If you think that just because you have never signed up for Facebook you’re immune to the tracking and collecting of user activities outside of this popular social networking site, think again.
Facebook’s controversial Beacon ad system tracks activities from all users in its third-party partner sites, including from people who have never signed up with Facebook or who have deactivated their accounts, CA has found.
Beacon captures detailed data on what users do on these external partner sites and sends it back to Facebook along with users’ IP addresses, Stefan Berteau, senior research engineer at CA’s Threat Research Group, said Monday in an interview.
This happens even if users delete the Facebook cookie. “The Facebook Javascript [code] is still called by the affiliate site and the information is passed in,” he said. In the case of users without accounts or with deactivated accounts, the data isn’t tied to a Facebook ID, he said.
However, it is well-known that IP addresses provide a variety of information about users, and have in some cases been used to identify individuals.
The information captured by Beacon in these cases includes the addresses of Web pages visited by the user and a string with the action taken in the partner site, Berteau said.
CA has tested this in Beacon partner sites Epicurious.com, which focuses on food, and Kongregate.com, which focuses on video games, he said. More than 40 sites have signed up for Beacon, although not all of them have implemented it.
It’s important for Facebook and the partner sites participating in Beacon to alert users about the data that is captured and passed back to Facebook, Berteau said.
“There is, to a certain extent, a privacy concern with the affiliate site, in that it’s important for them to disclose that they’ll be sending information about user actions to Facebook,” Berteau said.
While users’ activities on the Web are tracked in various ways for different purposes, most commonly with tracking cookies in banner ads, the Beacon implementation is one Berteau has never come across before in terms of the details of users’ actions that it’s able to capture and send back.
These latest findings build on Berteau’s report on Friday that Beacon stealthily tracked the activities of users on affiliate Beacon sites even if they were logged off from Facebook and had previously declined having their activities reported back to their Facebook friends.
Over the weekend, Facebook confirmed that Berteau’s report on Friday was accurate, but said that it deletes the data it gets under these circumstances.
Still, Friday’s findings deepened the privacy concerns surrounding Beacon since its introduction several weeks ago. And the admission Monday added to the concerns, since it contradicted what had, until then, been the official company line about this issue.
CA’s research, which is ongoing, has demonstrated that Beacon is more intrusive and stealthy than previously acknowledged and imagined.
Beacon is a major part of the Facebook Ads platform that Facebook introduced with much fanfare several weeks ago. Beacon tracks certain activities of Facebook users on participating Web sites, including those of Blockbuster and Fandango, and reports those activities to the user’s set of Facebook friends, unless told not to do so.
Off-Facebook activities that can be broadcast to one’s Facebook friends include purchasing a product, signing up for a service and including an item on a wish list.
The program has been blasted by groups such as MoveOn.org and by individual users who have unwittingly broadcast information about recent purchases and other Web activities to their Facebook friends.
On Thursday night Facebook tweaked Beacon to make its workings more explicit to Facebook users, and to make it easier to nix broadcast messages and opt out of having activities tracked on specific Web sites. Facebook didn’t go all the way to providing a general opt-out option for the entire Beacon program, as some had hoped.
Then on Friday, just hours after Facebook had scored some points with its modifications to Beacon, Berteau published his note about Beacon’s until-then unknown ability to monitor logged-off users’ activities and send the data back to Facebook.
Users aren’t informed that data on their activities at these sites is flowing back to Facebook, nor given the option to block that information from being transmitted, Berteau said at the time.
If users have ever checked the option for Facebook to “remember me” — which saves users from having to log on to the site upon every return to it — Facebook can tie their activities on third-party Beacon sites directly to them, even if they’re logged off and have opted out of the broadcast. If they have never chosen this option, the information still flows back to Facebook, although without it being tied to their Facebook ID, according to Berteau.
Berteau plans to post another note at some point Monday evening detailing his latest findings.
Facebook didn’t immediately reply to a request for comment.
However, Berteau said he had shared this latest finding with Facebook officials and they told him that Facebook deletes data that comes in from non-Facebook users and from deactivated accounts.
Berteau said he is encouraged that the Facebook officials he talked to seemed truly interested in his findings, and he believes that Facebook will make changes to address privacy concerns raised by his research.
Berteau’s colleague Benjamin Googins last week posted an article with some suggestions for users who want to protect themselves from the Beacon tracking activities.