Facebook's Beacon Even Sneakier Than Originally Thought

Last week, Facebook made a lot of noise about how it was making its new Beacon spyware—we mean advertising initiative—less sneaky. But guess what? Over the weekend, Computer Associates reported that even after you’ve declined to have Beacon advertise your habits back to your friends, and even if you’ve logged out of Facebook, it will still surreptitiously report your actions back to Facebook’s servers. And there’s no way you can turn it off.

But Berteau’s investigation reveals that Beacon is more intrusive and stealthy than anyone had imagined. In his note, titled “Facebook’s Misrepresentation of Beacon’s Threat to Privacy: Tracking users who opt out or are not logged in,” he explains that he created an account on Conde Nast’s food site Epicurious.com, a site participating in Beacon, and saved three recipes as favorites.

He saved the first recipe while logged in to Facebook, and he opted out of having it broadcast to his friends on Facebook. He saved the second recipe after closing the Facebook window, but without logging off from Epicurious or ending the browser session, and again declined broadcasting it to his friends. Then he logged out of Facebook and saved the third recipe. This time, no Facebook alert appeared asking if he wanted the information displayed to his friends.

After checking his network traffic logs, Berteau saw that in all three cases, information about his activities was reported back to Facebook, although not to his friends. That information included where he was on Epicurious, the action he had just taken and his Facebook account name.

It appears Facebook is blatantly misrepresenting what Beacon does at this point. Consider this quote from Chamath Palihapitiya, vice president of product marketing and operations at Facebook, when asked last week whether or not Facebook would still receive Beacon data if a user chose to opt out: “Absolutely not.”

“Facebook’s Beacon More Intrusive Than Previously Thought” [PCWorld]
(Photo: Getty)

Comments

Edit Your Comment

  1. 7j6cei says:

    Ha ha ha ha ha, thats what people get for using stupid sites like facebook! Get a life people! We don’t care who your friends are or how drunk you got last night!

  2. AstroPig7 says:

    @7j6cei: Then why do you care if they’re on Facebook?

  3. Quellman says:

    @7j6cei:
    What a rude comment. While I may not agree with the premise of beacon, I think that attacking the users is petty.

  4. Xandey says:

    So, has anyone found a list of Beacon Affiliated sites? I smell a boycott :)

  5. stanfrombrooklyn says:

    The problem is that the minute the tech press started to throw around Facebook valuations of “$15 billion” then Facebook had to think about ways to really become worth $15 billion. And the only way is to squeeze every bit last of data from their members in every way – ethically or unethically – possible and then sell it to anyone and everyone with a credit card. It’s unbelievable how the interface of Facebook has become so cluttered and worthless in just 6 months. If I have one more “friend” poke me, send me a virtual beer, or throw a stupid pie in my face I’m going to cancel my account.

  6. Myron says:

    If you don’t like what Facebook is doing, cancel your account. Am I missing something?

  7. ChChChacos says:

    So which websites use this beacon. I say we boycott using those until they fix this if you’re a concerned facebook user. Maybe that will get the point across to everyone who is trying to implement Beacon on their websites. But that might be a little drastic.

  8. Xandey says:

    @Myron: It’s tough to cancel your account when you’re of an age when many of your friends expect you to be on Facebook. Even if it’s only a perceived expectation.

    It also doesn’t matter if you remove yourself from Facebook. They still get the information that your IP address bought a table on Overstock or bought a movie on Blockbuster.

    It might be a neat trick to buy racy things from your friends computer, make sure you have popups turn ON and then publish them all to his news feed. hehehe

  9. Xandey says:

    @ChChChacos: yea, most of the sites I’ve never been to and don’t care. But NYT… For shame!

  10. Half Beast says:

    This has become a trend in most social networking sites. The more complex ones like MySpace or Facebook have a lot of little nooks and crannies where they can place schemes to farm data. This sort of targeted data collection even transpires on the simpler sites like Livejournal, where they’ve recently forced advertising on all of the free accounts, and some of the paid ones. This was disappointing to me as a long time LJ user, as all the ad space just sullies what used to be a pretty personal experience.

  11. Phunk says:

    I’m really glad that I don’t use any of these social networking sites. I still do my networking the old fashioned way: Lunches and business meetings at the titty bar.

  12. Xkeeper says:

    Suprise, this is no different than Comcast “No, we’re not really throttling BitTorrent, whatever gave you that idea”.

    Nothing of shock here, just standard coroprate stupidity and misleading.

  13. newtonite says:

    Isn’t this the similar to what Yahoo does?

    “Yahoo is using something called “Web beacons” or a “super cookie” that tracks not only where its users go on the Yahoo network but also tracks where they go outside of the Yahoo network using a persistent file on the hard drive. Note that you have to have a Yahoo account to be tracked. If you want to opt-out of this tracking, log in to your Yahoo account, then go to privacy yahoo.com/privacy.”

    Google some of the quoted text for links to more information.

  14. Xkeeper says:

    @half-beast:

    This sort of targeted data collection even transpires on the simpler sites like Livejournal, where they’ve recently forced advertising on all of the free accounts, and some of the paid ones.

