Facebook's Beacon just the tip of the privacy iceberg

Similar (or worse) tracking and information collection rampant across industry

Facebook's Beacon ad service may, ironically, be the best thing that's happened to the online privacy movement in a while.

The controversy raised by the social networking site's use of the Beacon technology has helped drag into the open the widespread but hitherto largely hidden problem of online consumer-tracking and information-sharing, according to privacy advocates.

"This Facebook debacle is in one way very good, because it shows people just what is happening," said Pam Dixon executive director of the World Privacy Forum. "There are other sites and other places where very similar data arrangements exist, but it is all happening under the radar and people simply don't realize it."

A bushel of Beacons, and worse

Facebook's Beacon was released in early November as a part of its Facebook Ads platform. It is ostensibly designed to track the activities of Facebook users on more than 44 participating Web sites, and to report those activities back to the users' Facebook friends, unless specifically told not to do so.

The idea is to give participating online companies a way to monitor the activities of Facebook users on their Web sites and to use that information to then deliver targeted messages to the friends of those Facebook users.

But the relative lack of disclosure about what was going on -- and the relative difficulty involved in opting out of the program -- has led to a maelstrom of criticism against Facebook over the past few days. Adding fuel to the fire have been a series of damaging disclosures by a CA Inc. security researcher that show that Facebook's tracking was far more invasive and extensive that the company originally let on.

According to the researcher, Facebook's Beacon tracked the activities of users even if they had logged off from Facebook and had declined the option of having their activities on other sites broadcast back to their friends.

Likely to be even more damaging was another disclosure Monday afternoon that Beacon's tracking did not stop with just those of Facebook users. Rather, it tracks activities from all users in its third-party partner sites, including IP address data of people who never signed up with Facebook or those who deactivate their accounts.

Unfortunately, such tracking is not at all unusual in the online world -- it's far more the norm than the exception, Dixon said. "One of the things we have been saying about behavioral advertising is that people don't know it's happening.... You have to be tremendously technically savvy to know what is happening under the hood," she said.

Dixon's organization was one of was one of nine privacy advocacy groups that in October submitted a proposal to the Federal Trade Commission asking the agency to consider implementing a Do Not Track list to protect people from having their online activities unknowingly tracked and used by marketers. The FTC itself held a two-day workshop in early November to hear industry and consumer views on online tracking and behavioral-based advertising amid growing concerns about the privacy implications of those activities.

Bad as it might appear to be, what Facebook is doing is less egregious than what a majority of other sites do, according to some privacy advocates. In Facebook's case, for instance, the company at least made the information-sharing transparent and gave users an opportunity to control it, said Chris Hoofnagle, senior staff attorney at the Berkeley Center for Law and Technology at the University of California, Berkeley.

"Most e-commerce companies are quietly selling or sharing information by disclosing it in the privacy policy using euphemistic terms, such as 'joint marketers' or 'sister companies' that market products of interest to the consumer," Hoofnagle said.

Even those that claim not to collect or share the information in their privacy policies often find a way to do so anyway without the individual's knowledge, according to privacy advocates. For instance, many use tracking technologies such as flash cookies and first-party subdomain cookies to skirt around commitments they may have made in their polices regarding information collection and sharing with third parties. Others simply revise privacy policies quietly when they get into new marketing agreements.

Every little bit counts, and is counted

The growing monetization of hugely popular social networking sites such as Facebook and MySpace are only adding to this trend, notes Kathryn Montgomery, professor of communication at American University in Washington.

"Facebook and other popular social networks have ushered in a new era of behavioral profiling, data mining and 'nanotargeting' that will quickly become state of the art unless additional consumer and regulatory interventions are made," said Montgomery, who is the author of Generation Digital: Politics, Commerce, and Childhood in the Age of the Internet.

According to Montgomery, social networks are compiling elaborate profiles of their users by gathering "every bit" of data possible from the information people include in their profiles or post on the sites, and by tracking what their users do online.

The networking sites sell these profiles to marketers, who use the data to deliver messages that are hypertargeted to an individual's likes or dislikes. Messages can be tailored, for instance, based on things such as the kind of work people do, where they're from, their religion, their sexual preferences, their friends or the searches they perform, Montgomery said.

"The thing that concerns me is that these are mostly young people who are living in these online worlds," Montgomery said. "They enter into these interactive social networks because they want to connect with friends and to express themselves. I don't think they are even aware that they are being lured by these sophisticated and highly manipulative marketing," practices, she said.

Michael Zimmer, a Microsoft Fellow at the Yale Law School, said the Beacon privacy brouhaha is likely to be good for online privacy in the same way that last year's Department of Jusice fight with Google -- and the AOL search data release -- were. "The Beacon controversy has helped remind many of how easy and pervasive tracking of all kinds of Web behavior can be," Zimmer said.

The controversy is also likely to help foster a "more contextual understanding of privacy" within industry, he said. "Just because I share my mailing address with Amazon.com doesn't mean I want it to be public information. Just because I change my relationship status on my social networking site doesn't mean I want an announcement highlighting that change automatically e-mailed to everyone in my social network."

"Information is shared within particular contexts which are bound by particular norms of information flow, and designers and users of new Web technologies must come to terms with this contextual notion of privacy," he said.

People tend to strongly oppose such tracking when they know that it is happening or discover the extent to which it is happening, said Mark Cooper, director of research at the Consumer Federation of America.

For example, in a recent survey of 1,200 adults conducted earlier this year, 85% of the respondents said they rejected outright the idea that a site they value and trust should be allowed to serve up clickstream advertisements based on data from their visits to other sites. The survey was conducted by the Samuelson Law, Technology and Public Policy Clinic at UC Berkeley and the Annenberg Public Policy Center at the University of Pennsylvania.

A group created on Facebook to support a petition started by the MoveOn political advocacy group to protest Beacon's lack of privacy protection added 50,000 members between Nov. 11 and Nov. 29. Facebook users in the discussion forum for that group noted that their real complaint about Beacon is that Facebook is collecting the data about their purchases.

"I am sure the majority of the members of this group would have little problem with Beacon if it was something that they could individually choose to participate in," a user identified as Jonathan Horn wrote on the Facebook forum supporting the petition on Saturday. "What most people object to is their transaction information being harvested and shared without their consent."

But marketers tend to have the exact opposite view of the situation said Cooper, whose group is one of those asking for an FTC Do Not Track list. "The inclination of the industry is in direct conflict with the desires of the public, and we cannot rely on self-regulation," to correct the situation, he said. Federal agencies such as the FTC need to take the lead in getting the industry to adopt better standards of disclosure and to offer consumers easier ways to opt in and out of such tracking, he said.

"The people who believe that competition will solve the privacy problem have it backwards," he said. "We believe that in this market people will constantly try to find ways to exploit the personal information they have and that they gather. If a big mistake like [Facebook's Beacon] happens and it gets reversed, some will say we don't need a more systematic approach, whereas in fact it underscores the need for it."

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon