A CA security researcher is sounding the alarm that Facebook's controversial Beacon online ad system goes much further than anyone has imagined in tracking people's web activities outside the popular social networking site.
Beacon will report back to Facebook on members' activities on third-party sites that participate in Beacon even if the users are logged off from Facebook and have declined having their activities broadcast to their Facebook friends.
That's the finding published on Friday by Stefan Berteau, senior research engineer at CA's Threat Research Group in a note summarizing tests he conducted.
Of particular concern is that users aren't informed that data on their activities at these sites is flowing back to Facebook, nor given the option to block that information from being transmitted, Berteau said in an interview.
"It can happen completely without their knowledge, unless they are examining their network traffic at a very low level," Berteau said.
The CA news comes after Facebook scrambled on Thursday night to tweak Beacon in order to calm complaints from privacy groups and Facebook users that the ad system is too intrusive and too confusing to opt out of.
Beacon is a major part of the Facebook Ads platform that Facebook introduced with much fanfare several weeks ago. Beacon tracks certain activities of Facebook users on more than 40 participating websites, including those of Blockbuster and Fandango, and reports those activities to the users' set of Facebook friends, unless told not to do so.
Off-Facebook activities that can be broadcast to one's Facebook friends include purchasing a product, signing up for a service and including an item on a wish list.
Beacon has been blasted by groups such as MoveOn.org and by individual users who have unwittingly broadcast information about recent purchases and other web activities to their Facebook friends. This has led to some embarrassing situations, such as blowing the surprise of holiday presents.
On Thursday night, Facebook tweaked Beacon to make its workings more explicit to Facebook users and to make it easier to nix a broadcast message and opt out of having activities tracked on specific websites. Facebook didn't go all the way to providing a general opt-out option for the entire Beacon program, as some had hoped.
But Berteau's investigation reveals that Beacon is more intrusive and stealthy than anyone had imagined.
In his note, titled "Facebook's Misrepresentation of Beacon's Threat to Privacy: Tracking users who opt out or are not logged in," he explains that he created an account on Conde Nast's food site Epicurious.com, a site participating in Beacon, and saved three recipes as favorites.
He saved the first recipe while logged in to Facebook, and he opted out of having it broadcast to his friends on Facebook. He saved the second recipe after closing the Facebook window, but without logging off from Epicurious or ending the browser session, and again declined broadcasting it to his friends. Then he logged out of Facebook and saved the third recipe. This time, no Facebook alert appeared asking if he wanted the information displayed to his friends.
After checking his network traffic logs, Berteau saw that in all three cases, information about his activities was reported back to Facebook, although not to his friends. That information included where he was on Epicurious, the action he had just taken and his Facebook account name.
"The first two cases involve the transmission of user data despite 'No thanks' having been selected on the opt-out dialogue, and are causes for deep concern. They pale, however, in comparison to the third case, where Facebook was receiving data about my online habits while I was not logged in, and was doing so silently, without even alerting me to the cross-site communication," he wrote in the research note.
If a user has ever checked the option for Facebook to "remember me" - which saves the user from having to log on to the site upon every return to it - Facebook can tie his activities on third-party Beacon sites directly to him, even if he's logged off and has opted out of the broadcast. If he has never chosen this option, the information still flows back to Facebook, although without it being tied to his Facebook ID, according to Berteau.
Berteau wasn't able to determine where this data flows to in Facebook. "That's part of the concern here," he said in the interview. He repeated the Epicurious experiment with Kongregate.com, another Beacon-affiliated site, and got similar results.
In email correspondence with Facebook's privacy department, Berteau was told, among other things, that "as long as you are logged out of Facebook, no actions you have taken on other websites can be sent to Facebook."
A similar statement was made by a high-ranking Facebook official on Thursday. In an interview with The New York Times, Chamath Palihapitiya, vice president of product marketing and operations at Facebook, was asked whether Facebook would receive information about a user's purchase if the user declined to broadcast the purchase to his Facebook friends.
His answer: "Absolutely not. One of the things we are still trying to do is dispel a lot of misinformation that is being propagated unnecessarily."
Facebook didn't immediately reply to requests for comment.