Facebook 1, Your Privacy 0

As if I needed another reason to avoid social networking sites like the proverbial plague.

You may have heard by now that Facebook recently added a “feature” called Beacon that automatically spies on your activities on other websites and tells everyone else on Facebook what you’re doing over there. For the technical-minded, there’s a good analysis of precisely how this works, but the basic idea is as follows:

  1. When you log in to Facebook, it stores a cookie in your browser with your log-in information. This way, when you go back to Facebook next time, it automatically logs you back in. This cookie persists as long as you don’t explicitly log out of Facebook. (In other words, going to a different site or closing your browser doesn’t delete the cookie.)
  2. Websites can feed information into Beacon by using a little JavaScript code that Facebook provides. Let’s say your favorite online movie rental store does this. When you add, say, Brazil to your queue, the store’s website executes Facebook’s JavaScript, telling it “whoever this guy is just added Brazil to his queue at FoobarVideo.com”.
  3. That JavaScript code sends a request to Facebook’s website, passing along the message “whoever this guy is just added Brazil to his queue at FoobarVideo.com”. Since the code creates an iframe to do this, the browser also sends your Facebook cookies along with the request. Remember, as long as you haven’t logged out of Facebook, your cookies that log you in are still there, even if you aren’t currently visiting Facebook.
  4. Facebook uses the cookie to figure out precisely who you are, and adds “Hapless User just added Brazil to his queue at FoobarVideo.com” to your Facebook page. (You really need to pick a better user name, by the way.)
  5. After that’s done, your browser, assuming it still has the same page open, shows a popup window for a few seconds giving you a chance to opt out of what Facebook just did. Yes, the notification goes away after a brief delay. Hope you noticed it.

Now, there are many things wrong with this. First, and most obviously, is that Facebook is reporting your activities on other sites without you initially knowing, and only informing you in a manner that’s easy to miss. Many users only discovered this when visiting their Facebook page and noticing all this new information they never entered, let alone intended to share with the world.

Even if you think you don’t have anything to hide, you probably do. Suppose your favorite online store wants to Beacon the purchases you’re making. It’d sure suck if all your friends could find out what you’re buying them for Christmas just by visiting your Facebook page. And if you’re renting Debbie Does Anything That Moves from that online video rental store, you should know the production values are pretty questionable. Um, I’ve heard.

Secondly, even if you manage to opt out, or configure Facebook after visiting each site that does this to always opt out, Facebook is still receiving the Beacon messages. It’s just not showing them on your page. Facebook is perfectly capable of building a profile in its database of your activities on other websites, and you just have to trust that they won’t do anything nefarious with them. Or, you know, have them stolen when a script kiddie breaks into their servers.

But even worse, Facebook can build this profile on you even if you don’t have a Facebook account! Sure, Facebook won’t be able to match the Beacons you unwittingly send to an account name, but they can still track you to a degree by your computer’s IP address. Are they keeping a database of this information too? Who knows! And since you don’t have a Facebook account, you’ll never see the message saying that the Beacon was sent.

Let me repeat that: Facebook is perfectly capable of building a profile of your activities on other websites, even if you don’t have a Facebook account, and without you ever knowing about it.

(And in that case, who even cares what their privacy policy might say? You never agreed to it anyway.)

Fortunately, if you have a decent browser, there is a way to protect yourself from Facebook Beacon. Those requests your browser sends to Facebook behind your back all fetch URLs of the form http://facebook.com/beacon* or http://*.facebook.com/beacon*. Firefox users can use the AdBlock extension to block any attempts by your browser to access those URLs. Other decent browsers should have some similar feature.
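To make the mechanism from the numbered list above and the URL-blocking fix concrete, here is an added example (my own illustration, not code from the original post or from Facebook) modelling how a cross-site iframe request picks up the Facebook login cookie, and an AdBlock-style filter for the two URL patterns. The cookie names, values, hosts and the Beacon URL are all constructed for the illustration.

```javascript
// Constructed cookie jar: what the browser holds after logging in to Facebook
// and never logging out. The login cookie is scoped to the facebook.com domain.
const cookieJar = [
  { name: "login_session", value: "abc123", domain: "facebook.com", path: "/" },
  { name: "cart", value: "brazil", domain: "foobarvideo.example", path: "/" },
];

// Classic cookie matching: a cookie set for domain D is sent to host H when H
// equals D or is a subdomain of D. Which page embedded the iframe plays no
// part, which is exactly why the cross-site Beacon request arrives logged in.
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

function cookiesSentTo(jar, url) {
  const u = new URL(url);
  return jar
    .filter((c) => domainMatches(u.hostname, c.domain) && u.pathname.startsWith(c.path))
    .map((c) => `${c.name}=${c.value}`);
}

// The two block patterns from the post, read as globs where "*" matches any
// run of characters, converted once to anchored regular expressions.
const BLOCK_PATTERNS = ["http://facebook.com/beacon*", "http://*.facebook.com/beacon*"];

function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}
const blockRules = BLOCK_PATTERNS.map(globToRegExp);

function isBlocked(url) {
  return blockRules.some((re) => re.test(url));
}

// Constructed stand-in for the iframe URL the store's Beacon script creates.
const beaconUrl = "http://www.facebook.com/beacon/?msg=added+Brazil+at+FoobarVideo";

// Request pipeline: the filter runs before the request leaves the browser, so a
// blocked URL is never fetched and no cookie is ever attached to it.
function simulateIframeLoad(url) {
  if (isBlocked(url)) return { sent: false, cookies: [] };
  return { sent: true, cookies: cookiesSentTo(cookieJar, url) };
}
```

Note that the two patterns from the post only cover `http://`; a request to the same path over `https://` would not match them, so a real filter list needs a scheme-agnostic rule as well.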

Now I can see this Beacon thing as potentially being useful in principle, as I can imagine there are times when you’d like to point out your activities on other websites, such as that scathing review you just wrote about Debbie Does Anything That Moves. But the correct approach would be for the site to ask before sending the Beacon to Facebook, and for you to have explicitly opted in on Facebook’s website (just in case that other website is misbehaving) before any Beacons are enabled in the first place. Revealing information about your activities without your prior consent is a violation of your privacy.

This has been a public service announcement for those of you with Facebook accounts. Because Facebook certainly didn’t bother telling you about this beforehand.