As if Facebook wasn’t receiving enough criticism over its Beacon social ad system, now it seems it may be transmitting even more data than originally thought, and without the user’s permission.

According to Stefan Berteau, a security analyst with CA, Facebook is collecting far more data than was originally believed with their Beacon advertising system. Even as Facebook makes changes to the system to satisfy privacy concerns, Mr. Berteau began to explore just how much privacy was compromised by the system.

In a series of tests conducted with network monitoring software, he used the Beacon affiliate site, Epicurious.com, to conduct his tests. Mr. Berteau discovered that no matter what his status with Facebook was, information on his activity was sent back to the popular social networking site. His tests included:

• Logged in to Facebook, and the site open in the same session.
• Logged in to Facebook, but site not open.
• Logged out completely.

In all three tests his software showed that details of his interactions with the site were sent back to Facebook. In the two instances where he was logged in, he did receive notifications about if he wanted his actions transmitted on his News Feed, but in the third instance, where he was not logged in, he received no notification, but had evidence of his information being shared.

While Berteau did contact Facebook in regards to this, he only received boiler plate responses from customer service. To make sure that his results were not unique, he has also had them independently verified about other security experts.

This is certainly a disturbing concept that Facebook, or any entity for that matter, would be able to collect this much consumer data without your knowledge or permission. Thus far Facebook has not acknowledged this new wrinkle, but hopefully they will do so soon and dispel some of the concerns this raises.

Updated at 4:30 AM EST: Facebook has released a comment regarding the transferred data:

“When a Facebook user takes a Beacon-enabled action on a participating site, information is sent to Facebook in order for Facebook to operate Beacon technologically. If a Facebook user clicks “No, thanks” on the partner site notification, Facebook does not use the data and deletes it from its servers. Separately, before Facebook can determine whether the user is logged in, some data may be transferred from the participating site to Facebook. In those cases, Facebook does not associate the information with any individual user account, and deletes the data as well.”

Related:

Is Facebook down for the count?

Facebook’s Beacon now under attack from advertisers

Facebook loses two more advertisers over Beacon debacle

Facebook apologizes for the privacy disaster known as Beacon

FaceBook sneaks the dreaded Beacon back into play

Entry was posted on Saturday, December 1st, 2007 at 3:40 am under Piracy.  Print This Post

Read more entries by Sean P. Aune.
Stumble It!