All Things Digital

What Facebook CEO Mark Zuckerberg lacks in foresight, he certainly makes up for in disingenuous hair-shirt remorse. After two weeks of hue and cry over Facebook’s month-old Beacon advertising system and its disregard for member privacy, Zuckerberg today apologized for the company’s misstep and announced some of the fundamental changes to Beacon that users have been calling for.

“Once every 100 years, the way that media works fundamentally changes,” Zuckerberg stated … (kidding ….)

“We simply did a bad job with this release, and I apologize for it,” he wrote. “…When we first thought of Beacon, our goal was to build a simple product to let people share information across sites with their friends. … At first we tried to make it very lightweight so people wouldn’t have to touch it for it to work. The problem with our initial approach of making it an opt-out system instead of opt-in was that if someone forgot to decline to share something, Beacon still went ahead and shared it with their friends. … It took us too long after people started contacting us to change the product so that users had to explicitly approve what they wanted to share. … Instead of acting quickly, we took too long to decide on the right solution. I’m not proud of the way we’ve handled this situation and I know we can do better.”

And the company is trying. Today it released a privacy control to turn off Beacon completely. Said Zuckerberg, “If you select that you don’t want to share some Beacon actions or if you turn off Beacon, then Facebook won’t store those actions even when partners send them to Facebook.”

That’s a pleasant assurance, but one that some say doesn’t go nearly far enough. “So essentially he’s saying the information transmitted won’t be stored but will perhaps be interpreted,” writes Om Malik. “Will this happen in real time? If that is the case, then the advertising ‘optimization’ that results from ‘transmissions’ is going to continue. Right! If they were making massive changes, one would have seen options like ‘Don’t allow any Web sites to send stories to Facebook’ or ‘Don’t track my actions outside of Facebook.’ ”

Facebook may be worth $15 billion after all–not in future advertising revenues (which are apparently suffering at the moment), but in future legal fees.

A CA security researcher reports that the
site’s controversial Beacon online ad system, which transforms member transactions on affiliate sites into product/service endorsements, collects information about member actions on affiliate sites even if they’ve opted out of Beacon and logged off from Facebook. Stefan Berteau, senior research engineer at CA’s Threat Research Group, explained how in a post to the CA Security Advisor Research Blog:

I created an account on epicurious.com and tried saving three recipes as favorites. The first recipe was saved while logged in to Facebook in the same browser session. An alert appeared allowing me to opt out of Facebook’s publishing this as a story on my feed, which I did. The second one was saved after I had closed the Facebook window but had not logged out or ended the browser session. The same alert appeared, and I opted out again, selecting ‘No thanks.’ I then closed the browser entirely and launched a new session. After confirming that I was not logged in to Facebook, I saved the third recipe. No alert appeared.

“I then checked the network traffic logs and was dismayed to find that in all three cases, data about where I was on Epicurious, what action I had just taken, and what my Facebook account name is [were] transmitted to Facebook. The first two cases involve the transmission of user data despite ‘No thanks’ having been selected on the opt-out dialog, and are causes for deep concern. They pale, however, in comparison to the third case, where Facebook was receiving data about my online habits while I was not logged in, and was doing so silently, without even alerting me to the cross-site communication.”

Unsettling, such data collection practices. Though Facebook, of course, claims they are all on the up-and-up and conducted with proper privacy safeguards. “When a Facebook user takes a Beacon-enabled action on a participating site, information is sent to Facebook in order for Facebook to operate Beacon technologically,” the company said in response to Berteau’s report. “If a Facebook user clicks ‘No, thanks’ on the partner-site notification, Facebook does not use the data and deletes it from its servers. Separately, before Facebook can determine whether the user is logged in, some data may be transferred from the participating site to Facebook. In those cases, Facebook does not associate the information with any individual user account, and deletes the data as well.”

(Photo via FSJ)