I originally published this blog at http://community.ca.com/blogs/securityadvisor
Published: November 29 2007, 02:59 PM by Benjamin Googins
“Creepy”, “stupid”, and “a violation of privacy” are a few ways people have described Facebook’s new advertising system. Facebook Ads introduce both a privacy concern and an annoyance factor, and give the user only marginal control over the annoyance concern and zero control over the privacy concern.
One newly introduced feature feeds information about your external web usage back to your profile under the ‘News Feed’ section. When Facebook Ads was first announced on November 6th, there were about 44 external websites (partners) using Facebook Beacon. If you visit one of these external sites and perform a ‘triggering action’ while there, information related to this action will be transmitted back to Facebook. For example, if you rent a ‘Lord of the Rings’ DVD from Blockbuster.com, Facebook Ads may send this information back to your profile and post it in your Mini Feed and News Feed. Likewise, if you played a game on kongregate.com, a message about your game play would be sent to your profile for everyone to see.
Facebook does offer an opt-out for individual transactions via ‘toast pop-ups,’ but this does not ensure your actions on a partner site will not make it back to your profile. If you close the page too quickly, “before the toast has popped,” or if you miss the toast completely, after 20 seconds Facebook assumes that an unclicked toast means you don’t care and feeds the information to your profile. Worse yet, the main privacy concern is that regardless of whether you opt-out of the individual toast offer, data regarding your presence on the partner site is still sent back to Facebook. In fact, this data is sent before you even have a chance to opt-out.
For me, the Ad system is a real privacy concern. It connects my online actions to my Facebook account – collecting and aggregating an even broader array of data in one database. Yikes. Once I found out about this ad system and realized I didn’t like it, I looked at my options.
Here are some of them:
- Cancel my Facebook account.
- Continually opt-out of News Feed from external sites.
- Do nothing.
- Block facebook.com/beacon*, hence block data transmission.
- Petition Beacon partner sites.
Option 1. This isn’t a good option for me at this time. I use Facebook to connect with people and have invested time and other resources building my Facebook presence. Quitting is not as easy as simply going into my account settings and selecting ‘deactivate.’ In the field of economics the term “elasticity of demand” is used to describe consumer receptivity to changes in price (e.g.: if the price goes up will they still buy?). I think I will create a new term “retractability of investment”. In other words, I invested emotion, time, and other resources in Facebook – what would it take for me to retract my investment by deactivating my account? As of now, my investment is too high and I don’t consider retraction a viable option, but if the privacy violations continue, my internal scale may tip.Option 2. This is not really a solution at all. Regarding the annoyance, there is only the opt-out option on a site-by-site basis. Besides, I usually have a million windows open and will probably miss the toast popup. Regarding the privacy concern, I can opt-out all day long with no effect on whether data will be sent. As of now, there is no way to control this through an opt-out solution.
Option 3. Nope, up until now Facebook has given me the power to choose what gets displayed on my profile. I like that. Having information about my external actions posted on my profile with no central option to disarm it is too much and I need to be able to stop it. Doing nothing is not an option. I reserve the right to limit the flow of information between my external web affairs and Facebook.
Option 4 is the only option I can think of that allows me to use Facebook, but control my privacy. As long as facebook.com/beacon is the folder used for external sites to send requests, this option will work. You will need a tool for blocking access to this folder. I tried out Firefox’s BlockSite Plugin and it works great (if you use Firefox). Just download the plugin and add http://www.facebook.com/beacon/* and facebook.com/beacon/* under ‘options’ to the ‘add’ section and restart your browser. Note: Adding facebook.com/beacon to Internet Explorer’s restricted sites, is not an option, this will block the entire domain (facebook.com). Also, the hosts file is not an option for the same reason.
Option 5. If you want to try a round-about route, you can petition. On Facebook itself there is a group called: ‘Petition: Facebook, stop invading my privacy’ and a petition to sign (don’t you love democracy). Also, Facebook encourages it’s users to give feedback. Another, possibly swifter round-about, approach would be to contact Beacon partners. There are only 44 partners, but over 20 million Facebook users. Which party do you think has greater voice with Facebook? (hint: probably not you). If you contact partners directly and voice your concern with Facebook Ads, you will probably have a greater return on your investment. Note: while writing this post, I received an RSS feed from OnlineMediaDaily telling of backlash against Facebook Ads. Electronic Privacy Information Center and The Center for Democracy and Technology both plan to take action by filing complaints with the FTC.
For me, I will take both the long term and short term approach – in other words, options 4 and 5. I want data transmission blocked immediately, but also want to send a clear message to Facebook that I am concerned about this new direction they are taking. Simply blocking posts via option 4 is only a band aid. We are now into a new stage of the ‘digital revolution’ and norms regarding personal privacy are still forming and everyone has a say where things will end up.
Unfortunately, for now, Facebook seems poised to continue with the Ad Network in its current form and is not providing usable controls for opting out of the data transmission and Newsfeeds. They could easily provide a central control mechanism, passing control to the user. If you are a Facebook user, click ‘Home’ > ‘Privacy’ > ‘News Feed and Mini Feed’ and you will see the following:
Where I have highlighted in RED is where Facebook should put the control option. Better yet, Facebook should make this new Ad network an opt-in option where the user must choose to join before data is transmitted – the box would be unchecked. See a follow up article here.
By: Benjamin Googins
Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document , Spyware Scorecard , Threat…
7 people have left comments:
As follow-up to Ben’s look at Facebook’s Beacon system, I began investigating the extent of the
Posted by: CA Security Advisor Research Blog | November 29, 2007 11:47 PM
Following the publication of the last two blogs about Facebook’s Beacon program and the data we observed
Posted by: CA Security Advisor Research Blog | November 30, 2007 11:17 PM
I agree with your option selection – I also agree that norms for digital use are what most concerns me. It is in line with how we invest our Attention and who has control over that information. Thanks for the tips on how to handle the situation.
Posted by: Levy | December 6, 2007 7:48 AM
Using FireFox 2+ and Block Site plug-in is a good solution.
I also recommend Adblock+ and filter subscription. Adblock will strip out nearly 100% of the ads and make your downloads much faster. FireFox has several hundred plug-ins to choose from.
Another approach is to locat the offending cookie and change it in some way to turn it into a poisoned the cookie. My choice cookie is kismyass1st.
FireFox, also, allows you pick and choose your cookie vendors.
Posted by: A reader | December 6, 2007 4:16 PM
Posted by: Benjamin Googins | April 28, 2008 6:03 PM
AdBlocker Pro works well in Firefox too! It also blocks Ads from hundreds of sites automatically.
I’d NEVER use Internet Explorer except in dire end of the earth, the aliens have invaded all is lost, circumstances.
Posted by: Alle | July 22, 2008 4:10 AM
We need not to confuse the reality online with the reality on your physical machine.
The foremost and most important thing is that the browser must implement a clear separation between web sites, if it doesn’t then change browser.
That’s the beauty (and I believe the original concept) of a web browser, it provides a clear separation among sites and your physical machine as well.
In Firefox, under “Tools”, “Options…”, “Privacy” you have the checkbox that says “Accept third party cookies”
That box is normally checked by default.
What that means is that Firefox allow a website to read other site’s cookies, hence, the “facebook’s beacon” works.
If you uncheck this box, facebook and their “partner” sites won’t be able to associate your online activity with each site.
And Facebook (or any other site) won’t know what other sites you are browsing except theirs.
Plain and simple.
Posted by: Giuseppe | January 9, 2009 5:50 AM