2 min read

CA: Facebook’s Beacon more intrusive than previously thought

The application reports user activity to advertisers even when logged off and opted-out, says researcher

A CA security researcher is sounding the alarm that Facebook’s controversial Beacon online ad system goes much further than anyone has imagined in tracking people’s Web activities outside the popular social networking site.

Beacon will report back to Facebook on members’ activities on third-party sites that participate in Beacon even if the users are logged off from Facebook and have declined having their activities broadcast to their Facebook friends.

That’s the finding published on Friday by Stefan Berteau, senior research engineer at CA’s Threat Research Group in a note summarizing tests he conducted.

Of particular concern is that users aren’t informed that data on their activities at these sites is flowing back to Facebook, nor given the option to block that information from being transmitted, Berteau said in an interview.

“It can happen completely without their knowledge, unless they are examining their network traffic at a very low level,” Berteau said.

The CA news comes after Facebook scrambled on Thursday night to tweak Beacon in order to calm complaints from privacy groups and Facebook users that the ad system is too intrusive and too confusing to opt out of.

Beacon is a major part of the Facebook Ads platform that Facebook introduced with much fanfare several weeks ago. Beacon tracks certain activities of Facebook users on more than 40 participating Web sites, including those of Blockbuster and Fandango, and reports those activities to the users’ set of Facebook friends, unless told not to do so.

On Thursday night, Facebook tweaked Beacon to make its workings more explicit to Facebook users and to make it easier to nix a broadcast message and opt out of having activities tracked on specific Web sites. Facebook didn’t go all the way to providing a general opt-out option for the entire Beacon program, as some had hoped.

But Berteau’s investigation reveals that Beacon is more intrusive and stealthy than anyone had imagined.

In e-mail correspondence with Facebook’s privacy department, Berteau was told, among other things, that “as long as you are logged out of Facebook, no actions you have taken on other websites can be sent to Facebook.”