    They have? I just checked, and there are no advertisements displayed on any of the pages I visit often…

  15. jodles says:

    you can also just not add beacon to begin with—then there’s no problem!

  16. Gary says:

    A list located at the bottom of the press release from Facebook: [www.facebook.com]

    This blogger complied a list of what data these websites are likely to send: [www.dcoates.com]

    The problem with Beacon is that ALL users of a website have info sent to Facebook. It is automatic, even though it is not linked to an account. Even without linking to a Facebook account, the info gathered on every user of a website is excellent marketing information. They could sell ads to websites that target specific users when they know the likely next step a user will take based on past internet use.

    It’s either really devious, or very poorly planned.

    Caveat emptor.

  17. hubris says:

    @half-beast: If someone wants a personal experience, they can buy a domain, set up a website of their own and start a blog.

    While if you pay for LJ I don’t think you should have ads, if you have a free account, then I have no problem with there being ads (you’re renting server space…someone has to pay for that). Ads run the business, and why would LJ pay and pay if they weren’t getting anything back? Not the way a business runs.

    What Facebook is doing is completely beyond that, though. They are spying and reporting on their members, even when they choose not to have their activity monitored. That’s why I “deactivated” my account when this crap started. Any of my friends really want to get in touch with me, they know how. Anyone else I don’t really care if they can see my pictures or where I’m working/going to school.

  18. edrift101 says:

    …I just signed up for Facebook.

    So, is this Beacon set up automatically or is it one of the “plug-ins”?

  19. Bladefist says:

    7J6CEI is just mad because his friend list says 0. Facebook has gone corporate and sold out. The site is great because you can stay current with old friends. And it acts as my phone book. However with all these privacy concerns and i’m sure more to come, I don’t think I’ll be very active on there anymore.

  20. new and troubling questions says:

    @7j6cei: There ARE a lot of drunk sorority girls with trophy friends on facebook, yes, but for me and a lot of other recent college grads I know, it is (or was) a good way to try and keep in touch after school…now, i’m not so sure.

  21. overbysara says:

    I’m a facebook early adopter, and am very seriously considering canceling my account. I like it because I have found so many old friends there… but this is just completely, unreasonably intrusive.

  22. ahursh says:

    As an about-to-graduate college student, Facebook is indispensable. How else am I going to be able to keep track of acquaintances from school as we move to different coasts, choose new email addresses when our .edu accounts close, get married and change our names? While I have hated every new feature since “Status Update,” and refuse to add new apps, Facebook has become my self-updating Rolodex, and I can’t walk away.

    I wish we could go back to “thefacebook.” Alas.

  23. CaptainConsumer says:

    For us folks who trust nobody anyways, use a proxy server, this should solve your tracking problems.

    [proxy.org]

    I tested and you CAN set up an account with a proxy server….

  24. Lin-Z [linguist on duty] says:

    @jodles: the problem with that is that facebook doesn’t give you the option. Beacon is an opt-out application rather than opt-in.

    so I just deleted my facebook. Take that data-miners!

  25. Groovymarlin says:

    Can you get around this by logging out of Facebook when you leave the site, and deleting whatever cookie they set?

    I only signed up for Facebook a few weeks ago to stay connected to some former colleagues. I’d hate to have to cancel it already but if that’s what it takes, that’s what I’ll do.

  26. Half Beast says:

    @omerhi: Understood. I did a little more looking into specifically what is going on here and there’s a terrible dichotomy between them. I supopse i overreacted.

    On a secondary note, one really shouldn’t be forced to use a proxy server to network. Just my opinion.

  27. tokenblackgirl says:

    @stanfrombrooklyn:

    You can’t leave facebook, at all. I joined the site on a lark a
    couple of months ago and tried to leave it cause i realized how dumb
    that shit is. Guess what? you can’t leave at all. You can deactivate
    your account, but your friends will still have you on their list and
    can still send you messages as if you were on the site still.

    I’ve spent the last few months emailing facebook to permanently
    remove me for their archives, sadly, they won’t let me so i’ve just
    given up and stuck with the dumb shit and idiot people keeping adding
    and poking me. Man i want to poke out eyes of Mark Zuckberg.

  28. BigNutty says:

    Many people that use Facebook don’t even know whats going on, and probably don’t even care.

  29. DrGirlfriend says:

    @tokenblackgirl: Are you getting emails from Facebook every time someone pokes you or whatever? Since you can’t completely take yourself out of facebook anyway, why not reopen your account and fix your privacy settings?

    I’m on Facebook and have disabled a ton of stuff – hardly anything goes on my News Feed, and I don’t get emails from facebook, either. People can poke away and I’ll never find out unless I go to Facebook itself. I know, editing your privacy settings doesn’t mean you’re safe from the Facebook overlords, but at least I don’t get harassed with emails and I can keep stuff I do out of the feeds.

  30. Buran says:

    @tokenblackgirl: So they’re idiots because you don’t like what they’re doing?

    That’s like calling someone you disagree with “stupid”, something else that goes on a lot online.

    The fact that someone does something you don’t like doesn’t make them either an idiot or stupid. It just makes you look judgmental whether you intended that or not.

