Facebook has already had a tough week. It’s not getting any better.
With the company already reeling from criticism about its privacy policies, a new report confirms that Facebook tracks your surfing behavior too in more extensive ways than you may realize.
It is something we at VentureBeat had already reported a few days ago, but now it is being documented with more detail.
This gets complicated, so let’s step back and explain clearly what is happening, starting with the controversy last week about a program called Beacon. The popular social network suffered a revolt against the feature, because it sends messages to your friends about your purchase and other online behavior, and did so without your approval.
So late last week, Facebook about-faced on its Beacon policy, and sends data to your friends only if you give your approval. So, for example, if you surf at a partner site, say Blockbuster, Facebook will send a message to your Facebook friends about the purchase you make there only if you check a box allowing it to — a message about your purchase then appears in your friends’ news feeds.
But now it turns out that Beacon tells Facebook what you are doing whether or not you are logged in to Facebook, and whether or not you have approved any data sharing, according to an independent report by a security analyst at IT company CA. (See example screenshot). In other words, while your behavior isn’t shared with your friends, its collected by Facebook nonetheless — and this is something you won’t have explicitly approved.
The report supports the findings of another technical report from this past week which describes the hidden data-sharing aspect of Beacon, but in less detail (we noted the secret data-tracking aspect here).
Facebook has responded, acknowledging the data transfer, although it says privacy safeguards are in place:
Before Facebook can determine whether the user is logged in, some data may be transferred from the participating site to Facebook. In those cases, Facebook does not associate the information with any individual user account, and deletes the data as well.
It’s worth noting that the company has been trying for years to use data from other sites to learn more about you. Here’s an old version of Facebook’s terms of service, from 2005 (pdf here).
Facebook also collects information about you from other sources, such as newspapers and instant messaging services. This information is gathered regardless of your use of the Web Site. We use the information about you that we have collected from other sources to supplement your profile unless you specify in your privacy settings that you do not want this to be done.
As the controversy continues, Coke has quit Beacon and so has Overstock.com. Travelocity, listed as a Beacon partner when it launched, has yet to implement it.