Facebook’s Misrepresentation of Beacon’s Threat to Privacy: Tracking users who opt out or are not logged in.

As a follow-up to Ben’s look at Facebook’s Beacon system, I began investigating the extent of its privacy implications.  What I found is extremely disconcerting.  Facebook is collecting information about user actions on affiliate sites regardless of whether the user chose to opt out, and regardless of whether the user is logged in to Facebook at the time.  The evidence I present below directly contradicts both public statements made by Facebook and direct email correspondence from their privacy department, and demonstrates that Beacon is a serious threat to user privacy.

I would like to offer special thanks and recognition to Ben Googins for “Facebook SocialAds - Going Too Far?”, his initial blog entry on this subject, and to Jay Goldman, whose blog post on deconstructing Beacon was one of, if not the first, to provide a detailed analysis of the Beacon code, which proved invaluable to this investigation.  I recommend it to anyone who wants a more in-depth technical look at the underlying code of Beacon.

Third-party sites which affiliate with Beacon are given JavaScript code to place on specific pages.  At a high level, this code, together with the further code it pulls in from facebook.com, takes the following actions:

  1. Prepares a series of variables to be sent to Facebook: a request to queue the story, the URL of the item viewed on the affiliate site (modified to include a Facebook tag), a random number, the “source id” (presumably a unique affiliate number), and the referring URL, including any query-string variables.
  2. Calls a page on facebook.com (http://www.facebook.com/beacon/auth_iframe.php), passing the variables prepared in step 1 as parameters.
  3. If the browser has previously been used to access facebook.com, the browser sends its Facebook cookie along with that request.  The cookie contains a randomly generated ID, and if the user has ever selected “remember me” while logging into Facebook, it also contains their Facebook login ID.
  4. Only at this point, and only if the user is currently logged in to Facebook, is a JavaScript function called to pop up a dialog asking whether to publish this item to their feed.  If they opt out, the feed is not updated, but all the information mentioned above has already been transmitted to Facebook.
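To make the ordering of those four steps concrete, here is an added JavaScript model of the flow.  It is not code from the original post, from Facebook or from any affiliate; only the endpoint URL and the cookie fields h_user and login_x come from this post.  The query-parameter names (queue, item, rand, source, ref), the fb_tag marker, and all sample values are assumptions chosen to match the description above.

```javascript
// Added example: a model of the four-step Beacon flow. Not Facebook's or any
// affiliate's code. Parameter names (queue, item, rand, source, ref), the
// fb_tag marker and the sample values are assumptions; only the endpoint and
// the cookie fields h_user / login_x are taken from the post.
const BEACON_ENDPOINT = "http://www.facebook.com/beacon/auth_iframe.php";

// Step 1: the affiliate page prepares the variables that will be sent.
function buildBeaconRequest({ itemUrl, sourceId, referrer, random }) {
  const tagged = itemUrl + (itemUrl.includes("?") ? "&" : "?") + "fb_tag=1";
  const params = new URLSearchParams({
    queue: "1",               // request to queue a story (assumed name)
    item: tagged,             // item URL with the Facebook tag appended
    rand: String(random),     // random number
    source: String(sourceId), // affiliate "source id"
    ref: referrer,            // referring URL, query string included
  });
  return `${BEACON_ENDPOINT}?${params.toString()}`;
}

// Step 3: the browser attaches whatever cookies it holds for the target host.
// `jar` maps a hostname to that host's cookie name/value pairs.
function cookieHeaderFor(url, jar) {
  const host = new URL(url).hostname;
  return Object.entries(jar[host] || {})
    .map(([name, value]) => `${name}=${value}`)
    .join("; ");
}

// Steps 2-4 in order. Returns the observable events so their order can be
// checked: the GET (cookie included) leaves the browser before any dialog,
// and the dialog only exists when the user is logged in.
function runBeaconFlow({ request, jar, loggedIn, choice }) {
  const url = buildBeaconRequest(request);
  const events = [{ type: "request_sent", url, cookie: cookieHeaderFor(url, jar) }];
  if (loggedIn) {
    events.push({ type: "prompt_shown" });
    events.push({ type: choice === "publish" ? "feed_published" : "feed_not_published" });
  }
  return events;
}

// Which account-identifying cookie fields travelled with the first event.
function identifiersSent(events) {
  const sent = events.find((e) => e.type === "request_sent");
  return sent.cookie
    .split("; ")
    .filter(Boolean)
    .map((pair) => pair.split("=")[0])
    .filter((name) => name === "h_user" || name === "login_x");
}

// Constructed sample: a browser that once logged in with "remember me".
const SAMPLE_JAR = {
  "www.facebook.com": { h_user: "1234567", login_x: "someone%40example.edu" },
};
const SAMPLE_REQUEST = {
  itemUrl: "http://www.epicurious.com/recipes/food/views/example-recipe",
  sourceId: 42,
  referrer: "http://www.epicurious.com/recipes/food/views/example-recipe?action=Save+to+Box",
  random: 8675309,
};

// A browser that is not logged in: no dialog, but the request still goes out.
const loggedOut = runBeaconFlow({ request: SAMPLE_REQUEST, jar: SAMPLE_JAR, loggedIn: false });
console.log(loggedOut.map((e) => e.type)); // [ 'request_sent' ]
console.log(identifiersSent(loggedOut));    // [ 'h_user', 'login_x' ]
```

The point the model makes is structural rather than cosmetic: the user's choice in step 4 only gates `feed_published`, while `request_sent` has already happened with the cookie attached, so an opt-out can never un-send the data.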

To test this in real life, I created an account on epicurious.com and saved three recipes as favorites.  The first recipe was saved while logged in to Facebook in the same browser session.  An alert appeared allowing me to opt out of Facebook publishing this as a story on my feed, which I did.  The second was saved after I had closed the Facebook window but had not logged out or ended the browser session.  The same alert appeared, and I opted out again, selecting “No thanks”.  I then closed the browser entirely and launched a new session.  After confirming that I was not logged in to Facebook, I saved the third recipe.  No alert appeared.

I then checked the network traffic logs, and was dismayed to find that in all three cases, data about where I was on Epicurious, what action I had just taken, and what my Facebook account name is had been transmitted to Facebook.  The first two cases involve the transmission of user data despite “No thanks” having been selected on the opt-out dialog, and are causes for deep concern.  They pale, however, in comparison to the third case, where Facebook was receiving data about my online habits while I was not logged in, and was doing so silently, without even alerting me to the cross-site communication.

[Screenshot: network packet capture]

As the screenshot above indicates, a GET request was issued to http://www.facebook.com/beacon/auth_iframe.php with variables which included my current location on Epicurious and the URL I had loaded to get there, including the variable indicating my action, namely “Save to Box”.  A Facebook cookie was also transmitted, which includes a variable named h_user (presumably a user ID) and my login email address in plaintext.  (The email address is partially visible as the value of login_x on the right side of the screenshot, as I didn’t feel like posting my alumni address to the world.)
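The check I ran by eye on the capture can be automated.  The following is an added example, not code from the original post: it parses a raw HTTP request as a proxy or packet capture shows it, recognises a Beacon call, and reports what it discloses.  The sample request is constructed to resemble the capture described above; only the endpoint and the cookie fields h_user and login_x come from this post, while the query-parameter names (queue, item, rand, source, ref), the affiliate “action” parameter, the datr cookie and all values are assumptions.

```javascript
// Added example, not from the original post: classify a captured request as
// a Beacon call and report whether it is linkable to a Facebook account.
// Constructed sample modelled on the capture described in the post. Only the
// endpoint and the cookie fields h_user / login_x are from the post; the
// parameter names, the "action" parameter, the datr cookie and all values
// are assumptions.
const SAMPLE_CAPTURE = [
  "GET /beacon/auth_iframe.php?queue=1" +
    "&item=http%3A%2F%2Fwww.epicurious.com%2Frecipes%2Ffood%2Fviews%2Fexample-recipe%3Ffb_tag%3D1" +
    "&rand=8675309&source=42" +
    "&ref=http%3A%2F%2Fwww.epicurious.com%2Frecipes%2Ffood%2Fviews%2Fexample-recipe%3Faction%3DSave%2Bto%2BBox HTTP/1.1",
  "Host: www.facebook.com",
  "Referer: http://www.epicurious.com/recipes/food/views/example-recipe",
  "Cookie: datr=abc123; h_user=1234567; login_x=someone%40example.edu",
  "",
  "",
].join("\r\n");

// The same request from a browser whose facebook.com cookies were cleared.
const CLEAN_CAPTURE = SAMPLE_CAPTURE.replace(/^Cookie:.*\r\n/m, "");

// Split a raw request into its request line and a lower-cased header map.
function parseHttpRequest(raw) {
  const [head] = raw.split("\r\n\r\n");
  const lines = head.split("\r\n");
  const [method, target, version] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, version, headers };
}

// Cookie header "a=1; b=2" -> { a: "1", b: "2" }, values percent-decoded.
function parseCookieHeader(value) {
  const cookies = {};
  for (const pair of (value || "").split(";")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    cookies[pair.slice(0, idx).trim()] = decodeURIComponent(pair.slice(idx + 1).trim());
  }
  return cookies;
}

const BEACON_PATH = "/beacon/auth_iframe.php";
const ACCOUNT_FIELDS = ["h_user", "login_x"]; // cookie fields that identify the account

function parseUrl(value, base) {
  try { return new URL(value, base); } catch { return null; }
}

// Decide whether a captured request is a Beacon call and what it discloses.
function analyzeBeaconRequest(raw) {
  const req = parseHttpRequest(raw);
  const url = parseUrl(req.target, `http://${req.headers.host || "localhost"}`);
  const isBeacon = !!url && url.hostname.endsWith("facebook.com") && url.pathname === BEACON_PATH;
  const cookies = parseCookieHeader(req.headers.cookie);
  const identifiers = ACCOUNT_FIELDS.filter((name) => name in cookies);
  // The "ref" parameter carries the affiliate URL with its own query string,
  // so parsing it again recovers the affiliate page and the action taken there.
  const ref = isBeacon ? parseUrl(url.searchParams.get("ref") || "") : null;
  return {
    isBeacon,
    affiliatePage: ref ? ref.origin + ref.pathname : null,
    action: ref ? ref.searchParams.get("action") : null,
    identifiers,
    email: cookies.login_x || null,
    linkable: isBeacon && identifiers.length > 0,
  };
}

console.log(analyzeBeaconRequest(SAMPLE_CAPTURE));
console.log(analyzeBeaconRequest(CLEAN_CAPTURE).linkable); // false
```

Run against a capture with the account cookies present, the analysis recovers the affiliate page, the “Save to Box” action and the login email from a single request; run against the same request with the facebook.com cookies cleared, the Beacon call is still recognised but is no longer linkable to an account, which is the difference the cookie-deletion advice below relies on.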

Despite the fact that I was not logged in, Facebook had just received enough information to tie the activity I took on their affiliate to my individual account, which, combined with the social data they already have, such as circles of friends, level of education, communication patterns, and geographic locations, would allow them to profile individual consumer behavior in nearly unprecedented detail.

How can this transfer of data be prevented?  The blocking method from Ben’s blog will continue to be effective against Beacon whether you are logged in to Facebook or not.  In addition, deleting your facebook.com cookies and avoiding the “remember me” option when logging in will keep Facebook from being able to track you while you are not logged in.  Your data will still be sent if you are logged in to Facebook, however, regardless of the choice you make when presented with the opt-out dialog.

I emailed Facebook’s privacy department (privacy@facebook.com), expressing my concerns about the data that was being collected despite opt-outs and despite users not being logged in, and inquiring as to the existence of a privacy or data retention policy for this silently collected information.  If this information is received by Facebook but purged as a matter of policy when the user was not logged in, or had opted out of feed publication, then my concerns would at least be eased slightly.  I received a prompt response, containing what seemed to be a boilerplate statement about Beacon:

Hi Stefan,

Facebook is now affiliated with a variety of websites, all of whom can, with your permission, send the actions you take on their sites back into Facebook. These actions will appear in your Mini-Feed and may appear in the News Feeds of your friends.

If you are logged in to Facebook and take an action on an affiliated site, the website will alert you that it has a story it would like to send to your Facebook profile. You can then choose to take the following actions:

1. You can click the ‘Learn More’ link to find out more about that story or edit your privacy settings for these external stories.
2. You can click the ‘This isn’t me’ link if the Facebook account does not match the person using the external site. In this case, Facebook will never publish the story or otherwise share any information with the user’s friends on Facebook.
3. You can click ‘No Thanks’ in which case Facebook will never publish that story or otherwise share any information with your friends on Facebook.
4. You can click ‘close’ or simply ignore the notification in which case the story will be sent to Facebook, but will not be published on the site. Next time you navigate to the Facebook Home page after interacting with an affiliate site, you’ll receive a second reminder that the affiliate website is about to publish a story on your behalf. If you select ‘See More’ and then click the ‘X’ next to any story, the story will not be published. If you click ‘close’ or navigate away from your home page, the external story will then be published in your Mini-Feed and potentially the News Feeds of your friends.

Please keep in mind that affiliate websites never have access to your profile information, nor does Facebook receive any personal data about you from an affiliate site.  Let us know if you have any further questions regarding the privacy settings for this feature.

Thanks for contacting Facebook,

[Name removed - Stefan]
Customer Support Representative
Facebook

This letter strongly implies that the data will only be sent to Facebook with my permission.  I replied explaining that I was not particularly worried about the feeds, which are only shown to friends whom I have previously vetted, but that I was more concerned about the silently collected data, particularly the possibility of that data being sold to third parties.  I clarified exactly how I knew that the data was being collected without my permission (referencing only the JavaScript actions at that time, as I had not had a chance to independently verify my packet capture results), and asked if there was a policy in place to prevent this data from being misused.

The response I received was polite and prompt, but once again only addressed control of the feeds.  Of particular interest, however, was the closing paragraph:

While we do not currently have the functionality you are requesting for this new feature, we appreciate your feedback and we will certainly keep it in mind as we continue to improve the site. Please note that as long as you are logged out of Facebook, no actions you have taken on other websites can be sent to Facebook. [Emphasis mine - Stefan]  Let me know if you have any further questions.

Thanks,

[Name removed - Stefan]
Customer Support Representative
Facebook

The emphasized line is directly contradicted by all of my tests, which have been run multiple times and verified by independent parties.  Now, I don’t expect the customer support representatives to be intimately aware of the technical workings of their web site’s scripting, but they do need to be made aware of the actual privacy impact of a program.  I am continuing the dialogue in an attempt to explain the concerns that this raises, because the bottom line is that Facebook is materially misrepresenting the privacy impact of their Beacon program, and presenting users with the appearance of control over their information when in fact they have almost none.
