Facebook partners send data even if user opts out of 'Beacon'
Security researchers claim the social networking site is still tracking users even if they are not logged in or have opted out of its Beacon service, a charge Facebook denies by saying it deletes the data.
Last Monday, CA researcher Stefan Berteau posted details of how Facebook seems to still be tracking users even though a user may not be logged into the site, and even if the user had already opted out of Beacon. He tested out his hypothesis by visiting a site that participates in the program, epicurious.com.
The site allows the user to save recipes as favorites, which would then appear on a user's Facebook profile if he or she opts in to Beacon. In the test, the researcher saved three recipes.
The first save was done while Berteau was still logged into Facebook, during which he opted out of sending any information to the social networking site. The second was done while the Facebook window was closed; the alert to add it to his profile appeared, and he again opted out. The third was done after logging out of Facebook and starting a completely new browser session.
In all cases, network traffic logs showed that data on Berteau's visits was still sent to Facebook, even though he had already opted out. What most disturbed him was the fact that the data was sent even when he had logged out of Facebook completely.
"Despite the fact that I was not logged in, Facebook just received enough information to tie the activity I took on their affiliate to my individual account, which combined with the social data they already have, such as circles of friends, level of education, communication patterns, and geographic locations, would allow them to profile individual consumer behavior on a nearly unprecedented level of detail," he mused.
When he contacted Facebook, he at first received a stock reply regarding Beacon, but the second time he received an even more interesting reply, which included the line "as long as you are logged out of Facebook, no actions you have taken on other websites can be sent to Facebook."
Obviously, Berteau's tests contradicted this statement. More information on those tests can be found in a blog entry on the CA website.
In its defense, Facebook later sent a statement to CA claiming that in order for the system to work, data is still sent but then deleted once it is received based on the user's preference.
"Separately, before Facebook can determine whether the user is logged in, some data may be transferred from the participating site to Facebook. In those cases, Facebook does not associate the information with any individual user account, and deletes the data as well," the spokesperson added.
Regardless of Facebook's excuse for the data still being sent to it after a user has opted out, the finding continues to cast a negative light on Beacon as a whole in many users' eyes, and opens up even more questions regarding the issue of privacy.
"From a technology perspective, it is much more efficient for Facebook to manage these deletions and permissions," Erick Schonfeld wrote for TechCrunch. "But from a privacy perspective, this arrangement is all wrong. Consumer trust is a very fickle beast."