In my last post, I linked to a site that explains how to block Facebook Beacon. I recommend that post if you’re interested in preventing Facebook from knowing what you are doing on third-party sites. At the same time, GigaOM has been asking some important privacy questions; he wants to know what data third-party sites are sharing with Facebook.
Using a packet sniffer and the wonderful Firefox extension TamperData, I’ve got the answer – at least in one case. I looked at how Epicurious has integrated Facebook Beacon, and what I’ve found is rather troubling.
The actual implementation on Epicurious’ side is pretty simple; they make a script inclusion call to Facebook on recipe page loads. With the call, the javascript file http://facebook.com/beacon/beacon.js is loaded. This call happens regardless of your Epicurious login state (even if you don’t have an Epicurious accont) – Epicurious loads this javascript for both cases.
Here’s where things get interesting. When a browser loads a “page” or file, standard information is sent back to the web server. In this case, when you load an Epicurious page, you’re also loading a Facebook page. Among the standard information sent back to Facebook is your IP, your referer location, and a cookie. Your IP is the address of your home computer, your referer location is the URL you are viewing, and your cookie includes a little value called “c_user” – your Facebook ID. Here’s what the call looks like (sanitized with [] to remove private and superfluous info):
Host=www.facebook.comUser-Agent=Mozilla/5.0 []Accept=text/xml,application/xmlAccept-Language=en-us,en;q=0.5Accept-Encoding=gzip,deflateAccept-Charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive=300Connection=keep-aliveReferer=http://www.epicurious.com/recipes/food/views/1247213Cookie=c_user=[Faceook ID]; login_x=[Your FB login];Cache-Control=max-age=0
Therefore, regardless of your login state to Epicurious, any time you load (not just review) a recipe or any other Beacon-enabled page, Facebook knows exactly what you are looking at. In essence, this setup is sending your clickstream and path data to Facebook, precisely correlated to your Facebook identity. On Beacon-enabled pages, Facebook knows everything you do in Epicurious.
Caveats: I doubt that Facebook had much say in how Epicurious integrated, so it’s possible that this privacy leak is the fault of Epicurious, not Facebook. However, if Facebook’s integration plan is to have all its partners making Javascript include calls, this “information sharing” will be widespread. As a final note of caution, this is not much different from DoubleClick’s model; of course, with the public’s eye on Facebook, one can expect higher degrees of scrutiny for Facebook.
Hey Fred,
This is the standard method used by pretty much all advertising networks to target advertising. You’ll find that the practices of DoubleClick, Yahoo and Google preempt this move by Facebook. Any request made to a web server will send the cookies on your machine which have been stored by the given server. When you are logged in to Facebook, your Facebook ID is stored as a cookie on your computer, and when you make a request to the beacon server, this information is sent along with the request.
Services like DoubleClick do this without your even being “logged in,” meaning that they store cookies on your machine regardless of your intent, and connect your activity across any number of sites which their advertising is displayed on.
The flip-side of this privacy concern is the extent to which advertising networks can provide you with relevant advertising. You can always turn off cookies altogether (or just log out of Facebook when you’re not using their site). This way the DoubleClicks and Facebooks won’t be able to “see” you on these sites unless they correlate your IP address on their side. But these networks (and I assume Facebook) would argue that your experience would be diminished, getting advertisements that are unrelated and distracting.
It’s a tough line to tow, but that’s the current tradeoff posed by advertising networks. I guess there’s something to be said for the fact that you can opt out of DoubleClick while search providers do not offer a similar service and are collecting much more sensitive data.
Cameron, I agree – that’s why I included my caveat. There really isn’t anything new here. To that extent, it seems likely these privacy “concerns” won’t resonate, except with tin foil hat types like me.
Where it gets interesting is in the confrontation. How are people going to react as Facebook follows them around the web, and their actions confront them when they log back in to Facebook?
Perhaps it will be a big deal, perhaps it won’t…thats the trouble with privacy. We say we care, but…
there is in fact something new.
with doubleclick and other ad-networks – there was always a well defined way of clearing any information in the cookies. Kill the browser and/or clear the cookies. With Facebook – the data is being stored against a persistent userid and the user can never get rid of the logged data. Ad Networks also provide a standard opt-out site – see http://www.networkadvertising.org/managing/opt_out.asp
and besides – the Doubleclick cookie is just an identifier for the browser – not for the user’s identity. It’s not portable from one machine to another. And doubleclick doesn’t have our name and address.
I think what’s being attempted is unprecedented. Yahoo and Google have never done this before either.
@Anonymous, I think if you do a little inspection on your Google cookies, you’ll find that there are a few that uniquely identify you, namely your NID. This will follow you when you log in, regardless of what browser, machine, or IP address you’re coming from. I haven’t done any tests, but my guess is that you’re assigned a random ID when you first visit a web page, then transitioned to your permanent ID if you log into any of Google’s services.
If you think Facebook is scary, Google already has “beacons” on every page containing AdSense. This means that every page you visit which has a “Ads By Google” box on it is tracking which pages you visit, which sites they’re on, and connecting this to your search query logs.
Frankly, I think the fact that Facebook puts this information in the public and typically allows you to edit it ex post facto means that they’re concerned about people’s feelings about the way their data is being used. I’m not sure I can say the same about other companies with the same level of personal information.
I loaded a Recipe page on Epicurious to see this in action but dont get any of the Pop-ups asking me if its OK to send info to Facebook (I have gotten them at Hotwire.com, so I know what i’m looking for); I took a look at the Page Source and saw the reference to the Beacon JavaScript in the HTML Header – but no reference in the page Body (none of the c_user,login,etc. info that you covered in your post)
I wonder what determines whether or not the service is loaded on a page or not…I have a Facebook account and have been targeted by Beacon before, so why not now, when I’m looking at an Apple-Cranberry Crisp recipe on Epicurious?
You’ve got to rate a recipe to encounter Beacon.
A couple other sources have picked up this story. Find coverage here on PC World, which cites a Computer Associates blog post that did the same cookie analysis as mine.
To a certain extent, this coverage is piling-on, but we should be aware of who is tracking us and for what reasons. A similar gaze should be cast upon Google.