Facebook's Beacon of Idiocy

A Computer Associates security researcher says that Facebook's controversial Beacon online ad system goes much further than expected in tracking people's Web activities.

In his note, titled "Facebook's Misrepresentation of Beacon's Threat to Privacy: Tracking users who opt out or are not logged in," he explains that he created an account on Conde Nast's food site Epicurious.com, a site participating in Beacon, and saved three recipes as favorites.

After checking his network traffic logs, Berteau saw that in all three cases, information about his activities was reported back to Facebook, although not to his friends. That information included where he was on Epicurious, the action he had just taken and his Facebook account name.

 
"The first two cases involve the transmission of user data despite 'No thanks' having been selected on the opt-out dialog, and are causes for deep concern. They pale, however, in comparison to the third case, where Facebook was receiving data about my online habits while I was not logged in, and was doing so silently, without even alerting me to the cross-site communication," he wrote in the research note.

 
If a user has ever checked the option for Facebook to "remember me" -- which saves the user from having to log on to the site upon every return to it -- Facebook can tie his activities on third-party Beacon sites directly to him, even if he's logged off and has opted out of the broadcast. If he has never chosen this option, the information still flows back to Facebook, although without it being tied to his Facebook ID, according to Berteau.