PRIVACY + SECURITY BLOG

News, Developments, and Insights


Facebook

I previously complained about Facebook’s Beacon and Social Ads, and last week Facebook appeared to back down (at least from Beacon) by changing its policy and having users opt in before their activities on other websites are broadcast on their profiles. I applauded Facebook’s change of heart.

But there are more disturbing aspects of Beacon that have not been changed. According to Macworld:

If you think that just because you have never signed up for Facebook you’re immune to the tracking and collecting of user activities outside of this popular social networking site, think again.

Facebook’s controversial Beacon ad system tracks activities from all users in its third-party partner sites, including from people who have never signed up with Facebook or who have deactivated their accounts, CA has found.

Beacon captures detailed data on what users do on these external partner sites and sends it back to Facebook along with users’ IP addresses, Stefan Berteau, senior research engineer at CA’s Threat Research Group, said Monday in an interview.

This happens even if users delete the Facebook cookie. “The Facebook Javascript [code] is still called by the affiliate site and the information is passed in,” he said. In the case of users without accounts or with deactivated accounts, the data isn’t tied to a Facebook ID, he said.

However, it is well-known that IP addresses provide a variety of information about users, and have in some cases been used to identify individuals.

The information captured by Beacon in these cases includes the addresses of Web pages visited by the user and a string with the action taken in the partner site, Berteau said. . . .

Over the weekend, Facebook confirmed that Berteau’s report on Friday was accurate, but said that it deletes the data it gets under these circumstances.

Still, Friday’s findings deepened the privacy concerns surrounding Beacon since its introduction several weeks ago. And the admission Monday added to the concerns, since it contradicted what had, until then, been the official company line about this issue.

For more, see Michael Zimmer’s post.

A while back, DoubleClick generated many privacy complaints. DoubleClick used information about people’s web-surfing habits to target ads on various websites. Facebook’s Beacon appears to be a related incarnation of the DoubleClick advertising model.

Facebook is not the only one to blame with Beacon. About 40 websites participate in the Beacon program, including:

* Blockbuster

* CBS Interactive (CBSSports.com & Dotspotter)

* Citysearch

* Fandango

* LiveJournal

* Mercantila

* National Basketball Association

* NYTimes.com

* Overstock.com

* Sony Online Entertainment LLC

* Sony Pictures

* TripAdvisor

* Travelocity

* TypePad

* WeddingChannel.com

For a more complete list of these companies, see this post on the Consumerist blog.

These companies are disclosing their customer data to Facebook — often without their users’ knowledge or consent. This is possible because there is scant regulation on what most companies can do with your personal data. The law basically allows them to do whatever they want with it. Most companies have privacy policies, which tell you how they use the information. If a company violates its privacy policy, then the FTC can bring an action, but privacy policies are written in vague terms that often allow for a lot of information sharing. The current system of protecting privacy of personal information is referred to by industry as “notice and choice.” But the notice is often buried in lengthy and verbose privacy policies that most consumers don’t read, and consumers often have little choice other than to take it or leave it. In other words, there’s not much notice and not much choice.

Hat tip: Pogo Was Right

Originally Posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* LinkedIn Influencer blog
* Twitter
* Newsletter
