X
Tech

Logged in or out, Facebook is watching you

Researchers at software vendor CA have discovered that social networking site Facebook is able to track the buying habits of its users on affiliated third-party sites even when they are logged out of their account or have opted out of its controversial "Beacon" tracking service.
Written by Brett Winterford, Contributor

Researchers at software vendor CA have discovered that social networking site Facebook is able to track the buying habits of its users on affiliated third-party sites even when they are logged out of their account or have opted out of its controversial "Beacon" tracking service.

Read This:

facebook.jpg

Facebook: The Google of social networks?

Since lifting its university-only restrictions in September 2006, Facebook has become the poster child for social networks and attracted more than 100 million users. But will it survive 'the next big thing'?
Read More

Beacon, launched in November, tracks the transactions Facebook users make at e-commerce sites such as ticketing company Fandango and Blockbuster Video, in order to list them in the user's "mini-feed". It is intended, Facebook claims, as a means of "social marketing" -- users recommending products and services to their peers.

Responding to privacy concerns, Facebook has since moved to reassure users that it only tracks and publishes data about their purchases if they are both logged in to Facebook and have opted-in to having this information listed on their profile.

But in "extremely disconcerting" findings that directly contradict these assurances, researchers at CA's Security Advisory service have found that data about these transactions are sent to Facebook regardless of a user's actions.

Tests by CA researcher Stefan Berteau, published here, seem to prove the point.

During the test, Berteau executed actions (saved a recipe) on Facebook affiliate site epicurious.com three times.

In the first instance, he saved a recipe while still logged in to Facebook.

"An alert appeared allowing me to opt-out of Facebook's publishing this as a story on my feed, which I did," he said.

He then saved a recipe on Epicurious.com with the Facebook window closed, but while he was still logged in to Facebook. Again he was alerted, and this time chose "No, thanks" -- and therefore opting out of the service.

He then saved a third recipe while he was completely logged out of the Facebook site under a new browser session, and received no alert.

Berteau then consulted CA's network traffic logs, and found that in all three cases, data (such as his Facebook account name and details of his actions on the affiliate site) had been submitted to Facebook.

Berteau claims the results of the tests prove that Facebook is able to collect information about its members' surfing habits on affiliate sites, regardless of whether permission has been granted.

Facebook replied to CA's concerns in a letter describing the ease with which user's can opt out of having the purchasing information listed on the "mini-feed" on their profile.

"I replied explaining that I was not particularly worried about the feeds, which are only shown to friends who I have previously vetted, but that I was more concerned about the silently collected data, particularly the possibility of that data being sold to third parties," Berteau said.

Facebook has since released a statement claiming that it has no choice but to collect the data so that it can be used should the user decide to "opt-in" to the service.

"If a Facebook user clicks 'No, thanks' on the partner site notification, Facebook does not use the data and deletes it from its servers.

"Separately, before Facebook can determine whether the user is logged in, some data may be transferred from the participating site to Facebook. In those cases, Facebook does not associate the information with any individual user account, and deletes the data as well," the statement said.

Berteau said that while such a statement is reassuring, there is nothing in Facebook's privacy policy that acknowledges it doesn't store or use that data.

"The fact that the data continues to be sent to Facebook.com continues to pose a risk to user's privacy until a binding, public mechanism is in place to assure that the above policy stays in place, and that users are notified if it ever changes.

"Facebook's privacy policy is such a mechanism. Officially stating in its policy that it will not store or use data which is not associated with a logged in Facebook account which opted in to Beacon would go a long way towards providing clarity and an assurance of privacy towards their users," he said.

Editorial standards