December 1, 2007
@ 05:24 PM

Earlier this week I wrote a blog post which pointed out that the two major privacy and user experience problems with Facebook Beacon where that it (i) linked a user's Facebook account with an account on another site without the users permission and (ii) there was no way for a user to completely opt out of being tracked by the system.  Since then Facebook has announced some changes which TechCrunch named Facebook Beacon 2.0. The changes are excerpted below


Facebook users will see a notification in the lower right corner of the screen after transacting with a Beacon Affiliate. Options include “No Thanks” that will immediately stop the transaction from being published. Alternatively closing or ignoring the warning won’t immediately publish the story, but it will be put in a queue

Second Warning

Presuming you’ve ignored or closed the first notification, Facebook warns users again the next time they visit their home page. A new box reminds you that an activity has been sent to Facebook. Like the first notification you can choose to not publish the activity by hitting remove, or you can choose to publish it by hitting ok.


Opt Out
Found via the “External Websites” section of the Facebook Privacy page, this allows users to permanently opt in or out of Beacon notifications, or if you’re not sure be notified. The downside is that there is no global option to opt out of every Beacon affiliated program; it has to be set per program. Better this than nothing I suppose.

The interesting thing to note is that neither of the significant problems with Beacon have been fixed. After the changes were announced there was a post on the CA Security Advisory blog titled Facebook's Misrepresentation of Beacon's Threat to Privacy: Tracking users who opt out or are not logged in which pointed out that the complaining about purchase history getting into the news feed of your friends is a red herring, the real problem is that once a site signs up as a Facebook affiliate they begin to share every significant action you take on the site with Facebook without your permission. 

Which is worse, your friends knowing that you rented Prison Girls or Facebook finding that out without your permission and sharing that with their business partners, without your permission? Aren't there laws against this kind of invasion of privacy? I guess there are (see 18 U.S.C. § 2710)

I wonder who'll be first to sue Facebook and Blockbuster? 

Anyway, back to the title of this blog post. The problem with Facebook Beacon is that it is designed in a way that makes it easy for Facebook Beacon affiliates to integrate into their sites at the cost of user's privacy. From Jay Goldman's excellent post where he Deconstructed the Facebook Beacon Javascript we learn

Beacon from 10,000 Feet

That basically wraps up our tour of how Beacon does what it does. It's a fairly long explanation, so here's a quick summary:

  1. The partner site page includes the beacon.js file, sets a <meta> tag with a name, and then calls Facebook.publish_action.            
  2. Facebook.publish_action builds a query_params object and then passes it to Facebook._send_request.            
  3. Facebook._send_request dynamically generates an <iframe>which loads the URL and passes the query_params. At this point, Facebook now knows about the news feed item whether you choose to publish it or not. 

When you read this you realize just how insidious the problem actually is. Facebook isn't simply learning about every action taken by Facebook users on affiliate sites, it is learning about every action taken by every user of these affiliate sites regardless of whether they are Facebook users or not.

At first I assumed that the affiliates sites would call some sort of IsFacebookUser() API and then decide whether to send the action or not. Of course, this is still broken since the affiliate site has told Facebook that you are a user of the site, and depending on the return value of the hypothetical function the affiliate in turn learns that you are a Facebook user.

But no, it is actually worse than that. The affiliate sites are pretty much dumping their entire customer database into Facebook's lap, FOR FREE and without their customers permission. What. The. Fuck.

The icing on the cake is the following excerpt from the Facebook Beacon page

Stories of a user's engagement with your site may be displayed in his or her profile and in News Feed. These stories will act as a word-of-mouth promotion for your business and may be seen by friends who are also likely to be interested in your product. You can increase the number of friends who see these stories with Facebook Social Ads.

So after giving Facebook millions of dollars in customer intelligence for free in exchange for spamming their users, Facebook doesn't even guarantee their affiliates that the spam will even get sent. Instead these sites have to pay Facebook to "increase the chances" that they get some return for the free customer intelligence they just gave Facebook.

