Last week, Facebook made a lot of noise about how it was making its new Beacon spyware—we mean advertising initiative—less sneaky. But guess what? Over the weekend, Computer Associates reported that even after you’ve declined to have Beacon advertise your habits back to your friends, and even if you’ve logged out of Facebook, Beacon will still surreptitiously report your actions back to Facebook’s servers. And there’s no way you can turn it off.
But Berteau’s investigation reveals that Beacon is more intrusive and stealthy than anyone had imagined. In his note, titled “Facebook’s Misrepresentation of Beacon’s Threat to Privacy: Tracking users who opt out or are not logged in,” he explains that he created an account on Conde Nast’s food site Epicurious.com, a site participating in Beacon, and saved three recipes as favorites.
He saved the first recipe while logged in to Facebook, and he opted out of having it broadcast to his friends on Facebook. He saved the second recipe after closing the Facebook window, but without logging off from Epicurious or ending the browser session, and again declined broadcasting it to his friends. Then he logged out of Facebook and saved the third recipe. This time, no Facebook alert appeared asking if he wanted the information displayed to his friends.
After checking his network traffic logs, Berteau saw that in all three cases, information about his activities was reported back to Facebook, although not to his friends. That information included where he was on Epicurious, the action he had just taken and his Facebook account name.
It appears Facebook is blatantly misrepresenting what Beacon does at this point. Consider this quote from Chamath Palihapitiya, vice president of product marketing and operations at Facebook, when asked last week whether or not Facebook would still receive Beacon data if a user chose to opt out: “Absolutely not.”
“Facebook’s Beacon More Intrusive Than Previously Thought” [PCWorld]