CA: Beacon's reach extends to non-Facebook users

If you think that just because you have never signed up for Facebook you're immune to the tracking and collecting of user activities outside of this popular social networking site, think again.

Facebook's controversial Beacon ad system tracks activities from all users in its third-party partner sites, including from people who have never signed up with Facebook or who have deactivated their accounts, CA has found.

Beacon captures detailed data on what users do on these external partner sites and sends it back to Facebook along with users' IP addresses, Stefan Berteau, senior research engineer at CA's Threat Research Group, said Monday in an interview.

This happens even if users delete the Facebook cookie. "The Facebook Javascript [code] is still called by the affiliate site, and the information is passed in," he said. In the case of users without accounts or with deactivated accounts, the data isn't tied to a Facebook ID, he said.

However, it is well-known that IP addresses provide a variety of information about users and have in some cases been used to identify individuals.

The information captured by Beacon in these cases includes the addresses of Web pages visited by the user and a string with the action taken in the partner site, Berteau said.

CA has tested this in Beacon partner sites Epicurious.com, which focuses on food, and Kongregate.com, which focuses on video games, he said. More than 40 sites have signed up for Beacon, although not all of them have implemented it.

It's important for Facebook and the partner sites participating in Beacon to alert users about the data that is captured and passed back to Facebook, Berteau said.

"There is, to a certain extent, a privacy concern with the affiliate site, in that it's important for them to disclose that they'll be sending information about user actions to Facebook," Berteau said.

While users' activities on the Web are tracked in various ways for different purposes, most commonly with tracking cookies in banner ads, the Beacon implementation is one Berteau has never come across before in terms of the details of users' actions that it's able to capture and send back.

These latest findings build on Berteau's report on Friday that Beacon stealthily tracked the activities of users on affiliate Beacon sites even if they were logged off from Facebook and had previously declined having their activities reported back to their Facebook friends.

Over the weekend, Facebook confirmed that Berteau's report on Friday was accurate but said that it deletes the data it gets under these circumstances.

Still, Friday's findings deepened the privacy concerns surrounding Beacon since its introduction several weeks ago. And the admission Monday added to the concerns, since it contradicted what had, until then, been the official company line about this issue.

CA's research, which is ongoing, has demonstrated that Beacon is more intrusive and stealthy than previously acknowledged and imagined.