This reminds me of the story of Tom Sawyer tricking people into paying him to paint a fence he was supposed to paint as part of his chores.

At the end of the day, Facebook can't fix the privacy problems I mentioned in my previous post in a way that completely preserves their users privacy without completely changing the design and implementation of Facebook Beacon. Until then, we'll likely see more misdirection, more red herrings and more violations of user privacy to make a quick buck. 


Saturday, December 1, 2007 7:52:17 PM (GMT Standard Time, UTC+00:00)
> Which is worse, your friends knowing that you rented Prison
> Girls or Facebook finding that out without your permission
> and sharing that with their business partners, without your
> permission?

Hi Dare, aren't we susceptible to the latter with any bit of third-party content on a website? (ie, the classic "web bug" or "beacon" problem which surfaced with DoubleClick in the 1990s.)

Example: That page you cite alerts,,,, and possibly other services of my visit, with cookies set by at least one of them. (I'm pretty heavily blocked, and so may not have seen some requests.)

The third-party service may not know which actions you took on that site (at least, not without similar JavaScript enhancement), but such third-party icons can be used to build profiles of the webpages an IP address or cookie holder visits. True, or am I missing something here...?

Saturday, December 1, 2007 9:35:06 PM (GMT Standard Time, UTC+00:00)
do any of those sites have accurate and detailed information about my personal details from name and birthday to work and education history?

is any of those sites being fed accurate and detailed information about my online activities by major sites on the web?
Sunday, December 2, 2007 3:08:31 AM (GMT Standard Time, UTC+00:00)

[wheelchair rolls up]

What you fail to realize, Herr Obasanjo, is that this is a key part of the Total Information Awareness program. In a study commissioned by the Bland Corporation for the Information Awareness Office, it was predicted that the formation of a "super-hub" that was able to correlate and connect activity across a variety of domains would improve our ability to identify persons of interest by no less than three orders of magnitude.

[right hand reaches up, removes cigarette dangling from mouth]

Simulations of such a "super-hub," utilizing an agent-based neural network capable of predictive modeling, showed that terrorists and their known associates are clearly 17.5% more likely to rent the film, "Prison Girls." The same film cited in your article.


[right hand reaches up, places cigarette in mouth]

Dr. Strangelove
Sunday, December 2, 2007 3:37:41 AM (GMT Standard Time, UTC+00:00)
> do any of those sites have accurate and detailed information about my personal details from name and birthday to work and education history?
> is any of those sites being fed accurate and detailed information about my online activities by major sites on the web?

Didn't you just describe every site that uses Google Analytics?

I don't understand; Google gets to send whatever Javascript it wants to folks who run gAnalytics (including myself!), collecting all kinds of behavioral information about what's going on on any webpage with the analytics code, without getting the consent of remote users first (supposedly the user has accepted the local privacy policy, if it exists, which might detail this cross-polination of data). if you're logged into your Gmail, Google Calendar, Google Checkout or *any other Google service* AND you're on a page with either Google AdSense or Google Analytics, doesn't Google have access to and the ability to correlate who's going where? They just don't advertise it as such...

So, which is worse? One where you don't even think about it, or one where the functionality is made quite freakily obvious?
Sunday, December 2, 2007 4:41:57 AM (GMT Standard Time, UTC+00:00)
Yeah ... the lack of universal opt-out is pretty unforgivable. This actually drove me to write a dedicated plugin for blocking it completely
Sunday, December 2, 2007 2:46:03 PM (GMT Standard Time, UTC+00:00)
Thanks for doing the detailed analysis for us readers.

I was very curious as to how Beacon works. This article makes it clear to me.

My instinct is that Facebook will never make any real money like Google or Microsoft and it will never appeal to the mainstream users.
Sunday, December 2, 2007 8:17:05 PM (GMT Standard Time, UTC+00:00)
Dare replied to the cross-site tracking issue with a question about correlation to realworld identity.

You're right, the second is built atop the first. Both aren't quite transparent, much less consensual.

