If you think that just because you never signed up for Facebook you're immune to the tracking and collecting of user activities outside of the popular social networking site, think again.
Facebook Inc.'s controversial Beacon ad system tracks activities from all users in its third-party partner sites, including people who never signed up with Facebook or who have deactivated their accounts, CA Inc. has found.
Beacon captures detailed data on what users do on these external partner sites and sends it back to Facebook along with users' IP addresses, Stefan Berteau, senior research engineer at CA's Threat Research Group, said today in an interview.
This happens even if users delete the Facebook cookie. "The Facebook JavaScript [code] is still called by the affiliate site, and the information is passed in," he said. In the case of users without accounts or with deactivated accounts, the data isn't tied to a Facebook ID, he said.
However, it is well known that IP addresses provide a variety of information about users and have in some instances been used to identify individuals.
The information captured by Beacon in these cases includes the addresses of Web pages visited by the user and a string with the action taken in the partner site, Berteau said.
CA has tested this in Beacon partner sites Epicurious.com, which focuses on food, and Kongregate.com, which focuses on video games, he said. More than 40 sites have signed up for Beacon, although not all of them have implemented it.
It's important for Facebook and the partner sites participating in Beacon to alert users about the data that is captured and passed back to Facebook, Berteau said.
"There is, to a certain extent, a privacy concern with the affiliate site, in that it's important for them to disclose that they'll be sending information about user actions to Facebook," Berteau said.
While users' activities on the Web are tracked in various ways for different purposes, most commonly with tracking cookies in banner ads, the Beacon implementation is one that Berteau said he has never come across before in terms of the details of users' actions that it's able to capture and report.
The latest findings build on Berteau's report on Friday that Beacon stealthily tracked the activities of users on affiliate Beacon sites even if they were logged off of Facebook and had previously declined having their activities reported back to their Facebook friends.
Over the weekend, Facebook confirmed that Berteau's report was accurate but said that it deletes the data it gets under these circumstances.
Still, Friday's findings deepened the privacy concerns surrounding Beacon since its introduction several weeks ago. And the admission today added to the concerns, because it contradicted what had, until then, been the official company line about this issue.
CA's research, which is ongoing, has demonstrated that Beacon is more intrusive and stealthy than previously acknowledged and imagined.
Beacon is a major part of the Facebook Ads platform that Facebook introduced with much fanfare several weeks ago. Beacon tracks certain activities of Facebook users on participating Web sites, including the Blockbuster and Fandango sites, and reports those activities to the user's set of Facebook friends, unless told not to do so.
Off-Facebook activities that can be broadcast to one's Facebook friends include purchasing a product, signing up for a service and including an item on a wish list.
The program has been blasted by groups such as MoveOn.org and by individual users who have unwittingly broadcast information about recent purchases and other Web activities to their Facebook friends.
On Thursday night, Facebook tweaked Beacon to make its workings more explicit to Facebook users, and to make it easier to nix broadcast messages and opt out of having activities tracked on specific Web sites. Facebook didn't go all the way to providing a general opt-out option for the entire Beacon program, as some had hoped.
Then on Friday, just hours after Facebook had scored some points with its modifications to Beacon, Berteau published his note about Beacon's until-then-unknown ability to monitor logged-off users' activities and send the data back to Facebook.
Users aren't informed that data on their activities at these sites is flowing back to Facebook, nor are they given the option of blocking that information from being transmitted, Berteau said at the time.
If users have ever checked the option for Facebook to "remember me" -- which saves users from having to log onto the site every time they return to it -- Facebook can tie their activities on third-party Beacon sites directly to them, even if they're logged off and have opted out of the broadcast. If they have never chosen this option, the information still flows back to Facebook, although without it being tied to their Facebook ID, according to Berteau.
Berteau plans to post another note later this evening detailing his latest findings.
Facebook didn't immediately reply to a request for comment.
However, Berteau said he had shared this latest finding with Facebook officials and they told him that Facebook deletes data that comes in from non-Facebook users and from deactivated accounts.
Berteau said that he is encouraged that the Facebook officials he talked to seemed truly interested in his findings and added that he believes Facebook will make changes to address privacy concerns raised by his research.
One of Berteau's colleagues, Benjamin Googins, last week posted an article with suggestions for users who want to protect themselves from the Beacon's tracking activities.