I had a hunch…
Last week we welcomed Wendy Seltzer at the Yale Information Society Project, who gave a talk on “Online Privacy in Context.” Most of our discussion centered on the controversy swirling around Facebook’s Beacon advertising platform, where Facebook cookies are retrieved at third-party e-commerce sites, users are given 20-seconds to opt out (the default is to participate, and the screen disappears with the option still checked if no action is taken), and users’ likenesses are appropriated to shill for products.
I asked Wendy if she knew whether Facebook was still collecting user purchasing data even if that that user opted out of openly sharing a particular purchase with her Facebook friends. Wendy noted that Facebook claimed that wasn’t happening, which is supported by statements from Chamath Palihapitiya, vice president of product marketing and operations at Facebook, who, in an interview with The New York Times, was asked whether Facebook would receive information about a user’s purchase if the user declined to broadcast the purchase to his Facebook friends. His answer: “Absolutely not. One of the things we are still trying to do is dispel a lot of misinformation that is being propagated unnecessarily.”
Not so fast.
PC World is reporting on research conducted by a Computer Associates security expert who discovered that Beacon will report back to Facebook on members’ activities on third-party sites even if the users are logged off from Facebook and have declined having their activities broadcast to their Facebook friends.
Unbelievable. Facebook just announced plans to increase user privacy, but, as Stefan Berteau (the CA researcher) notes, “Facebook is materially misrepresenting the privacy impact of their Beacon program, and presenting users with the appearance of control over their information when in fact they have almost none.”
Facebook: please answer my plea.
UPDATE: Contradicting their early statements (above), Facebook now admits that their Beacon ad system does tracks users’ off-Facebook activities even if those users are logged off from the social-networking site and have previously declined having their activities on specific external sites broadcast to their Facebook friend. Story is here. Unbelievable.
This is quite bad behavior on Facebook’s part.
It’s not as simple as adding an ad server to your hosts file to block it either, as the beacon code gets served from a subdirectory rather than a subdomain:
But hopefully the various browser plugins and scripts will incorporate blocking these ads.