Facebook has modified its Beacon ad program by making its off-site broadcasting capabilities more obvious to users and easier to opt out of — at least, in some cases. However, that adjustment hasn’t quelled privacy concerns on the part of users and at least one security vendor.
Facebook has been tracking user actions on affiliate sites, claims a CA Security Researchblog — even users who opted out of the Beacon program, and even when they were not logged in to Facebook.
This heretofore unknown capability stands in direct contradiction to Facebook’s public assurances, as well as direct e-mail correspondence from its privacy department, according to the CA blog.
To illustrate Facebook’s deeper-than-expected reach into the user experience, the CA blogger created an account onEpicurious.com and tried saving three recipes as favorites. “The first recipe was saved while logged in to Facebook in the same browser session. An alert appeared allowing me to opt out of Facebook’s publishing this as a story on my feed, which I did. The second one was saved after I had closed the Facebook window, but had not logged out or ended the browser session. The same alert appeared, and I opted out again, selecting ‘No thanks.’ I then closed the browser entirely and launched a new session. After confirming that I was not logged in to Facebook, I saved the third recipe. No alert appeared.”
CA then checked the network traffic logs and found that in all three cases, data about what had taken place on Epicurious and the Facebook account name were transmitted to Facebook.
“The first two cases involve the transmission of user data despite ‘No thanks’ having been selected on the opt-out dialog, and are causes for deep concern,” the blogger wrote. “They pale, however, in comparison to the third case, where Facebook was receiving data about my online habits while I was not logged in, and was doing so silently, without even alerting me to the cross-site communication.”
After querying Facebook, CA was told that if a Facebook user clicks “No, thanks” on the partner site notification, Facebook does not use the data and deletes it from its servers. Also, before Facebook can determine whether the user is logged in, some data may be transferred from the participating site to Facebook.
“In those cases, Facebook does not associate the information with any individual user account, and deletes the data as well,” according to the response, which is also posted on the blog.
This latest turn of events, though, adds fuel to a longstanding debate about Web privacy that intensified last week when Facebook modified some parts of its Beacon advertising strategy. Users and privacy advocates had complained that the platform, which transmitted their activities on other sites — such as purchases or comments — provided too much information about the user. In response, Facebook made it easier to curtail such broadcasts and gave users the ability to opt out for specific Web sites.
Privacy advocates regard these as steps in the right direction — but not nearly enough.
“The slight alterations the company has made in its Beacon program will not address the much larger and more troubling privacy problems raised by the site’s new digital marketing apparatus,” said American University Professor Kathryn C. Montgomery, who testified this month before the Federal Trade Commission (FTC) for its ongoing investigation into digital marketing practices.
“Facebook and other popular social networks have ushered in a new era of behavioral profiling, data mining and ‘nanotargeting’ that will quickly become state of the art unless additional consumer and regulatory interventions are made,” she warned. “These practices raise particularly troubling issues for teens, who are increasingly living their lives on these sites and are largely unaware of how their every move is being tracked.”
The Creepiness Factor
Indeed, the Beacon controversy — and now CA’s findings — have served to highlight what Simeon Spearman, an analyst with for the Washington, D.C.-based futurist research and consulting firm Social Technologies, called “the creepiness factor.”
Facebook’s Beacon was a service that provided no value to users and strictly catered to advertisers, he told TechNewsWorld. “The service did not allow users to opt out as easily as it should have, and the creepiness factor of the service quickly emerged after its launch. Users would log in and see that their activities on sites outside of Facebook were being broadcast to their friends.”
Despite the willingness of many social network users to display private information for everyone to see, they want to remain in control of that information — and they still value privacy in their online activities, the protests show.
Furthermore, other social networking sites are likely to take note as they and the larger industry continue to edge toward what is basically a paradigm shift in Web advertising.
“The failure of Facebook’s service could make other social networking sites more cautious when using user data to devise new revenue strategies,” Spearman said. “Facebook is currently valued at (US)$15 billion, but it could lose value as advertisers come to believe that the opportunities for hypertargeted ads are restricted by demands for greater privacy and responsibility in using information made available by users of these sites.”
To be sure, many users were displeased even before the latest disclosures by CA. “In much the same way as traditional gold mining releases cyanide which poisons the surrounding environment, the Beacon’s spotlight on private e-commerce transactions is poisoning the goodwill that Facebook has built with its users, even as it unlocks a treasure trove of marketing power,” said Jeff Greenhouse, president of Singularity Design, an interactive marketing agency.
“While I have not had any purchases displayed in my feed yet — or at least I don’t think I have — I would not be happy to see them show up there, he told TechNewsWorld. I also have to point out that just because I buy something myself, that certainly does not mean that I endorse it or would recommend it to my friends. The choice to leverage my personal brand for the advancement of someone else’s brand is one that I want to make consciously and carefully.”
It may be that Facebook — and supporters of the approach it is taking — are counting on a younger generation of users and their laissez-faire attitude toward information on the Web.
Facebook’s ads are emblematic of most ads seen on the Web these days, said Sarah Withers, a paralegal in New York who began using the site in 2004 while an undergrad at Columbia University.
“It is what you accept when you use services like Facebook,” she told TechNewsWorld.
Indeed, Facebook is much less invasive in its approach than Google, which targets ads based on e-mail content, Withers added. “Now, that is a little disturbing.”