned above has already been transmitted to Facebook.
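Because the callback described above happens before any opt-out prompt, the only place an organization can see what left its network is its own web-proxy logs. The following Python script is an added example (not code from the CA blog or from Facebook) of how to scan such logs for Beacon-style callbacks and report which affiliate data each one carried: the item URL, the referring URL and its query-string variables, the source id, and whether a facebook.com cookie accompanied the request. The endpoint path is the one named in the excerpt above; the log layout, the parameter names (q, url, rnd, source, ref) and the sample lines are constructed assumptions, not Beacon's real names.

```python
"""Scan web-proxy log lines for Beacon-style callbacks to facebook.com and
report what affiliate data each request carried (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the CA blog excerpt; host is the one it calls.
BEACON_HOST = "www.facebook.com"
BEACON_PATH = "/beacon/auth_iframe.php"

# Constructed sample log lines, in an assumed layout:
#   <timestamp> <client IP> <method> <URL> <status> <cookie|->
# The final field records whether the request carried a facebook.com cookie.
# Parameter names (q, url, rnd, source, ref) are placeholders, not Beacon's.
SAMPLE_LOG = """\
1196780000.123 10.0.0.5 GET http://www.facebook.com/beacon/auth_iframe.php?q=queue&url=http%3A%2F%2Fshop.example%2Fitem%2F42%3Ffb_ref%3Dx&rnd=884&source=1234&ref=http%3A%2F%2Fshop.example%2Fcheckout%3Forder%3D9001%26email%3Dalice%2540example.com 200 cookie
1196780001.456 10.0.0.5 GET http://shop.example/static/logo.png 200 -
1196780002.789 10.0.0.7 GET http://www.facebook.com/beacon/auth_iframe.php?q=queue&url=http%3A%2F%2Fmovies.example%2Frent%2F77&rnd=12&source=5678&ref=http%3A%2F%2Fmovies.example%2Frent%2F77 200 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d+) (?P<cookie>\S+)$"
)


def parse_line(line):
    """Split one log line into its fields; None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def beacon_params(url):
    """Return the query parameters of a Beacon callback, or None for other URLs."""
    parts = urlsplit(url)
    if parts.netloc != BEACON_HOST or parts.path != BEACON_PATH:
        return None
    # parse_qs URL-decodes each value once, so nested URLs come back readable.
    return {k: v[0] for k, v in parse_qs(parts.query).items()}


def find_beacon_callbacks(log_text):
    """Collect every Beacon callback in the log with the data it transmitted."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        params = beacon_params(rec["url"])
        if params is None:
            continue
        referrer = params.get("ref", "")
        # The referring URL is sent "including any variables", so list the
        # query-string parameter names that travelled with it.
        ref_query = parse_qs(urlsplit(referrer).query)
        findings.append({
            "client": rec["client"],
            "source_id": params.get("source"),
            "item_url": params.get("url"),
            "referrer": referrer,
            "referrer_params": sorted(ref_query),
            "cookie_sent": rec["cookie"] != "-",
        })
    return findings


if __name__ == "__main__":
    for f in find_beacon_callbacks(SAMPLE_LOG):
        print(f"{f['client']} -> source {f['source_id']}: item={f['item_url']} "
              f"referrer={f['referrer']} referrer_params={f['referrer_params']} "
              f"cookie_sent={f['cookie_sent']}")
```

Run against a real proxy export, the interesting rows are the ones where `referrer_params` is non-empty (the affiliate's own page carried order numbers, e-mail addresses or search terms in its query string) and the ones where `cookie_sent` is false, since those show the callback firing for a browser that Facebook could not have associated with a logged-in user.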
Update: A Statement From Facebook - CA Security Advisor Research Blog - CA
Following the publication of the last two blogs about Facebook's Beacon program and the data we observed being sent to facebook.com, we have received the following statement from Facebook corporate communications, which addresses the use of the data:
"When a Facebook user takes a Beacon-enabled action on a participating site, information is sent to Facebook in order for Facebook to operate Beacon technologically. If a Facebook user clicks "No, thanks" on the partner site notification, Facebook does not use the data and deletes it from its servers. Separately, before Facebook can determine whether the user is logged in, some data may be transferred from the participating site to Facebook. In those cases, Facebook does not associate the information with any individual user account, and deletes the data as well."
I suspect that we'll be seeing no shortage of episodes like this, as Web-enabled services like Facebook, Google, or LinkedIn, attempt to monetize their data on users without upsetting too many people.
What's even more interesting is how data sharing vs. data privacy applies to the Enterprise. Make no mistake: Consumer applications offer these services for free because the user data is so very valuable. They use this data in the aggregate to target advertising or other services more effectively.
But does the Enterprise really want data about its employees, its customers, its initiatives, and more, trolled by these consumer companies? I'm always surprised to learn that large companies are using Google Analytics to examine their Web traffic, or using LinkedIn to set up groups of employees. Facebook's Beacon is just a particularly visible form of data-sharing...what else is this privately-held company doing with your data, or your employees' data?
So, a key question for Enterprise: Do you want to give consumer applications access to your valuable data?
Posted by: Steve Kuhn | December 04, 2007 at 09:57 AM