I don't know how many individual advertisers try to correlate to realworld identity as part of their business model. It's not that difficult to do, should they wish, as Richard M. Smith showed a decade ago, when the big worry was about DoubleClick's cross-site tracking. Once you do correlate site visits to realworld identity, then it's a much bigger deal, I agree.

Chris and I seem to be raising a similar point. Every bit of third-party content on a webpage enables profiling across domains, and we rarely see disclosure policies for the third-party content on a site. Knowing that you visit a webpage selling "Prison Girls" is just a step away from knowing whether you actually ordered it. Facebook Beacon seems a matter of degree rather than purely of kind, agreed?
Sunday, December 2, 2007 10:28:24 PM (GMT Standard Time, UTC+00:00)
Dare, do you think that maybe, just maybe, they might figure it out? People hated the newsfeed, but now there are people that swear by it. The Beacon concept is pretty powerful if they can manage to figure out how to help it empower users. The problem is that, although everyone loves to see what their social network is up to, most people are leery of people checking out too much about them...
Monday, December 3, 2007 3:56:56 AM (GMT Standard Time, UTC+00:00)
> Facebook Beacon seems a matter of degree
> rather than purely of kind, agreed?

Ja! The way falling 3 feet without a parachute vs. falling 30,000 feet without a parachute is "a matter of degree rather than purely of kind."

> Dare, do you think that maybe, just maybe, they might figure it out?

"Only two things are infinite: the universe, and human stupidity. And I'm not sure about the former."

-- Albert Einstein
Dr. Strangelove
Monday, December 3, 2007 5:43:49 AM (GMT Standard Time, UTC+00:00)
This isn't totally hopeless, but there are some more options that need to be made available. In all practicality it probably is hopeless without a major lawsuit to change Facebook's current direction, but I think the concept could work well.

Each affiliate site needs to let their users decide what actions can kick off a request to Facebook for beacon information. If I don't want Facebook to know what movies I rent then I won't enable the "send movie rental actions to Facebook Beacon" option on my favorite movie rental site. All actions should be disabled by default and if I don't opt-in to anything then Facebook will never even know that I have a movie rental account.

You say that affiliate sites are sending data to Facebook without their customers permission. I say, everything would be OK if the affiliate sites just asked their customers for permission before sending data to Facebook.

In addition, Facebook should let each user establish a whitelist of affiliate sites. If an affiliate site sends a request to Facebook, Facebook should reply with a "not a known user" message that looks the same whether the user is not on Facebook or the user has not whitelisted that affiliate. If I don't want my favorite movie rental site to know I use Facebook they won't know until I put them on that whitelist.

Facebook could even give me a notification the next time I login saying, "Our affiliate site tried to send information to your mini feed but they're not on your whitelist. Do you want whitelist them for future actions?"

Unfortunately all of these options add up and requiring so much configuration would definitely decrease the number of users that participate (and decrease the wealth of information sharing that Facebook and its affiliates benefit from under the current protocol). However, with all of these opt-in settings Facebook and its affiliates might avoid privacy lawsuits.
Tommy Vernieri
Monday, December 3, 2007 6:18:10 AM (GMT Standard Time, UTC+00:00)
Well, how about that, looks like you already brought up both of these ideas in your earlier post, "Some Thoughts on the Facebook Beacon." That's what I get for reading out of order and not following the links.

You're right, people won't opt-in and Facebook's sales pitch wouldn't be nearly as good as it must be now, but it would be a nice way for it to work.
Tommy Vernieri
Monday, December 3, 2007 2:25:18 PM (GMT Standard Time, UTC+00:00)
Adblock the following:

Job done.
Mike B
Monday, December 3, 2007 2:41:14 PM (GMT Standard Time, UTC+00:00)
I deleted my Facebook account after they launched the Beacon-program.

They clearly stepped over the line this time.
Tuesday, December 4, 2007 3:47:19 AM (GMT Standard Time, UTC+00:00)
What? No 'Share On Facebook' link? :)
Comments are closed.