Security researchers at CA found that Facebook Beacon keeps Facebook abreast of a user’s activities on an advertiser’s site, whether or not the user opted out of that instance.
Without a blanket opt-out policy for Beacon, Facebook continues to give its userbase reasons to cast a wary glance at their profiles. CA’s Ben Googins said last week that opting out of a Beacon broadcast to friends’ News Feeds didn’t stop the data from being transmitted to Facebook silently.
“Regardless of whether you opt-out of the individual toast (opt-out popup) offer, data regarding your presence on the partner site is still sent back to Facebook,” said Googins. “In fact, this data is sent before you even have a chance to opt-out.”
Facebook later responded to Googins’ post:
“When a Facebook user takes a Beacon-enabled action on a participating site, information is sent to Facebook in order for Facebook to operate Beacon technologically. If a Facebook user clicks ‘No, thanks’ on the partner site notification, Facebook does not use the data and deletes it from its servers. Separately, before Facebook can determine whether the user is logged in, some data may be transferred from the participating site to Facebook. In those cases, Facebook does not associate the information with any individual user account, and deletes the data as well.”
Then Facebook’s privacy department provided a followup to further explain the silent movement of data through Beacon:
“You can prevent stories from being generated for actions you take on external websites, but this is different from the data that is shared between Facebook and the external site. If you prevent a certain partner site from publishing stories about you through Beacon, the information about the action is still sent to us.
“Please note that it is sent for the purpose of generating the notification on the partner site. However, if your options are set such that the story won’t be published, we discard that information almost as soon as we receive it. While we do receive this information, we do not store it in our system.”
Googins continued testing the communication between Beacon affiliates and Facebook. He found data still being sent to Facebook even when the Facebook user was not logged in.
“If a machine has never been used to access Facebook, or has not been logged in with ‘remember me’ selected, then the affiliate data will be sent, but no Facebook ID will accompany it. Otherwise, both a Facebook ID and the affiliate data will be sent,” said Googins.