Follow-up: Facebook’s Response

I originally published this blog at http://community.ca.com/blogs/securityadvisor

Published Dec 03 2007, 07:43 PM by Benjamin Googins

In addition to the statement we received this past Friday, we have received further communications from Facebook’s privacy department, this time directly addressing the silent data transfer to facebook.com.

Hi Stefan,
Thanks for clarifying your concerns. You can prevent stories from being generated for actions you take on external websites, but this is different from the data that is shared between Facebook and the external site. If you prevent a certain partner site from publishing stories about you through Beacon, the information about the action is still sent to us.  Please note that it is sent for the purpose of generating the notification on the partner site.  However, if your options are set such that the story won’t be published, we discard that information almost as soon as we receive it. While we do receive this information, we do not store it in our system. Let me know if you have any further questions or concerns.
Thanks,
[name removed – Stefan] Customer Support Representative Facebook

We have also been contacted by Facebook, and have spoken with them about the privacy issues surrounding Beacon. We are very glad that they are taking this seriously, and are communicating more accurate information to their users about the data flow to facebook.com. We hope that they will take steps to mitigate these issues in the near future, because while the statement that this data is not currently being stored or used is reassuring, the fact that the data continues to be sent to facebook.com continues to pose a risk to users' privacy until a binding, public mechanism is in place to assure that the above policy stays in place, and that users are notified if it ever changes. Facebook's privacy policy is such a mechanism. Officially stating in their policy that they will not store or use data which is not associated with a logged-in Facebook account that opted in to Beacon would go a long way towards providing clarity and an assurance of privacy to their users.

At present, continued testing of the Beacon affiliate sites kongregate.com and epicurious.com reveals no change in their operation. We still observe the data being sent when not logged in. If a machine has never been used to access facebook, or has not been logged in with "remember me" selected, then the affiliate data will be sent, but no facebook ID will accompany it. Otherwise, both a facebook ID and the affiliate data will be sent. While logged in to Facebook, user actions taken on epicurious.com continue to be sent to Facebook, including (but not necessarily limited to) saving a recipe, rating a recipe, and reviewing a recipe. This test was repeated 4 different times with different recipes.

The fact that change has not yet occurred is not necessarily a negative indication. Changes to privacy policies should always be carefully thought out, and we are hoping to see Facebook act promptly, but also responsibly. In the coming days we hope to see our privacy concerns addressed by a combination of changes to the Facebook privacy policy, the user interface for opting in to or out of the program, and possibly the functionality of Beacon itself. We will continue to monitor all publicly visible aspects of the Beacon system, and will report any updates here.

By: Benjamin Googins

Benjamin Googins is a senior engineer working on CA's Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat…