  31. Buran says:

    @Xkeeper: You only get ads if you have a “plus” account.

    I recently turned off autobilling and will be switching to plus (and adblock plus to block the ads) because I don’t agree with giving money to a company that has ties with the former KGB. I will likely stop posting within months and will be switching my blog to being hosted on my own site.

  32. AT203 says:

    Facebook’s position all along was that user’s would “grow accustomed” tot he privacy invading feature. As the younger generation comes online, they are forming anew their expectation of privacy. I can’t shake the feeling that these big datamining corporations are grooming us to accept the false mantra that “privacy is dead.”

    Privacy is certainly under threat, but it is not yet dead. And we would not like to live in a world where it is dead either.

  33. camille_javal says:

    hm…I just tried experimenting with this by saving a recipe through Epicurious, and nothing has happened. There was no box on epicurious, and nothing on my news feed. Now I’m just curious as to why I’m among the lucky – is it Safari? Something with my IP address? Pardon me for being dull-witted.

  34. Sam says:

    Okay, ignoring all the commenters who don’t seem to understand that Facebook doesn’t have to be a catalog of your drunken revelry if you don’t want it to, and rather can be a handy communication tool…

    Does the trick posted here block this new insidiousness?

  35. Gev says:

    @AT203: I don’t mind so much when they try and tell us privacy is dead as when they try to erode it and make people feel good about it happening by using the premise of “social networking.”

  36. statolith says:

    @jodles: That’s not how it works. Beacon isn’t something you ‘add’, it’s there by default, and as I understand it you can only opt-out on a (3rd party)site-by-site basis.

  37. hn333 says:

    I don’t have a Facebook account, then again I don’t have any friends.

    Win win

  38. floydianslip6 says:

    Spin it however you want. At the end of the day a database exists with all your personal information, now including online activity!

    What impresses me, is that we’ve arrived at the day and age where people not only partake in this, but do it with GUSTO.

  39. tokenblackgirl says:

    @Buran:
    Pretty much. Anyone who doesn’t know in some 6 degree of Kevin Bacon sort of way is an idiot for wanting to be my friend..

    You can reset your privacy notice, but thats not the point. I want
    to be completely off the site, as i you cna’t type in my name and find
    it, which again is not possible.

    On myspace, if you create your page and delte it, its gone. Facebook
    on the other hand go, well we don’t thnk it was a wise decision
    deciding to delete your page, so what we will do instead is suspend it
    indefintely, till you change your mind and come back to us.

    Seriously.

  40. floydianslip6 says:

    @tokenblackgirl: You can, however go through the long process of requesting a name change then systematically deleting and unfriending everyone.

  41. phantomfly says:

    I blocked Beacon using the Firefox app and guess what – it didn’t work. Allposters.com tried to send a story to my news feed anyway.

    Is anyone compiling a list of sites that use Beacon?

  42. tokenblackgirl says:

    @floydianslip6:

    I tried that, deleted everyone, well didn’t do a name change, just deleted and i still get messages from people.

    I never particulary cared for the site that, it just seemed way too
    overhyped for me. I understand some people using facebook as a rolodex
    but chances are, you only talk to about 10-20 even if its that much.

    The rest are people you keep on the backburner and my talk to, that just seems pointless. ( random tangent).

    That was just my gripe.

  43. snowmentality says:

    @tokenblackgirl — I was able to completely delete my account by the following procedure. I manually deleted everything on my account — every friend, every group, every wall post, news item, message, application, profile item, picture, etc. Then I deactivated. Then I emailed info@facebook.com from the email that had been linked to my account, and asked for a permanent deletion, which they gave me. (I just tried to log in to make sure, and my account really is gone.)

    They will only delete your account once you have manually deleted EVERYTHING.

    Believe me, this process just made me more sure that I’d made the right decision.

  44. sibertater says:

    @Quellman: Yeah, but that’s what FaceBook is about. I’m 35 and a member because I am also a college student and everyone under 25 at a university belongs to FB…and there are the “I got drunk last night” pictures on every one of them.

    Stereotypes are only bad if they’re wrong.

  45. Benstein says:

    Log out of your account, delete your cookies, then shop. You really should set your browser settings to delete all of your cookies when you close the browser anyway. We are no longer in the days of dial-up when the speed to re-download cookies was significant.

  46. hazeljemi says:

    Can you block the intrusion of privacy if you log out of facebook and use a different e-mail address for beacon websites than you use on facebook?
    Ps. Facebook really has become a necessity for keeping in touch with old friends/frienemys. My HS reunion is coming up and I’m like, why bother, I can see what they are doing on facebook and I know I don’t care.

  47. drjayphd says:

    @7j6cei: Then don’t look at them.

  48. Sam says:

    @phantomfly: Did you block *.facebook.com/beacon/* or just facebook.com/beacon/* (note the asterisk at the beginning)? That may make all the difference; Epicurious tried but failed to post something of mine.

  49. Mr. Gunn says:

    If you’ll read the profile of Zuckerberg, you’ll see why no one who knows him is even all that surprised. Give your info to a sociopath if you want, but don’t be surprised when he does something dickish with it.