Facebook’s Beacon is Improved, But Remains a Threat

I originally published this blog at http://community.ca.com/blogs/securityadvisor

Published Dec 11 2007, 04:59 PM by Benjamin Googins

Last week, Facebook made positive changes to their Privacy Policy.  This update states that Facebook discards user data coming from users who are logged out or who are not Facebook users.

The addendum to Facebook’s Privacy Policy reads as follows:

“Facebook Beacon is a means of sharing actions you have taken on third party sites, such as when you make a purchase or post a review, with your friends on Facebook. In order to provide you as a Facebook user with clear disclosure of the activity information being collected on third party sites and potentially shared with your friends on Facebook, we collect certain information from that site and present it to you after you have completed an action on that site. You have the choice to have Facebook discard that information, or to share it with your friends.

To learn more about the operation of the service, we encourage you to read the tutorial here. To opt out of the service altogether, click here. Like many other websites that interact with third party sites, we may receive some information even if you are logged out from Facebook, or that pertains to non-Facebook users, from those sites in conjunction with the technical operation of the system. In cases where Facebook receives information on users that are not logged in, or on non-Facebook users, we do not attempt to associate it with individual Facebook accounts and will discard it.”

While these updates are welcome, and the universal opt-out of the posting of stories is good evidence that they are taking user privacy concerns seriously and attempting to address them, they have not yet taken the actions necessary to fully mitigate the risks posed by Beacon.

Some behaviors of programs (or of the entities or organizations offering them) pose risks. From a privacy perspective, a behavior poses a risk if it causes users to lose control of their information, and Beacon’s current implementation does exactly that. For Facebook users who are logged in, or who selected “Remember me” when logging in at some point in the past, the risk is higher, since the information is sent in a way that can be tied to their user profiles, which would allow Facebook, or anyone else receiving the data, to infer even more about that individual. People without Facebook accounts face a smaller risk, as their information can only be tied to an IP address rather than to an individual.
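The distinction drawn above, between a transfer the recipient can tie to an account and one it can tie only to an IP address, is also the distinction a practitioner would make when looking for such silent transfers in traffic. The following is an added example, not code from the original post or from Facebook: it reads a small forward-proxy log, flags every request that sends data from the site the user is visiting to a different site (destination host differs from the Referer host), and reports whether a cookie for the destination went along with it. The log format, the hostnames (social.example, shop.example, reviews.example) and the log lines themselves are constructed for the example; the same-site test is deliberately crude and is labelled as such.

```python
"""Classify cross-site "beacon" transfers found in an HTTP proxy log.

Added example (not from the original post).  A third party site that
reports a user's action to another site shows up in a forward-proxy log
as a request whose Referer is on one site and whose destination is on
another.  Whether that report is linkable to an account or only to an
IP address depends on whether a cookie for the destination site rode
along with it.  Hostnames and log format are hypothetical; the sample
log lines are constructed.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample log.  Fields: client_ip method url referer cookie_flag
# ("cookie" if the request carried a Cookie header for the destination,
# "-" if it did not).
SAMPLE_LOG = """\
10.0.0.5 POST https://social.example/beacon?action=purchase&item=book https://shop.example/checkout cookie
10.0.0.5 GET https://shop.example/checkout https://shop.example/cart cookie
10.0.0.9 POST https://social.example/beacon?action=review https://reviews.example/post/42 -
10.0.0.7 GET https://social.example/home https://social.example/ cookie
"""


@dataclass
class Finding:
    client_ip: str
    origin_site: str      # site the user was actually visiting (Referer host)
    destination: str      # third party that received the data
    action: str           # what was reported, if the query string says
    linkable_to: str      # "account" if a cookie rode along, else "ip-only"


def registrable_domain(host: str) -> str:
    """Crude 'same site' test: last two DNS labels.  Good enough for the
    constructed sample; real code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_line(line: str):
    """Return (client_ip, url, referer, has_cookie), or None for a bad line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    client_ip, _method, url, referer, cookie_flag = parts
    return client_ip, url, referer, cookie_flag == "cookie"


def classify(log_text: str) -> list[Finding]:
    """Flag every request that carries data from one site to another and
    say whether the recipient can tie it to an account or only to an IP."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client_ip, url, referer, has_cookie = parsed
        dest = urlsplit(url)
        ref = urlsplit(referer)
        if not dest.hostname or not ref.hostname:
            continue
        # First-party traffic (same site as the page the user is on) is not
        # a silent cross-site transfer, whatever cookies it carries.
        if registrable_domain(dest.hostname) == registrable_domain(ref.hostname):
            continue
        action = parse_qs(dest.query).get("action", ["-"])[0]
        findings.append(Finding(
            client_ip=client_ip,
            origin_site=ref.hostname,
            destination=dest.hostname,
            action=action,
            linkable_to="account" if has_cookie else "ip-only",
        ))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count transfers by how much the recipient can learn from them."""
    counts = {"account": 0, "ip-only": 0}
    for f in findings:
        counts[f.linkable_to] += 1
    return counts


if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f"{f.client_ip} on {f.origin_site} -> {f.destination} "
              f"action={f.action} linkable_to={f.linkable_to}")
    print(summarize(classify(SAMPLE_LOG)))
```

On the constructed log this reports two transfers: the purchase on shop.example arrives at social.example with a cookie and is therefore linkable to an account, while the review posted from reviews.example arrives without one and is linkable only to the client's IP address. The two same-site requests are ignored, since ordinary first-party traffic is not the concern.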

A risk does not by itself make something bad; it can be mitigated if informed consent is obtained, or some other step such as a legally binding commitment is taken, before the information is collected or transferred. If a risk is present and is not mitigated, we say that there is a threat to users. Since data is still being transferred silently to Facebook from third party sites, Facebook needs a mitigating element. As we mentioned in last week’s posting, what Facebook has provided is “discoverable notice”: it is up to the end user to seek it out in the privacy policy, the FAQ, or the help section. Users who do not seek out this information will never be told about the silent transmission of their data to Facebook. Facebook users are not presented with prominent notice of this transfer at any point, so the average user will not be informed about the consequences of using Facebook and its affiliate sites.

This leaves Facebook with a few options, both technical and legal. Facebook has not stopped the transmission of data, but it has changed its help section, Beacon FAQ, and privacy policy to state that this silently collected data is immediately deleted. Unfortunately, these changes do not prevent Facebook from reversing course without notifying users. The FAQ and help pages are not binding in any case, and the privacy policy distinguishes material from non-material changes: material changes require 30 days’ advance notice to users, whereas non-material changes can happen at any time and are reflected only in the privacy policy itself, with no requirement for active notice to users. Last week’s changes were introduced as a non-material change, which means that Facebook is reserving the right to make a quick update to the privacy policy, with no active notification to users, and begin storing, aggregating, and tying this data to user accounts, and generally using it as it pleases.

The only way for a user to know if Facebook has changed this policy is to continually monitor the privacy policy for changes, which is an undue burden to place on a user in order to protect information that they never agreed to release in the first place.

Beacon is an example of a new way of advertising on the web, and it offers some very interesting possibilities. But new and groundbreaking systems must be designed carefully to ensure that they respect the rights of their users, precisely because of their novelty: users have no experience with systems like Beacon, so designers cannot fall back on the assumed implicit consent that covers more established systems. While Facebook did not launch Beacon in a way that protected its users’ rights, it has over the past week shown a strong commitment to changing that for the better. We have been happy to see Facebook react promptly and responsibly to this matter, and we hope to see it address our remaining concerns.

By: Benjamin Googins


Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document , Spyware Scorecard , Threat…
