CA: Facebook's Beacon more intrusive than previously thought

By , IDG News Service |  Security

A CA security researcher is sounding the alarm that Facebook's controversial
Beacon online ad system goes much further than anyone has imagined in tracking
people's Web activities outside the popular social networking site.

Beacon will report back to Facebook on members' activities on third-party sites
that participate in Beacon even if the users are logged off from Facebook and
have declined having their activities broadcast to their Facebook friends.

That's the finding published on Friday by Stefan Berteau, senior research engineer
at CA's Threat Research Group, in a note summarizing tests he conducted.

Of particular concern is that users aren't informed that data on their activities
at these sites is flowing back to Facebook, nor given the option to block that
information from being transmitted, Berteau said in an interview.

"It can happen completely without their knowledge, unless they are examining
their network traffic at a very low level," Berteau said.

The CA news comes after Facebook scrambled on Thursday night to tweak Beacon
in order to calm complaints from privacy groups and Facebook users that the
ad system is too intrusive and too confusing to opt out of.

Beacon is a major part of the Facebook Ads platform that Facebook introduced
with much fanfare several weeks ago. Beacon tracks certain activities of Facebook
users on more than 40 participating Web sites, including those of Blockbuster
and Fandango, and reports those activities to the users' set of Facebook friends,
unless told not to do so.

Off-Facebook activities that can be broadcast to one's Facebook friends include
purchasing a product, signing up for a service and including an item on a wish

The program has been blasted by groups such as and by individual
users who have unwittingly broadcast information about recent purchases and
other Web activities to their Facebook friends. This has led to some embarrassing
situations, such as blowing the surprise of holiday presents.

On Thursday night, Facebook tweaked Beacon to make its workings more explicit
to Facebook users and to make it easier to nix a broadcast message and opt out
of having activities tracked on specific Web sites. Facebook didn't go all the
way to providing a general opt-out option for the entire Beacon program, as
some had hoped.

But Berteau's investigation reveals that Beacon is more intrusive and stealthy
than anyone had imagined.

In his note, titled "Facebook's Misrepresentation of Beacon's Threat to
Privacy: Tracking users who opt out or are not logged in," he explains
that he created an account on Conde Nast's food site, a site
participating in Beacon, and saved three recipes as favorites.
